Add update_strategy for envvars and secrets

The default behavior remains to merge (--update), but setting the update_strategy to "overwrite" will set all values.
google-github-actions · May 17, 2024 · 647937e · 647937e
1 parent 08b62e2
commit 647937e
Show file tree

Hide file tree

Showing 9 changed files with 220 additions and 163 deletions.
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
@@ -21,7 +21,6 @@ permissions:
 
 jobs:
   deploy:
-    if: ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name && github.actor != 'dependabot[bot]' }}
     runs-on: 'ubuntu-latest'
 
     strategy:
@@ -44,7 +43,7 @@ jobs:
 
       - uses: 'actions/setup-node@v4'
         with:
-          node-version: '20.x'
+          node-version: '20.12.x' # https://github.com/nodejs/node/issues/53033
 
       - run: 'npm ci && npm run build'
 
@@ -151,7 +150,6 @@ jobs:
           REVISION_COUNT: 2
 
   metadata:
-    if: ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name && github.actor != 'dependabot[bot]' }}
     runs-on: 'ubuntu-latest'
 
     steps:
@@ -167,7 +165,7 @@ jobs:
 
       - uses: 'actions/setup-node@v4'
         with:
-          node-version: '20.x'
+          node-version: '20.12.x' # https://github.com/nodejs/node/issues/53033
 
       - run: 'npm ci && npm run build'
 
@@ -227,7 +225,6 @@ jobs:
           REVISION_COUNT: 2
 
   jobs:
-    if: ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name && github.actor != 'dependabot[bot]' }}
     runs-on: 'ubuntu-latest'
 
     steps:
@@ -239,7 +236,7 @@ jobs:
 
       - uses: 'actions/setup-node@v4'
         with:
-          node-version: '20.x'
+          node-version: '20.12.x' # https://github.com/nodejs/node/issues/53033
 
       - run: 'npm ci && npm run build'
 

diff --git a/README.md b/README.md
@@ -92,61 +92,46 @@ jobs:
     specifying 'v1' for a service named 'helloworld', would lead to a revision
     named 'helloworld-v1'. The default value is no suffix.
 
--   `env_vars`: (Optional) List of key=value pairs to set as environment
-    variables. All existing environment variables will be retained. If both
-    `env_vars` and `env_vars_file` are specified, the keys in `env_vars` will take
-    precendence over the keys in `env_vars_files`.
+-   `env_vars`, `env_vars_file`, and `env_vars_update_strategy`: (Optional)
+    These values define environment variables and their update strategy.
 
-    ```yaml
-    with:
-      env_vars: |
-        FOO=bar
-        ZIP=zap
-    ```
-
-    Entries are separated by commas (`,`) and newline characters. Keys and
-    values are separated by `=`. To use `,`, `=`, or newline characters, escape
-    them with a backslash:
+    `env_vars` is specified as comma-separated or newline-separated key-value
+    pairs, with special characters escaped using a backslash.
 
     ```yaml
     with:
       env_vars: |
+        NAME=person
         EMAILS=foo@bar.com\,zip@zap.com
     ```
 
--   `env_vars_file`: (Optional) Path to a file on disk, relative to the
-    workspace, that defines environment variables. The file can be
-    newline-separated KEY=VALUE pairs, JSON, or YAML format. If both `env_vars`
-    and `env_vars_file` are specified, the keys in env_vars will take
-    precendence over the keys in env_vars_files.
+    `env_vars_file` is the path to a file on disk relative to the workspace that
+    defines newline-separated KEY=VALUE pairs, JSON, or YAML.
 
     ```text
-    FOO=bar
-    ZIP=zap
+    NAME=person
+    EMAILS=foo@bar.com\,zip@zap.com
     ```
 
-    or
-
-    ```json
-    {
-      "FOO": "bar",
-      "ZIP": "zap"
-    }
-    ```
+    If both `env_vars` and `env_vars_file` are specified, they are merged and
+    the values from `env_vars` will take precedence on conflict.
 
-    or
+    `env_vars_update_strategy` controls how the environment variables are set on
+    the Cloud Run service. If `env_vars_update_strategy` is set to "merge", then
+    the environment variables are _merged_ with any upstream values. If set to
+    "overwrite", then all environment variables on the Cloud Run service will be
+    replaced with exactly the values given by the GitHub Action (making it
+    authoritative). The default value is "merge".
 
     ```yaml
-    FOO: 'bar'
-    ZIP: 'zap'
+    with:
+      env_vars_update_strategy: 'overwrite'
     ```
 
-    When specified as KEY=VALUE pairs, the same escaping rules apply as
-    described in `env_vars`. You do not have to escape YAML or JSON.
-
--   `secrets`: (Optional) List of key=value pairs to use as secrets. These can
-    either be injected as environment variables or mounted as volumes. All
-    existing environment secrets and volume mounts will be retained.
+-   `secrets`, `secrets_update_strategy`: (Optional) List of key=value pairs to
+    use as secrets. These can either be injected as environment variables or
+    mounted as volumes. All existing environment secrets and volume mounts will
+    be retained.
 
     ```yaml
     with:
@@ -161,6 +146,18 @@ jobs:
     The same rules apply for escaping entries as from `env_vars`, but Cloud Run
     is more restrictive with allowed keys and names for secrets.
 
+    `secrets_update_strategy` controls how the secrets are set on the Cloud Run
+    service. If `secrets_update_strategy` is set to "merge", then the secrets
+    are _merged_ with any upstream values. If set to "overwrite", then all
+    secrets on the Cloud Run service will be replaced with exactly the values
+    given by the GitHub Action (making it authoritative). The default value is
+    "merge".
+
+    ```yaml
+    with:
+      secrets_update_strategy: 'overwrite'
+    ```
+
 -   `labels`: (Optional) List of key=value pairs to set as labels on the Cloud
     Run service. Existing labels will be overwritten.
 

diff --git a/action.yml b/action.yml
@@ -111,6 +111,16 @@ inputs:
       described in `env_vars`. You do not have to escape YAML or JSON.
     required: false
 
+  env_vars_update_strategy:
+    description: |-
+      (Optional) Controls how the environment variables are set on the Cloud Run
+      service. If set to "merge", then the environment variables are merged with
+      any upstream values. If set to "overwrite", then all environment variables
+      on the Cloud Run service will be replaced with exactly the values given by
+      the GitHub Action (making it authoritative).
+    required: true
+    default: 'merge'
+
   secrets:
     description: |-
       (Optional) List of key=value pairs to use as secrets. These can either be
@@ -129,6 +139,16 @@ inputs:
       Run is more restrictive with allowed keys and names for secrets.
     required: false
 
+  secrets_update_strategy:
+    description: |-
+      (Optional) Controls how the secrets are set on the Cloud Run service. If
+      set to "merge", then the secrets are merged with any upstream values. If
+      set to "overwrite", then all secrets on the Cloud Run service will be
+      replaced with exactly the values given by the GitHub Action (making it
+      authoritative).
+    required: true
+    default: 'merge'
+
   labels:
     description: |-
       (Optional) List of key=value pairs to set as labels on the Cloud

diff --git a/dist/main/index.js b/dist/main/index.js