actions/auth
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

feat: add retries (#181)

Browse Source
This commit is contained in:
Mike Verbanic 2022-05-23 15:17:21 -04:00 committed by GitHub
parent 10d8e00a99
commit 95a6bc2a27
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 398 additions and 344 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
.github/workflows/test.yml vendored
View File

@ -34,7 +34,6 @@ jobs:
- name: 'npm test' - name: 'npm test'
run: 'npm run test' run: 'npm run test'
credentials_json: credentials_json:
if: ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name }} if: ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name }}
name: 'credentials_json' name: 'credentials_json'
@ -99,6 +98,14 @@ jobs:
id_token_audience: 'https://secretmanager.googleapis.com/' id_token_audience: 'https://secretmanager.googleapis.com/'
id_token_include_email: true id_token_include_email: true
- id: 'auth-sa-retries'
name: 'auth-sa-retries'
uses: './'
with:
retries: '2'
backoff: '200'
backoff_limit: '1000'
credentials_json: '${{ secrets.AUTH_SA_KEY_JSON }}'
workload_identity_federation: workload_identity_federation:
if: ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name }} if: ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name }}
@ -170,6 +177,16 @@ jobs:
id_token_audience: 'https://secretmanager.googleapis.com/' id_token_audience: 'https://secretmanager.googleapis.com/'
id_token_include_email: true id_token_include_email: true
- id: 'auth-wif-retries'
name: 'auth-wif-retries'
uses: './'
with:
retries: '2'
backoff: '200'
backoff_limit: '1000'
workload_identity_provider: '${{ secrets.WIF_PROVIDER_NAME }}'
service_account: '${{ secrets.OIDC_AUTH_SA_EMAIL }}'
# This test ensures that the GOOGLE_APPLICATION_CREDENTIALS environment # This test ensures that the GOOGLE_APPLICATION_CREDENTIALS environment
# variable is shared with the container and that the path of the file is on # variable is shared with the container and that the path of the file is on
# the shared filesystem with the container and that the USER for the container # the shared filesystem with the container and that the USER for the container

18
action.yml
View File

@ -124,6 +124,24 @@ inputs:
default: '' default: ''
required: false required: false
# retries
retries:
description: |-
Number of times to retry a failed authentication attempt. This is useful
for automated pipelines that may execute before IAM permissions are fully propogated.
default: '0'
required: false
backoff:
description: |-
Delay time before trying another authentication attempt. This
is implemented using a fibonacci backoff method (e.g. 1-1-2-3-5).
This value defaults to 100 milliseconds when retries are greater than 0.
required: false
backoff_limit:
description: |-
Limits the retry backoff to the specified value.
required: false
# id token params # id token params
id_token_audience: id_token_audience:
description: |- description: |-

2
dist/main/index.js vendored
View File

File diff suppressed because one or more lines are too long

2
dist/post/index.js vendored
View File

File diff suppressed because one or more lines are too long

14
package-lock.json generated
View File

@ -10,7 +10,7 @@
"license": "Apache-2.0", "license": "Apache-2.0",
"dependencies": { "dependencies": {
"@actions/core": "^1.7.0", "@actions/core": "^1.7.0",
"@google-github-actions/actions-utils": "^0.3.0" "@google-github-actions/actions-utils": "^0.4.0"
}, },
"devDependencies": { "devDependencies": {
"@types/chai": "^4.3.1", "@types/chai": "^4.3.1",
@ -87,9 +87,9 @@
} }
}, },
"node_modules/@google-github-actions/actions-utils": { "node_modules/@google-github-actions/actions-utils": {
"version": "0.3.0", "version": "0.4.0",
"resolved": "https://registry.npmjs.org/@google-github-actions/actions-utils/-/actions-utils-0.3.0.tgz", "resolved": "https://registry.npmjs.org/@google-github-actions/actions-utils/-/actions-utils-0.4.0.tgz",
"integrity": "sha512-zl6/NDnxhB+22E5wZghMnzR0onUNqJFagGtA13wlaADzO1Cb3K1MgTk/U2mPiNlBtyaMlF5XkBGLLhwX+wS2qA==", "integrity": "sha512-s2ev2a3WwLg0LWPIi5b9zcaf+jTUkVrQi/iGbQAwX+l0veYsPT1wu9mWV2pZxHfGfxenCjsTw4wSnl9RTJ7ytA==",
"dependencies": { "dependencies": {
"yaml": "^2.0.1" "yaml": "^2.0.1"
} }
@ -2462,9 +2462,9 @@
} }
}, },
"@google-github-actions/actions-utils": { "@google-github-actions/actions-utils": {
"version": "0.3.0", "version": "0.4.0",
"resolved": "https://registry.npmjs.org/@google-github-actions/actions-utils/-/actions-utils-0.3.0.tgz", "resolved": "https://registry.npmjs.org/@google-github-actions/actions-utils/-/actions-utils-0.4.0.tgz",
"integrity": "sha512-zl6/NDnxhB+22E5wZghMnzR0onUNqJFagGtA13wlaADzO1Cb3K1MgTk/U2mPiNlBtyaMlF5XkBGLLhwX+wS2qA==", "integrity": "sha512-s2ev2a3WwLg0LWPIi5b9zcaf+jTUkVrQi/iGbQAwX+l0veYsPT1wu9mWV2pZxHfGfxenCjsTw4wSnl9RTJ7ytA==",
"requires": { "requires": {
"yaml": "^2.0.1" "yaml": "^2.0.1"
} }

