Support GitHub Apps for GitOps Workflow #243

Merged (1 commit) on Apr 24, 2024
27 changes: 23 additions & 4 deletions .github/workflows/template_gitops.yml
Expand Up @@ -12,7 +12,7 @@ on:
docker-file:
required: false
type: string
default: './Dockerfile'
default: "./Dockerfile"
docker-image:
required: false
type: string
Expand All @@ -26,10 +26,14 @@ on:
gitops-prod:
required: false
type: string
gitops-organization:
required: false
type: string
default: ${{ github.repository_owner }}
working-directory:
required: false
type: string
default: '.'
default: "."
# waiting for: https://github.com/github-community/community/discussions/17554
secrets:
docker-username:
Expand All @@ -44,19 +48,34 @@ on:
required: false
gonosumdb:
required: false
app-id:
required: false
private-key:
required: false

jobs:
gitops:

name: GitOps
runs-on: ubuntu-22.04

if: github.ref == 'refs/heads/dev' || github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || startsWith(github.ref, 'refs/tags/')

env:
USING_APP_CREDENTIALS: ${{ secrets.app-id != '' && secrets.private-key != '' }}

steps:
- name: Checkout
Contributor Author: Not sure why we need the actions/checkout here

Contributor: If you want to start the action, you want to get the code of the repo where you execute this action. In this repo, you have the Dockerfile, etc. Without this action, you will get a not-found exception for several files. 😆 If you are unsure, feel free to test your solution. You can use the branch name as your new version. 🙌

Contributor Author: Makes sense. I totally forgot that the workflow replaces the entire job content where normally the checkout happens.

uses: actions/checkout@v4

- name: Get App Token
if: ${{ env.USING_APP_CREDENTIALS == 'true' }}
uses: actions/create-github-app-token@v1.9.0
id: get_token
with:
app-id: ${{ secrets.app-id }}
private-key: ${{ secrets.private-key }}
owner: ${{inputs.gitops-organization }}

- name: GitOps (build, push and deploy a new Docker image)
uses: Staffbase/gitops-github-action@v5.4
with:
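Review bot: the Get App Token step hands `secrets.private-key` to `actions/create-github-app-token@v1.9.0` referenced by a mutable tag; pin the action to a full commit SHA (keeping the version in a trailing comment) so a moved tag cannot swap the code that receives the app's private key. Because `owner: ${{inputs.gitops-organization }}` is set without narrowing the repositories, the installation token is minted for every repository the app is installed on in that organization, not only the GitOps repository this workflow pushes to; if the action's `repositories` input is available in this version, consider exposing it as a workflow input so the token can be scoped to the target repository. Minor: that `owner:` expression is missing the space after `${{`.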
Expand All @@ -70,7 +89,7 @@ jobs:
docker-build-target: ${{ inputs.docker-build-target }}
docker-file: ${{ inputs.docker-file }}
docker-image: ${{ inputs.docker-image }}
gitops-token: ${{ secrets.gitops-token }}
gitops-token: ${{ env.USING_APP_CREDENTIALS == 'true' && steps.get_token.outputs.token || secrets.gitops-token }}
gitops-dev: ${{ inputs.gitops-dev }}
gitops-stage: ${{ inputs.gitops-stage }}
gitops-prod: ${{ inputs.gitops-prod }}
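Review bot: the `&& … ||` ternary for `gitops-token` silently falls back to `secrets.gitops-token` when `USING_APP_CREDENTIALS` is `true` but `steps.get_token.outputs.token` is empty, and yields an empty string when a caller supplies neither authentication method, so a misconfigured caller only fails deep inside `Staffbase/gitops-github-action` with an opaque error. Add an early step that fails with a clear message when `secrets.gitops-token` is empty and `USING_APP_CREDENTIALS` is not `'true'`, and document that the app token takes precedence over `gitops-token` when both are present.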
16 changes: 16 additions & 0 deletions README.md
Expand Up @@ -102,6 +102,7 @@ jobs:
# optional: private key of the GitHub App
private_key: ${{ <your-private-key> }}
```

</details>

### GitOps
Expand Down Expand Up @@ -135,6 +136,8 @@ jobs:
# optional: files which should be updated for prod
gitops-prod: |-
your files
# optional: organization of the gitops repository, default: github.repository_owner
gitops-organization: <your-organization>
Comment on lines +139 to +140
Contributor: Out of interest: What is a use case where this should differ? 🤔

Contributor Author: The actions/create-github-app-token action needs an owner to set the correct scope for the token. Otherwise, the token is only granted for the current repository. But you want to push to another repository (inside of your organization). Therefore, you need to be able to configure them. Otherwise, people outside of Staffbase can't use that workflow.

secrets:
# optional: username for the docker registry
docker-username: ${{ <your-docker-username> }}
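Review bot: the comment on `gitops-organization` describes it only as "organization of the gitops repository", but in the workflow this input is consumed solely by the Get App Token step (as `owner`), so it has no effect for callers that authenticate with `gitops-token`; say so in the comment, e.g. `# optional: owner of the gitops repository, used to scope the GitHub App token, default: github.repository_owner`.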
Expand All @@ -150,7 +153,12 @@ jobs:
gitops-token: ${{ <your-gitops-token> }}
# optional: gonosumdb environment variable
gonosumdb: ${{ <your-gonosumdb> }}
# optional: identifier of the GitHub App for authentication
app-id: ${{ <your-app-id> }}
# optional: private key of the GitHub App
private-key: ${{ <your-private-key> }}
```

</details>

### Jira Ticket Tagging
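Review bot: the new `app-id` and `private-key` entries read as two independent optional secrets, but the workflow treats them as a pair that replaces `gitops-token` (both must be non-empty for `USING_APP_CREDENTIALS` to be true); document that a caller must supply either `gitops-token` or both `app-id` and `private-key`, and which one wins when all three are set. Style: the same README documents the app key as `private_key` (underscore) for the other templates, so the hyphenated name here is worth a consistency check.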
Expand Down Expand Up @@ -183,6 +191,7 @@ jobs:
# email of the api token owner
jira-email: ${{ <your-email> }}
```

</details>

### LaunchDarkly Code References
Expand All @@ -209,6 +218,7 @@ jobs:
# LD access token with correct access rights
access-token: ${{ <your-access-token> }}
```

</details>

### Release Drafter
Expand Down Expand Up @@ -247,6 +257,7 @@ jobs:
# optional: private key of the GitHub App
private_key: ${{ <your-private-key> }}
```

</details>

### Release Version Detector
Expand Down Expand Up @@ -283,6 +294,7 @@ on:
- cron: '0 0 * * 1'
- cron: '0 0 1 1 *'
```

</details>

### Secret Scanning
Expand All @@ -299,6 +311,7 @@ jobs:
trufflehog:
uses: Staffbase/gha-workflows/.github/workflows/template_secret_scan.yml@v5.1.0
```

</details>

### Stale
Expand Down Expand Up @@ -330,6 +343,7 @@ jobs:
# optional: comment on the staled pull request, default: This PR has been automatically marked as stale because there has been no recent activity in the last 60 days. It will be closed in 7 days if no further activity occurs such as removing the label.
stale-pr-message: your message
```

</details>

### TechDocs
Expand Down Expand Up @@ -366,6 +380,7 @@ jobs:
# optional: specifies the access key associated with the storage account
azure-account-key: ${{ secrets.TECHDOCS_AZURE_ACCESS_KEY }}
```

</details>

### TestIO
Expand Down Expand Up @@ -421,6 +436,7 @@ jobs:
# optional: path which files should be checked recursively, default: .
target-path: your path
```

</details>

## Limitations 🚧