|
21 | 21 | runner:
|
22 | 22 | type: string
|
23 | 23 | default: '"ubuntu-latest"'
|
24 |
| - api_base_url: |
| 24 | + api_base_url: |
25 | 25 | type: string
|
26 | 26 | default: "https://api.prod.app.gruntwork.io/api/v1"
|
27 | 27 |
|
@@ -53,36 +53,47 @@ jobs:
|
53 | 53 | name: Detect Infrastructure Changes
|
54 | 54 | runs-on: ${{ fromJSON(inputs.runner) }}
|
55 | 55 | steps:
|
| 56 | + - name: Sanitize Tokens |
| 57 | + id: secrets |
| 58 | + shell: bash |
| 59 | + run: | |
| 60 | + PR_TRIM=$(echo $PIPELINES_READ_TOKEN | xargs) |
| 61 | + IR_TRIM=$(echo $INFRA_ROOT_WRITE_TOKEN | xargs) |
| 62 | + OR_TRIM=$(echo $ORG_REPO_ADMIN_TOKEN | xargs) |
| 63 | + echo "PIPELINES_READ_TOKEN=$PR_TRIM" | xargs>> $GITHUB_OUTPUT |
| 64 | + echo "INFRA_ROOT_WRITE_TOKEN=$IR_TRIM" >> $GITHUB_OUTPUT |
| 65 | + echo "ORG_REPO_ADMIN_TOKEN=$OR_TRIM" >> $GITHUB_OUTPUT |
| 66 | +
|
56 | 67 | - name: Fetch Gruntwork Read Token
|
57 | 68 | id: pipelines-gruntwork-read-token
|
58 | 69 | uses: gruntwork-io/pipelines-credentials@v1
|
59 | 70 | with:
|
60 | 71 | PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io"
|
61 |
| - FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} |
| 72 | + FALLBACK_TOKEN: ${{ steps.secrets.outputs.PIPELINES_READ_TOKEN }} |
62 | 73 | api_base_url: ${{ inputs.api_base_url }}
|
63 | 74 |
|
64 | 75 | - name: Fetch Org Read Token
|
65 | 76 | id: pipelines-customer-org-read-token
|
66 | 77 | uses: gruntwork-io/pipelines-credentials@v1
|
67 | 78 | with:
|
68 | 79 | PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }}
|
69 |
| - FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} |
| 80 | + FALLBACK_TOKEN: ${{ steps.secrets.outputs.PIPELINES_READ_TOKEN }} |
70 | 81 | api_base_url: ${{ inputs.api_base_url }}
|
71 | 82 |
|
72 | 83 | - name: Fetch Infra Root Write Token
|
73 | 84 | id: pipelines-infra-root-write-token
|
74 | 85 | uses: gruntwork-io/pipelines-credentials@v1
|
75 | 86 | with:
|
76 | 87 | PIPELINES_TOKEN_PATH: infra-root-write/${{ github.repository_owner }}
|
77 |
| - FALLBACK_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }} |
| 88 | + FALLBACK_TOKEN: ${{ steps.secrets.outputs.INFRA_ROOT_WRITE_TOKEN }} |
78 | 89 | api_base_url: ${{ inputs.api_base_url }}
|
79 | 90 |
|
80 | 91 | - name: Fetch Org Repo Admin Token
|
81 | 92 | id: pipelines-org-repo-admin-token
|
82 | 93 | uses: gruntwork-io/pipelines-credentials@v1
|
83 | 94 | with:
|
84 | 95 | PIPELINES_TOKEN_PATH: org-repo-admin/${{ github.repository_owner }}
|
85 |
| - FALLBACK_TOKEN: ${{ secrets.ORG_REPO_ADMIN_TOKEN }} |
| 96 | + FALLBACK_TOKEN: ${{ steps.secrets.outputs.ORG_REPO_ADMIN_TOKEN }} |
86 | 97 | api_base_url: ${{ inputs.api_base_url }}
|
87 | 98 |
|
88 | 99 | - name: Checkout Pipelines Actions
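Review bot: The added `Sanitize Tokens` step reads `$PIPELINES_READ_TOKEN`, `$INFRA_ROOT_WRITE_TOKEN` and `$ORG_REPO_ADMIN_TOKEN` from the shell environment, but no `env:` mapping is visible on the step. Unless those variables are exported at workflow or job level outside this hunk, every `FALLBACK_TOKEN` below resolves to an empty string; declaring them on the step also keeps the raw secrets out of the environment of the other steps. The trimmed value is a new string that log masking may not match when it differs from the stored secret, so it should be registered with `::add-mask::` before it is written to `$GITHUB_OUTPUT`. The expansions are also unquoted, and the first `echo` is piped through `xargs` a second time while the other two are not. The same step is repeated in the hunks at `@@ -151`, `@@ -342` and `@@ -465`, and the job's step list continues outside this hunk.

```yaml
- name: Sanitize Tokens
  id: secrets
  shell: bash
  env:
    PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
    INFRA_ROOT_WRITE_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }}
    ORG_REPO_ADMIN_TOKEN: ${{ secrets.ORG_REPO_ADMIN_TOKEN }}
  run: |
    PR_TRIM="$(printf '%s' "$PIPELINES_READ_TOKEN" | xargs)"
    # Register the trimmed value with the log masker before it is used anywhere.
    if [ -n "$PR_TRIM" ]; then echo "::add-mask::$PR_TRIM"; fi
    echo "PIPELINES_READ_TOKEN=$PR_TRIM" >> "$GITHUB_OUTPUT"
    # … same three lines for INFRA_ROOT_WRITE_TOKEN and ORG_REPO_ADMIN_TOKEN …
# … unchanged: the four "Fetch … Token" steps …
```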
|
@@ -120,7 +131,7 @@ jobs:
|
120 | 131 | uses: ./pipelines-actions/.github/actions/pipelines-preflight-action
|
121 | 132 | with:
|
122 | 133 | IS_ROOT: "true"
|
123 |
| - PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} |
| 134 | + PIPELINES_READ_TOKEN: ${{ steps.secrets.outputs.PIPELINES_READ_TOKEN }} |
124 | 135 | INFRA_ROOT_WRITE_TOKEN: ${{ steps.pipelines-infra-root-write-token.outputs.PIPELINES_TOKEN }}
|
125 | 136 | ORG_REPO_ADMIN_TOKEN: ${{ steps.pipelines-org-repo-admin-token.outputs.PIPELINES_TOKEN }}
|
126 | 137 | PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }}
|
@@ -151,28 +162,38 @@ jobs:
|
151 | 162 | matrix:
|
152 | 163 | jobs: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs) }}
|
153 | 164 | steps:
|
| 165 | + - name: Sanitize Tokens |
| 166 | + id: secrets |
| 167 | + shell: bash |
| 168 | + run: | |
| 169 | + PR_TRIM=$(echo $PIPELINES_READ_TOKEN | xargs) |
| 170 | + IR_TRIM=$(echo $INFRA_ROOT_WRITE_TOKEN | xargs) |
| 171 | + OR_TRIM=$(echo $ORG_REPO_ADMIN_TOKEN | xargs) |
| 172 | + echo "PIPELINES_READ_TOKEN=$PR_TRIM" | xargs>> $GITHUB_OUTPUT |
| 173 | + echo "INFRA_ROOT_WRITE_TOKEN=$IR_TRIM" >> $GITHUB_OUTPUT |
| 174 | + echo "ORG_REPO_ADMIN_TOKEN=$OR_TRIM" >> $GITHUB_OUTPUT |
154 | 175 | - name: Fetch Gruntwork Read Token
|
155 | 176 | id: pipelines-gruntwork-read-token
|
156 | 177 | uses: gruntwork-io/pipelines-credentials@v1
|
157 | 178 | with:
|
158 | 179 | PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io"
|
159 |
| - FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} |
| 180 | + FALLBACK_TOKEN: ${{ steps.secrets.outputs.PIPELINES_READ_TOKEN }} |
160 | 181 | api_base_url: ${{ inputs.api_base_url }}
|
161 | 182 |
|
162 | 183 | - name: Fetch Org Read Token
|
163 | 184 | id: pipelines-customer-org-read-token
|
164 | 185 | uses: gruntwork-io/pipelines-credentials@v1
|
165 | 186 | with:
|
166 | 187 | PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }}
|
167 |
| - FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} |
| 188 | + FALLBACK_TOKEN: ${{ steps.secrets.outputs.PIPELINES_READ_TOKEN }} |
168 | 189 | api_base_url: ${{ inputs.api_base_url }}
|
169 | 190 |
|
170 | 191 | - name: Fetch Infra Root Write Token
|
171 | 192 | id: pipelines-infra-root-write-token
|
172 | 193 | uses: gruntwork-io/pipelines-credentials@v1
|
173 | 194 | with:
|
174 | 195 | PIPELINES_TOKEN_PATH: infra-root-write/${{ github.repository_owner }}
|
175 |
| - FALLBACK_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }} |
| 196 | + FALLBACK_TOKEN: ${{ steps.secrets.outputs.INFRA_ROOT_WRITE_TOKEN }} |
176 | 197 | api_base_url: ${{ inputs.api_base_url }}
|
177 | 198 |
|
178 | 199 | - name: Checkout Pipelines Actions
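Review bot: This job's `Sanitize Tokens` step publishes all three tokens as step outputs, yet the steps visible in this hunk consume only `steps.secrets.outputs.PIPELINES_READ_TOKEN` and `steps.secrets.outputs.INFRA_ROOT_WRITE_TOKEN`. Exporting `ORG_REPO_ADMIN_TOKEN` here widens where the admin credential is available without a visible consumer; if nothing later in the job needs it, drop the `OR_TRIM=...` line and its `echo "ORG_REPO_ADMIN_TOKEN=$OR_TRIM" >> $GITHUB_OUTPUT` line. The same applies per job to the hunks at `@@ -342` (no visible use of `ORG_REPO_ADMIN_TOKEN`) and `@@ -465` (no visible use of `INFRA_ROOT_WRITE_TOKEN`). The jobs continue outside their hunks, so confirm against the full file before trimming.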
|
@@ -342,28 +363,39 @@ jobs:
|
342 | 363 | matrix:
|
343 | 364 | jobs: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].NewAccounts }}
|
344 | 365 | steps:
|
| 366 | + - name: Sanitize Tokens |
| 367 | + shell: bash |
| 368 | + id: secrets |
| 369 | + run: | |
| 370 | + PR_TRIM=$(echo $PIPELINES_READ_TOKEN | xargs) |
| 371 | + IR_TRIM=$(echo $INFRA_ROOT_WRITE_TOKEN | xargs) |
| 372 | + OR_TRIM=$(echo $ORG_REPO_ADMIN_TOKEN | xargs) |
| 373 | + echo "PIPELINES_READ_TOKEN=$PR_TRIM" | xargs>> $GITHUB_OUTPUT |
| 374 | + echo "INFRA_ROOT_WRITE_TOKEN=$IR_TRIM" >> $GITHUB_OUTPUT |
| 375 | + echo "ORG_REPO_ADMIN_TOKEN=$OR_TRIM" >> $GITHUB_OUTPUT |
| 376 | +
|
345 | 377 | - name: Fetch Gruntwork Read Token
|
346 | 378 | id: pipelines-gruntwork-read-token
|
347 | 379 | uses: gruntwork-io/pipelines-credentials@v1
|
348 | 380 | with:
|
349 | 381 | PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io"
|
350 |
| - FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} |
| 382 | + FALLBACK_TOKEN: ${{ steps.secrets.outputs.PIPELINES_READ_TOKEN }} |
351 | 383 | api_base_url: ${{ inputs.api_base_url }}
|
352 | 384 |
|
353 | 385 | - name: Fetch Org Read Token
|
354 | 386 | id: pipelines-customer-org-read-token
|
355 | 387 | uses: gruntwork-io/pipelines-credentials@v1
|
356 | 388 | with:
|
357 | 389 | PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }}
|
358 |
| - FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} |
| 390 | + FALLBACK_TOKEN: ${{ steps.secrets.outputs.PIPELINES_READ_TOKEN }} |
359 | 391 | api_base_url: ${{ inputs.api_base_url }}
|
360 | 392 |
|
361 | 393 | - name: Fetch Create PR Token
|
362 | 394 | id: pipelines-propose-infra-change-token
|
363 | 395 | uses: gruntwork-io/pipelines-credentials@v1
|
364 | 396 | with:
|
365 | 397 | PIPELINES_TOKEN_PATH: propose-infra-change/${{ github.repository_owner }}
|
366 |
| - FALLBACK_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }} |
| 398 | + FALLBACK_TOKEN: ${{ steps.secrets.outputs.INFRA_ROOT_WRITE_TOKEN }} |
367 | 399 | api_base_url: ${{ inputs.api_base_url }}
|
368 | 400 |
|
369 | 401 | - name: Checkout Pipelines Actions
|
@@ -465,28 +497,39 @@ jobs:
|
465 | 497 | # GHA can't check for length, so we just check if there is an item in the 0 index
|
466 | 498 | if: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].NewAccounts[0] != null && needs.pipelines_execute.outputs.delegate_management == 'true' && needs.pipelines_execute.outputs.terragrunt_command == 'run-all apply' }}
|
467 | 499 | steps:
|
| 500 | + - name: Sanitize Tokens |
| 501 | + shell: bash |
| 502 | + id: secrets |
| 503 | + run: | |
| 504 | + PR_TRIM=$(echo $PIPELINES_READ_TOKEN | xargs) |
| 505 | + IR_TRIM=$(echo $INFRA_ROOT_WRITE_TOKEN | xargs) |
| 506 | + OR_TRIM=$(echo $ORG_REPO_ADMIN_TOKEN | xargs) |
| 507 | + echo "PIPELINES_READ_TOKEN=$PR_TRIM" | xargs>> $GITHUB_OUTPUT |
| 508 | + echo "INFRA_ROOT_WRITE_TOKEN=$IR_TRIM" >> $GITHUB_OUTPUT |
| 509 | + echo "ORG_REPO_ADMIN_TOKEN=$OR_TRIM" >> $GITHUB_OUTPUT |
| 510 | +
|
468 | 511 | - name: Fetch Gruntwork Read Token
|
469 | 512 | id: pipelines-gruntwork-read-token
|
470 | 513 | uses: gruntwork-io/pipelines-credentials@v1
|
471 | 514 | with:
|
472 | 515 | PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io"
|
473 |
| - FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} |
| 516 | + FALLBACK_TOKEN: ${{ steps.secrets.outputs.PIPELINES_READ_TOKEN }} |
474 | 517 | api_base_url: ${{ inputs.api_base_url }}
|
475 | 518 |
|
476 | 519 | - name: Fetch Org Read Token
|
477 | 520 | id: pipelines-customer-org-read-token
|
478 | 521 | uses: gruntwork-io/pipelines-credentials@v1
|
479 | 522 | with:
|
480 | 523 | PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }}
|
481 |
| - FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }} |
| 524 | + FALLBACK_TOKEN: ${{ steps.secrets.outputs.PIPELINES_READ_TOKEN }} |
482 | 525 | api_base_url: ${{ inputs.api_base_url }}
|
483 | 526 |
|
484 | 527 | - name: Fetch Org Repo Admin Token
|
485 | 528 | id: pipelines-org-repo-admin-token
|
486 | 529 | uses: gruntwork-io/pipelines-credentials@v1
|
487 | 530 | with:
|
488 | 531 | PIPELINES_TOKEN_PATH: org-repo-admin/${{ github.repository_owner }}
|
489 |
| - FALLBACK_TOKEN: ${{ secrets.ORG_REPO_ADMIN_TOKEN }} |
| 532 | + FALLBACK_TOKEN: ${{ steps.secrets.outputs.ORG_REPO_ADMIN_TOKEN }} |
490 | 533 | api_base_url: ${{ inputs.api_base_url }}
|
491 | 534 |
|
492 | 535 | - name: Checkout Pipelines Actions
|
|