teracyhq-incubator / secret-manager-action Goto Github PK

the initial release is almost ready now https://github.com/teracyhq-incubator/secret-manager-action/milestone/1

ship it when it's ready

Sometimes I need to validate some key values, for example:

• some keys are required
• some keys are required to validate against a regular expression
• some keys are validated against a regular expression

Validators can be plugin added in the future: required, isNumber, isBoolean, etc. (out of this issue scope), only required and regex validator is expected for this issue.

If any key values are not valid, the run step should fail with the invalid message of the associated key.

The github action input configuration could be like this:

validation: "FOO:required, BAR:/^\d+$/"

or:

validation: "FOO: required | /^\d+$/, BAR: required"

Pipeline is supported to add a chain of validators, there is no limit to use the pipeline. The key values will be validated again the validator of the pipeline chain from left to right, if any validation failed, the whole key-value valuation fails.

so that forked repo won't get failed even without requiring any secret config, however, currently, it requires github secret config to run.

We need to use docker-compose run CI/CD, build and publish docker images, etc.

protocol:

https://:location#:relative-file-path
git://:location#:relative-file-path

for example:

• https://gist.github.com/e7e06874c5a7b84d220ff5faf0a2c3a5.git#.env-type-config
• [email protected]:e7e06874c5a7b84d220ff5faf0a2c3a5.git#.env-type-config

make sure to support different auth mechanisms for this protocol (basic auth, ssh, etc).

• build and push the docker image to the docker hub
• update the action.yaml file

sometimes it's desired to skip the action if required inputs are not configured, this is especially helpful on forked repo when running github actions.

so let's add skip_allowed option (true) by default.

if skip_allowed=true: when one of the required inputs is not configured, skip the run step.
if skip_allowed=false: when one of the required inputs is not configured, failed the run step.

sometimes I got the following similar errors:

##[error]Error: Command failed: cat /tmp/tmp-7-KO9Z5nBzpauj | gpg --quiet --batch --yes --decrypt --passphrase-fd=0 /tmp/tmp-7-xWWPkjYsReqI
gpg: Fatal: can't create directory '/github/home/.gnupg': File exists

this is used to dynamically to publish all available env vars, very useful when this kind of dynamic is required (the same behavior to gitlab env vars)

so that users can refer to the decrypted file on their repo (sometimes this is necessary) https://github.com/teracyhq-incubator/secret-manager-action/blob/develop/src/config.ts#L7-L11

file://:path means relative path to the github_workspace
file:///:path means the absolute path

see this line: https://github.com/teracyhq-incubator/secret-manager-action/blob/develop/src/config.ts#L165

You must create a secret named ACTIONS_STEP_DEBUG with the value true to see the debug messages.

expected: values should be masked, only exclude the values from unmasked_keys
actual: all the values were displayed without any mask

as it's usually to have more unmasked keys than masked keys, so it's more sensible to use masked_keys input to specify which keys to be masked. This will help us to use as little config as possible.

see: https://github.com/teracyhq-incubator/secret-manager-action/actions

the http(s) protocol should be implemented: https://github.com/teracyhq-incubator/secret-manager-action/blob/develop/src/config.ts#L13-L17

fatal: detected dubious ownership in repository at '/github/workspace'
To add an exception for this directory, call:
Push to branch develop

	git config --global --add safe.directory /github/workspace

see: https://github.com/teracyhq-incubator/secret-manager-action/actions/runs/3468478806/jobs/5794360939

it's ready

with updated changes to remove deprecated warnings from github actions