fix: Move secrets to inputs
Composite actions can't access secrets, so we pass them as inputs.
ErikUggeldahl committed Nov 22, 2024
1 parent d11a42a commit 1900f43
Showing 4 changed files with 61 additions and 15 deletions.
36 changes: 28 additions & 8 deletions .github/actions/deploy/action.yml
Expand Up @@ -3,20 +3,40 @@
name: Deploy
description: Deploy the Android library artifacts to Maven Central

inputs:
OSSRH-username:
description: "The OSS Repository Hosting username"
required: true
OSSRH-password:
description: "The OSS Repository Hosting password"
required: true
UAT-OSSRH-username:
description: "The UAT OSS Repository Hosting username"
required: true
UAT-OSSRH-password:
description: "The UAT OSS Repository Hosting password"
required: true
signing-secret-key-ring-file:
description: "The path to the secret key ring file"
required: true
Sonatype-staging-profile-id:
description: "The Sonatype staging profile ID"
required: true

runs:
using: "composite"
steps:
- name: Publish to MavenCentral
shell: bash
run: ./gradlew publishAllPublicationsToSonatypeRepository --max-workers 1 closeAndReleaseSonatypeStagingRepository
env:
UAT_OSSRH_USERNAME: ${{ secrets.UAT_OSSRH_USERNAME }}
UAT_OSSRH_PASSWORD: ${{ secrets.UAT_OSSRH_PASSWORD }}
UAT_OSSRH_USERNAME: ${{ inputs.UAT-OSSRH-username }}
UAT_OSSRH_PASSWORD: ${{ inputs.UAT-OSSRH-password }}
# TODO: remove these after UAT is confirmed working
OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }}
OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
OSSRH_USERNAME: ${{ inputs.OSSRH-username }}
OSSRH_PASSWORD: ${{ inputs.OSSRH-password }}
# ====
SIGNING_KEY_ID: ${{ secrets.SIGNING_KEY_ID }}
SIGNING_PASSWORD: ${{ secrets.SIGNING_PASSWORD }}
SIGNING_SECRET_KEY_RING_FILE: ${{ secrets.SIGNING_SECRET_KEY_RING_FILE }}
SONATYPE_STAGING_PROFILE_ID: ${{ secrets.SONATYPE_STAGING_PROFILE_ID }}
SIGNING_KEY_ID: ${{ inputs.SIGNING_KEY_ID }}
SIGNING_PASSWORD: ${{ inputs.SIGNING_PASSWORD }}
SIGNING_SECRET_KEY_RING_FILE: ${{ inputs.signing-secret-key-ring-file }}
SONATYPE_STAGING_PROFILE_ID: ${{ inputs.Sonatype-staging-profile-id }}
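Review bot: The new `SIGNING_KEY_ID: ${{ inputs.SIGNING_KEY_ID }}` and `SIGNING_PASSWORD: ${{ inputs.SIGNING_PASSWORD }}` lines reference inputs that the new `inputs:` block at the top of this hunk never declares, and the Deploy step in .github/workflows/re-release.yml passes neither, so both env vars will expand to empty at runtime and the Gradle publish will either fail at signing or, depending on the build script, publish unsigned — hard to tell from here. Declare them in the same kebab-case as the other inputs (below) and wire them through in re-release.yml with `signing-key-id: ${{ secrets.SIGNING_KEY_ID }}` and `signing-password: ${{ secrets.SIGNING_PASSWORD }}` under the Deploy step's `with:`. As far as I know `required: true` on action inputs is not enforced by the runner, so a missing input degrades to an empty string rather than a failed step; the same silent failure mode applies to `Rive-repo-PAT` in version-bump/action.yml for any caller this commit does not update, so a `[ -n "$SIGNING_KEY_ID" ] || { echo "signing-key-id not set" >&2; exit 1; }` guard at the start of the `run` script is worth adding.
```yaml
inputs:
  # … unchanged: OSSRH / UAT-OSSRH username and password inputs …
  signing-key-id:
    description: "The signing key ID"
    required: true
  signing-password:
    description: "The signing key password"
    required: true
  # … unchanged: signing-secret-key-ring-file, Sonatype-staging-profile-id …
# … unchanged: runs / using / steps / run / other env entries …
      SIGNING_KEY_ID: ${{ inputs.signing-key-id }}
      SIGNING_PASSWORD: ${{ inputs.signing-password }}
```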
19 changes: 15 additions & 4 deletions .github/actions/prepare/action.yml
Expand Up @@ -11,16 +11,27 @@
name: Prepare
description: Prepare the Android environment for the build

inputs:
actions-role:
description: "The role to assume for AWS actions"
required: true
GPG-key-contents:
description: "The GPG key contents"
required: true
signing-secret-key-ring-file:
description: "The path to the secret key ring file"
required: true

runs:
using: "composite"
steps:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v2
with:
aws-region: us-west-2
role-to-assume: ${{ secrets.ACTIONS_ROLE }}
role-to-assume: ${{ inputs.actions-role }}

- name: Update Java
- name: Install Java
uses: actions/setup-java@v4
with:
distribution: "zulu"
Expand Down Expand Up @@ -62,8 +73,8 @@ runs:
- name: Prepare environment
shell: bash
env:
GPG_KEY_CONTENTS: ${{ secrets.GPG_KEY_CONTENTS }}
SIGNING_SECRET_KEY_RING_FILE: ${{ secrets.SIGNING_SECRET_KEY_RING_FILE }}
GPG_KEY_CONTENTS: ${{ inputs.GPG-key-contents }}
SIGNING_SECRET_KEY_RING_FILE: ${{ inputs.signing-secret-key-ring-file }}
run: |
git fetch --unshallow
sudo bash -c "echo '$GPG_KEY_CONTENTS' | base64 -d > '$SIGNING_SECRET_KEY_RING_FILE'"
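Review bot: The key material now arriving through `inputs.GPG-key-contents` (the new `GPG_KEY_CONTENTS` env line) is expanded by the outer shell inside the double-quoted `bash -c "..."` string on the last line of the hunk, so the base64 value is placed on the inner process's command line rather than read from the environment, and a `'` anywhere in the value would terminate the single-quoted segment and break the command. Since the variable is already in the step's `env`, decode it from the environment and write through `sudo tee` instead: `printf '%s' "$GPG_KEY_CONTENTS" | base64 -d | sudo tee "$SIGNING_SECRET_KEY_RING_FILE" >/dev/null`. The `run:` block continues past the end of the hunk.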
9 changes: 6 additions & 3 deletions .github/actions/version-bump/action.yml
Expand Up @@ -17,6 +17,9 @@ inputs:
description: "Minor"
type: boolean
default: false
Rive-repo-PAT:
description: "The GitHub Personal Access Token for the Rive repository"
required: true

runs:
using: "composite"
Expand All @@ -37,18 +40,18 @@ runs:
run: npm run release -- major --ci
working-directory: ./.github/scripts/release
env:
GITHUB_TOKEN: ${{ secrets.RIVE_REPO_PAT }}
GITHUB_TOKEN: ${{ inputs.Rive-repo-PAT }}
- if: ${{inputs.major == false && inputs.minor == true}}
name: Minor release - Bump version number, update changelog, push and tag
shell: bash
run: npm run release -- minor --ci
working-directory: ./.github/scripts/release
env:
GITHUB_TOKEN: ${{ secrets.RIVE_REPO_PAT }}
GITHUB_TOKEN: ${{ inputs.Rive-repo-PAT }}
- if: ${{inputs.major == false && inputs.minor == false}}
name: Build release - Bump version number, update changelog, push and tag
shell: bash
run: npm run release -- --ci
working-directory: ./.github/scripts/release
env:
GITHUB_TOKEN: ${{ secrets.RIVE_REPO_PAT }}
GITHUB_TOKEN: ${{ inputs.Rive-repo-PAT }}
12 changes: 12 additions & 0 deletions .github/workflows/re-release.yml
Expand Up @@ -4,6 +4,7 @@
# Note: We may want to consider GitHub Reusable Workflows instead of Composite Actions in the future.
# See https://docs.github.com/en/actions/sharing-automations/avoiding-duplication for the differences.
# Notably the logging visibility may improve by switching.
# Reusable workflows can also view secrets rather than requiring them as inputs.

name: Re-Release

Expand All @@ -25,7 +26,18 @@ jobs:
token: ${{ secrets.PAT_GITHUB }}
- name: Prepare
uses: ./.github/actions/prepare
with:
actions-role: ${{ secrets.ACTIONS_ROLE }}
GPG-key-contents: ${{ secrets.GPG_KEY_CONTENTS }}
signing-secret-key-ring-file: ${{ secrets.SIGNING_SECRET_KEY_RING_FILE }}
- name: Build
uses: ./.github/actions/build
- name: Deploy
uses: ./.github/actions/deploy
with:
OSSRH-username: ${{ secrets.OSSRH_USERNAME }}
OSSRH-password: ${{ secrets.OSSRH_PASSWORD }}
UAT-OSSRH-username: ${{ secrets.UAT_OSSRH_USERNAME }}
UAT-OSSRH-password: ${{ secrets.UAT_OSSRH_PASSWORD }}
signing-secret-key-ring-file: ${{ secrets.SIGNING_SECRET_KEY_RING_FILE }}
Sonatype-staging-profile-id: ${{ secrets.SONATYPE_STAGING_PROFILE_ID }}
