gradle/actions
1
0
Fork 0
mirror of https://github.com/gradle/actions synced 2024-11-27 11:52:24 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Set both DEVELOCITY_ACCESS_KEY and GRADLE_ENTERPRISE_ACCESS_KEY env vars (#225)

Browse source 
Follow up of https://github.com/gradle/actions/pull/224, we now attempt to set both old and new access key env variables to a short lived token.
If a short-lived token cannot be obtained, then:
- DEVELOCITY_ACCESS_KEY is set to an empty string, preventing this from being used.
- GRADLE_ENTERPRISE_ACCESS_KEY is left intact, with a deprecation warning being issued.
This commit is contained in:
Alexis Tual 2024-05-17 23:07:50 +02:00 committed by GitHub
parent db270b9337
commit 96b9cb4988
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
5 changed files with 61 additions and 19 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
.github/workflows/integ-test-inject-develocity.yml vendored
View file

@ -67,21 +67,23 @@ jobs:
with: with:
script: | script: |
core.setFailed('No Build Scan detected') core.setFailed('No Build Scan detected')
- name: Check short lived token - name: Check short lived token (DEVELOCITY_ACCESS_KEY)
if: ${{ matrix.plugin-version == '3.17.3' }}
run: "[ ${#DEVELOCITY_ACCESS_KEY} -gt 500 ] || (echo 'DEVELOCITY_ACCESS_KEY does not look like a short lived token'; exit 1)" run: "[ ${#DEVELOCITY_ACCESS_KEY} -gt 500 ] || (echo 'DEVELOCITY_ACCESS_KEY does not look like a short lived token'; exit 1)"
- name: Check short lived token (GRADLE_ENTERPRISE_ACCESS_KEY)
run: "[ ${#GRADLE_ENTERPRISE_ACCESS_KEY} -gt 500 ] || (echo 'GRADLE_ENTERPRISE_ACCESS_KEY does not look like a short lived token'; exit 1)"
inject-develocity-with-access-key: inject-develocity-with-access-key:
env: env:
DEVELOCITY_INJECTION_ENABLED: true DEVELOCITY_INJECTION_ENABLED: true
DEVELOCITY_URL: 'https://ge.solutions-team.gradle.com' DEVELOCITY_URL: 'https://ge.solutions-team.gradle.com'
DEVELOCITY_PLUGIN_VERSION: 3.17.3 DEVELOCITY_PLUGIN_VERSION: ${{ matrix.plugin-version }}
DEVELOCITY_CCUD_PLUGIN_VERSION: '2.0' DEVELOCITY_CCUD_PLUGIN_VERSION: '2.0'
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:
gradle: [current, 7.6.2, 6.9.4, 5.6.4] gradle: [current, 7.6.2, 6.9.4, 5.6.4]
os: ${{fromJSON(inputs.runner-os)}} os: ${{fromJSON(inputs.runner-os)}}
plugin-version: [3.16.2, 3.17.3]
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:
- name: Checkout sources - name: Checkout sources
@ -105,8 +107,10 @@ jobs:
id: gradle id: gradle
working-directory: .github/workflow-samples/no-ge working-directory: .github/workflow-samples/no-ge
run: gradle help run: gradle help
- name: Check short lived token - name: Check short lived token (DEVELOCITY_ACCESS_KEY)
run: "[ ${#DEVELOCITY_ACCESS_KEY} -gt 500 ] || (echo 'DEVELOCITY_ACCESS_KEY does not look like a short lived token'; exit 1)" run: "[ ${#DEVELOCITY_ACCESS_KEY} -gt 500 ] || (echo 'DEVELOCITY_ACCESS_KEY does not look like a short lived token'; exit 1)"
- name: Check short lived token (GRADLE_ENTERPRISE_ACCESS_KEY)
run: "[ ${#GRADLE_ENTERPRISE_ACCESS_KEY} -gt 500 ] || (echo 'GRADLE_ENTERPRISE_ACCESS_KEY does not look like a short lived token'; exit 1)"
- name: Check Build Scan url - name: Check Build Scan url
if: ${{ !steps.gradle.outputs.build-scan-url }} if: ${{ !steps.gradle.outputs.build-scan-url }}
uses: actions/github-script@v7 uses: actions/github-script@v7
@ -118,10 +122,17 @@ jobs:
env: env:
DEVELOCITY_INJECTION_ENABLED: true DEVELOCITY_INJECTION_ENABLED: true
DEVELOCITY_URL: 'https://localhost:3333/' DEVELOCITY_URL: 'https://localhost:3333/'
DEVELOCITY_PLUGIN_VERSION: 3.17.3 DEVELOCITY_PLUGIN_VERSION: ${{ matrix.plugin-version }}
DEVELOCITY_CCUD_PLUGIN_VERSION: '2.0' DEVELOCITY_CCUD_PLUGIN_VERSION: '2.0'
# Access key also set as an env var, we want to check it does not leak # Access key also set as an env var, we want to check it does not leak
GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }} DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
strategy:
fail-fast: false
matrix:
gradle: [ current, 7.6.2, 6.9.4, 5.6.4 ]
os: ${{fromJSON(inputs.runner-os)}}
plugin-version: [ 3.16.2, 3.17.3 ]
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout sources - name: Checkout sources
@ -144,5 +155,7 @@ jobs:
id: gradle id: gradle
working-directory: .github/workflow-samples/no-ge working-directory: .github/workflow-samples/no-ge
run: gradle help run: gradle help
- name: Check access key is blank - name: Check access key is blank (DEVELOCITY_ACCESS_KEY)
run: "[ \"${DEVELOCITY_ACCESS_KEY}\" == \"\" ] || (echo 'DEVELOCITY_ACCESS_KEY has leaked!'; exit 1)" run: "[ \"${DEVELOCITY_ACCESS_KEY}\" == \"\" ] || (echo 'DEVELOCITY_ACCESS_KEY has leaked!'; exit 1)"
- name: Check access key is not blank (GRADLE_ENTERPRISE_ACCESS_KEY)
run: "[ \"${GRADLE_ENTERPRISE_ACCESS_KEY}\" != \"\" ] || (echo 'GRADLE_ENTERPRISE_ACCESS_KEY is still supported in v3!'; exit 1)"

15
docs/deprecation-upgrade-guide.md
View file

@ -1,9 +1,9 @@
# Deprecation upgrade guide # Deprecation upgrade guide
As these actions evolve, certain inputs, behaviour and usages are deprecated for removal. As these actions evolve, certain inputs, behaviour and usages are deprecated for removal.
