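name: Authenticate Terminus from existing session, or initiate new session
description: >-
  Restores a Pantheon Terminus session by decrypting the cached session file
  and copying it into place. If the existing session is missing or expired (or
  'force-new-session' is true), initiates a new session, then encrypts and
  saves it to the Actions cache. Also installs Terminus on the host if needed.

inputs:
  pantheon-machine-token:
    description: >-
      Pantheon Terminus machine token, also used as the gpg "symmetric"
      encryption passphrase to decrypt the terminus session file.
    required: true
  force-new-session:
    description: >-
      Set this to 'true' to skip pulling the session from cache and force
      creating a new session. E.g., for a nightly cron job that initiates a new
      Terminus session for the upcoming day.
    required: false
    # Action inputs are always strings; quoted so YAML does not coerce it.
    default: 'false'
  ddev:
    description: >-
      Set to 'true' (lowercase, the comparison is case-sensitive) to
      authenticate Terminus inside the DDEV container instead of the host.
    required: false
    default: 'false'

runs:
  using: composite
  steps:
    - name: Set Terminus cache directory so we don't have to guess
      if: inputs.ddev != 'true'
      working-directory: ${{ runner.temp }}
      run: |
        # Set Terminus cache directory so we don't have to guess. $HOME is
        # used instead of '~' because tilde expansion does not happen inside
        # a double-quoted default.
        echo "TERMINUS_CACHE_DIR=${TERMINUS_CACHE_DIR:-$HOME/.terminus/cache}" >> "$GITHUB_ENV"
        # Also, install Terminus if missing. The previous `a || b && c` chain
        # was grouped by bash as `(a || b) && c`, so the installer ran even
        # when terminus was already present; an explicit if-block fixes that.
        # curl -f makes an HTTP error fail the step instead of saving an
        # error page as installer.phar, and installer output is no longer
        # discarded so failures can be diagnosed from the log.
        # NOTE(review): the installer is fetched from the installer repo's
        # master branch and executed without any checksum or signature
        # verification; pin a release and verify it before running.
        if ! hash terminus 2> /dev/null; then
          curl -fsSL -O https://raw.githubusercontent.com/pantheon-systems/terminus-installer/master/builds/installer.phar
          php installer.phar install
        fi
      shell: bash

    - name: Set some environment variables when using DDEV
      if: inputs.ddev == 'true'
      run: |
        # Helper variable to optionally execute commands inside DDEV; it is
        # empty on the host, so later steps expand `$exec cmd` to just `cmd`.
        echo "exec=ddev exec" >> "$GITHUB_ENV"
        # Pull DDEV's Terminus cache directory setting into a local variable.
        # The default is single-quoted so the container's shell expands the
        # tilde, not the host's.
        echo -n "TERMINUS_CACHE_DIR=" >> "$GITHUB_ENV"
        ddev exec 'echo ${TERMINUS_CACHE_DIR:-~/.terminus/cache}' >> "$GITHUB_ENV"
      shell: bash

    - name: Ensure Terminus cache directory exists
      run: |
        # Ensure Terminus cache directory exists. $exec is deliberately left
        # unquoted so the empty (host) case expands to nothing.
        $exec mkdir -p "$TERMINUS_CACHE_DIR"
      shell: bash

    - name: Set a cache path, key, and restore-key
      id: cache
      env:
        # Passed through the environment rather than interpolated into the
        # script with ${{ }}, so the secret never becomes part of the script
        # text and cannot alter what the shell parses.
        PANTHEON_MACHINE_TOKEN: ${{ inputs.pantheon-machine-token }}
      run: |
        # Set cache path, key, and restore-key.
        echo "path=${{ runner.temp }}/terminus-session.gpg" >> "$GITHUB_OUTPUT"
        # Cache keys are visible in the Actions UI/API, so only a truncated
        # hash of the token is used; this is fine for a high-entropy machine
        # token but would not be for a low-entropy value. The trailing newline
        # from printf keeps the hash identical to the previous
        # `echo $token | sha256sum` (for tokens without whitespace), so
        # existing cache entries stay reachable.
        machine_token_hash=$(printf '%s\n' "$PANTHEON_MACHINE_TOKEN" | sha256sum | head -c 40)
        restore_key="terminus-session-$machine_token_hash"
        echo "restore-key=$restore_key-" >> "$GITHUB_OUTPUT"
        # Use the GitHub Actions "run id" to uniqify the cache key so that we
        # can force initiating a new session when requested via action input
        # (GitHub Actions caches are immutable and can't be updated for a given
        # key).
        # @see https://github.com/actions/cache/blob/main/tips-and-workarounds.md#update-a-cache
        echo "key=$restore_key-${{ github.run_id }}" >> "$GITHUB_OUTPUT"
      shell: bash

    - name: Restore encrypted terminus session file from GitHub Actions cache
      id: restore-cache
      if: inputs.force-new-session != 'true'
      uses: actions/cache/restore@v4
      with:
        path: ${{ steps.cache.outputs.path }}
        key: ${{ steps.cache.outputs.key }}
        restore-keys: ${{ steps.cache.outputs.restore-key }}
        enableCrossOsArchive: true

    - name: Decrypt cached session file and move into Terminus cache directory
      id: decrypt
      # Runs after a restore attempt; the restore step itself reports success
      # even on a cache miss, which is why the file is checked below.
      if: steps.restore-cache.outcome == 'success'
      env:
        PANTHEON_MACHINE_TOKEN: ${{ inputs.pantheon-machine-token }}
      run: |
        # Verify that the encrypted session file was restored from cache.
        test -s "${{ steps.cache.outputs.path }}"
        # Decrypt with the passphrase on stdin (--passphrase-fd 0) instead of
        # --passphrase, so the machine token never appears in the process
        # list. --passphrase-fd requires the descriptor number, which was
        # missing before, and the option is --pinentry-mode (as in the
        # encrypt step), not --pinentry.
        printf '%s\n' "$PANTHEON_MACHINE_TOKEN" | \
          gpg2 --passphrase-fd 0 \
            --batch \
            --yes \
            --pinentry-mode loopback \
            --output terminus-session-temp \
            --decrypt "${{ steps.cache.outputs.path }}"
        # Move the session file into place, to support DDEV.
        $exec mv terminus-session-temp "$TERMINUS_CACHE_DIR/session"
        # Check if the restored session is still valid (normally lasts 24
        # hours). Any failure here makes the step's outcome 'failure', which
        # triggers the new-session step.
        $exec terminus auth:whoami | grep -v "You are not logged in"
      continue-on-error: true
      shell: bash

    - name: >-
        Initiate a new Terminus session if the old one was not valid or a new
        session was requested, and encrypt new session file into GitHub Actions
        cache path
      id: encrypt
      if: steps.decrypt.outcome != 'success'
      env:
        PANTHEON_MACHINE_TOKEN: ${{ inputs.pantheon-machine-token }}
      run: |
        # Remove the plaintext working copy of the session even if a later
        # command fails, so it never lingers in the workspace.
        trap 'rm -f terminus-session-temp' EXIT
        # Initiate a new Terminus session because the old one was missing or
        # expired. The token is still passed as a command argument here, as
        # before.
        $exec terminus auth:login --machine-token "$PANTHEON_MACHINE_TOKEN"
        # Copy the session file to a mounted folder (in case of DDEV).
        $exec cp "$TERMINUS_CACHE_DIR/session" terminus-session-temp
        # Encrypt with the passphrase on stdin (--passphrase-fd 0) instead of
        # --passphrase, so the machine token never appears in the process
        # list during encryption.
        printf '%s\n' "$PANTHEON_MACHINE_TOKEN" | \
          gpg2 --passphrase-fd 0 \
            --batch \
            --yes \
            --pinentry-mode loopback \
            --output "${{ steps.cache.outputs.path }}" \
            --symmetric terminus-session-temp
      shell: bash

    - name: Save encrypted Terminus session file into GitHub Actions cache
      if: steps.encrypt.outcome == 'success'
      uses: actions/cache/save@v4
      with:
        path: ${{ steps.cache.outputs.path }}
        key: ${{ steps.cache.outputs.key }}
        enableCrossOsArchive: true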