From 2fa966d5190a1329e60c6174c9894f0ee739aa01 Mon Sep 17 00:00:00 2001
From: Zach Goldberg
Date: Mon, 11 Nov 2024 13:03:37 -0800
Subject: [PATCH 1/3] feat: sanitize input tokens
---
 .github/workflows/pipelines-root.yml | 73 ++++++++++++++++++++++------
 1 file changed, 58 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/pipelines-root.yml b/.github/workflows/pipelines-root.yml
index bd879bd..af3fc12 100644
--- a/.github/workflows/pipelines-root.yml
+++ b/.github/workflows/pipelines-root.yml
@@ -21,7 +21,7 @@ on:
 runner:
 type: string
 default: '"ubuntu-latest"'
- api_base_url:
+ api_base_url:
 type: string
 default: "https://api.prod.app.gruntwork.io/api/v1"
@@ -53,12 +53,23 @@ jobs:
 name: Detect Infrastructure Changes
 runs-on: ${{ fromJSON(inputs.runner) }}
 steps:
+ - name: Sanitize Tokens
+ id: secrets
+ shell: bash
+ run: |
+ PR_TRIM=$(echo $PIPELINES_READ_TOKEN | xargs)
+ IR_TRIM=$(echo $INFRA_ROOT_WRITE_TOKEN | xargs)
+ OR_TRIM=$(echo $ORG_REPO_ADMIN_TOKEN | xargs)
+ echo "PIPELINES_READ_TOKEN=$PR_TRIM" | xargs>> $GITHUB_OUTPUT
+ echo "INFRA_ROOT_WRITE_TOKEN=$IR_TRIM" >> $GITHUB_OUTPUT
+ echo "ORG_REPO_ADMIN_TOKEN=$OR_TRIM" >> $GITHUB_OUTPUT
+
 - name: Fetch Gruntwork Read Token
 id: pipelines-gruntwork-read-token
 uses: gruntwork-io/pipelines-credentials@v1
 with:
 PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io"
- FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
+ FALLBACK_TOKEN: ${{ steps.secrets.outputs.PIPELINES_READ_TOKEN }}
 api_base_url: ${{ inputs.api_base_url }}
 - name: Fetch Org Read Token
@@ -66,7 +77,7 @@ jobs:
 uses: gruntwork-io/pipelines-credentials@v1
 with:
 PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }}
- FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
+ FALLBACK_TOKEN: ${{ steps.secrets.outputs.PIPELINES_READ_TOKEN }}
 api_base_url: ${{ inputs.api_base_url }}
 - name: Fetch Infra Root Write Token
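Review bot: The new `Sanitize Tokens` step in the `@@ -53,12 +53,23 @@` hunk reads `$PIPELINES_READ_TOKEN`, `$INFRA_ROOT_WRITE_TOKEN` and `$ORG_REPO_ADMIN_TOKEN` from the shell environment, but the step has no `env:` block mapping `secrets.*` into those variables; unless they are exported at job or workflow level outside the hunk, every output is an empty string and each `FALLBACK_TOKEN` that now reads `steps.secrets.outputs.*` silently becomes empty. In the same `run:` script the expansions are unquoted, so word splitting and globbing apply before `xargs` sees the value. A trimmed value that differs from the stored secret may also no longer match the log mask registered for that secret, so it should be re-masked with `::add-mask::` before it is written to `$GITHUB_OUTPUT`. The step is repeated verbatim in the hunks at -151, -342 and -465, and the rewrite below applies to all four.

```yaml
- name: Sanitize Tokens
  id: secrets
  shell: bash
  env:
    PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
    INFRA_ROOT_WRITE_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }}
    ORG_REPO_ADMIN_TOKEN: ${{ secrets.ORG_REPO_ADMIN_TOKEN }}
  run: |
    for name in PIPELINES_READ_TOKEN INFRA_ROOT_WRITE_TOKEN ORG_REPO_ADMIN_TOKEN; do
      trimmed=$(printf '%s' "${!name}" | xargs)
      # Re-register the trimmed form so it stays masked in logs.
      if [ -n "$trimmed" ]; then
        echo "::add-mask::$trimmed"
      fi
      echo "$name=$trimmed" >> "$GITHUB_OUTPUT"
    done
# … unchanged: Fetch Gruntwork Read Token and the steps after it …
```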
@@ -74,7 +85,7 @@ jobs:
 uses: gruntwork-io/pipelines-credentials@v1
 with:
 PIPELINES_TOKEN_PATH: infra-root-write/${{ github.repository_owner }}
- FALLBACK_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }}
+ FALLBACK_TOKEN: ${{ steps.secrets.outputs.INFRA_ROOT_WRITE_TOKEN }}
 api_base_url: ${{ inputs.api_base_url }}
 - name: Fetch Org Repo Admin Token
@@ -82,7 +93,7 @@ jobs:
 uses: gruntwork-io/pipelines-credentials@v1
 with:
 PIPELINES_TOKEN_PATH: org-repo-admin/${{ github.repository_owner }}
- FALLBACK_TOKEN: ${{ secrets.ORG_REPO_ADMIN_TOKEN }}
+ FALLBACK_TOKEN: ${{ steps.secrets.outputs.ORG_REPO_ADMIN_TOKEN }}
 api_base_url: ${{ inputs.api_base_url }}
 - name: Checkout Pipelines Actions
@@ -120,7 +131,7 @@ jobs:
 uses: ./pipelines-actions/.github/actions/pipelines-preflight-action
 with:
 IS_ROOT: "true"
- PIPELINES_READ_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
+ PIPELINES_READ_TOKEN: ${{ steps.secrets.outputs.PIPELINES_READ_TOKEN }}
 INFRA_ROOT_WRITE_TOKEN: ${{ steps.pipelines-infra-root-write-token.outputs.PIPELINES_TOKEN }}
 ORG_REPO_ADMIN_TOKEN: ${{ steps.pipelines-org-repo-admin-token.outputs.PIPELINES_TOKEN }}
 PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }}
@@ -151,12 +162,22 @@ jobs:
 matrix:
 jobs: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs) }}
 steps:
+ - name: Sanitize Tokens
+ id: secrets
+ shell: bash
+ run: |
+ PR_TRIM=$(echo $PIPELINES_READ_TOKEN | xargs)
+ IR_TRIM=$(echo $INFRA_ROOT_WRITE_TOKEN | xargs)
+ OR_TRIM=$(echo $ORG_REPO_ADMIN_TOKEN | xargs)
+ echo "PIPELINES_READ_TOKEN=$PR_TRIM" | xargs>> $GITHUB_OUTPUT
+ echo "INFRA_ROOT_WRITE_TOKEN=$IR_TRIM" >> $GITHUB_OUTPUT
+ echo "ORG_REPO_ADMIN_TOKEN=$OR_TRIM" >> $GITHUB_OUTPUT
 - name: Fetch Gruntwork Read Token
 id: pipelines-gruntwork-read-token
 uses: gruntwork-io/pipelines-credentials@v1
 with:
 PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io"
- FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
+ FALLBACK_TOKEN: ${{ steps.secrets.outputs.PIPELINES_READ_TOKEN }}
 api_base_url: ${{ inputs.api_base_url }}
 - name: Fetch Org Read Token
@@ -164,7 +185,7 @@ jobs:
 uses: gruntwork-io/pipelines-credentials@v1
 with:
 PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }}
- FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
+ FALLBACK_TOKEN: ${{ steps.secrets.outputs.PIPELINES_READ_TOKEN }}
 api_base_url: ${{ inputs.api_base_url }}
 - name: Fetch Infra Root Write Token
@@ -172,7 +193,7 @@ jobs:
 uses: gruntwork-io/pipelines-credentials@v1
 with:
 PIPELINES_TOKEN_PATH: infra-root-write/${{ github.repository_owner }}
- FALLBACK_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }}
+ FALLBACK_TOKEN: ${{ steps.secrets.outputs.INFRA_ROOT_WRITE_TOKEN }}
 api_base_url: ${{ inputs.api_base_url }}
 - name: Checkout Pipelines Actions
@@ -342,12 +363,23 @@ jobs:
 matrix:
 jobs: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].NewAccounts }}
 steps:
+ - name: Sanitize Tokens
+ shell: bash
+ id: secrets
+ run: |
+ PR_TRIM=$(echo $PIPELINES_READ_TOKEN | xargs)
+ IR_TRIM=$(echo $INFRA_ROOT_WRITE_TOKEN | xargs)
+ OR_TRIM=$(echo $ORG_REPO_ADMIN_TOKEN | xargs)
+ echo "PIPELINES_READ_TOKEN=$PR_TRIM" | xargs>> $GITHUB_OUTPUT
+ echo "INFRA_ROOT_WRITE_TOKEN=$IR_TRIM" >> $GITHUB_OUTPUT
+ echo "ORG_REPO_ADMIN_TOKEN=$OR_TRIM" >> $GITHUB_OUTPUT
+
 - name: Fetch Gruntwork Read Token
 id: pipelines-gruntwork-read-token
 uses: gruntwork-io/pipelines-credentials@v1
 with:
 PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io"
- FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
+ FALLBACK_TOKEN: ${{ steps.secrets.outputs.PIPELINES_READ_TOKEN }}
 api_base_url: ${{ inputs.api_base_url }}
 - name: Fetch Org Read Token
@@ -355,7 +387,7 @@ jobs:
 uses: gruntwork-io/pipelines-credentials@v1
 with:
 PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }}
- FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
+ FALLBACK_TOKEN: ${{ steps.secrets.outputs.PIPELINES_READ_TOKEN }}
 api_base_url: ${{ inputs.api_base_url }}
 - name: Fetch Create PR Token
@@ -363,7 +395,7 @@ jobs:
 uses: gruntwork-io/pipelines-credentials@v1
 with:
 PIPELINES_TOKEN_PATH: propose-infra-change/${{ github.repository_owner }}
- FALLBACK_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }}
+ FALLBACK_TOKEN: ${{ steps.secrets.outputs.INFRA_ROOT_WRITE_TOKEN }}
 api_base_url: ${{ inputs.api_base_url }}
 - name: Checkout Pipelines Actions
@@ -465,12 +497,23 @@ jobs:
 # GHA can't check for length, so we just check if there is an item in the 0 index
 if: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].NewAccounts[0] != null && needs.pipelines_execute.outputs.delegate_management == 'true' && needs.pipelines_execute.outputs.terragrunt_command == 'run-all apply' }}
 steps:
+ - name: Sanitize Tokens
+ shell: bash
+ id: secrets
+ run: |
+ PR_TRIM=$(echo $PIPELINES_READ_TOKEN | xargs)
+ IR_TRIM=$(echo $INFRA_ROOT_WRITE_TOKEN | xargs)
+ OR_TRIM=$(echo $ORG_REPO_ADMIN_TOKEN | xargs)
+ echo "PIPELINES_READ_TOKEN=$PR_TRIM" | xargs>> $GITHUB_OUTPUT
+ echo "INFRA_ROOT_WRITE_TOKEN=$IR_TRIM" >> $GITHUB_OUTPUT
+ echo "ORG_REPO_ADMIN_TOKEN=$OR_TRIM" >> $GITHUB_OUTPUT
+
 - name: Fetch Gruntwork Read Token
 id: pipelines-gruntwork-read-token
 uses: gruntwork-io/pipelines-credentials@v1
 with:
 PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io"
- FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
+ FALLBACK_TOKEN: ${{ steps.secrets.outputs.PIPELINES_READ_TOKEN }}
 api_base_url: ${{ inputs.api_base_url }}
 - name: Fetch Org Read Token
@@ -478,7 +521,7 @@ jobs:
 uses: gruntwork-io/pipelines-credentials@v1
 with:
 PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }}
- FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
+ FALLBACK_TOKEN: ${{ steps.secrets.outputs.PIPELINES_READ_TOKEN }}
 api_base_url: ${{ inputs.api_base_url }}
 - name: Fetch Org Repo Admin Token
@@ -486,7 +529,7 @@ jobs:
 uses: gruntwork-io/pipelines-credentials@v1
 with:
 PIPELINES_TOKEN_PATH: org-repo-admin/${{ github.repository_owner }}
- FALLBACK_TOKEN: ${{ secrets.ORG_REPO_ADMIN_TOKEN }}
+ FALLBACK_TOKEN: ${{ steps.secrets.outputs.ORG_REPO_ADMIN_TOKEN }}
 api_base_url: ${{ inputs.api_base_url }}
 - name: Checkout Pipelines Actions
From 793b52da0ff7f20ebee85c59464465ba61a474ec Mon Sep 17 00:00:00 2001
From: Zach Goldberg
Date: Mon, 11 Nov 2024 14:12:02 -0800
Subject: [PATCH 2/3] bugfixes
---
 .github/workflows/pipelines-root.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/pipelines-root.yml b/.github/workflows/pipelines-root.yml
index af3fc12..0f82ee8 100644
--- a/.github/workflows/pipelines-root.yml
+++ b/.github/workflows/pipelines-root.yml
@@ -60,7 +60,7 @@ jobs:
 PR_TRIM=$(echo $PIPELINES_READ_TOKEN | xargs)
 IR_TRIM=$(echo $INFRA_ROOT_WRITE_TOKEN | xargs)
 OR_TRIM=$(echo $ORG_REPO_ADMIN_TOKEN | xargs)
- echo "PIPELINES_READ_TOKEN=$PR_TRIM" | xargs>> $GITHUB_OUTPUT
+ echo "PIPELINES_READ_TOKEN=$PR_TRIM" >> $GITHUB_OUTPUT
 echo "INFRA_ROOT_WRITE_TOKEN=$IR_TRIM" >> $GITHUB_OUTPUT
 echo "ORG_REPO_ADMIN_TOKEN=$OR_TRIM" >> $GITHUB_OUTPUT
@@ -169,7 +169,7 @@ jobs:
 PR_TRIM=$(echo $PIPELINES_READ_TOKEN | xargs)
 IR_TRIM=$(echo $INFRA_ROOT_WRITE_TOKEN | xargs)
 OR_TRIM=$(echo $ORG_REPO_ADMIN_TOKEN | xargs)
- echo "PIPELINES_READ_TOKEN=$PR_TRIM" | xargs>> $GITHUB_OUTPUT
+ echo "PIPELINES_READ_TOKEN=$PR_TRIM" >> $GITHUB_OUTPUT
 echo "INFRA_ROOT_WRITE_TOKEN=$IR_TRIM" >> $GITHUB_OUTPUT
 echo "ORG_REPO_ADMIN_TOKEN=$OR_TRIM" >> $GITHUB_OUTPUT
 - name: Fetch Gruntwork Read Token
@@ -370,7 +370,7 @@ jobs:
 PR_TRIM=$(echo $PIPELINES_READ_TOKEN | xargs)
 IR_TRIM=$(echo $INFRA_ROOT_WRITE_TOKEN | xargs)
 OR_TRIM=$(echo $ORG_REPO_ADMIN_TOKEN | xargs)
- echo "PIPELINES_READ_TOKEN=$PR_TRIM" | xargs>> $GITHUB_OUTPUT
+ echo "PIPELINES_READ_TOKEN=$PR_TRIM" >> $GITHUB_OUTPUT
 echo "INFRA_ROOT_WRITE_TOKEN=$IR_TRIM" >> $GITHUB_OUTPUT
 echo "ORG_REPO_ADMIN_TOKEN=$OR_TRIM" >> $GITHUB_OUTPUT
@@ -504,7 +504,7 @@ jobs:
 PR_TRIM=$(echo $PIPELINES_READ_TOKEN | xargs)
 IR_TRIM=$(echo $INFRA_ROOT_WRITE_TOKEN | xargs)
 OR_TRIM=$(echo $ORG_REPO_ADMIN_TOKEN | xargs)
- echo "PIPELINES_READ_TOKEN=$PR_TRIM" | xargs>> $GITHUB_OUTPUT
+ echo "PIPELINES_READ_TOKEN=$PR_TRIM" >> $GITHUB_OUTPUT
 echo "INFRA_ROOT_WRITE_TOKEN=$IR_TRIM" >> $GITHUB_OUTPUT
 echo "ORG_REPO_ADMIN_TOKEN=$OR_TRIM" >> $GITHUB_OUTPUT
From dd05ebe56314d6a5189e2f866430e25971abe7bc Mon Sep 17 00:00:00 2001
From: Zach Goldberg
Date: Tue, 12 Nov 2024 12:18:22 -0800
Subject: [PATCH 3/3] depend on credentials sanitization
---
 .github/workflows/pipelines-root.yml | 71 ++++++----------------------
 1 file changed, 14 insertions(+), 57 deletions(-)
diff --git a/.github/workflows/pipelines-root.yml b/.github/workflows/pipelines-root.yml
index 0f82ee8..a73efcf 100644
--- a/.github/workflows/pipelines-root.yml
+++ b/.github/workflows/pipelines-root.yml
@@ -53,23 +53,12 @@ jobs:
 name: Detect Infrastructure Changes
 runs-on: ${{ fromJSON(inputs.runner) }}
 steps:
- - name: Sanitize Tokens
- id: secrets
- shell: bash
- run: |
- PR_TRIM=$(echo $PIPELINES_READ_TOKEN | xargs)
- IR_TRIM=$(echo $INFRA_ROOT_WRITE_TOKEN | xargs)
- OR_TRIM=$(echo $ORG_REPO_ADMIN_TOKEN | xargs)
- echo "PIPELINES_READ_TOKEN=$PR_TRIM" >> $GITHUB_OUTPUT
- echo "INFRA_ROOT_WRITE_TOKEN=$IR_TRIM" >> $GITHUB_OUTPUT
- echo "ORG_REPO_ADMIN_TOKEN=$OR_TRIM" >> $GITHUB_OUTPUT
-
 - name: Fetch Gruntwork Read Token
 id: pipelines-gruntwork-read-token
 uses: gruntwork-io/pipelines-credentials@v1
 with:
 PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io"
- FALLBACK_TOKEN: ${{ steps.secrets.outputs.PIPELINES_READ_TOKEN }}
+ FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
 api_base_url: ${{ inputs.api_base_url }}
 - name: Fetch Org Read Token
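Review bot: Once the `@@ -53,23 +53,12 @@` hunk of patch 3 removes the `Sanitize Tokens` step, `${{ secrets.PIPELINES_READ_TOKEN }}` goes straight into `FALLBACK_TOKEN` and, going by the commit subject, trimming is left to `gruntwork-io/pipelines-credentials@v1`, yet nothing in the workflow records that dependency. `@v1` is a movable tag and the action receives every fallback secret, so which release performs the trimming is neither visible nor fixed from this file. I would add a comment above the first `Fetch Gruntwork Read Token` step such as `# FALLBACK_TOKEN whitespace is stripped inside pipelines-credentials; needs a v1 release that includes that change`, and consider pinning the action to a reviewed commit SHA. The same applies to the hunks at -162, -363 and -497.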
@@ -77,7 +66,7 @@ jobs:
 uses: gruntwork-io/pipelines-credentials@v1
 with:
 PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }}
- FALLBACK_TOKEN: ${{ steps.secrets.outputs.PIPELINES_READ_TOKEN }}
+ FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
 api_base_url: ${{ inputs.api_base_url }}
 - name: Fetch Infra Root Write Token
@@ -85,7 +74,7 @@ jobs:
 uses: gruntwork-io/pipelines-credentials@v1
 with:
 PIPELINES_TOKEN_PATH: infra-root-write/${{ github.repository_owner }}
- FALLBACK_TOKEN: ${{ steps.secrets.outputs.INFRA_ROOT_WRITE_TOKEN }}
+ FALLBACK_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }}
 api_base_url: ${{ inputs.api_base_url }}
 - name: Fetch Org Repo Admin Token
@@ -93,7 +82,7 @@ jobs:
 uses: gruntwork-io/pipelines-credentials@v1
 with:
 PIPELINES_TOKEN_PATH: org-repo-admin/${{ github.repository_owner }}
- FALLBACK_TOKEN: ${{ steps.secrets.outputs.ORG_REPO_ADMIN_TOKEN }}
+ FALLBACK_TOKEN: ${{ secrets.ORG_REPO_ADMIN_TOKEN }}
 api_base_url: ${{ inputs.api_base_url }}
 - name: Checkout Pipelines Actions
@@ -131,7 +120,7 @@ jobs:
 uses: ./pipelines-actions/.github/actions/pipelines-preflight-action
 with:
 IS_ROOT: "true"
- PIPELINES_READ_TOKEN: ${{ steps.secrets.outputs.PIPELINES_READ_TOKEN }}
+ PIPELINES_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }}
 INFRA_ROOT_WRITE_TOKEN: ${{ steps.pipelines-infra-root-write-token.outputs.PIPELINES_TOKEN }}
 ORG_REPO_ADMIN_TOKEN: ${{ steps.pipelines-org-repo-admin-token.outputs.PIPELINES_TOKEN }}
 PIPELINES_GRUNTWORK_READ_TOKEN: ${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }}
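Review bot: In the `@@ -131,7 +120,7 @@` hunk `PIPELINES_READ_TOKEN` is now set to `${{ steps.pipelines-gruntwork-read-token.outputs.PIPELINES_TOKEN }}`, the exact expression already used for `PIPELINES_GRUNTWORK_READ_TOKEN` three lines below, rather than being restored to `${{ secrets.PIPELINES_READ_TOKEN }}` as it was before patch 1. That changes which credential the preflight action receives, not only how it is sanitised: the gruntwork step fetches `pipelines-read/gruntwork-io`, while a separate `Fetch Org Read Token` step fetches `pipelines-read/${{ github.repository_owner }}`. If the org-scoped token is what preflight should check, the line would be `PIPELINES_READ_TOKEN: ${{ steps.<org-read-token-step-id>.outputs.PIPELINES_TOKEN }}` (placeholder, since that step's `id` is outside the visible hunks); if the duplication is intended, a one-line comment saying so would help. The `with:` block may continue outside the hunk.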
@@ -162,22 +151,12 @@ jobs:
 matrix:
 jobs: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs) }}
 steps:
- - name: Sanitize Tokens
- id: secrets
- shell: bash
- run: |
- PR_TRIM=$(echo $PIPELINES_READ_TOKEN | xargs)
- IR_TRIM=$(echo $INFRA_ROOT_WRITE_TOKEN | xargs)
- OR_TRIM=$(echo $ORG_REPO_ADMIN_TOKEN | xargs)
- echo "PIPELINES_READ_TOKEN=$PR_TRIM" >> $GITHUB_OUTPUT
- echo "INFRA_ROOT_WRITE_TOKEN=$IR_TRIM" >> $GITHUB_OUTPUT
- echo "ORG_REPO_ADMIN_TOKEN=$OR_TRIM" >> $GITHUB_OUTPUT
 - name: Fetch Gruntwork Read Token
 id: pipelines-gruntwork-read-token
 uses: gruntwork-io/pipelines-credentials@v1
 with:
 PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io"
- FALLBACK_TOKEN: ${{ steps.secrets.outputs.PIPELINES_READ_TOKEN }}
+ FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
 api_base_url: ${{ inputs.api_base_url }}
 - name: Fetch Org Read Token
@@ -185,7 +164,7 @@ jobs:
 uses: gruntwork-io/pipelines-credentials@v1
 with:
 PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }}
- FALLBACK_TOKEN: ${{ steps.secrets.outputs.PIPELINES_READ_TOKEN }}
+ FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
 api_base_url: ${{ inputs.api_base_url }}
 - name: Fetch Infra Root Write Token
@@ -193,7 +172,7 @@ jobs:
 uses: gruntwork-io/pipelines-credentials@v1
 with:
 PIPELINES_TOKEN_PATH: infra-root-write/${{ github.repository_owner }}
- FALLBACK_TOKEN: ${{ steps.secrets.outputs.INFRA_ROOT_WRITE_TOKEN }}
+ FALLBACK_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }}
 api_base_url: ${{ inputs.api_base_url }}
 - name: Checkout Pipelines Actions
@@ -363,23 +342,12 @@ jobs:
 matrix:
 jobs: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].NewAccounts }}
 steps:
- - name: Sanitize Tokens
- shell: bash
- id: secrets
- run: |
- PR_TRIM=$(echo $PIPELINES_READ_TOKEN | xargs)
- IR_TRIM=$(echo $INFRA_ROOT_WRITE_TOKEN | xargs)
- OR_TRIM=$(echo $ORG_REPO_ADMIN_TOKEN | xargs)
- echo "PIPELINES_READ_TOKEN=$PR_TRIM" >> $GITHUB_OUTPUT
- echo "INFRA_ROOT_WRITE_TOKEN=$IR_TRIM" >> $GITHUB_OUTPUT
- echo "ORG_REPO_ADMIN_TOKEN=$OR_TRIM" >> $GITHUB_OUTPUT
-
 - name: Fetch Gruntwork Read Token
 id: pipelines-gruntwork-read-token
 uses: gruntwork-io/pipelines-credentials@v1
 with:
 PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io"
- FALLBACK_TOKEN: ${{ steps.secrets.outputs.PIPELINES_READ_TOKEN }}
+ FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
 api_base_url: ${{ inputs.api_base_url }}
 - name: Fetch Org Read Token
@@ -387,7 +355,7 @@ jobs:
 uses: gruntwork-io/pipelines-credentials@v1
 with:
 PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }}
- FALLBACK_TOKEN: ${{ steps.secrets.outputs.PIPELINES_READ_TOKEN }}
+ FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
 api_base_url: ${{ inputs.api_base_url }}
 - name: Fetch Create PR Token
@@ -395,7 +363,7 @@ jobs:
 uses: gruntwork-io/pipelines-credentials@v1
 with:
 PIPELINES_TOKEN_PATH: propose-infra-change/${{ github.repository_owner }}
- FALLBACK_TOKEN: ${{ steps.secrets.outputs.INFRA_ROOT_WRITE_TOKEN }}
+ FALLBACK_TOKEN: ${{ secrets.INFRA_ROOT_WRITE_TOKEN }}
 api_base_url: ${{ inputs.api_base_url }}
 - name: Checkout Pipelines Actions
@@ -497,23 +465,12 @@ jobs:
 # GHA can't check for length, so we just check if there is an item in the 0 index
 if: ${{ fromJson(needs.pipelines_orchestrate.outputs.pipelines_jobs)[0].NewAccounts[0] != null && needs.pipelines_execute.outputs.delegate_management == 'true' && needs.pipelines_execute.outputs.terragrunt_command == 'run-all apply' }}
 steps:
- - name: Sanitize Tokens
- shell: bash
- id: secrets
- run: |
- PR_TRIM=$(echo $PIPELINES_READ_TOKEN | xargs)
- IR_TRIM=$(echo $INFRA_ROOT_WRITE_TOKEN | xargs)
- OR_TRIM=$(echo $ORG_REPO_ADMIN_TOKEN | xargs)
- echo "PIPELINES_READ_TOKEN=$PR_TRIM" >> $GITHUB_OUTPUT
- echo "INFRA_ROOT_WRITE_TOKEN=$IR_TRIM" >> $GITHUB_OUTPUT
- echo "ORG_REPO_ADMIN_TOKEN=$OR_TRIM" >> $GITHUB_OUTPUT
-
 - name: Fetch Gruntwork Read Token
 id: pipelines-gruntwork-read-token
 uses: gruntwork-io/pipelines-credentials@v1
 with:
 PIPELINES_TOKEN_PATH: "pipelines-read/gruntwork-io"
- FALLBACK_TOKEN: ${{ steps.secrets.outputs.PIPELINES_READ_TOKEN }}
+ FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
 api_base_url: ${{ inputs.api_base_url }}
 - name: Fetch Org Read Token
@@ -521,7 +478,7 @@ jobs:
 uses: gruntwork-io/pipelines-credentials@v1
 with:
 PIPELINES_TOKEN_PATH: pipelines-read/${{ github.repository_owner }}
- FALLBACK_TOKEN: ${{ steps.secrets.outputs.PIPELINES_READ_TOKEN }}
+ FALLBACK_TOKEN: ${{ secrets.PIPELINES_READ_TOKEN }}
 api_base_url: ${{ inputs.api_base_url }}
 - name: Fetch Org Repo Admin Token
@@ -529,7 +486,7 @@ jobs:
 uses: gruntwork-io/pipelines-credentials@v1
 with:
 PIPELINES_TOKEN_PATH: org-repo-admin/${{ github.repository_owner }}
- FALLBACK_TOKEN: ${{ steps.secrets.outputs.ORG_REPO_ADMIN_TOKEN }}
+ FALLBACK_TOKEN: ${{ secrets.ORG_REPO_ADMIN_TOKEN }}
 api_base_url: ${{ inputs.api_base_url }}
 - name: Checkout Pipelines Actions