Deprecated functionality will be fully supported during the current major release, and will be Deprecated functionality will be fully supported during the current major release, and will be
removed in the next major release. removed in the next major release.
Users will receive a deprecation warning when they rely on deprecated functionality, Users will receive a deprecation warning when they rely on deprecated functionality,
prompting them to update their workflows. prompting them to update their workflows.
## The action `gradle/gradle-build-action` has been replaced by `gradle/actions/setup-gradle` ## The action `gradle/gradle-build-action` has been replaced by `gradle/actions/setup-gradle`
@ -25,10 +25,10 @@ with
## The action `gradle/wrapper-validation-action` has been replaced by `gradle/actions/wrapper-validation` ## The action `gradle/wrapper-validation-action` has been replaced by `gradle/actions/wrapper-validation`
To facilitate ongoing development, the `wrapper-validation-action` action implementation has been merged into To facilitate ongoing development, the `wrapper-validation-action` action implementation has been merged into
the https://github.com/gradle/actions repository, and the `gradle/wrapper-validation-action` has been replaced by the `gradle/actions/wrapper-validation` action. the https://github.com/gradle/actions repository, and the `gradle/wrapper-validation-action` has been replaced by the `gradle/actions/wrapper-validation` action.
As of `v3.x`, the `gradle/wrapper-validation-action` and `gradle/actions/wrappper-validation` actions are As of `v3.x`, the `gradle/wrapper-validation-action` and `gradle/actions/wrappper-validation` actions are
functionally identical, and are released with the same versions. functionally identical, and are released with the same versions.
In a future major version (likely `v4.x`) we will stop releasing new versions of `gradle/wrapper-validation-action`: In a future major version (likely `v4.x`) we will stop releasing new versions of `gradle/wrapper-validation-action`:
@ -143,3 +143,8 @@ to this:
build-scan-terms-of-use-agree: "yes" build-scan-terms-of-use-agree: "yes"
``` ```
These deprecated build-scan parameters are scheduled to be removed in `setup-gradle@v4` and `dependency-submission@v4`. These deprecated build-scan parameters are scheduled to be removed in `setup-gradle@v4` and `dependency-submission@v4`.
## The GRADLE_ENTERPRISE_ACCESS_KEY env var is deprecated
Gradle Enterprise has been renamed to Develocity starting from Gradle plugin 3.17 and Develocity server 2024.1.
In v4 release of the action, it will require setting the access key with the `develocity-access-key` input and Develocity 2024.1 at least to generate short-lived tokens.
If those requirements are not met, the `GRADLE_ENTERPRISE_ACCESS_KEY` env var will be cleared out and build scan publication or other authenticated Develocity operations won't be possible.

5
docs/setup-gradle.md
View file

@ -747,8 +747,9 @@ This access key will be used during the action execution to get a short-lived to
### Short-lived access tokens ### Short-lived access tokens
Develocity access keys are long-lived, creating risks if they are leaked. To avoid this, users can use short-lived access tokens to authenticate with Develocity. Access tokens can be used wherever an access key would be used. Access tokens are only valid for the Develocity instance that created them. Develocity access keys are long-lived, creating risks if they are leaked. To avoid this, users can use short-lived access tokens to authenticate with Develocity. Access tokens can be used wherever an access key would be used. Access tokens are only valid for the Develocity instance that created them.
If a short-lived token fails to be retrieved (for example, if the Develocity server version is lower than `2024.1`), no access key will be set. If a short-lived token fails to be retrieved (for example, if the Develocity server version is lower than `2024.1`):
In that case, Develocity authenticated operations like build cache read/write and build scan publication will fail without failing the build. - if a `GRADLE_ENTERPRISE_ACCESS_KEY` env var has been set, we're falling back to it with a deprecation warning
- otherwise no access key env var will be set. In that case Develocity authenticated operations like build cache read/write and build scan publication will fail without failing the build.
