refresh-test-credentials #10433
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # We need to push credentials into github that have no actual permissions for | |
| # anything. However, just in case those credentials expire every hour we do this | |
| # by having a GCP project where service account keys expire every hour. This is | |
| # done to allow for CI to run some jobs that need a GCP Service Account but | |
| # actually don't need access to run. This will allow us to use some checks with | |
| # contributors without write access to the repo | |
| # This workflow will run every 30 mins to hopefully ensure that credentials | |
| # don't expire even if this script errors. | |
| name: refresh-test-credentials | |
| # For now this only runs on a schedule once a day. Once we have made some of the | |
| # plugin workflows more incremental we will run this on _every_ commit to main | |
| on: | |
| # Allows you to run this workflow manually from the Actions tab | |
| workflow_dispatch: | |
| schedule: | |
| # Schedule every 30 mins | |
| - cron: '*/30 * * * *' | |
| jobs: | |
| refresh-test-credentials: | |
| name: refresh-test-credentials | |
| environment: ops | |
| runs-on: ubuntu-latest | |
| env: | |
| PR_TOOLS_GITHUB_APP_PRIVATE_KEY: ${{ secrets.PR_TOOLS_GITHUB_APP_PRIVATE_KEY}} | |
| PR_TOOLS_GITHUB_APP_ID: ${{ secrets.PR_TOOLS_GITHUB_APP_ID }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 1 | |
| - name: 'Set up Cloud SDK' | |
| uses: 'google-github-actions/setup-gcloud@v2' | |
| with: | |
| version: '>= 363.0.0' | |
| - name: Authenticate to google with an ops user | |
| uses: 'google-github-actions/auth@v2' | |
| with: | |
| credentials_json: '${{ secrets.GOOGLE_OPS_CREDENTIALS_JSON }}' | |
| create_credentials_file: true | |
| - name: Setup external pr tools | |
| uses: ./.github/workflows/setup-external-pr-tools | |
| # These credentials are not supposed to be secrets | |
| - name: Refresh credentials for the oso-test-dummy user on the testing environment | |
| shell: bash | |
| run: | | |
| cd ops/external-prs && | |
| bash scripts/rotate-service-account.sh oso-test-dummy@oso-pull-requests.iam.gserviceaccount.com dummy.json && | |
| pnpm tools oso refresh-gcp-credentials --secret=false testing dummy.json GOOGLE_TEST_DUMMY_CREDENTIALS_JSON | |
| env: | |
| PR_TOOLS_REPO: ${{ github.repository }} | |
| # These credentials are intended to be secret | |
| - name: Refresh credentials for the bigquery-admin user on the many apps and environments | |
| shell: bash | |
| run: | | |
| cd ops/external-prs && | |
| bash scripts/rotate-service-account.sh bigquery-admin@oso-pull-requests.iam.gserviceaccount.com bigquery-admin.json && | |
| pnpm tools oso --repo ${{ github.repository }} refresh-gcp-credentials external-prs-app bigquery-admin.json GOOGLE_BQ_ADMIN_CREDENTIALS_JSON && | |
| pnpm tools oso --repo ${{ github.repository }} refresh-gcp-credentials deploy bigquery-admin.json GOOGLE_BQ_ADMIN_CREDENTIALS_JSON && | |
| pnpm tools oso --repo opensource-observer/oss-directory refresh-gcp-credentials external-prs-app bigquery-admin.json GOOGLE_BQ_ADMIN_CREDENTIALS_JSON | |
| rebuild-docker-public-vars: | |
| name: rebuild-docker-public-vars | |
| environment: testing | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: write | |
| env: | |
| # Frontend variables | |
| NODE_ENV: ${{ vars.NODE_ENV }} | |
| PLASMIC_PROJECT_ID: ${{ vars.PLASMIC_PROJECT_ID }} | |
| PLASMIC_PROJECT_API_TOKEN: ${{ vars.PLASMIC_PROJECT_API_TOKEN }} | |
| NEXT_PUBLIC_DOMAIN: ${{ vars.NEXT_PUBLIC_DOMAIN }} | |
| NEXT_PUBLIC_DB_GRAPHQL_URL: ${{ vars.NEXT_PUBLIC_DB_GRAPHQL_URL }} | |
| HASURA_URL: ${{ vars.HASURA_URL }} | |
| OSO_API_KEY: ${{ secrets.OSO_API_KEY }} | |
| GOOGLE_PROJECT_ID: "opensource-observer" | |
| GOOGLE_TEST_DUMMY_CREDENTIALS_JSON: ${{ vars.GOOGLE_TEST_DUMMY_CREDENTIALS_JSON }} | |
| PUBLIC_VARS_TEST: "THISISATEST" | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v3 | |
| with: | |
| fetch-depth: 1 | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Write public vars | |
| run: | | |
| bash .github/scripts/save-public-vars.sh ${{ github.sha }} \ | |
| NODE_ENV \ | |
| PLASMIC_PROJECT_ID \ | |
| PLASMIC_PROJECT_API_TOKEN \ | |
| NEXT_PUBLIC_DOMAIN \ | |
| NEXT_PUBLIC_DB_GRAPHQL_URL \ | |
| HASURA_URL \ | |
| OSO_API_KEY \ | |
| GOOGLE_PROJECT_ID \ | |
| GOOGLE_TEST_DUMMY_CREDENTIALS_JSON \ | |
| PUBLIC_VARS_TEST |