Skip to content
This repository has been archived by the owner. It is now read-only.
Permalink
Browse files
feat: Add post-job action cleanup of credentials and region env vars …
…(#101)
  • Loading branch information
clareliguori committed Jul 29, 2020
1 parent 1fa7cca commit d19cafcdd1be7e3358f84574a00df37af494036a
Showing 5 changed files with 91 additions and 3 deletions.
@@ -52,3 +52,4 @@ outputs:
runs:
using: 'node12'
main: 'dist/index.js'
post: 'dist/cleanup/index.js'
@@ -0,0 +1,36 @@
const core = require('@actions/core');

/**
* When the GitHub Actions job is done, clean up any environment variables that
* may have been set by the configure-aws-credentials steps in the job.
*
* Environment variables are not intended to be shared across different jobs in
* the same GitHub Actions workflow: GitHub Actions documentation states that
* each job runs in a fresh instance. However, doing our own cleanup will
* give us additional assurance that these environment variables are not shared
* with any other jobs.
*/

async function cleanup() {
try {
// The GitHub Actions toolkit does not have an option to completely unset
// environment variables, so we overwrite the current value with an empty
// string. The AWS CLI and AWS SDKs will behave correctly: they treat an
// empty string value as if the environment variable does not exist.
core.exportVariable('AWS_ACCESS_KEY_ID', '');
core.exportVariable('AWS_SECRET_ACCESS_KEY', '');
core.exportVariable('AWS_SESSION_TOKEN', '');
core.exportVariable('AWS_DEFAULT_REGION', '');
core.exportVariable('AWS_REGION', '');
}
catch (error) {
core.setFailed(error.message);
}
}

module.exports = cleanup;

/* istanbul ignore next */
if (require.main === module) {
cleanup();
}
@@ -0,0 +1,51 @@
const core = require('@actions/core');
const cleanup = require('./cleanup.js');

jest.mock('@actions/core');

const FAKE_ACCESS_KEY_ID = 'MY-AWS-ACCESS-KEY-ID';
const FAKE_SECRET_ACCESS_KEY = 'MY-AWS-SECRET-ACCESS-KEY';
const FAKE_SESSION_TOKEN = 'MY-AWS-SESSION-TOKEN';
const FAKE_REGION = 'fake-region-1';
const ACTION_ENVIRONMENT_VARIABLES = {
AWS_ACCESS_KEY_ID: FAKE_ACCESS_KEY_ID,
AWS_SECRET_ACCESS_KEY: FAKE_SECRET_ACCESS_KEY,
AWS_SESSION_TOKEN: FAKE_SESSION_TOKEN,
AWS_DEFAULT_REGION: FAKE_REGION,
AWS_REGION: FAKE_REGION,
};

describe('Configure AWS Credentials', () => {
const OLD_ENV = process.env;

beforeEach(() => {
jest.resetModules();
process.env = {...OLD_ENV, ...ACTION_ENVIRONMENT_VARIABLES};
});

afterEach(() => {
process.env = OLD_ENV;
});

test('replaces AWS credential and region env vars with empty strings', async () => {
await cleanup();
expect(core.setFailed).toHaveBeenCalledTimes(0);
expect(core.exportVariable).toHaveBeenCalledTimes(5);
expect(core.exportVariable).toHaveBeenCalledWith('AWS_ACCESS_KEY_ID', '');
expect(core.exportVariable).toHaveBeenCalledWith('AWS_SECRET_ACCESS_KEY', '');
expect(core.exportVariable).toHaveBeenCalledWith('AWS_SESSION_TOKEN', '');
expect(core.exportVariable).toHaveBeenCalledWith('AWS_DEFAULT_REGION', '');
expect(core.exportVariable).toHaveBeenCalledWith('AWS_REGION', '');
});

test('error is caught and fails the action', async () => {
core.exportVariable.mockReset();
core.exportVariable.mockImplementation(() => {
throw new Error();
});

await cleanup();

expect(core.setFailed).toBeCalled();
});
});
@@ -1,7 +1,7 @@
const core = require('@actions/core');
const assert = require('assert');
const aws = require('aws-sdk');
const run = require('.');
const run = require('./index.js');

jest.mock('@actions/core');

@@ -5,8 +5,8 @@
"main": "index.js",
"scripts": {
"lint": "eslint **.js",
"package": "ncc build index.js -o dist",
"test": "eslint **.js && jest --coverage"
"package": "ncc build index.js -o dist && ncc build cleanup.js -o dist/cleanup",
"test": "eslint **.js && jest --coverage --verbose"
},
"repository": {
"type": "git",

0 comments on commit d19cafc

Please sign in to comment.