73 changes: 58 additions & 15 deletions .github/workflows/pipelines-root.yml
Expand Up @@ -21,7 +21,7 @@ on:
runner:
type: string
default: '"ubuntu-latest"'
api_base_url:
api_base_url:
type: string
default: "https://api.prod.app.gruntwork.io/api/v1"

Expand Down Expand Up @@ -53,36 +53,47 @@ jobs:
name: Detect Infrastructure Changes
runs-on: ${{ fromJSON(inputs.runner) }}
steps:
- name: Sanitize Tokens
id: secrets
shell: bash
run: |
PR_TRIM=$(echo $PIPELINES_READ_TOKEN | xargs)
Contributor Author


This needs to actually reference the secret; it's not in env yet.

IR_TRIM=$(echo $INFRA_ROOT_WRITE_TOKEN | xargs)
OR_TRIM=$(echo $ORG_REPO_ADMIN_TOKEN | xargs)
echo "PIPELINES_READ_TOKEN=$PR_TRIM" >> $GITHUB_OUTPUT
echo "INFRA_ROOT_WRITE_TOKEN=$IR_TRIM" >> $GITHUB_OUTPUT
echo "ORG_REPO_ADMIN_TOKEN=$OR_TRIM" >> $GITHUB_OUTPUT

- name: Fetch Gruntwork Read Token
id: pipelines-gruntwork-read-token
uses: gruntwork-io/pipelines-credentials@v1
with:
PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io"
FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
FALLBACK_TOKEN: ${{ steps.secrets.outputs.PIPELINES_READ_TOKEN }}
api_base_url: ${{ inputs.api_base_url }}

- name: Fetch Org Read Token
id: pipelines-customer-org-read-token
uses: gruntwork-io/pipelines-credentials@v1
with:
PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }}
FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
FALLBACK_TOKEN: ${{ steps.secrets.outputs.PIPELINES_READ_TOKEN }}
api_base_url: ${{ inputs.api_base_url }}

- name: Fetch Infra Root Write Token
id: pipelines-infra-root-write-token
uses: gruntwork-io/pipelines-credentials@v1
with:
PIPELINES_TOKEN_PATH: infra-root-write/${{ github.repository_owner }}
FALLBACK_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }}
FALLBACK_TOKEN: ${{ steps.secrets.outputs.INFRA_ROOT_WRITE_TOKEN }}
api_base_url: ${{ inputs.api_base_url }}

- name: Fetch Org Repo Admin Token
id: pipelines-org-repo-admin-token
uses: gruntwork-io/pipelines-credentials@v1
with:
PIPELINES_TOKEN_PATH: org-repo-admin/${{ github.repository_owner }}
FALLBACK_TOKEN: ${{ secrets.ORG_REPO_ADMIN_TOKEN }}
FALLBACK_TOKEN: ${{ steps.secrets.outputs.ORG_REPO_ADMIN_TOKEN }}
api_base_url: ${{ inputs.api_base_url }}

- name: Checkout Pipelines Actions
Expand Down Expand Up @@ -120,7 +131,7 @@ jobs:
uses: ./pipelines-actions/.github/actions/pipelines-preflight-action
with:
IS_ROOT: "true"
PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
PIPELINES_READ_TOKEN: ${{ steps.secrets.outputs.PIPELINES_READ_TOKEN }}
INFRA_ROOT_WRITE_TOKEN: ${{ steps.pipelines-infra-root-write-token.outputs.PIPELINES_TOKEN }}
ORG_REPO_ADMIN_TOKEN: ${{ steps.pipelines-org-repo-admin-token.outputs.PIPELINES_TOKEN }}
PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }}
Expand Down Expand Up @@ -151,28 +162,38 @@ jobs:
matrix:
jobs: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs) }}
steps:
- name: Sanitize Tokens
id: secrets
shell: bash
run: |
PR_TRIM=$(echo $PIPELINES_READ_TOKEN | xargs)
IR_TRIM=$(echo $INFRA_ROOT_WRITE_TOKEN | xargs)
OR_TRIM=$(echo $ORG_REPO_ADMIN_TOKEN | xargs)
echo "PIPELINES_READ_TOKEN=$PR_TRIM" >> $GITHUB_OUTPUT
echo "INFRA_ROOT_WRITE_TOKEN=$IR_TRIM" >> $GITHUB_OUTPUT
echo "ORG_REPO_ADMIN_TOKEN=$OR_TRIM" >> $GITHUB_OUTPUT
- name: Fetch Gruntwork Read Token
id: pipelines-gruntwork-read-token
uses: gruntwork-io/pipelines-credentials@v1
with:
PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io"
FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
FALLBACK_TOKEN: ${{ steps.secrets.outputs.PIPELINES_READ_TOKEN }}
api_base_url: ${{ inputs.api_base_url }}

- name: Fetch Org Read Token
id: pipelines-customer-org-read-token
uses: gruntwork-io/pipelines-credentials@v1
with:
PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }}
FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
FALLBACK_TOKEN: ${{ steps.secrets.outputs.PIPELINES_READ_TOKEN }}
api_base_url: ${{ inputs.api_base_url }}

- name: Fetch Infra Root Write Token
id: pipelines-infra-root-write-token
uses: gruntwork-io/pipelines-credentials@v1
with:
PIPELINES_TOKEN_PATH: infra-root-write/${{ github.repository_owner }}
FALLBACK_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }}
FALLBACK_TOKEN: ${{ steps.secrets.outputs.INFRA_ROOT_WRITE_TOKEN }}
api_base_url: ${{ inputs.api_base_url }}

- name: Checkout Pipelines Actions
Expand Down Expand Up @@ -342,28 +363,39 @@ jobs:
matrix:
jobs: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].NewAccounts }}
steps:
- name: Sanitize Tokens
shell: bash
id: secrets
run: |
PR_TRIM=$(echo $PIPELINES_READ_TOKEN | xargs)
IR_TRIM=$(echo $INFRA_ROOT_WRITE_TOKEN | xargs)
OR_TRIM=$(echo $ORG_REPO_ADMIN_TOKEN | xargs)
echo "PIPELINES_READ_TOKEN=$PR_TRIM" >> $GITHUB_OUTPUT
echo "INFRA_ROOT_WRITE_TOKEN=$IR_TRIM" >> $GITHUB_OUTPUT
echo "ORG_REPO_ADMIN_TOKEN=$OR_TRIM" >> $GITHUB_OUTPUT

- name: Fetch Gruntwork Read Token
id: pipelines-gruntwork-read-token
uses: gruntwork-io/pipelines-credentials@v1
with:
PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io"
FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
FALLBACK_TOKEN: ${{ steps.secrets.outputs.PIPELINES_READ_TOKEN }}
api_base_url: ${{ inputs.api_base_url }}

- name: Fetch Org Read Token
id: pipelines-customer-org-read-token
uses: gruntwork-io/pipelines-credentials@v1
with:
PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }}
FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
FALLBACK_TOKEN: ${{ steps.secrets.outputs.PIPELINES_READ_TOKEN }}
api_base_url: ${{ inputs.api_base_url }}

- name: Fetch Create PR Token
id: pipelines-propose-infra-change-token
uses: gruntwork-io/pipelines-credentials@v1
with:
PIPELINES_TOKEN_PATH: propose-infra-change/${{ github.repository_owner }}
FALLBACK_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }}
FALLBACK_TOKEN: ${{ steps.secrets.outputs.INFRA_ROOT_WRITE_TOKEN }}
api_base_url: ${{ inputs.api_base_url }}

- name: Checkout Pipelines Actions
Expand Down Expand Up @@ -465,28 +497,39 @@ jobs:
# GHA can't check for length, so we just check if there is an item in the 0 index
if: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].NewAccounts[0] != null && needs.pipelines_execute.outputs.delegate_management == 'true' && needs.pipelines_execute.outputs.terragrunt_command == 'run-all apply' }}
steps:
- name: Sanitize Tokens
shell: bash
id: secrets
run: |
PR_TRIM=$(echo $PIPELINES_READ_TOKEN | xargs)
IR_TRIM=$(echo $INFRA_ROOT_WRITE_TOKEN | xargs)
OR_TRIM=$(echo $ORG_REPO_ADMIN_TOKEN | xargs)
echo "PIPELINES_READ_TOKEN=$PR_TRIM" >> $GITHUB_OUTPUT
echo "INFRA_ROOT_WRITE_TOKEN=$IR_TRIM" >> $GITHUB_OUTPUT
echo "ORG_REPO_ADMIN_TOKEN=$OR_TRIM" >> $GITHUB_OUTPUT

- name: Fetch Gruntwork Read Token
id: pipelines-gruntwork-read-token
uses: gruntwork-io/pipelines-credentials@v1
with:
PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io"
FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
FALLBACK_TOKEN: ${{ steps.secrets.outputs.PIPELINES_READ_TOKEN }}
api_base_url: ${{ inputs.api_base_url }}

- name: Fetch Org Read Token
id: pipelines-customer-org-read-token
uses: gruntwork-io/pipelines-credentials@v1
with:
PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }}
FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
FALLBACK_TOKEN: ${{ steps.secrets.outputs.PIPELINES_READ_TOKEN }}
api_base_url: ${{ inputs.api_base_url }}

- name: Fetch Org Repo Admin Token
id: pipelines-org-repo-admin-token
uses: gruntwork-io/pipelines-credentials@v1
with:
PIPELINES_TOKEN_PATH: org-repo-admin/${{ github.repository_owner }}
FALLBACK_TOKEN: ${{ secrets.ORG_REPO_ADMIN_TOKEN }}
FALLBACK_TOKEN: ${{ steps.secrets.outputs.ORG_REPO_ADMIN_TOKEN }}
api_base_url: ${{ inputs.api_base_url }}

- name: Checkout Pipelines Actions
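Review bot: The trimmed values that each `Sanitize Tokens` step writes to `$GITHUB_OUTPUT` are new strings, and the runner's log masking may not recognise them whenever trimming actually changed the secret, so they could appear unmasked in later step logs. Registering each one before the write closes that gap: `echo "::add-mask::$PR_TRIM"`, and the same for `IR_TRIM` and `OR_TRIM`. The unquoted `echo $VAR | xargs` also passes the token through shell word splitting, globbing and xargs quote/backslash handling, so a value containing such characters would be altered or rejected; trimming a quoted variable with parameter expansion avoids that. The step is copied into all four jobs and exports all three tokens each time, including to jobs whose visible steps use only two of them, so each copy could be limited to the tokens that job consumes.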