2
package.json
View File

@ -24,7 +24,7 @@
"license": "Apache-2.0", "license": "Apache-2.0",
"dependencies": { "dependencies": {
"@actions/core": "^1.7.0", "@actions/core": "^1.7.0",
"@google-github-actions/actions-utils": "^0.3.0" "@google-github-actions/actions-utils": "^0.4.0"
}, },
"devDependencies": { "devDependencies": {
"@types/chai": "^4.3.1", "@types/chai": "^4.3.1",

33
src/main.ts
View File

@ -22,6 +22,7 @@ import {
parseCSV, parseCSV,
parseDuration, parseDuration,
pinnedToHeadWarning, pinnedToHeadWarning,
withRetries,
} from '@google-github-actions/actions-utils'; } from '@google-github-actions/actions-utils';
import { WorkloadIdentityClient } from './client/workload_identity_client'; import { WorkloadIdentityClient } from './client/workload_identity_client';
@ -42,7 +43,7 @@ const oidcWarning =
`run from a fork. For more information, please see https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token`; `run from a fork. For more information, please see https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token`;
/** /**
* Executes the main action, documented inline. * Executes the main action.
*/ */
async function run(): Promise<void> { async function run(): Promise<void> {
// Warn if pinned to HEAD // Warn if pinned to HEAD
@ -50,13 +51,35 @@ async function run(): Promise<void> {
logWarning(pinnedToHeadWarning('v0')); logWarning(pinnedToHeadWarning('v0'));
} }
const retries = Number(getInput('retries'));
// set to undefined when not provided [avoids Number('') -> 0]
const backoff = Number(getInput('backoff')) || undefined;
const backoffLimit = Number(getInput('backoff_limit')) || undefined;
try { try {
const mainWithRetries = withRetries(main, {
retries: retries,
backoff: backoff,
backoffLimit: backoffLimit,
});
await mainWithRetries();
} catch (err) {
const msg = errorMessage(err);
setFailed(`google-github-actions/auth failed with: ${msg}`);
}
}
/**
* Main wraps the main action logic into a function to be used as a parameter to the withRetries function.
*/
async function main() {
// Load configuration. // Load configuration.
const projectID = getInput('project_id'); const projectID = getInput('project_id');
const workloadIdentityProvider = getInput('workload_identity_provider'); const workloadIdentityProvider = getInput('workload_identity_provider');
const serviceAccount = getInput('service_account'); const serviceAccount = getInput('service_account');
const audience = const audience = getInput('audience') || `https://iam.googleapis.com/${workloadIdentityProvider}`;
getInput('audience') || `https://iam.googleapis.com/${workloadIdentityProvider}`;
const credentialsJSON = getInput('credentials_json'); const credentialsJSON = getInput('credentials_json');
const createCredentialsFile = getBooleanInput('create_credentials_file'); const createCredentialsFile = getBooleanInput('create_credentials_file');
const exportEnvironmentVariables = getBooleanInput('export_environment_variables'); const exportEnvironmentVariables = getBooleanInput('export_environment_variables');
@ -264,10 +287,6 @@ async function run(): Promise<void> {
throw new Error(`Unknown token format "${tokenFormat}"`); throw new Error(`Unknown token format "${tokenFormat}"`);
} }
} }
} catch (err) {
const msg = errorMessage(err);
setFailed(`google-github-actions/auth failed with: ${msg}`);
}
} }
/** /**