-
Notifications
You must be signed in to change notification settings - Fork 116
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Secrets refactoring #650
Merged
Merged
Secrets refactoring #650
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
mazhelez
reviewed
Aug 9, 2023
Actions/DownloadProjectDependencies/DownloadProjectDependencies.Action.ps1
Outdated
Show resolved
Hide resolved
Co-authored-by: Maria Zhelezova <43066499+mazhelez@users.noreply.github.com>
…into OnlyNeededSecrets
End 2 End test with includeDependencies
aholstrup1
reviewed
Aug 9, 2023
mazhelez
approved these changes
Aug 9, 2023
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There're still some low-hanging issues.
Actions/DownloadProjectDependencies/DownloadProjectDependencies.Action.ps1
Outdated
Show resolved
Hide resolved
Co-authored-by: Maria Zhelezova <43066499+mazhelez@users.noreply.github.com>
Co-authored-by: Maria Zhelezova <43066499+mazhelez@users.noreply.github.com>
Co-authored-by: Maria Zhelezova <43066499+mazhelez@users.noreply.github.com>
Co-authored-by: Maria Zhelezova <43066499+mazhelez@users.noreply.github.com>
Co-authored-by: Maria Zhelezova <43066499+mazhelez@users.noreply.github.com>
mazhelez
approved these changes
Aug 9, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
With this PR, secrets are refactored kind of what Settings were in #640
Additionally a few bug-fixes were found and included.
ReadSecrets will create an environment variable called Secrets, which contains all requested secrets encoded with base64.
Secrets are no longer created as individual secrets.
All Secrets requested during the call to ReadSecrets will be available in $env:Secrets - empty if the secret doesn't exist.
Part of this refactoring was also to ensure that ReadSecrets and DetermineArtifactUrl didn't have to rewrite the settings environment variable.
ReadSecrets will now determine which secrets are used by AppDependencyProbingPaths and include those in $env:Secrets - and then DownloadProjectDependencies will use the value of the secret to download the dependencies.
ReadSettings in CI/CD will ask for the value of the artifact setting to be read.
DetermineArtifactUrl will now (based on this) determine the artifactUrl and set the environment variable to the "final" value.
RunPipeline will now take artifact as a parameter and use env:artifact as the value.
Additional refactoring, which will be done in separate PRs:
Bugs found during this refactoring:
Unify try/catch for actions
All Actions now have a code snippet in action.yaml, which sets errorpreference and uses try/catch to give good error messages with stack trace. try/catches inside the action.ps1 is only used for telemetry reasons.
DownloadProjectDependencies didn't work for appDependencyProbingPaths
The Download function didn't analyze the settings and used appDependencyProbingPaths as a json structure, which it wasn't. It was always failing, but silently due to a missing multiline symbol in run: in the action.yaml. It might still have worked as RunPipeline itself also was also analyzing appDependencyProbingPaths
Deploy and Deliver didn't work properly after the settings refactoring
After the Settings refactoring, where settings are no longer available as environment variables, Deploy and Deliver was using [System.Environment]::GetEnvironmentVariable to check for settings and secrets - this obviously doesn't work if settings and secrets are no longer individual environment variables.
RunPipeline was requesting wrong secrets
RunPipeline was asking for the StorageContext secret, which it didn't use - instead it needed applicationInsightsConnectionString, which it didn't get. With the new mechanism, we just use secrets.applicationInsightsConnectionString - and if that property is set, we know that we requested the secret.
CalculateArtifactNames were emitting both OUTPUT variables and ENV variables
And in the BuildALGoProject yaml file - some were used as output and some as ENV.
Now only OUTPUT variables are emitted and used all over.
BTW buildMode is output, but it seems like it is never used???
ReadSecrets was called with ghTokenWorkflow=${{ env.GHTOKENWORKFLOWSECRETNAME }}
In multiple places, ReadSecrets was called with ghTokenWorkflow=${{ env.GHTOKENWORKFLOWSECRETNAME }}. The problem is, that the mapping to another secret is done inside ReadSecrets and shouldn't be part of the call. The caller should just ask for GhTokenWorkflow secret and then he should get that secret set from Secrets or Azure KeyVault with whatever name it is mapped to.