feat(DEV-1582): New fetch-github-token-js action #8
Open
chrisnavar wants to merge 42 commits into main from new-js-action
Changes from 25 commits
de2338e Add fetch-github-token-js GitHub Action (chrisnavar)
83e837a Refactor Vault authentication to use axios and JWT (chrisnavar)
035f375 Add token revoke post step to GitHub Action (chrisnavar)
192e6ff Remove Vault token handling from GitHub token scripts (chrisnavar)
cf0bfb8 Add success log after GitHub token revocation (chrisnavar)
3246d65 Create README.md (chrisnavar)
ed93ec3 Update README.md (chrisnavar)
e5e29bb Refactor token revoke logic and update node version (chrisnavar)
7807607 Update README.md (chrisnavar)
667675a Update fetch-github-token-js/README.md (chrisnavar)
ea4733b Merge branch 'new-js-action' of https://github.com/elastic/ci-gh-acti… (chrisnavar)
c1056e0 Update dependencies and Node.js engine requirements (chrisnavar)
e5210b2 Add GitHub Actions context and Octokit integration (chrisnavar)
39b11be Update workflow context to use workflow instead of workflow_ref (chrisnavar)
037bf17 Remove unused GitHub Actions dependencies (chrisnavar)
eb34f01 Update Vault login and GitHub API usage (chrisnavar)
1d29950 Remove Octokit usage and verify token with gh CLI (chrisnavar)
3c9072f Replace gh CLI token verification with Octokit API call (chrisnavar)
72e4b17 Fix Octokit usage for authenticated requests (chrisnavar)
16749d4 Rename revoke input to skip-token-revoke (chrisnavar)
b5cd626 Add unit test workflow and improve token fetch action (chrisnavar)
6186847 Switch to fetch API and update Vault token handling (chrisnavar)
56932bf Remove unused dist chunk files and update build (chrisnavar)
7658798 Remove axios request for Vault token fetch (chrisnavar)
547b732 Run tests for all package directories in workflow (chrisnavar)
1e2b853 Refactor build output for ESM compatibility (chrisnavar)
16d6bdb Update run-unit-tests.yml (chrisnavar)
88e8032 Update run-unit-tests.yml (chrisnavar)
ff3085f Update run-unit-tests.yml (chrisnavar)
a9fac27 Update run-unit-tests.yml (chrisnavar)
114c799 Migrate fetch-github-token-js to fetch-github-token (chrisnavar)
eb41789 Update README.md (chrisnavar)
b9fecf6 Update README.md (chrisnavar)
6a1085b Update test-fetch_token.yaml (chrisnavar)
fdab423 Change default for skip-token-revoke to false (chrisnavar)
b46cf9f Refactor Vault GitHub token action for modularity (chrisnavar)
b0694b8 Mask GitHub token using core.setSecret (chrisnavar)
c3679c0 Refactor fetch-github-token to composite action (chrisnavar)
e629d1c Update token revoke step path and add README (chrisnavar)
4af4f53 Update with-post-step action reference (chrisnavar)
ad2f174 Update action.yml (chrisnavar)
19a5ec6 Update action.yml (chrisnavar)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,25 @@ | ||
| name: Run Unit Tests | ||
|
|
||
| on: | ||
| pull_request: | ||
| branches: | ||
| - main | ||
|
|
||
| jobs: | ||
| test: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - name: Set up Node.js | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: '24' | ||
| - name: Find and test all packages | ||
| run: | | ||
| for dir in $(find . -type f -name package.json -exec dirname {} \;); do | ||
| echo "Testing in $dir" | ||
| cd $dir | ||
| npm install | ||
| npm test | ||
| cd - | ||
| done |
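Review bot: In the `Find and test all packages` step, `npm install` re-resolves dependencies on every pull request run; assuming each package commits a lockfile, use `npm ci` so the job installs exactly what the lockfile pins and fails when it disagrees with package.json. In the same loop, `for dir in $(find ...)` and `cd $dir` are unquoted, so a directory name containing whitespace is split into several words; quote it as `cd "$dir"` and read the paths with `find ... -print0 | while IFS= read -r -d '' dir`. The workflow also declares no `permissions:` key; it only checks out and runs tests, so a top-level `permissions:` with `contents: read` would hold the job token to what the job needs.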
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| # <!--name-->Get Ephemeral GitHub Token from CI Vault<!--/name--> | ||
|
||
|
|
||
| [](https://github.com/search?q=elastic%2Foblt-actions%2Ffetch-github-token-js+%28path%3A.github%2Fworkflows+OR+path%3A**%2Faction.yml+OR+path%3A**%2Faction.yaml%29&type=code) | ||
| [](https://github.com/elastic/ci-gh-actions/actions/workflows/fetch-github-token-js.yml) | ||
|
|
||
| <!--description--> | ||
| Fetch an ephemeral GitHub token from Vault using OIDC authentication | ||
| <!--/description--> | ||
| ## Inputs | ||
| <!--inputs--> | ||
| | Name | Description | Required | Default | | ||
| |---------------------|------------------------------------------------------------------------------------------------------------------------------------|----------|---------| | ||
| | `vault-instance` | Vault instance to connect to (ci-prod or ci-dev) | `true` | ` ` | | ||
| | `vault-role` | Vault role to assume for GitHub token retrieval. If not provided, it will be generated based on the workflow ref of the GH Action. | `false` | ` ` | | ||
| | `skip-token-revoke` | If true, skip revoking the GitHub token on exit | `false` | `true` | | ||
| <!--/inputs--> | ||
| ## Outputs | ||
| <!--outputs--> | ||
| | Name | Description | | ||
| |---------|---------------------------------------| | ||
| | `token` | GitHub App installation access token. | | ||
| <!--/outputs--> | ||
| ## Usage | ||
| <!--usage action="elastic/ci-gh-actions**" version="env:VERSION"--> | ||
| ```yaml | ||
| permissions: | ||
| id-token: write | ||
| steps: | ||
| - uses: elastic/ci-gh-actions/fetch-github-token-js@v1 | ||
| id: fetch-token | ||
| with: | ||
| vault-instance: "ci-prod" | ||
|
|
||
| - uses: .. | ||
| with: | ||
| github-token: ${{ steps.fetch-token.outputs.token }} | ||
| ``` | ||
| <!--/usage--> | ||
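Review bot: The first badge link searches for `elastic/oblt-actions/fetch-github-token-js`, while the second badge and the Usage block reference `elastic/ci-gh-actions`, so the usage search will not find callers of this action; point it at the same repository path as the `uses:` line. Both badge links also have empty link text (`[](...)`), so nothing renders for them. In the Inputs table, `skip-token-revoke` is documented with default `true`, which reads as revocation being off unless the caller opts in; if that is intended the description should say so explicitly, and otherwise the table needs to follow whatever default the action definition settles on.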
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| name: Get Ephemeral GitHub Token from CI Vault | ||
| description: 'Fetch an ephemeral GitHub token from Vault using OIDC authentication' | ||
| inputs: | ||
| vault-instance: | ||
| description: 'Vault instance to connect to (ci-prod or ci-dev)' | ||
| required: true | ||
| vault-role: | ||
| description: 'Vault role to assume for GitHub token retrieval. If not provided, it will be generated based on the workflow ref of the GH Action.' | ||
| required: false | ||
| default: '' | ||
| skip-token-revoke: | ||
|
||
| description: 'If true, skip revoking the GitHub token on exit' | ||
| required: false | ||
| default: 'true' | ||
|
||
| outputs: | ||
| token: | ||
| description: GitHub App installation access token. | ||
| runs: | ||
| using: 'node24' | ||
| main: 'dist/main.js' | ||
| post: 'dist/revoke.js' | ||
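Review bot: `skip-token-revoke` is declared with `default: 'true'`, so the `post: 'dist/revoke.js'` step under `runs:` skips revocation unless a caller overrides the input, and the issued token outlives the job by default. Set `default: 'false'` so that revoking on exit is the out-of-the-box behaviour and skipping it is an explicit opt-in. The `vault-instance` description lists two accepted values (`ci-prod` or `ci-dev`); nothing in this file enforces that, so the entry point should reject any other value before contacting Vault.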
From the user's point of view, I think this should keep the same name as previously; it's a new feature, so `v1.1.0` could be the semver here.
Do you mean replacing the other old GH action with this one, but reflecting like only an upgrade from the user's POV?
Edit: Never mind, just seen that part on the more general comment about adding it to the existing GH Action.
Moved fetch-github-token-js to the currently existing folder fetch-github-token to replace the old action once this is merged and a new release is out with the new minor upgrade.