Use GITHUB_ENV for OIDC_TOKEN (#63)

* use GITHUB_ENV for OIDC_TOKEN * remove empty env: line * ./mytoken instead of mytoken * add MYTOKEN to env * solving SHELL_SHFMT issue * shellcheck disable=SC2153 * solving SHELL_SHFMT issue
EGI-Federation · Sep 19, 2024 · 3ba5fba · 3ba5fba
1 parent a055d4f
commit 3ba5fba
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 27 deletions.
diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
@@ -24,6 +24,8 @@ jobs:
         with:
           python-version: 3.x
       - name: Install environment
+        env:
+          MYTOKEN: ${{ secrets.MYTOKEN }}
         run: |
           curl -L https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 > jq
           chmod +x jq
@@ -36,9 +38,11 @@ jobs:
             > ~/.mytoken/config.yaml
           # add PWD to the PATH
           echo "$PWD" >> "$GITHUB_PATH"
+          # add OIDC access token to ENV
+          OIDC_TOKEN=$(./mytoken AT --MT-env MYTOKEN)
+          echo "::add-mask::$OIDC_TOKEN"
+          echo "OIDC_TOKEN=$OIDC_TOKEN" >> "$GITHUB_ENV"
       - name: Configure providers access
-        env:
-          MYTOKEN: ${{ secrets.MYTOKEN }}
         run: |
           cd deployment
           ./site-config.sh
@@ -113,8 +117,6 @@ jobs:
       - name: Configure with ansible
         if: github.ref == 'refs/heads/main' && github.event_name == 'push'
         uses: dawidd6/action-ansible-playbook@v2
-        env:
-          MYTOKEN: ${{ secrets.MYTOKEN }}
         with:
           playbook: playbook.yaml
           directory: ./deployment
@@ -124,7 +126,7 @@ jobs:
             ${{ steps.public_ip.outputs.stdout }}
           requirements: galaxy-requirements.yaml
           options: |
-            --extra-vars ACCESS_TOKEN="$(mytoken AT --MT-env MYTOKEN)"
+            --extra-vars ACCESS_TOKEN=${{ env.OIDC_TOKEN }}
             --extra-vars git_ref=${{ github.sha }}
             --ssh-common-args="-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
             -u egi
diff --git a/deployment/site-config.sh b/deployment/site-config.sh
@@ -6,18 +6,18 @@ set -e
 # Reads from config.yaml the clouds to use
 
 dump_config() {
-    # dumps a piece of yaml ready to be included in the
-    # clouds.yaml Openstack client config
-    cloud_name="$1"
-    site="$2"
-    vo="$3"
-    oidc_token="$4"
-    token="$(fedcloud openstack token issue \
-                      --oidc-access-token "$oidc_token" \
-                      --site "$site" --vo "$vo" -j \
-                      | jq -r '.[0].Result.id')"
-    eval "$(fedcloud site show-project-id --site "$site" --vo "$vo")"
-    cat << EOF
+	# dumps a piece of yaml ready to be included in the
+	# clouds.yaml Openstack client config
+	cloud_name="$1"
+	site="$2"
+	vo="$3"
+	oidc_token="$4"
+	token="$(fedcloud openstack token issue \
+		--oidc-access-token "$oidc_token" \
+		--site "$site" --vo "$vo" -j |
+		jq -r '.[0].Result.id')"
+	eval "$(fedcloud site show-project-id --site "$site" --vo "$vo")"
+	cat <<EOF
   $cloud_name:
     auth_type: token
     auth:
@@ -27,21 +27,21 @@ dump_config() {
 EOF
 }
 
-OIDC_TOKEN=$(mytoken AT --MT-env MYTOKEN)
-
-echo "::add-mask::$OIDC_TOKEN"
+# using OIDC_TOKEN generated in .github/workflows/deploy.yaml
 
 rm -f clouds.yaml
-echo "clouds:" > tmp-clouds.yaml
+echo "clouds:" >tmp-clouds.yaml
+
+# shellcheck disable=SC2153
 dump_config backend \
-            "$(yq -r .clouds.backend.site config.yaml)" \
-            "$(yq -r .clouds.backend.vo config.yaml)" \
-            "$OIDC_TOKEN" >> tmp-clouds.yaml
+	"$(yq -r .clouds.backend.site config.yaml)" \
+	"$(yq -r .clouds.backend.vo config.yaml)" \
+	"$OIDC_TOKEN" >>tmp-clouds.yaml
 
 dump_config deploy \
-            "$(yq -r .clouds.deploy.site config.yaml)" \
-            "$(yq -r .clouds.deploy.vo config.yaml)" \
-            "$OIDC_TOKEN" >> tmp-clouds.yaml
+	"$(yq -r .clouds.deploy.site config.yaml)" \
+	"$(yq -r .clouds.deploy.vo config.yaml)" \
+	"$OIDC_TOKEN" >>tmp-clouds.yaml
 
 mv tmp-clouds.yaml clouds.yaml
 mkdir -p ~/.config/openstack