feat: add retries (#181)
verbanicm committed May 23, 2022
1 parent 10d8e00 commit 95a6bc2
Showing 7 changed files with 396 additions and 342 deletions.
293 changes: 155 additions & 138 deletions .github/workflows/test.yml
Expand Up @@ -3,10 +3,10 @@ name: 'test'
on:
push:
branches:
- 'main'
- 'main'
pull_request:
branches:
- 'main'
- 'main'
workflow_dispatch:

concurrency:
Expand All @@ -19,21 +19,20 @@ jobs:
runs-on: 'ubuntu-latest'

steps:
- uses: 'actions/checkout@v3'
- uses: 'actions/checkout@v3'

- uses: 'actions/setup-node@v2'
with:
node-version: '16.x'
- uses: 'actions/setup-node@v2'
with:
node-version: '16.x'

- name: 'npm build'
run: 'npm ci && npm run build'
- name: 'npm build'
run: 'npm ci && npm run build'

- name: 'npm lint'
run: 'npm run lint'

- name: 'npm test'
run: 'npm run test'
- name: 'npm lint'
run: 'npm run lint'

- name: 'npm test'
run: 'npm run test'

credentials_json:
if: ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name }}
Expand All @@ -43,62 +42,70 @@ jobs:
fail-fast: false
matrix:
os:
- 'ubuntu-latest'
- 'windows-latest'
- 'macos-latest'
- 'ubuntu-latest'
- 'windows-latest'
- 'macos-latest'

steps:
- uses: 'actions/checkout@v3'

- uses: 'actions/setup-node@v2'
with:
node-version: '16.x'

- name: 'npm build'
run: 'npm ci && npm run build'

- id: 'auth-default'
name: 'auth-default'
uses: './'
with:
credentials_json: '${{ secrets.AUTH_SA_KEY_JSON }}'

- id: 'setup-gcloud'
name: 'setup-gcloud'
uses: 'google-github-actions/setup-gcloud@main'

- id: 'gcloud'
name: 'gcloud'
shell: 'bash'
run: |-
gcloud secrets versions access "latest" --secret "${{ secrets.OIDC_AUTH_TEST_SECRET_NAME }}"
- id: 'auth-access-token'
name: 'auth-access-token'
uses: './'
with:
credentials_json: '${{ secrets.AUTH_SA_KEY_B64 }}'
token_format: 'access_token'

- id: 'access-token'
name: 'access-token'
shell: 'bash'
run: |-
curl https://secretmanager.googleapis.com/v1/projects/${{ steps.auth-access-token.outputs.project_id }}/secrets/${{ secrets.OIDC_AUTH_TEST_SECRET_NAME }}/versions/latest:access \
--silent \
--show-error \
--fail \
--header "Authorization: Bearer ${{ steps.auth-access-token.outputs.access_token }}"
- id: 'auth-id-token'
name: 'auth-id-token'
uses: './'
with:
credentials_json: '${{ secrets.AUTH_SA_KEY_JSON }}'
token_format: 'id_token'
id_token_audience: 'https://secretmanager.googleapis.com/'
id_token_include_email: true

- uses: 'actions/checkout@v3'

- uses: 'actions/setup-node@v2'
with:
node-version: '16.x'

- name: 'npm build'
run: 'npm ci && npm run build'

- id: 'auth-default'
name: 'auth-default'
uses: './'
with:
credentials_json: '${{ secrets.AUTH_SA_KEY_JSON }}'

- id: 'setup-gcloud'
name: 'setup-gcloud'
uses: 'google-github-actions/setup-gcloud@main'

- id: 'gcloud'
name: 'gcloud'
shell: 'bash'
run: |-
gcloud secrets versions access "latest" --secret "${{ secrets.OIDC_AUTH_TEST_SECRET_NAME }}"
- id: 'auth-access-token'
name: 'auth-access-token'
uses: './'
with:
credentials_json: '${{ secrets.AUTH_SA_KEY_B64 }}'
token_format: 'access_token'

- id: 'access-token'
name: 'access-token'
shell: 'bash'
run: |-
curl https://secretmanager.googleapis.com/v1/projects/${{ steps.auth-access-token.outputs.project_id }}/secrets/${{ secrets.OIDC_AUTH_TEST_SECRET_NAME }}/versions/latest:access \
--silent \
--show-error \
--fail \
--header "Authorization: Bearer ${{ steps.auth-access-token.outputs.access_token }}"
- id: 'auth-id-token'
name: 'auth-id-token'
uses: './'
with:
credentials_json: '${{ secrets.AUTH_SA_KEY_JSON }}'
token_format: 'id_token'
id_token_audience: 'https://secretmanager.googleapis.com/'
id_token_include_email: true

- id: 'auth-sa-retries'
name: 'auth-sa-retries'
uses: './'
with:
retries: '2'
backoff: '200'
backoff_limit: '1000'
credentials_json: '${{ secrets.AUTH_SA_KEY_JSON }}'

workload_identity_federation:
if: ${{ github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name }}
Expand All @@ -108,67 +115,77 @@ jobs:
fail-fast: false
matrix:
os:
- 'ubuntu-latest'
- 'windows-latest'
- 'macos-latest'
- 'ubuntu-latest'
- 'windows-latest'
- 'macos-latest'

permissions:
id-token: 'write'

steps:
- uses: 'actions/checkout@v3'

- uses: 'actions/setup-node@v2'
with:
node-version: '16.x'

- name: 'npm build'
run: 'npm ci && npm run build'

- id: 'auth-default'
name: 'auth-default'
uses: './'
with:
workload_identity_provider: '${{ secrets.WIF_PROVIDER_NAME }}'
service_account: '${{ secrets.OIDC_AUTH_SA_EMAIL }}'

- id: 'setup-gcloud'
name: 'setup-gcloud'
uses: 'google-github-actions/setup-gcloud@main'

- id: 'gcloud'
name: 'gcloud'
shell: 'bash'
run: |-
gcloud secrets versions access "latest" --secret "${{ secrets.OIDC_AUTH_TEST_SECRET_NAME }}"
- id: 'auth-access-token'
name: 'auth-access-token'
uses: './'
with:
workload_identity_provider: '${{ secrets.WIF_PROVIDER_NAME }}'
service_account: '${{ secrets.OIDC_AUTH_SA_EMAIL }}'
token_format: 'access_token'

- id: 'access-token'
name: 'access-token'
shell: 'bash'
run: |-
curl https://secretmanager.googleapis.com/v1/projects/${{ steps.auth-access-token.outputs.project_id }}/secrets/${{ secrets.OIDC_AUTH_TEST_SECRET_NAME }}/versions/latest:access \
--silent \
--show-error \
--fail \
--header "Authorization: Bearer ${{ steps.auth-access-token.outputs.access_token }}"
- id: 'auth-id-token'
name: 'auth-id-token'
uses: './'
with:
workload_identity_provider: '${{ secrets.WIF_PROVIDER_NAME }}'
service_account: '${{ secrets.OIDC_AUTH_SA_EMAIL }}'
token_format: 'id_token'
id_token_audience: 'https://secretmanager.googleapis.com/'
id_token_include_email: true
- uses: 'actions/checkout@v3'

- uses: 'actions/setup-node@v2'
with:
node-version: '16.x'

- name: 'npm build'
run: 'npm ci && npm run build'

- id: 'auth-default'
name: 'auth-default'
uses: './'
with:
workload_identity_provider: '${{ secrets.WIF_PROVIDER_NAME }}'
service_account: '${{ secrets.OIDC_AUTH_SA_EMAIL }}'

- id: 'setup-gcloud'
name: 'setup-gcloud'
uses: 'google-github-actions/setup-gcloud@main'

- id: 'gcloud'
name: 'gcloud'
shell: 'bash'
run: |-
gcloud secrets versions access "latest" --secret "${{ secrets.OIDC_AUTH_TEST_SECRET_NAME }}"
- id: 'auth-access-token'
name: 'auth-access-token'
uses: './'
with:
workload_identity_provider: '${{ secrets.WIF_PROVIDER_NAME }}'
service_account: '${{ secrets.OIDC_AUTH_SA_EMAIL }}'
token_format: 'access_token'

- id: 'access-token'
name: 'access-token'
shell: 'bash'
run: |-
curl https://secretmanager.googleapis.com/v1/projects/${{ steps.auth-access-token.outputs.project_id }}/secrets/${{ secrets.OIDC_AUTH_TEST_SECRET_NAME }}/versions/latest:access \
--silent \
--show-error \
--fail \
--header "Authorization: Bearer ${{ steps.auth-access-token.outputs.access_token }}"
- id: 'auth-id-token'
name: 'auth-id-token'
uses: './'
with:
workload_identity_provider: '${{ secrets.WIF_PROVIDER_NAME }}'
service_account: '${{ secrets.OIDC_AUTH_SA_EMAIL }}'
token_format: 'id_token'
id_token_audience: 'https://secretmanager.googleapis.com/'
id_token_include_email: true

- id: 'auth-wif-retries'
name: 'auth-wif-retries'
uses: './'
with:
retries: '2'
backoff: '200'
backoff_limit: '1000'
workload_identity_provider: '${{ secrets.WIF_PROVIDER_NAME }}'
service_account: '${{ secrets.OIDC_AUTH_SA_EMAIL }}'

# This test ensures that the GOOGLE_APPLICATION_CREDENTIALS environment
# variable is shared with the container and that the path of the file is on
Expand All @@ -181,22 +198,22 @@ jobs:
strategy:
fail-fast: false
steps:
- uses: 'actions/checkout@v3'
- uses: 'actions/checkout@v3'

- uses: 'actions/setup-node@v2'
with:
node-version: '16.x'
- uses: 'actions/setup-node@v2'
with:
node-version: '16.x'

- name: 'npm build'
run: 'npm ci && npm run build'
- name: 'npm build'
run: 'npm ci && npm run build'

- name: 'auth-default'
uses: './'
with:
credentials_json: '${{ secrets.AUTH_SA_KEY_JSON }}'
- name: 'auth-default'
uses: './'
with:
credentials_json: '${{ secrets.AUTH_SA_KEY_JSON }}'

- name: 'docker'
uses: 'docker://alpine:3'
with:
entrypoint: '/bin/sh'
args: '-euc "test -n "${GOOGLE_APPLICATION_CREDENTIALS}" && test -r "${GOOGLE_APPLICATION_CREDENTIALS}"'
- name: 'docker'
uses: 'docker://alpine:3'
with:
entrypoint: '/bin/sh'
args: '-euc "test -n "${GOOGLE_APPLICATION_CREDENTIALS}" && test -r "${GOOGLE_APPLICATION_CREDENTIALS}"'
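Review bot: The `access-token` steps in both the `credentials_json` and `workload_identity_federation` jobs expand `${{ steps.auth-access-token.outputs.access_token }}` and `${{ secrets.OIDC_AUTH_TEST_SECRET_NAME }}` straight into the `run:` script, so the values become shell source before bash parses them. Passing them through the step's `env:` (for example `ACCESS_TOKEN: '${{ steps.auth-access-token.outputs.access_token }}'`, then `--header "Authorization: Bearer ${ACCESS_TOKEN}"`) keeps them as data; these steps look re-indented rather than newly written, but they are on the new side of this change. The same jobs use `google-github-actions/setup-gcloud@main`, a mutable branch, while holding `AUTH_SA_KEY_JSON` and `id-token: 'write'`, so pinning that reference to a release tag or commit SHA is worth doing here. The new `auth-sa-retries` and `auth-wif-retries` steps pass valid credentials, so as far as this page shows they cover input parsing only and never trigger a retry.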
18 changes: 18 additions & 0 deletions action.yml
Expand Up @@ -124,6 +124,24 @@ inputs:
default: ''
required: false

# retries
retries:
description: |-
Number of times to retry a failed authentication attempt. This is useful
for automated pipelines that may execute before IAM permissions are fully propogated.
default: '0'
required: false
backoff:
description: |-
Delay time before trying another authentication attempt. This
is implemented using a fibonacci backoff method (e.g. 1-1-2-3-5).
This value defaults to 100 milliseconds when retries are greater than 0.
required: false
backoff_limit:
description: |-
Limits the retry backoff to the specified value.
required: false

# id token params
id_token_audience:
description: |-
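Review bot: The new `backoff_limit` input states neither a unit nor what happens when it is unset, and `retries` states no upper bound, so a caller cannot tell from `action.yml` how long a failing step may keep re-presenting credentials. I would put the unit in both descriptions (presumably milliseconds, as the `backoff` text implies), e.g. `Limits the retry backoff to the specified value, in milliseconds.`, and say whether the backoff is unbounded by default. `propogated` in the `retries` description should read `propagated`. Whether non-numeric or negative values are rejected cannot be checked from this page, because the `dist/` diffs are not rendered; the hunk also ends inside the `id_token_audience` input.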
2 changes: 1 addition & 1 deletion dist/main/index.js

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion dist/post/index.js

Large diffs are not rendered by default.

0 comments on commit 95a6bc2
