From fee85c3fb1243b301f5f28ecab791bafa10271c5 Mon Sep 17 00:00:00 2001
From: Jan Calanog
Date: Fri, 13 Sep 2024 15:48:32 +0200
Subject: [PATCH 1/7] ci: setup OIDC in release.yml
---
 .github/workflows/release.yml | 20 +++++---------------
 1 file changed, 5 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b1cb7c698..6987c891b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -16,7 +16,8 @@ permissions:
 env:
 ELASTIC_CDN_BUCKET_NAME: ${{ inputs.dry-run == false && 'apm-rum-357700bc' || 'oblt-apm-agent-rum-js-ci' }}
- ELASTIC_CDN_CREDENTIALS: ${{ inputs.dry-run == false && 'secret/gce/elastic-cdn/service-account/apm-rum-admin' || 'secret/observability-team/ci/service-account/apm-agent-rum-js' }}
+ ELASTIC_CDN_PROJECT_ID: ${{ inputs.dry-run == false && 'elastic-cdn-4ae000ab' || 'elastic-observability-ci' }}
+ ELASTIC_CDN_PROJECT_NUMBER: ${{ inputs.dry-run == false && '382950469386' || '911195782929' }}
 SLACK_BUILD_MESSAGE: "Build: (<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|here>)"
 jobs:
@@ -61,21 +62,10 @@ jobs:
 echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > .npmrc
 npm run ci:release
- - name: Read GCE vault secrets
- uses: hashicorp/vault-action@v3.0.0
+ - uses: elastic/oblt-actions/google/auth@v1
 with:
- method: approle
- url: ${{ secrets.VAULT_ADDR }}
- roleId: ${{ secrets.VAULT_ROLE_ID }}
- secretId: ${{ secrets.VAULT_SECRET_ID }}
- secrets: |
- ${{ env.ELASTIC_CDN_CREDENTIALS }} value | GOOGLE_CREDENTIALS ;
-
- - name: 'Authenticate to Google Cloud'
- uses: 'google-github-actions/auth@v2'
- with:
- credentials_json: '${{ env.GOOGLE_CREDENTIALS }}'
- create_credentials_file: true
+ project-id: ${{ env.ELASTIC_CDN_PROJECT_ID }}
+ project-number: ${{ env.ELASTIC_CDN_PROJECT_NUMBER }}
 - id: prepare-release
 name: 'Prepare CDN release'
From 3bd6487fdfcb6f642820d17ae64a74e754d56c8b Mon Sep 17 00:00:00 2001
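Review bot: The new `ELASTIC_CDN_PROJECT_ID` and `ELASTIC_CDN_PROJECT_NUMBER` lines pick the production project whenever `inputs.dry-run == false` holds, and under GitHub's documented loose comparison an absent input (null) is coerced to 0 and therefore also compares equal to `false`, so a run in which `dry-run` is not supplied resolves to production rather than to the CI project. The `on:` block that declares the input lies outside this hunk, so it cannot be seen here whether a default guards this; if the `workflow_dispatch` input is declared with `default: true`, a comment on the `env:` block such as `# dry-run absent (null) compares equal to false here, so production is the default` would record the reliance on that default. If it is not, making the input default to `true` so production is reached only by explicit opt-out is the fail-closed shape. The same selector is inherited by the pre-existing `ELASTIC_CDN_BUCKET_NAME` line, so whatever is decided applies to all three.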
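Review bot: `elastic/oblt-actions/google/auth@v1` is referenced by a floating major tag, and after this hunk that step is the sole source of the Google Cloud credentials the release job uses, so whatever the tag points to at run time executes with the job's OIDC token and the resulting cloud identity; pinning to a full commit SHA with the tag recorded in a trailing comment, `- uses: elastic/oblt-actions/google/auth@<commit-sha>  # v1`, removes the dependence on the tag's future contents. The removed `hashicorp/vault-action@v3.0.0` was pinned to an exact version tag, so the change loosens the pin rather than carrying it over. The new step also has no `name:` while its neighbours do; `- name: 'Authenticate to Google Cloud'` above the `uses:` line keeps the job log readable. The enclosing `steps:` list continues outside the hunk.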
From: Jan Calanog
Date: Fri, 13 Sep 2024 15:49:04 +0200
Subject: [PATCH 2/7] ci: add it-token write permissions
---
 .github/workflows/release.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6987c891b..8cf16e765 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,6 +13,7 @@ on:
 permissions:
 contents: read
+ id-token: write
 env:
 ELASTIC_CDN_BUCKET_NAME: ${{ inputs.dry-run == false && 'apm-rum-357700bc' || 'oblt-apm-agent-rum-js-ci' }}
From fcb62082d889af644f67ed527bfbbbe092943f96 Mon Sep 17 00:00:00 2001
From: Jan Calanog
Date: Fri, 13 Sep 2024 15:53:48 +0200
Subject: [PATCH 3/7] ci: move id-token permissions to the correct place
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8cf16e765..84b0b9031 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,7 +13,6 @@ on:
 permissions:
 contents: read
- id-token: write
 env:
 ELASTIC_CDN_BUCKET_NAME: ${{ inputs.dry-run == false && 'apm-rum-357700bc' || 'oblt-apm-agent-rum-js-ci' }}
@@ -27,6 +26,7 @@ jobs:
 permissions:
 # Needed to write the release changelog
 contents: write
+ id-token: write
 services:
 verdaccio:
 image: verdaccio/verdaccio:5
From 9a06c241d875ab626052751187e9fefd4c071c0e Mon Sep 17 00:00:00 2001
From: Jan Calanog
Date: Fri, 13 Sep 2024 15:58:19 +0200
Subject: [PATCH 4/7] ci: fix bucket name
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 84b0b9031..5380c9d6b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
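Review bot: The added `id-token: write` in the job-level `permissions:` block of patch 3 carries no why-comment, while the neighbouring `contents: write` has one (`# Needed to write the release changelog`); a matching line, `# Needed to request the OIDC token consumed by the Google Cloud auth step`, keeps the rationale for each elevated scope next to the scope that grants it. Scoping the grant to the job rather than the workflow is the right shape, because GitHub sets every scope not listed in a job-level `permissions:` block to none for that job, so this job ends up with only `contents` and `id-token`. The `id-token` scope is nonetheless what lets any step in the job mint a token that the cloud side trusts, which is worth stating in the comment so the scope is not copied to other jobs without the same need.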
@@ -15,7 +15,7 @@ permissions:
 contents: read
 env:
- ELASTIC_CDN_BUCKET_NAME: ${{ inputs.dry-run == false && 'apm-rum-357700bc' || 'oblt-apm-agent-rum-js-ci' }}
+ ELASTIC_CDN_BUCKET_NAME: ${{ inputs.dry-run == false && 'apm-rum-357700bc' || 'oblt-apm-rum-test' }}
 ELASTIC_CDN_PROJECT_ID: ${{ inputs.dry-run == false && 'elastic-cdn-4ae000ab' || 'elastic-observability-ci' }}
 ELASTIC_CDN_PROJECT_NUMBER: ${{ inputs.dry-run == false && '382950469386' || '911195782929' }}
 SLACK_BUILD_MESSAGE: "Build: (<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|here>)"
From 4708d4f0def800bc0b47d8855d9d9f69ca309f75 Mon Sep 17 00:00:00 2001
From: Jan Calanog
Date: Fri, 13 Sep 2024 16:32:41 +0200
Subject: [PATCH 5/7] ci: add comment referencing the oidc setup
---
 .github/workflows/release.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5380c9d6b..0b68b85ca 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -63,6 +63,8 @@ jobs:
 echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > .npmrc
 npm run ci:release
+ # The permissions configuration for this can be found at
+ # https://github.com/elastic/oblt-infra/blob/main/conf/resources/repos/apm-agent-rum-js/02-gcp-oidc.tf
 - uses: elastic/oblt-actions/google/auth@v1
 with:
 project-id: ${{ env.ELASTIC_CDN_PROJECT_ID }}
From 4f8a3f569e1baeab5eea3cb164bc83032c8bbbf4 Mon Sep 17 00:00:00 2001
From: Jan Calanog
Date: Mon, 16 Sep 2024 10:13:21 +0200
Subject: [PATCH 6/7] ci: use project-number only
---
 .github/workflows/release.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0b68b85ca..8d0adfcce 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -16,7 +16,6 @@ permissions:
 env:
 ELASTIC_CDN_BUCKET_NAME: ${{ inputs.dry-run == false && 'apm-rum-357700bc' || 'oblt-apm-rum-test' }}
- ELASTIC_CDN_PROJECT_ID: ${{ inputs.dry-run == false && 'elastic-cdn-4ae000ab' || 'elastic-observability-ci' }}
 ELASTIC_CDN_PROJECT_NUMBER: ${{ inputs.dry-run == false && '382950469386' || '911195782929' }}
 SLACK_BUILD_MESSAGE: "Build: (<${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}|here>)"
@@ -67,7 +66,6 @@ jobs:
 # https://github.com/elastic/oblt-infra/blob/main/conf/resources/repos/apm-agent-rum-js/02-gcp-oidc.tf
 - uses: elastic/oblt-actions/google/auth@v1
 with:
- project-id: ${{ env.ELASTIC_CDN_PROJECT_ID }}
 project-number: ${{ env.ELASTIC_CDN_PROJECT_NUMBER }}
 - id: prepare-release
From 797541f1dfd2bda59b529c493741135d2e71382a Mon Sep 17 00:00:00 2001
From: Jan Calanog
Date: Tue, 17 Sep 2024 13:40:56 +0200
Subject: [PATCH 7/7] Update .github/workflows/release.yml
---
 .github/workflows/release.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 8d0adfcce..cf51d75a7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -63,7 +63,9 @@ jobs:
 npm run ci:release
 # The permissions configuration for this can be found at
- # https://github.com/elastic/oblt-infra/blob/main/conf/resources/repos/apm-agent-rum-js/02-gcp-oidc.tf
+ # https://github.com/elastic/oblt-infra/blob/main/conf/resources/repos/apm-agent-rum-js/02-gcp-oidc-elastic-cdn.tf
+ # and
+ # https://github.com/elastic/oblt-infra/blob/main/conf/resources/repos/apm-agent-rum-js/02-gcp-oidc-elastic-observability.tf
 - uses: elastic/oblt-actions/google/auth@v1
 with:
 project-number: ${{ env.ELASTIC_CDN_PROJECT_NUMBER }}