For more information on short-lived tokens, see [Develocity API documentation](https://docs.gradle.com/develocity/api-manual/#short_lived_access_tokens). For more information on short-lived tokens, see [Develocity API documentation](https://docs.gradle.com/develocity/api-manual/#short_lived_access_tokens).
## Configuring Develocity injection ## Configuring Develocity injection

10
sources/src/configuration.ts
View file

@ -188,6 +188,9 @@ export enum JobSummaryOption {
} }
export class BuildScanConfig { export class BuildScanConfig {
static DevelocityAccessKeyEnvVar = 'DEVELOCITY_ACCESS_KEY'
static GradleEnterpriseAccessKeyEnvVar = 'GRADLE_ENTERPRISE_ACCESS_KEY'
getBuildScanPublishEnabled(): boolean { getBuildScanPublishEnabled(): boolean {
return getBooleanInput('build-scan-publish') && this.verifyTermsOfUseAgreement() return getBooleanInput('build-scan-publish') && this.verifyTermsOfUseAgreement()
} }
@ -201,7 +204,12 @@ export class BuildScanConfig {
} }
getDevelocityAccessKey(): string { getDevelocityAccessKey(): string {
return core.getInput('develocity-access-key') || process.env['DEVELOCITY_ACCESS_KEY'] || '' return (
core.getInput('develocity-access-key') ||
process.env[BuildScanConfig.DevelocityAccessKeyEnvVar] ||
process.env[BuildScanConfig.GradleEnterpriseAccessKeyEnvVar] ||
''
)
} }
getDevelocityTokenExpiry(): string { getDevelocityTokenExpiry(): string {

25
sources/src/develocity/short-lived-token.ts
View file

@ -1,5 +1,7 @@
import * as httpm from 'typed-rest-client/HttpClient' import * as httpm from 'typed-rest-client/HttpClient'
import * as core from '@actions/core' import * as core from '@actions/core'
import {BuildScanConfig} from '../configuration'
import {recordDeprecation} from '../deprecation-collector'
export async function setupToken( export async function setupToken(
develocityAccessKey: string, develocityAccessKey: string,
@ -7,27 +9,40 @@ export async function setupToken(
enforceUrl: string | undefined, enforceUrl: string | undefined,
develocityUrl: string | undefined develocityUrl: string | undefined
): Promise<void> { ): Promise<void> {
const develocityAccesskeyEnvVar = 'DEVELOCITY_ACCESS_KEY'
if (develocityAccessKey) { if (develocityAccessKey) {
try { try {
core.debug('Fetching short-lived token...') core.debug('Fetching short-lived token...')
const tokens = await getToken(enforceUrl, develocityUrl, develocityAccessKey, develocityTokenExpiry) const tokens = await getToken(enforceUrl, develocityUrl, develocityAccessKey, develocityTokenExpiry)
if (tokens != null && !tokens.isEmpty()) { if (tokens != null && !tokens.isEmpty()) {
core.debug(`Got token(s), setting the ${develocityAccesskeyEnvVar} env var`) core.debug(`Got token(s), setting the access key env vars`)
const token = tokens.raw() const token = tokens.raw()
core.setSecret(token) core.setSecret(token)
core.exportVariable(develocityAccesskeyEnvVar, token) exportAccessKeyEnvVars(token)
} else { } else {
// In case of not being able to generate a token we set the env variable to empty to avoid leaks // In case of not being able to generate a token we set the env variable to empty to avoid leaks
core.exportVariable(develocityAccesskeyEnvVar, '') clearAccessKeyEnvVarsWithDeprecationWarning()
} }
} catch (e) { } catch (e) {
core.exportVariable(develocityAccesskeyEnvVar, '') clearAccessKeyEnvVarsWithDeprecationWarning()
core.warning(`Failed to fetch short-lived token, reason: ${e}`) core.warning(`Failed to fetch short-lived token, reason: ${e}`)
} }
} }
} }
function exportAccessKeyEnvVars(value: string): void {
;[BuildScanConfig.DevelocityAccessKeyEnvVar, BuildScanConfig.GradleEnterpriseAccessKeyEnvVar].forEach(key =>
core.exportVariable(key, value)
)
}
function clearAccessKeyEnvVarsWithDeprecationWarning(): void {
if (process.env[BuildScanConfig.GradleEnterpriseAccessKeyEnvVar]) {
// We do not clear the GRADLE_ENTERPRISE_ACCESS_KEY env var in v3, to let the users upgrade to DV 2024.1
recordDeprecation(`The ${BuildScanConfig.GradleEnterpriseAccessKeyEnvVar} env var is deprecated`)
}
core.exportVariable(BuildScanConfig.DevelocityAccessKeyEnvVar, '')
}
export async function getToken( export async function getToken(
enforceUrl: string | undefined, enforceUrl: string | undefined,
serverUrl: string | undefined, serverUrl: string | undefined,