-
Notifications
You must be signed in to change notification settings - Fork 62
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Research learnings and ideas from similar GitHub Actions #42
Comments
I looked through them again and two things that stood out for me
There is also a lot to learn in terms of documentation, in particular how to register a GitHub App. |
I was trying to migrate from the action peter-murray/workflow-application-token-action to this one, and I noticed this action does not support the private-key input as a Base64 encoded string. Does it make sense to create an issue for that? I don't have any problem opening a PR to support that use case. Also, an issue we have with the action peter-murray/workflow-application-token-action that didn't have any internal retry mechanism; maybe we can improve that in this action. I will be happy to start working in some PRs to improve this action |
what is the use case? Maybe the decoding a base64 string could be done in a separate step before using this action?
For retries, @octokit has the retry plugin, it's rather heavy though, due to its dependency on |
So joining these two use cases, I have experienced failures getting the token from a GitHub app, so we start to use an extra action to retry Wandalen/wretry.action, then we have the issue with the input that is broken with multiline strings like the format of the PEM files, so we had to do encode the private key with base64. Also, it is annoying to keep copying and pasting the ugly syntax of an action that retries another action. So, does it make sense to implement a retry logic inside the action? |
would replacing line breaks with "\n" work? That's what we do in environments where multi-line environment variables are not supported
Perfect 👍🏼 I agree we should implement a retry, could you please file a separate issue for it? |
I would like to try and help implement the proxy support. Getting this working from self-hosted runners behind a corporate proxy is important for my project. |
@newbloke82 makes sense, thank you for laying it out! Can you please first file an issue? I think |
In my case we migrate from an action expecting the private key to be Base64 encoded. One solution is to create a new secret with the plain private key, but i just tried to test how we could decode it on the fly. - name: Decode private key
id: decoding
run: |
private_key=$(echo "${{ secrets.SEMANTIC_RELEASE_PRIVATE_KEY }}" | base64 -d) &> /dev/null
while read -r line;
do
echo "::add-mask::${line}"
done <<< "$private_key"
echo 'private-key<<EOF' >> "$GITHUB_OUTPUT"
echo "$private_key" >> "$GITHUB_OUTPUT"
echo 'EOF' >> "$GITHUB_OUTPUT"
- name: Generate GitHub App Token
id: generate-token
uses: actions/create-github-app-token@31c86eb3b33c9b601a1f60f98dcbfd1d70f379b4 # v1.10.3
with:
app-id: ${{ secrets.SEMANTIC_RELEASE_APP_ID }}
private-key: ${{ steps.decoding.outputs.private-key }} The output is a bit ugly, but at least it's concealed:
This works also, and is more clean than the previous one: - name: Decode private key
id: decoding
run: |
private_key=$(echo "${{ secrets.SEMANTIC_RELEASE_PRIVATE_KEY }}" | base64 -d | awk 'BEGIN {ORS="\\n"} {print}' | head -c -2) &> /dev/null
echo "::add-mask::$private_key"
echo "private-key=$private_key" >> "$GITHUB_OUTPUT"
- name: Generate GitHub App Token
id: generate-token
uses: actions/create-github-app-token@31c86eb3b33c9b601a1f60f98dcbfd1d70f379b4 # v1.10.3
with:
app-id: ${{ secrets.SEMANTIC_RELEASE_APP_ID }}
private-key: ${{ steps.decoding.outputs.private-key }} If the action is not planned to handle the private key being potentially encoded in Base64, I think we should add this in the readme, to avoid people leaking their private keys (I can open a PR) |
that's a good idea and thank you for offering. Let's add a note here: https://github.com/actions/create-github-app-token?tab=readme-ov-file#private-key. You could also link to your comment where as an example on how to decode a base64-encoded key If this comes up more often we can reconsider to add built-in base64 decoding, but so far I've only heard it from you. |
Addressing this comment #42 (comment) --------- Co-authored-by: Parker Brown <17183625+parkerbxyz@users.noreply.github.com>
To advocate for supporting Base64 encoded private keys, our use case is using AWS SecretsManager to store GitHub app credentials. SecretsManager supports plaintext secrets or JSON objects. To store the private key (with whitespace) as a JSON key value pair we need to encode it. We expect a secret format of:
The aws-actions/aws-secretsmanager-get-secrets action supports We then consume this in a GitHub Actions job like this:
Having native support for Base64 encoded keys is an advantage as it avoids needing to insert decoding steps ourselves. Implementing something like the above always feels risky as it's quite easy to break the masking if you're doing development against a GitHub Actions workflow. If the private key gets leaked, we need to manually rotate it in the GitHub UI and then repopulate the AWS secret. For compatibility with This feels wrong because
The |
Follow up to #39 (comment).
In preparation for #3 and #4 it might make sense to learn from similar actions.
The text was updated successfully, but these errors were encountered: