Merge pull request #2524 from signalwire/pat

[GHA] Use temporary token to build artifacts, extend manual run options.
2024-12-11 16:02:17 +03:00 · 2024-12-11 16:02:17 +03:00 · e490fe6d7d
parent c429987181 1f4d1e323e
commit e490fe6d7d
1 changed files with 90 additions and 3 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -9,12 +9,32 @@ on:
    paths:
      - "**"
  workflow_dispatch:
+    inputs:
+      freeswitch_ref:
+        description: 'FreeSWITCH repository ref'
+        required: true
+        default: master
+        type: string
+      release:
+        description: 'FreeSWITCH release type'
+        type: choice
+        required: true
+        default: unstable
+        options:
+          - release
+          - unstable
+      publish:
+        description: 'Publish build data'
+        required: true
+        default: false
+        type: boolean

 concurrency:
  group: ${{ github.head_ref || github.ref }}

 jobs:
  preconfig:
+    name: 'Preconfig'
    runs-on: ubuntu-latest
    outputs:
      deb: ${{ steps.deb.outputs.excludes }}
@ -59,6 +79,8 @@ jobs:
            elif [[ '${{ github.base_ref }}' == 'v1.10' ]]; then
              echo 'release=release' | tee -a $GITHUB_OUTPUT
            fi
+          elif [[ '${{ github.event_name }}' == 'workflow_dispatch' ]]; then
+            echo 'release=${{ inputs.release }}' | tee -a $GITHUB_OUTPUT
          elif [[ '${{ github.ref }}' == 'refs/heads/master' ]]; then
            echo 'release=unstable' | tee -a $GITHUB_OUTPUT
          elif [[ '${{ github.ref }}' == 'refs/heads/v1.10' ]]; then
@ -67,6 +89,33 @@ jobs:
            exit 1
          fi

+  get-nonce:
+    name: 'Get Nonce for token'
+    runs-on: freeswitch-repo-auth-client
+    outputs:
+      nonce: ${{ steps.get-nonce.outputs.nonce }}
+    steps:
+      - name: Get Nonce
+        id: get-nonce
+        uses: signalwire/actions-template/.github/actions/repo-auth-client@main
+        with:
+          mode: nonce
+
+  issue-token:
+    name: 'Issue temporary token'
+    runs-on: ubuntu-latest
+    needs: get-nonce
+    outputs:
+      token: ${{ steps.issue-token.outputs.token }}
+    steps:
+      - name: Issue Token
+        id: issue-token
+        uses: signalwire/actions-template/.github/actions/repo-auth-client@main
+        env:
+          NONCE: ${{ needs.get-nonce.outputs.nonce }}
+        with:
+          mode: issue
+
  deb-public:
    name: 'DEB-PUBLIC'
    permissions:
@ -74,6 +123,7 @@ jobs:
      contents: read
    needs:
      - preconfig
+      - issue-token
    uses: signalwire/actions-template/.github/workflows/cicd-docker-build-and-distribute.yml@main
    strategy:
      # max-parallel: 1
@ -96,6 +146,7 @@ jobs:
        exclude: ${{ fromJson(needs.preconfig.outputs.deb) }}
    with:
      RUNNER: ${{ matrix.platform.runner }}
+      REF: ${{ inputs.freeswitch_ref }}
      ARTIFACTS_PATTERN: '.*\.(deb|dsc|changes|tar.bz2|tar.gz|tar.lzma|tar.xz)$'
      DOCKERFILE: .github/docker/${{ matrix.os }}/${{ matrix.version }}/${{ matrix.platform.name }}/public.${{ matrix.release }}.Dockerfile
      MAINTAINER: 'Andrey Volk <andrey@signalwire.com>'
@ -103,7 +154,17 @@ jobs:
      PLATFORM: ${{ matrix.platform.name }}
      REPO_DOMAIN: 'freeswitch.signalwire.com'
      TARGET_ARTIFACT_NAME: ${{ matrix.os }}-${{ matrix.version }}-${{ matrix.platform.name }}-public-${{ matrix.release }}-artifact
-      UPLOAD_BUILD_ARTIFACTS: ${{ github.event_name != 'pull_request' || contains(github.event.pull_request.title, ':upload-artifacts') }}
+      UPLOAD_BUILD_ARTIFACTS: >-
+        ${{
+          (github.event.pull_request.head.repo.full_name == github.repository) &&
+          (
+            (
+              github.event_name != 'pull_request' &&
+              github.event_name != 'workflow_dispatch'
+            ) ||
+            (github.event_name == 'workflow_dispatch' && inputs.publish)
+          )
+        }}
    secrets:
      GH_BOT_DEPLOY_TOKEN: ${{ secrets.PAT }}
      HOSTNAME: ${{ secrets.HOSTNAME }}
@ -111,11 +172,37 @@ jobs:
      USERNAME: ${{ secrets.USERNAME }}
      TELEPORT_TOKEN: ${{ secrets.TELEPORT_TOKEN }}
      REPO_USERNAME: 'SWUSERNAME'
-      REPO_PASSWORD: ${{ secrets.REPOTOKEN }}
+      REPO_PASSWORD: ${{ needs.issue-token.outputs.token }}
+
+  revoke-token:
+    name: 'Revoke temporary token'
+    runs-on: ubuntu-latest
+    # if: always()
+    needs:
+      - issue-token
+      - deb-public
+    steps:
+      - name: Revoke Token
+        id: revoke-token
+        uses: signalwire/actions-template/.github/actions/repo-auth-client@main
+        env:
+          TOKEN: ${{ needs.issue-token.outputs.token }}
+        with:
+          mode: revoke

  meta:
    name: 'Publish build data to meta-repo'
-    if: ${{ github.event_name != 'pull_request' || contains(github.event.pull_request.title, ':upload-artifacts') }}
+    if: >-
+      ${{
+        (github.event.pull_request.head.repo.full_name == github.repository) &&
+        (
+          (
+            github.event_name != 'pull_request' &&
+            github.event_name != 'workflow_dispatch'
+          ) ||
+          (github.event_name == 'workflow_dispatch' && inputs.publish)
+        )
+      }}
    needs:
      - deb-public
    permissions: