From e863a4315ef9de1aa4fd5fd175cae49567163572 Mon Sep 17 00:00:00 2001
From: Joshua Gilman
Date: Tue, 22 Jul 2025 14:19:45 -0700
Subject: [PATCH 1/9] feat: adds support for configuring Tailscale
---
actions/setup/action.yml | 53 +++++++++++++++++++
blueprint.cue | 8 +++
.../global/providers/cue_types_gen.go | 15 ++++++
.../blueprint/global/providers/main.cue | 3 ++
.../blueprint/global/providers/tailscale.cue | 15 ++++++
5 files changed, 94 insertions(+)
create mode 100644 lib/schema/blueprint/global/providers/tailscale.cue
diff --git a/actions/setup/action.yml b/actions/setup/action.yml
index 5e9a280c..ca513531 100644
--- a/actions/setup/action.yml
+++ b/actions/setup/action.yml
@@ -33,6 +33,10 @@ inputs:
 description: If true, skips installing KCL CLI if the provider is configured
 required: false
 default: "false"
+ skip_tailscale:
+ description: If true, skips installing and authenticating with skip_tailscale
+ required: false
+ default: "false"
 skip_timoni:
 description: If true, skips installing Timoni CLI if the provider is configured
 required: false
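Review bot: The description of the new `skip_tailscale` input says "skips installing and authenticating with skip_tailscale", naming the input instead of the tool; `description: If true, skips installing and authenticating with Tailscale if the provider is configured` would match the wording of the neighbouring `skip_kcl` and `skip_timoni` inputs. The same sentence is copied verbatim into the inputs table added to actions/setup/README.md in patch 5 and should be corrected there as well.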
@@ -275,3 +279,52 @@ runs:
 shell: bash
 run: |
 kcl version
+
+ # Tailscale Provider
+ - name: Get Tailscale provider configuration
+ id: tailscale
+ if: inputs.skip_tailscale == 'false'
+ shell: bash
+ run: |
+ echo "==== Tailscale Setup ====="
+ BP=$(forge dump .)
+
+ TAILSCALE=$(echo "$BP" | jq -r .global.ci.providers.tailscale)
+ if [[ "$TAILSCALE" != "null" ]]; then
+ CONFIGURED="true"
+ VERSION=$(echo "$BP" | jq -r .global.ci.providers.tailscale.version)
+ if [[ "$VERSION" == "null" ]]; then
+ VERSION="latest"
+ fi
+
+ TAGS=$(echo "$BP" | jq -r .global.ci.providers.tailscale.tags)
+ if [[ "$TAGS" == "null" ]]; then
+ TAGS=""
+ fi
+
+ SECRET=$(forge secret get --project . global.ci.providers.tailscale.credentials)
+ CLIENT_ID=$(echo "$SECRET" | jq -r .client_id)
+ CLIENT_SECRET=$(echo "$SECRET" | jq -r .client_secret)
+
+ echo "::add-mask::$CLIENT_ID"
+ echo "::add-mask::$CLIENT_SECRET"
+
+ echo "client_id=$CLIENT_ID" >> $GITHUB_OUTPUT
+ echo "client_secret=$CLIENT_SECRET" >> $GITHUB_OUTPUT
+ echo "tags=$TAGS" >> $GITHUB_OUTPUT
+ echo "version=$VERSION" >> $GITHUB_OUTPUT
+ else
+ echo "Not configuring Tailscale"
+ CONFIGURED="false"
+ fi
+
+ echo "configured=$CONFIGURED" >> $GITHUB_OUTPUT
+ - name: Install and configure Tailscale
+ if: inputs.skip_tailscale == 'false' && steps.tailscale.outputs.configured == 'true'
+ uses: tailscale/github-action@v3
+ with:
+ oauth-client-id: ${{ steps.tailscale.outputs.client_id }}
+ oauth-secret: ${{ steps.tailscale.outputs.client_secret }}
+ tags: ${{ steps.tailscale.outputs.tags }}
+ use-cache: "true"
+ version: ${{ steps.tailscale.outputs.version }}
diff --git a/blueprint.cue b/blueprint.cue
index 8062009b..fbe48203 100644
--- a/blueprint.cue
+++ b/blueprint.cue
@@ -60,6 +60,14 @@ global: {
 ]
 version: "v0.11.0"
 }
+
+ tailscale: {
+ credentials: {
+ provider: "aws"
+ path: "global/ci/tailscale"
+ }
+ version: "latest"
+ }
 }
 secrets: [
 {
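Review bot: `jq -r .client_id` and `jq -r .client_secret` print the literal string `null` and exit 0 when the key is absent from the secret, so a secret with the wrong shape is not caught here: `null` is handed to `tailscale/github-action` as the OAuth secret, and `::add-mask::null` then redacts every occurrence of the word "null" in the job log. Check the values before masking, e.g. `if [[ "$CLIENT_ID" == "null" || "$CLIENT_SECRET" == "null" ]]; then echo "tailscale credentials secret must contain client_id and client_secret" >&2; exit 1; fi`; the "Get Tailscale configuration" step added to actions/install-local/action.yml in patch 5 has the same gap. The `>> $GITHUB_OUTPUT` redirections are unquoted, which is harmless for the default path, but `>> "$GITHUB_OUTPUT"` is the conventional form. Finally, `tailscale/github-action@v3` is the step that receives the OAuth client secret and is pinned to a mutable tag; the other actions in this file use tags too, so this may be repo convention, but a commit-SHA pin is the usual hardening for a third-party action that handles credentials.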
diff --git a/lib/schema/blueprint/global/providers/cue_types_gen.go b/lib/schema/blueprint/global/providers/cue_types_gen.go
index 51806fb9..e86b0c5a 100644
--- a/lib/schema/blueprint/global/providers/cue_types_gen.go
+++ b/lib/schema/blueprint/global/providers/cue_types_gen.go
@@ -105,10 +105,25 @@ type Providers struct {
 // KCL contains the configuration for the KCL provider.
 Kcl *KCL `json:"kcl,omitempty"`
+ // Tailscale contains the configuration for the Tailscale provider.
+ Tailscale *Tailscale `json:"tailscale,omitempty"`
+
 // Timoni contains the configuration for the Timoni provider.
 Timoni *Timoni `json:"timoni,omitempty"`
 }
+type Tailscale struct {
+ // Credentials contains the OAuth2 credentials for authenticating to the
+ // Tailscale network.
+ Credentials *common.Secret `json:"credentials,omitempty"`
+
+ // Tags is a comma-separated list of tags to impersonate.
+ Tags string `json:"tags,omitempty"`
+
+ // Version contains the version of Tailscale to install.
+ Version string `json:"version,omitempty"`
+}
+
 type Timoni struct {
 // Install contains whether to install Timoni in the CI environment.
 Install bool `json:"install,omitempty"`
diff --git a/lib/schema/blueprint/global/providers/main.cue b/lib/schema/blueprint/global/providers/main.cue
index cb435b8d..6fe143e0 100644
--- a/lib/schema/blueprint/global/providers/main.cue
+++ b/lib/schema/blueprint/global/providers/main.cue
@@ -22,6 +22,9 @@ package providers
 // KCL contains the configuration for the KCL provider.
 kcl?: #KCL
+ // Tailscale contains the configuration for the Tailscale provider.
+ tailscale?: #Tailscale
+
 // Timoni contains the configuration for the Timoni provider.
 timoni?: #Timoni
 }
diff --git a/lib/schema/blueprint/global/providers/tailscale.cue b/lib/schema/blueprint/global/providers/tailscale.cue
new file mode 100644
index 00000000..82328149
--- /dev/null
+++ b/lib/schema/blueprint/global/providers/tailscale.cue
@@ -0,0 +1,15 @@
+package providers
+
+import "github.com/input-output-hk/catalyst-forge/lib/schema/blueprint/common"
+
+#Tailscale: {
+ // Credentials contains the OAuth2 credentials for authenticating to the
+ // Tailscale network.
+ credentials?: common.#Secret
+
+ // Tags is a comma-separated list of tags to impersonate.
+ tags?: string
+
+ // Version contains the version of Tailscale to install.
+ version?: string
+}
From 3c75f41596a921bb1cb1b6e0536f36fafef0a734 Mon Sep 17 00:00:00 2001
From: Joshua Gilman
Date: Tue, 22 Jul 2025 14:25:35 -0700
Subject: [PATCH 2/9] wip: test
---
.github/workflows/ci.yml | 24 ++++++++++++------------
.github/workflows/deploy.yml | 8 ++++----
.github/workflows/docs.yml | 8 ++++----
.github/workflows/release.yml | 8 ++++----
.github/workflows/run.yml | 8 ++++----
5 files changed, 28 insertions(+), 28 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index edcdd36c..05bd3829 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -43,20 +43,20 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 - name: Install Forge
- uses: input-output-hk/catalyst-forge/actions/install@master
+ uses: input-output-hk/catalyst-forge/actions/install@adds-tailscale
 if: ${{ inputs.forge_version != 'local' }}
 with:
 version: ${{ inputs.forge_version }}
 - name: Install Local Forge
 id: install-local
- uses: input-output-hk/catalyst-forge/actions/install-local@master
+ uses: input-output-hk/catalyst-forge/actions/install-local@adds-tailscale
 if: ${{ inputs.forge_version == 'local' }}
 - name: Check forge version
 id: local
 run: |
 forge version
 - name: Setup CI
- uses: input-output-hk/catalyst-forge/actions/setup@master
+ uses: input-output-hk/catalyst-forge/actions/setup@adds-tailscale
 with:
 skip_docker: 'true'
 skip_github: 'true'
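Review bot: `tags?: string` in the new `#Tailscale` definition accepts any string, yet the value is passed unchanged to the `tags` input of `tailscale/github-action`, and blueprint.cue in patch 4 shows the expected shape is a `tag:`-prefixed ACL tag (`tags: "tag:cat-github"`); a regexp constraint such as `tags?: =~"^tag:[^,]+(,tag:[^,]+)*$"` would reject a malformed value at `forge dump` time instead of at Tailscale login. `version?: string` is similarly open, and the setup action substitutes `latest` only when the field is absent, which the schema comment could state: `// Version contains the version of Tailscale to install; the setup action uses "latest" when unset.`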
@@ -64,7 +64,7 @@ jobs: skip_earthly_satellite: ${{ inputs.forge_version == 'local' && steps.install-local.outputs.cache-hit == false }} - name: Discovery id: discovery - uses: input-output-hk/catalyst-forge/actions/discovery@master + uses: input-output-hk/catalyst-forge/actions/discovery@adds-tailscale with: filters: | ${{ env.FORGE_REGEX_CHECK }} @@ -76,7 +76,7 @@ jobs: ${{ env.FORGE_REGEX_PUBLISH }} ${{ env.FORGE_REGEX_NIGHTLY }} check: - uses: input-output-hk/catalyst-forge/.github/workflows/run.yml@master + uses: input-output-hk/catalyst-forge/.github/workflows/run.yml@adds-tailscale needs: [discover] if: (fromJson(needs.discover.outputs.earthfiles)['^check(-.*)?$'] != null) && !failure() && !cancelled() with: @@ -88,7 +88,7 @@ jobs: earthly_token: ${{ secrets.earthly_token }} build: - uses: input-output-hk/catalyst-forge/.github/workflows/run.yml@master + uses: input-output-hk/catalyst-forge/.github/workflows/run.yml@adds-tailscale needs: [discover, check] if: (fromJson(needs.discover.outputs.earthfiles)['^build(-.*)?$'] != null) && !failure() && !cancelled() with: @@ -100,7 +100,7 @@ jobs: earthly_token: ${{ secrets.earthly_token }} package: - uses: input-output-hk/catalyst-forge/.github/workflows/run.yml@master + uses: input-output-hk/catalyst-forge/.github/workflows/run.yml@adds-tailscale needs: [discover, check, build] if: (fromJson(needs.discover.outputs.earthfiles)['^package(-.*)?$'] != null) && !failure() && !cancelled() with: @@ -112,7 +112,7 @@ jobs: earthly_token: ${{ secrets.earthly_token }} test: - uses: input-output-hk/catalyst-forge/.github/workflows/run.yml@master + uses: input-output-hk/catalyst-forge/.github/workflows/run.yml@adds-tailscale needs: [discover, check, build, package] if: (fromJson(needs.discover.outputs.earthfiles)['^test(-.*)?$'] != null) && !failure() && !cancelled() with: 
@@ -124,7 +124,7 @@ jobs: earthly_token: ${{ secrets.earthly_token }} nightly: - uses: input-output-hk/catalyst-forge/.github/workflows/run.yml@master + uses: input-output-hk/catalyst-forge/.github/workflows/run.yml@adds-tailscale needs: [discover, check, build, package] if: (fromJson(needs.discover.outputs.earthfiles)['^nightly(-.*)?$'] != null) && !failure() && !cancelled() && inputs.nightly == true with: @@ -136,7 +136,7 @@ jobs: earthly_token: ${{ secrets.earthly_token }} docs: - uses: input-output-hk/catalyst-forge/.github/workflows/docs.yml@master + uses: input-output-hk/catalyst-forge/.github/workflows/docs.yml@adds-tailscale needs: [discover, check, build, test] if: (fromJson(needs.discover.outputs.earthfiles)['^docs(-.*)?$'] != null) && !failure() && !cancelled() with: @@ -146,7 +146,7 @@ jobs: earthly_token: ${{ secrets.earthly_token }} release: - uses: input-output-hk/catalyst-forge/.github/workflows/release.yml@master + uses: input-output-hk/catalyst-forge/.github/workflows/release.yml@adds-tailscale needs: [discover, check, build, test] if: (fromJson(needs.discover.outputs.releases)[0] != null) && !failure() && !cancelled() with: @@ -158,7 +158,7 @@ jobs: earthly_token: ${{ secrets.earthly_token }} deploy: - uses: input-output-hk/catalyst-forge/.github/workflows/deploy.yml@master + uses: input-output-hk/catalyst-forge/.github/workflows/deploy.yml@adds-tailscale needs: [discover, check, build, test, release] if: (fromJson(needs.discover.outputs.deployments)[0] != null) && !failure() && !cancelled() with: diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index a938df72..04652335 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml 
@@ -42,12 +42,12 @@ jobs: steps: - uses: actions/checkout@v4 - name: Install Forge - uses: input-output-hk/catalyst-forge/actions/install@master + uses: input-output-hk/catalyst-forge/actions/install@adds-tailscale if: ${{ inputs.forge_version != 'local' }} with: version: ${{ inputs.forge_version }} - name: Install Local Forge - uses: input-output-hk/catalyst-forge/actions/install-local@master + uses: input-output-hk/catalyst-forge/actions/install-local@adds-tailscale if: ${{ inputs.forge_version == 'local' }} with: earthly_token: ${{ secrets.earthly_token }} @@ -62,11 +62,11 @@ jobs: echo "skip=false" >> $GITHUB_OUTPUT fi - name: Setup CI - uses: input-output-hk/catalyst-forge/actions/setup@master + uses: input-output-hk/catalyst-forge/actions/setup@adds-tailscale with: skip_earthly: ${{ steps.local.outputs.skip }} - name: Deploy - uses: input-output-hk/catalyst-forge/actions/run@master + uses: input-output-hk/catalyst-forge/actions/run@adds-tailscale with: command: mod deploy args: ${{ matrix.deployment }} diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index 80361cee..caeaae8c 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -44,12 +44,12 @@ jobs: steps: - uses: actions/checkout@v4 - name: Install Forge - uses: input-output-hk/catalyst-forge/actions/install@master + uses: input-output-hk/catalyst-forge/actions/install@adds-tailscale if: ${{ inputs.forge_version != 'local' }} with: version: ${{ inputs.forge_version }} - name: Install Local Forge - uses: input-output-hk/catalyst-forge/actions/install-local@master + uses: input-output-hk/catalyst-forge/actions/install-local@adds-tailscale if: ${{ inputs.forge_version == 'local' }} with: earthly_token: ${{ secrets.earthly_token }} 
@@ -64,11 +64,11 @@ jobs: echo "skip=false" >> $GITHUB_OUTPUT fi - name: Setup CI - uses: input-output-hk/catalyst-forge/actions/setup@master + uses: input-output-hk/catalyst-forge/actions/setup@adds-tailscale with: skip_earthly: ${{ steps.local.outputs.skip }} - name: Run - uses: input-output-hk/catalyst-forge/actions/run@master + uses: input-output-hk/catalyst-forge/actions/run@adds-tailscale with: command: run args: --artifact ${{ env.OUTPUT }} ${{ matrix.earthfile }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 68f50458..5e640761 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -45,12 +45,12 @@ jobs: steps: - uses: actions/checkout@v4 - name: Install Forge - uses: input-output-hk/catalyst-forge/actions/install@master + uses: input-output-hk/catalyst-forge/actions/install@adds-tailscale if: ${{ inputs.forge_version != 'local' }} with: version: ${{ inputs.forge_version }} - name: Install Local Forge - uses: input-output-hk/catalyst-forge/actions/install-local@master + uses: input-output-hk/catalyst-forge/actions/install-local@adds-tailscale if: ${{ inputs.forge_version == 'local' }} with: earthly_token: ${{ secrets.earthly_token }} @@ -65,11 +65,11 @@ jobs: echo "skip=false" >> $GITHUB_OUTPUT fi - name: Setup CI - uses: input-output-hk/catalyst-forge/actions/setup@master + uses: input-output-hk/catalyst-forge/actions/setup@adds-tailscale with: skip_earthly: ${{ steps.local.outputs.skip }} - name: Release - uses: input-output-hk/catalyst-forge/actions/run@master + uses: input-output-hk/catalyst-forge/actions/run@adds-tailscale with: command: release args: ${{ matrix.release.project }} ${{ matrix.release.name }} diff --git a/.github/workflows/run.yml b/.github/workflows/run.yml index 7f367698..2663fea7 100644 --- a/.github/workflows/run.yml +++ b/.github/workflows/run.yml 
@@ -42,13 +42,13 @@ jobs: steps: - uses: actions/checkout@v4 - name: Install Forge - uses: input-output-hk/catalyst-forge/actions/install@master + uses: input-output-hk/catalyst-forge/actions/install@adds-tailscale if: ${{ inputs.forge_version != 'local' }} with: version: ${{ inputs.forge_version }} - name: Install Local Forge id: install-local - uses: input-output-hk/catalyst-forge/actions/install-local@master + uses: input-output-hk/catalyst-forge/actions/install-local@adds-tailscale if: ${{ inputs.forge_version == 'local' }} with: earthly_token: ${{ secrets.earthly_token }} @@ -57,12 +57,12 @@ jobs: run: | forge version - name: Setup CI - uses: input-output-hk/catalyst-forge/actions/setup@master + uses: input-output-hk/catalyst-forge/actions/setup@adds-tailscale with: skip_earthly_install: ${{ inputs.forge_version == 'local' && steps.install-local.outputs.cache-hit == false }} skip_earthly_satellite: ${{ inputs.forge_version == 'local' && steps.install-local.outputs.cache-hit == false }} - name: Run - uses: input-output-hk/catalyst-forge/actions/run@master + uses: input-output-hk/catalyst-forge/actions/run@adds-tailscale with: command: run args: ${{ matrix.earthfile }} From ac51fbb97157c78b2e32dcd5d87f2df1d3a8f1a4 Mon Sep 17 00:00:00 2001 From: Joshua Gilman Date: Tue, 22 Jul 2025 14:52:27 -0700 Subject: [PATCH 3/9] wip: wrap strings --- actions/setup/action.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/actions/setup/action.yml b/actions/setup/action.yml index ca513531..cd0284a3 100644 --- a/actions/setup/action.yml +++ b/actions/setup/action.yml 
@@ -323,8 +323,8 @@ runs:
 if: inputs.skip_tailscale == 'false' && steps.tailscale.outputs.configured == 'true'
 uses: tailscale/github-action@v3
 with:
- oauth-client-id: ${{ steps.tailscale.outputs.client_id }}
- oauth-secret: ${{ steps.tailscale.outputs.client_secret }}
- tags: ${{ steps.tailscale.outputs.tags }}
+ oauth-client-id: "${{ steps.tailscale.outputs.client_id }}"
+ oauth-secret: "${{ steps.tailscale.outputs.client_secret }}"
+ tags: "${{ steps.tailscale.outputs.tags }}"
 use-cache: "true"
- version: ${{ steps.tailscale.outputs.version }}
+ version: "${{ steps.tailscale.outputs.version }}"
From a2ebf1414aa6e4538dee27dff725259b615d6c1c Mon Sep 17 00:00:00 2001
From: Joshua Gilman
Date: Tue, 22 Jul 2025 15:16:24 -0700
Subject: [PATCH 4/9] wip: adds missing tag
---
actions/setup/action.yml | 8 ++++----
blueprint.cue | 1 +
2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/actions/setup/action.yml b/actions/setup/action.yml
index cd0284a3..0965bfdb 100644
--- a/actions/setup/action.yml
+++ b/actions/setup/action.yml
@@ -309,8 +309,8 @@ runs:
 echo "::add-mask::$CLIENT_ID"
 echo "::add-mask::$CLIENT_SECRET"
- echo "client_id=$CLIENT_ID" >> $GITHUB_OUTPUT
- echo "client_secret=$CLIENT_SECRET" >> $GITHUB_OUTPUT
+ echo "client-id=$CLIENT_ID" >> $GITHUB_OUTPUT
+ echo "client-secret=$CLIENT_SECRET" >> $GITHUB_OUTPUT
 echo "tags=$TAGS" >> $GITHUB_OUTPUT
 echo "version=$VERSION" >> $GITHUB_OUTPUT
 else
@@ -323,8 +323,8 @@ runs:
 if: inputs.skip_tailscale == 'false' && steps.tailscale.outputs.configured == 'true'
 uses: tailscale/github-action@v3
 with:
- oauth-client-id: "${{ steps.tailscale.outputs.client_id }}"
- oauth-secret: "${{ steps.tailscale.outputs.client_secret }}"
+ oauth-client-id: "${{ steps.tailscale.outputs.client-id }}"
+ oauth-secret: "${{ steps.tailscale.outputs.client-secret }}"
 tags: "${{ steps.tailscale.outputs.tags }}"
 use-cache: "true"
 version: "${{ steps.tailscale.outputs.version }}"
diff --git a/blueprint.cue b/blueprint.cue
index fbe48203..7455ad63 100644
--- a/blueprint.cue
+++ b/blueprint.cue
@@ -66,6 +66,7 @@ global: {
 provider: "aws"
 path: "global/ci/tailscale"
 }
+ tags: "tag:cat-github"
 version: "latest"
 }
 }
From 029e75193b6ff33001b16a3a4cffba4ea3ed95cf Mon Sep 17 00:00:00 2001
From: Joshua Gilman
Date: Tue, 22 Jul 2025 16:06:16 -0700
Subject: [PATCH 5/9] chore: updates README and local install action
---
actions/install-local/action.yml | 28 +++++++++++++++
actions/setup/README.md | 61 +++++++++++++++++++++++++-------
2 files changed, 77 insertions(+), 12 deletions(-)
diff --git a/actions/install-local/action.yml b/actions/install-local/action.yml
index 47c8f74b..cc4a9e87 100644
--- a/actions/install-local/action.yml
+++ b/actions/install-local/action.yml
@@ -72,6 +72,34 @@ runs:
 EOF
 echo "::add-mask::$(echo "$SECRET" | jq -r .SecretString | jq -r .host)"
+ - name: Get Tailscale configuration
+ if: steps.cache-binary.outputs.cache-hit == false
+ id: tailscale
+ shell: bash
+ run: |
+ TAILSCALE=$(cue export -e global.ci.providers.tailcsale ./blueprint.cue)
+ CREDS=$(cue export -e global.ci.providers.tailcsale.credentials ./blueprint.cue)
+ TAGS="$(echo $TAILSCALE | jq -r .tags)"
+ VERSION="$(echo $TAILSCALE | jq -r .version)"
+ CLIENT_ID="$(echo $CREDS | jq -r .client_id)"
+ CLIENT_SECRET="$(echo $CREDS | jq -r .client_secret)"
+
+ echo "::add-mask::$CLIENT_ID"
+ echo "::add-mask::$CLIENT_SECRET"
+
+ echo "client-id=$CLIENT_ID" >> $GITHUB_OUTPUT
+ echo "client-secret=$CLIENT_SECRET" >> $GITHUB_OUTPUT
+ echo "tags=$TAGS" >> $GITHUB_OUTPUT
+ echo "version=$VERSION" >> $GITHUB_OUTPUT
+ - name: Install and configure Tailscale
+ if: steps.cache-binary.outputs.cache-hit == false
+ uses: tailscale/github-action@v3
+ with:
+ oauth-client-id: "${{ steps.tailscale.outputs.client-id }}"
+ oauth-secret: "${{ steps.tailscale.outputs.client-secret }}"
+ tags: "${{ steps.tailscale.outputs.tags }}"
+ use-cache: "true"
+ version: "${{ steps.tailscale.outputs.version }}"
 - name: Build Forge CLI
 if: steps.cache-binary.outputs.cache-hit == false
 shell: bash
diff --git a/actions/setup/README.md b/actions/setup/README.md
index 7efacd6a..c17c0fc4 100644
--- a/actions/setup/README.md
+++ b/actions/setup/README.md
@@ -19,12 +19,11 @@ ci: {
 role: "arn:aws:iam::123456:role/ci"
 }
 earthly: {
- credentials: {
+ satellite: credentials: {
 provider: "aws"
 path: "path/to/secret"
 }
- org: "myorg"
- satellite: "sat"
+ version: "latest"
 }
 }
 }
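Review bot: `echo $TAILSCALE | jq` and `echo $CREDS | jq` (and `echo $SECRET | jq` in patches 7 and 8) expand the variables unquoted, so the exported JSON goes through word splitting and glob expansion before jq sees it; the equivalent step in actions/setup/action.yml quotes it as `echo "$BP" | jq`, and these lines should use `echo "$TAILSCALE"` / `echo "$CREDS"`. Unlike that setup step there is no "provider not configured" branch here: if `global.ci.providers.tailscale` is missing from blueprint.cue, `cue export -e` fails and the whole install-local action fails, which is presumably intended because this action only runs inside this repository, but a one-line comment above the step would make that explicit, e.g. `# blueprint.cue in this repo always defines the tailscale provider; a missing field is a hard error here`. Both new steps are gated on `steps.cache-binary.outputs.cache-hit == false`, so a cached binary skips joining the tailnet entirely; if the Tailscale connection is only needed for the build that is fine, but it is worth saying so in the step name or a comment.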
@@ -52,10 +51,32 @@ jobs:
 The action will then perform the following:
-1. Install the latest version of the Forge CLI
-2. Authenticate to AWS via OIDC
-3. Authenticate to Earthly Cloud using the credentials in the AWS Secrets Manager secret stored at `path/to/secret`
-4. Set the default Earthly Cloud organization to `myorg`
+1. **AWS Provider Setup** (if configured):
+ - Authenticate to AWS using OIDC with the configured role
+ - Login to Amazon ECR if a registry is specified
+
+2. **Docker Provider Setup** (if configured):
+ - Login to Docker Hub using credentials from the configured secret
+
+3. **GitHub Provider Setup** (if configured):
+ - Login to GitHub Container Registry (ghcr.io) using the GitHub token
+
+4. **Earthly Provider Setup** (if configured):
+ - Install Earthly CLI (latest or specified version)
+ - Configure remote Earthly satellite authentication if credentials are provided
+
+5. **Timoni Provider Setup** (if configured):
+ - Install Timoni CLI with the specified version
+
+6. **CUE Provider Setup** (if configured):
+ - Install CUE CLI with the specified version
+
+7. **KCL Provider Setup** (if configured):
+ - Install KCL CLI with the specified version
+
+8. **Tailscale Provider Setup** (if configured):
+ - Install and configure Tailscale using OAuth2 credentials
+ - Apply specified tags to the Tailscale node
 ### Configuring Providers
@@ -70,7 +91,15 @@ The below list documents the expected format for each provider:
 - `username`: The username to login with
 - `password`: The password to login with
 1. Earthly
- - `token`: The Earthly Cloud token to login with
+ - `ca_certificate`: Base64-encoded string containing the common CA certificate for mTLS
+ - `certificate`: Base64 encoded string containing the (signed) client certificate used to authenticate with the satellite
+ - `private_key`: Base64 encoded string containing the private key used to authenticate with the satellite
+ - `host`: The address of the remote satellite in the form of `tcp://hostname:8372`
+1. Tailscale
+ - `client_id`: The OAuth2 client ID used to authenticate with the Tailscale API
+ - `client_secret`: The OAuth2 secret key used to authenticate with the Tailscale API
+1. GitHub
+ - `token`: The access token used to authenticate with GitHub
 If the secret uses a different format, the `maps` field of the secret can be used to map them correctly:
@@ -103,7 +132,15 @@ Note that this _only_ works when run within the Catalyst Forge repository.
 ## Inputs
-| Name | Description | Required | Default |
-| ------------- | ---------------------------------------- | -------- | ----------------------- |
-| forge_version | The version of the forge CLI to install | No | `"latest"` |
-| github_token | The GitHub token used for authentication | No | `"${{ github.token }}"` |
\ No newline at end of file
+| Name | Description | Required | Default |
+| ---------------------- | -------------------------------------------------------------------- | -------- | ----------------------- |
+| github_token | The GitHub token used for authentication | No | `"${{ github.token }}"` |
+| skip_aws | If true, skip authenticating with AWS and configuring ECR | No | `"false"` |
+| skip_cue | If true, skips installing CUE CLI if the provider is configured | No | `"false"` |
+| skip_docker | If true, skip authenticating to DockerHub | No | `"false"` |
+| skip_earthly_install | If true, skip installing Earthly | No | `"false"` |
+| skip_earthly_satellite | If true, skip adding authentication for the remote Earthly satellite | No | `"false"` |
+| skip_github | If true, skip authenticating to GitHub Container Registry | No | `"false"` |
+| skip_kcl | If true, skips installing KCL CLI if the provider is configured | No | `"false"` |
+| skip_tailscale | If true, skips installing and authenticating with skip_tailscale | No | `"false"` |
+| skip_timoni | If true, skips installing Timoni CLI if the provider is configured | No | `"false"` |
\ No newline at end of file
From ffc677e6609c69ba605b8b8a0e09cb18ae0232ea Mon Sep 17 00:00:00 2001
From: Joshua Gilman
Date: Tue, 22 Jul 2025 16:07:17 -0700
Subject: [PATCH 6/9] wip: fixes typo
---
actions/install-local/action.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/actions/install-local/action.yml b/actions/install-local/action.yml
index cc4a9e87..9da5bc37 100644
--- a/actions/install-local/action.yml
+++ b/actions/install-local/action.yml
@@ -77,8 +77,8 @@ runs:
 id: tailscale
 shell: bash
 run: |
- TAILSCALE=$(cue export -e global.ci.providers.tailcsale ./blueprint.cue)
- CREDS=$(cue export -e global.ci.providers.tailcsale.credentials ./blueprint.cue)
+ TAILSCALE=$(cue export -e global.ci.providers.tailscale ./blueprint.cue)
+ CREDS=$(cue export -e global.ci.providers.tailscale.credentials ./blueprint.cue)
 TAGS="$(echo $TAILSCALE | jq -r .tags)"
 VERSION="$(echo $TAILSCALE | jq -r .version)"
 CLIENT_ID="$(echo $CREDS | jq -r .client_id)"
From f566062fa2d378be831e1b650ef7d6f0dc1e0c0a Mon Sep 17 00:00:00 2001
From: Joshua Gilman
Date: Tue, 22 Jul 2025 16:10:32 -0700
Subject: [PATCH 7/9] wip: fix
---
actions/install-local/action.yml | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/actions/install-local/action.yml b/actions/install-local/action.yml
index 9da5bc37..98936f48 100644
--- a/actions/install-local/action.yml
+++ b/actions/install-local/action.yml
@@ -79,10 +79,13 @@ runs:
 run: |
 TAILSCALE=$(cue export -e global.ci.providers.tailscale ./blueprint.cue)
 CREDS=$(cue export -e global.ci.providers.tailscale.credentials ./blueprint.cue)
+ SECRET_ID=$(echo "$CREDS" | jq -r .path)
+ SECRET=$(aws secretsmanager get-secret-value --secret-id "$SECRET_ID")
+
 TAGS="$(echo $TAILSCALE | jq -r .tags)"
 VERSION="$(echo $TAILSCALE | jq -r .version)"
- CLIENT_ID="$(echo $CREDS | jq -r .client_id)"
- CLIENT_SECRET="$(echo $CREDS | jq -r .client_secret)"
+ CLIENT_ID="$(echo $SECRET | jq -r .client_id)"
+ CLIENT_SECRET="$(echo $SECRET | jq -r .client_secret)"
 echo "::add-mask::$CLIENT_ID"
 echo "::add-mask::$CLIENT_SECRET"
From 5607c75e8eb1db956dff1e30e9b036236133fc1a Mon Sep 17 00:00:00 2001
From: Joshua Gilman
Date: Tue, 22 Jul 2025 16:11:22 -0700
Subject: [PATCH 8/9] wip: fix
---
actions/install-local/action.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
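Review bot: `SECRET_ID=$(echo "$CREDS" | jq -r .path)` followed by `aws secretsmanager get-secret-value` hard-codes AWS Secrets Manager as the backend and ignores the `provider` field of the credentials block, whereas the setup action resolves the same block through `forge secret get`, which presumably honours it. That is likely deliberate because the Forge CLI is not built yet at this point in install-local, but it deserves a comment on the `SECRET=` line: `# forge is not built yet, so read the secret from AWS directly (assumes credentials.provider == "aws")`. `$SECRET` now holds the full Secrets Manager response including the plaintext `SecretString`, and `echo $SECRET | jq` on the changed lines is unquoted like the `echo $TAILSCALE` lines above it; `echo "$SECRET"` is the safer form. The enclosing run block starts and ends outside the hunk.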
diff --git a/actions/install-local/action.yml b/actions/install-local/action.yml
index 98936f48..cdc29c69 100644
--- a/actions/install-local/action.yml
+++ b/actions/install-local/action.yml
@@ -84,8 +84,8 @@ runs:
 TAGS="$(echo $TAILSCALE | jq -r .tags)"
 VERSION="$(echo $TAILSCALE | jq -r .version)"
- CLIENT_ID="$(echo $SECRET | jq -r .client_id)"
- CLIENT_SECRET="$(echo $SECRET | jq -r .client_secret)"
+ CLIENT_ID="$(echo $SECRET | jq -r .SecretString | jq -r .client_id)"
+ CLIENT_SECRET="$(echo $SECRET | jq -r .SecretString | jq -r .client_secret)"
 echo "::add-mask::$CLIENT_ID"
 echo "::add-mask::$CLIENT_SECRET"
From 8afa0c9e58099d801f678d1d48e0f06c45a794a6 Mon Sep 17 00:00:00 2001
From: Joshua Gilman
Date: Tue, 22 Jul 2025 16:21:45 -0700
Subject: [PATCH 9/9] wip: cleanup
---
.github/workflows/ci.yml | 24 ++++++++++++------------
.github/workflows/deploy.yml | 8 ++++----
.github/workflows/docs.yml | 8 ++++----
.github/workflows/release.yml | 8 ++++----
.github/workflows/run.yml | 8 ++++----
5 files changed, 28 insertions(+), 28 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 05bd3829..edcdd36c 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
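Review bot: The `SecretString` envelope is decoded twice, once per field, on the two changed lines; asking the CLI for it once keeps the plaintext in a single variable and drops one `jq` per field: change the `SECRET=` line above the hunk (added in patch 7) to `SECRET=$(aws secretsmanager get-secret-value --secret-id "$SECRET_ID" --query SecretString --output text)`, and the two assignments to `CLIENT_ID="$(echo "$SECRET" | jq -r .client_id)"` and `CLIENT_SECRET="$(echo "$SECRET" | jq -r .client_secret)"`. This is partly taste, since the existing Earthly masking line earlier in this file uses the same double-`jq` form, but either way the `$SECRET` expansion should be quoted. The enclosing run block starts and ends outside the hunk.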
@@ -43,20 +43,20 @@ jobs: steps: - uses: actions/checkout@v4 - name: Install Forge - uses: input-output-hk/catalyst-forge/actions/install@adds-tailscale + uses: input-output-hk/catalyst-forge/actions/install@master if: ${{ inputs.forge_version != 'local' }} with: version: ${{ inputs.forge_version }} - name: Install Local Forge id: install-local - uses: input-output-hk/catalyst-forge/actions/install-local@adds-tailscale + uses: input-output-hk/catalyst-forge/actions/install-local@master if: ${{ inputs.forge_version == 'local' }} - name: Check forge version id: local run: | forge version - name: Setup CI - uses: input-output-hk/catalyst-forge/actions/setup@adds-tailscale + uses: input-output-hk/catalyst-forge/actions/setup@master with: skip_docker: 'true' skip_github: 'true' @@ -64,7 +64,7 @@ jobs: skip_earthly_satellite: ${{ inputs.forge_version == 'local' && steps.install-local.outputs.cache-hit == false }} - name: Discovery id: discovery - uses: input-output-hk/catalyst-forge/actions/discovery@adds-tailscale + uses: input-output-hk/catalyst-forge/actions/discovery@master with: filters: | ${{ env.FORGE_REGEX_CHECK }} @@ -76,7 +76,7 @@ jobs: ${{ env.FORGE_REGEX_PUBLISH }} ${{ env.FORGE_REGEX_NIGHTLY }} check: - uses: input-output-hk/catalyst-forge/.github/workflows/run.yml@adds-tailscale + uses: input-output-hk/catalyst-forge/.github/workflows/run.yml@master needs: [discover] if: (fromJson(needs.discover.outputs.earthfiles)['^check(-.*)?$'] != null) && !failure() && !cancelled() with: @@ -88,7 +88,7 @@ jobs: earthly_token: ${{ secrets.earthly_token }} build: - uses: input-output-hk/catalyst-forge/.github/workflows/run.yml@adds-tailscale + uses: input-output-hk/catalyst-forge/.github/workflows/run.yml@master needs: [discover, check] if: (fromJson(needs.discover.outputs.earthfiles)['^build(-.*)?$'] != null) && !failure() && !cancelled() with: 
@@ -100,7 +100,7 @@ jobs: earthly_token: ${{ secrets.earthly_token }} package: - uses: input-output-hk/catalyst-forge/.github/workflows/run.yml@adds-tailscale + uses: input-output-hk/catalyst-forge/.github/workflows/run.yml@master needs: [discover, check, build] if: (fromJson(needs.discover.outputs.earthfiles)['^package(-.*)?$'] != null) && !failure() && !cancelled() with: @@ -112,7 +112,7 @@ jobs: earthly_token: ${{ secrets.earthly_token }} test: - uses: input-output-hk/catalyst-forge/.github/workflows/run.yml@adds-tailscale + uses: input-output-hk/catalyst-forge/.github/workflows/run.yml@master needs: [discover, check, build, package] if: (fromJson(needs.discover.outputs.earthfiles)['^test(-.*)?$'] != null) && !failure() && !cancelled() with: @@ -124,7 +124,7 @@ jobs: earthly_token: ${{ secrets.earthly_token }} nightly: - uses: input-output-hk/catalyst-forge/.github/workflows/run.yml@adds-tailscale + uses: input-output-hk/catalyst-forge/.github/workflows/run.yml@master needs: [discover, check, build, package] if: (fromJson(needs.discover.outputs.earthfiles)['^nightly(-.*)?$'] != null) && !failure() && !cancelled() && inputs.nightly == true with: @@ -136,7 +136,7 @@ jobs: earthly_token: ${{ secrets.earthly_token }} docs: - uses: input-output-hk/catalyst-forge/.github/workflows/docs.yml@adds-tailscale + uses: input-output-hk/catalyst-forge/.github/workflows/docs.yml@master needs: [discover, check, build, test] if: (fromJson(needs.discover.outputs.earthfiles)['^docs(-.*)?$'] != null) && !failure() && !cancelled() with: @@ -146,7 +146,7 @@ jobs: earthly_token: ${{ secrets.earthly_token }} release: - uses: input-output-hk/catalyst-forge/.github/workflows/release.yml@adds-tailscale + uses: input-output-hk/catalyst-forge/.github/workflows/release.yml@master needs: [discover, check, build, test] if: (fromJson(needs.discover.outputs.releases)[0] != null) && !failure() && !cancelled() with: 
@@ -158,7 +158,7 @@ jobs: earthly_token: ${{ secrets.earthly_token }} deploy: - uses: input-output-hk/catalyst-forge/.github/workflows/deploy.yml@adds-tailscale + uses: input-output-hk/catalyst-forge/.github/workflows/deploy.yml@master needs: [discover, check, build, test, release] if: (fromJson(needs.discover.outputs.deployments)[0] != null) && !failure() && !cancelled() with: diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 04652335..a938df72 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -42,12 +42,12 @@ jobs: steps: - uses: actions/checkout@v4 - name: Install Forge - uses: input-output-hk/catalyst-forge/actions/install@adds-tailscale + uses: input-output-hk/catalyst-forge/actions/install@master if: ${{ inputs.forge_version != 'local' }} with: version: ${{ inputs.forge_version }} - name: Install Local Forge - uses: input-output-hk/catalyst-forge/actions/install-local@adds-tailscale + uses: input-output-hk/catalyst-forge/actions/install-local@master if: ${{ inputs.forge_version == 'local' }} with: earthly_token: ${{ secrets.earthly_token }} @@ -62,11 +62,11 @@ jobs: echo "skip=false" >> $GITHUB_OUTPUT fi - name: Setup CI - uses: input-output-hk/catalyst-forge/actions/setup@adds-tailscale + uses: input-output-hk/catalyst-forge/actions/setup@master with: skip_earthly: ${{ steps.local.outputs.skip }} - name: Deploy - uses: input-output-hk/catalyst-forge/actions/run@adds-tailscale + uses: input-output-hk/catalyst-forge/actions/run@master with: command: mod deploy args: ${{ matrix.deployment }} diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index caeaae8c..80361cee 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml 
@@ -44,12 +44,12 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 - name: Install Forge
- uses: input-output-hk/catalyst-forge/actions/install@adds-tailscale
+ uses: input-output-hk/catalyst-forge/actions/install@master
 if: ${{ inputs.forge_version != 'local' }}
 with:
 version: ${{ inputs.forge_version }}
 - name: Install Local Forge
- uses: input-output-hk/catalyst-forge/actions/install-local@adds-tailscale
+ uses: input-output-hk/catalyst-forge/actions/install-local@master
 if: ${{ inputs.forge_version == 'local' }}
 with:
 earthly_token: ${{ secrets.earthly_token }}
@@ -64,11 +64,11 @@ jobs:
 echo "skip=false" >> $GITHUB_OUTPUT
 fi
 - name: Setup CI
- uses: input-output-hk/catalyst-forge/actions/setup@adds-tailscale
+ uses: input-output-hk/catalyst-forge/actions/setup@master
 with:
 skip_earthly: ${{ steps.local.outputs.skip }}
 - name: Run
- uses: input-output-hk/catalyst-forge/actions/run@adds-tailscale
+ uses: input-output-hk/catalyst-forge/actions/run@master
 with:
 command: run
 args: --artifact ${{ env.OUTPUT }} ${{ matrix.earthfile }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5e640761..68f50458 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -45,12 +45,12 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 - name: Install Forge
- uses: input-output-hk/catalyst-forge/actions/install@adds-tailscale
+ uses: input-output-hk/catalyst-forge/actions/install@master
 if: ${{ inputs.forge_version != 'local' }}
 with:
 version: ${{ inputs.forge_version }}
 - name: Install Local Forge
- uses: input-output-hk/catalyst-forge/actions/install-local@adds-tailscale
+ uses: input-output-hk/catalyst-forge/actions/install-local@master
 if: ${{ inputs.forge_version == 'local' }}
 with:
 earthly_token: ${{ secrets.earthly_token }}
@@ -65,11 +65,11 @@ jobs:
 echo "skip=false" >> $GITHUB_OUTPUT
 fi
 - name: Setup CI
- uses: input-output-hk/catalyst-forge/actions/setup@adds-tailscale
+ uses: input-output-hk/catalyst-forge/actions/setup@master
 with:
 skip_earthly: ${{ steps.local.outputs.skip }}
 - name: Release
- uses: input-output-hk/catalyst-forge/actions/run@adds-tailscale
+ uses: input-output-hk/catalyst-forge/actions/run@master
 with:
 command: release
 args: ${{ matrix.release.project }} ${{ matrix.release.name }}
diff --git a/.github/workflows/run.yml b/.github/workflows/run.yml
index 2663fea7..7f367698 100644
--- a/.github/workflows/run.yml
+++ b/.github/workflows/run.yml
@@ -42,13 +42,13 @@ jobs:
 steps:
 - uses: actions/checkout@v4
 - name: Install Forge
- uses: input-output-hk/catalyst-forge/actions/install@adds-tailscale
+ uses: input-output-hk/catalyst-forge/actions/install@master
 if: ${{ inputs.forge_version != 'local' }}
 with:
 version: ${{ inputs.forge_version }}
 - name: Install Local Forge
 id: install-local
- uses: input-output-hk/catalyst-forge/actions/install-local@adds-tailscale
+ uses: input-output-hk/catalyst-forge/actions/install-local@master
 if: ${{ inputs.forge_version == 'local' }}
 with:
 earthly_token: ${{ secrets.earthly_token }}
@@ -57,12 +57,12 @@ jobs:
 run: |
 forge version
 - name: Setup CI
- uses: input-output-hk/catalyst-forge/actions/setup@adds-tailscale
+ uses: input-output-hk/catalyst-forge/actions/setup@master
 with:
 skip_earthly_install: ${{ inputs.forge_version == 'local' && steps.install-local.outputs.cache-hit == false }}
 skip_earthly_satellite: ${{ inputs.forge_version == 'local' && steps.install-local.outputs.cache-hit == false }}
 - name: Run
- uses: input-output-hk/catalyst-forge/actions/run@adds-tailscale
+ uses: input-output-hk/catalyst-forge/actions/run@master
 with:
 command: run
 args: ${{ matrix.earthfile }}
