feat: automate user permissions in openshift #8
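---
# Nightly sync of OpenShift namespace RBAC from GitHub team membership.
#
# Flow: check out the repo, install `oc`, exchange a long-lived service-account
# token (repo secret) for a 10-minute token via the TokenRequest API, log in,
# then run lib/oc_add_gh_team_to_nsp.sh to grant `admin` to members of the
# GH admins team across the configured project prefixes.
#
# Secrets are passed to `run:` steps through `env:` rather than interpolated
# with `${{ }}` into the script text, so they never become part of the shell
# source that is evaluated (and cannot break quoting if a value contains
# shell metacharacters).
name: Scheduled Workflow
on:  # yamllint disable-line rule:truthy
  schedule:
    - cron: "0 0 * * *"
  # NOTE(review): while this trigger is present, a same-repo PR runs
  # lib/oc_add_gh_team_to_nsp.sh *from the PR head* with the OpenShift
  # service-account credentials, i.e. any branch push can execute arbitrary
  # code against the cluster. Remove it once the test is done.
  pull_request:  # TODO remove PR trigger after successful test
    branches:
      - master
  workflow_dispatch:
    inputs:
      # NOTE(review): workflow_dispatch inputs are stored on the run and are
      # not secret-masked by default; prefer a repo/environment secret for
      # tokens. The Authorize step masks this value in its own log output.
      token:
        description: 'Github Token to override default'
        required: false
        type: string
# Least privilege for the job's GITHUB_TOKEN: only the checkout needs it.
# The GitHub API calls use the GH_TOKEN secret, not GITHUB_TOKEN.
permissions:
  contents: read
jobs:
  add-remove-users-from-openshift:
    name: Add/Remove Users from OpenShift Based On Github Team Membership
    runs-on: ubuntu-24.04
    steps:
      # TODO(review): pin both actions to a full commit SHA instead of a
      # mutable major tag so a moved tag cannot change what runs with
      # cluster credentials.
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Install CLI tools from OpenShift Mirror
        uses: redhat-actions/openshift-tools-installer@v1
        with:
          oc: "4"
      - name: Login to OpenShift
        shell: bash
        env:
          OC_SERVER: ${{ secrets.oc_server }}
          OC_NAMESPACE: ${{ secrets.oc_namespace }}
          # Long-lived token of the `pipeline` service account; only ever
          # used to mint the short-lived token below.
          OC_SA_TOKEN: ${{ secrets.oc_token }}
        run: |
          set -euo pipefail
          # Mint a 600-second token for the `pipeline` service account via the
          # TokenRequest subresource. TLS verification is intentionally left
          # on: `oc login` below already verifies the server certificate, so
          # sending the long-lived bearer token over an unverified connection
          # (`curl -k`) only weakened the exchange without buying anything.
          # If the API server uses a private CA, pass it with `--cacert`.
          # `--fail-with-body` + pipefail make an HTTP error fail the step
          # instead of quietly yielding a null token.
          OC_TEMP_TOKEN=$(curl --silent --show-error --fail-with-body -X POST \
            "${OC_SERVER}/api/v1/namespaces/${OC_NAMESPACE}/serviceaccounts/pipeline/token" \
            --header "Authorization: Bearer ${OC_SA_TOKEN}" \
            -H 'Content-Type: application/json; charset=utf-8' \
            -d '{"spec": {"expirationSeconds": 600}}' \
            | jq -r '.status.token // empty')
          if [ -z "${OC_TEMP_TOKEN}" ]; then
            echo "::error::TokenRequest succeeded but returned no .status.token"
            exit 1
          fi
          # Never log the minted token, even though it is short-lived.
          echo "::add-mask::${OC_TEMP_TOKEN}"
          oc login --token="${OC_TEMP_TOKEN}" --server="${OC_SERVER}"
      - name: Create Env File And Execute Make Authorize
        shell: bash
        env:
          GH_TOKEN_DEFAULT: ${{ secrets.GH_TOKEN }}
          # Empty for schedule/pull_request runs; only workflow_dispatch sets it.
          GH_TOKEN_OVERRIDE: ${{ inputs.token }}
          GH_ADMINS_TEAM: ${{ secrets.GH_ADMINS_TEAM }}
          OC_PROJECT_PREFIXES: ${{ secrets.OC_PROJECT_PREFIXES }}
        run: |
          set -euo pipefail
          # Use the workflow_dispatch token when supplied, else the repo secret
          # (this is what the original "check if input token is there" comment
          # described but did not implement). A dispatch input is not masked
          # automatically, so mask it before anything can echo it.
          if [ -n "${GH_TOKEN_OVERRIDE}" ]; then
            echo "::add-mask::${GH_TOKEN_OVERRIDE}"
            TOKEN="${GH_TOKEN_OVERRIDE}"
          else
            TOKEN="${GH_TOKEN_DEFAULT}"
          fi
          if [ -z "${TOKEN}" ]; then
            echo "::error::No GitHub token available (GH_TOKEN secret unset and no dispatch override)"
            exit 1
          fi
          # OC_PROJECT_PREFIXES is deliberately left unquoted, as in the original
          # invocation: the script may rely on word-splitting a space-separated
          # list into several -pp values — confirm against the script before
          # quoting it.
          # shellcheck disable=SC2086
          ./lib/oc_add_gh_team_to_nsp.sh --token "${TOKEN}" -t "${GH_ADMINS_TEAM}" -pp ${OC_PROJECT_PREFIXES} -r admin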