Add support for short-lived tokens #224
Conversation
Job Summary for GradleDemo adding Build Scan® comment to PR :: failing-build-with-comment-on-failure
|
Job Summary for GradleDemo adding Build Scan® comment to PR :: successful-build-with-always-comment
|
Job Summary for GradleDemo adding Build Scan® comment to PR :: successful-build-with-always-comment
|
Job Summary for GradleDemo adding Build Scan® comment to PR :: failing-build-with-comment-on-failure
|
| @@ -0,0 +1,164 @@ | |||
| import * as httpm from 'typed-rest-client/HttpClient' | |||
There was a problem hiding this comment.
The "package" for this file should not be "shortlived-token", but something more general purpose. Let's use "develocity".
There was a problem hiding this comment.
Also, for consistency we should name this short-lived-token.
| @@ -1,7 +1,8 @@ | |||
| import * as core from '@actions/core' | |||
There was a problem hiding this comment.
This file can be moved into the same "package" as shortlived-token.ts.
| working-directory: .github/workflow-samples/no-ge | ||
| run: gradle help | ||
| - name: Check access key does not leak | ||
| run: "[ \"${DEVELOCITY_ACCESS_KEY}\" != \"${{ secrets.DEVELOCITY_ACCESS_KEY }}\" ] || (echo 'DEVELOCITY_ACCESS_KEY has leaked!'; exit 1)" |
There was a problem hiding this comment.
We need to ensure that the ACCESS KEY isn't leaked to the console here.
| script: | | ||
| core.setFailed('No Build Scan detected') | ||
|
|
||
| inject-develocity-short-lived-token-failed: |
There was a problem hiding this comment.
What real behaviour are we trying to test here?
There was a problem hiding this comment.
if requesting a token fails, we want to avoid the passed access key as an env var to be used downstream (and potentially leaked)
| script: | | ||
| core.setFailed('No Build Scan detected') | ||
|
|
||
| inject-develocity-short-lived-token-with-env: |
There was a problem hiding this comment.
This test already exists in integ-test-inject-develocity. Just need to add the token check.
| @@ -0,0 +1,151 @@ | |||
| name: Test develocity injection | |||
There was a problem hiding this comment.
Instead of adding a separate integration test, let's merge this coverage into the existing inject-develocity test. So we'll be testing develocity injection, and verifying that a short-lived token is used.
| develocity-token-expiry: | ||
| description: The Develocity short-lived access tokens expiry in hours. Default is 2 hours. | ||
| required: false | ||
|
|
There was a problem hiding this comment.
We need to add the same arguments to the dependency-submission action. These actions share many implementation details, including build-scan publishing.
docs/setup-gradle.md
Outdated
| DEVELOCITY_URL: https://develocity.your-server.com | ||
| DEVELOCITY_PLUGIN_VERSION: 3.17 | ||
| with: | ||
| develocity-access-key: ${{ secrets.MY_DEVELOCITY_ACCESS_KEY }} |
There was a problem hiding this comment.
I don't think this will work. The access key needs to be provided to the setup-gradle Step.
|
|
||
| This access key will be used during the action execution to get a short-lived token and set it to the DEVELOCITY_ACCESS_KEY environment variable. | ||
|
|
||
| ### Short-lived access tokens |
There was a problem hiding this comment.
The feature to map develocityAccessKey to a short-lived token isn't directly related to Develocity injection. I think we should include develocityAccessKey in our examples for Develocity injection, but this feature will also come into play when the build is configured for Develocity (without injection).
I think we should also consider adding test coverage for this: ensure a sample build that is wired to publish to ge.solutions-team.gradle.com can use short-lived access tokens.
sources/src/build-scan.ts
Outdated
| @@ -11,6 +12,34 @@ export function setup(config: BuildScanConfig): void { | |||
| maybeExportVariable('DEVELOCITY_TERMS_OF_USE_URL', config.getBuildScanTermsOfUseUrl()) | |||
| maybeExportVariable('DEVELOCITY_TERMS_OF_USE_AGREE', config.getBuildScanTermsOfUseAgree()) | |||
| } | |||
| const develocityAccesskeyEnvVar = `DEVELOCITY_ACCESS_KEY` | |||
| if (config.getDevelocityAccessKey()) { | |||
| try { | |||
There was a problem hiding this comment.
Let's move this logic to shortlived-token.ts.
bigdaz
force-pushed
the
atual/short-lived-tokens
branch
from
83c899f to
81f24ed
Compare
…ars (#225) Follow up of #224, we now attempt to set both old and new access key env variables to a short lived token. If a short-lived token cannot be obtained, then: - DEVELOCITY_ACCESS_KEY is set to an empty string, preventing this from being used. - GRADLE_ENTERPRISE_ACCESS_KEY is left intact, with a deprecation warning being issued.
The setup-gradle action tries to get a short-lived access token given the passed Develocity access key.
This key can be passed either with the
DEVELOCITY_ACCESS_KEYenv var or better with a new inputdevelocity-access-key.If a token can be retrieved, then the
DEVELOCITY_ACCESS_KEYenv var will be set to the token. Otherwise theDEVELOCITY_ACCESS_KEYwill be set to a blank string, to avoid a leak.