Disprove oidc token in container allows auth config #255
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Planetary Computer APIs CI/CD | |
| on: | |
| push: | |
| branches: [user/mjm/remove-secret-from-cicd-test] | |
| tags: ["*"] | |
| permissions: | |
| id-token: write | |
| contents: read | |
| jobs: | |
| # build_and_publish: | |
| # runs-on: ubuntu-latest | |
| # steps: | |
| # - uses: actions/checkout@v3 | |
| # - name: Log in with Azure | |
| # uses: azure/login@v1 | |
| # with: | |
| # client-id: ${{ fromJSON(secrets.SECURE_AZURE_CREDENTIALS).clientId }} | |
| # tenant-id: ${{ fromJSON(secrets.SECURE_AZURE_CREDENTIALS).tenantId }} | |
| # subscription-id: ${{ fromJSON(secrets.SECURE_AZURE_CREDENTIALS).subscriptionId }} | |
| # - name: Authenticate | |
| # run: ./scripts/ciauthenticate | |
| # # - name: Run cibuild | |
| # # run: ./scripts/cibuild | |
| # - name: Get image tag | |
| # id: get_image_tag | |
| # run: | |
| # case "${GITHUB_REF}" in | |
| # *tags*) | |
| # echo "tag=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_OUTPUT ; | |
| # echo "acr=pccomponents" >> $GITHUB_OUTPUT | |
| # ;; | |
| # *) | |
| # echo "tag=latest" >> $GITHUB_OUTPUT ; | |
| # echo "acr=pccomponentstest" >> $GITHUB_OUTPUT | |
| # ;; | |
| # esac | |
| # # - name: Publish images | |
| # # run: ./scripts/cipublish --acr ${{steps.get_image_tag.outputs.acr}} --tag ${{steps.get_image_tag.outputs.tag}} | |
| # outputs: | |
| # image_tag: ${{ steps.get_image_tag.outputs.tag }} | |
| deploy: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Set up Terraform | |
| uses: hashicorp/setup-terraform@v3 | |
| - name: Log in with Azure | |
| uses: azure/login@v1 | |
| with: | |
| client-id: ${{ fromJSON(secrets.SECURE_AZURE_CREDENTIALS).clientId }} | |
| tenant-id: ${{ fromJSON(secrets.SECURE_AZURE_CREDENTIALS).tenantId }} | |
| subscription-id: ${{ fromJSON(secrets.SECURE_AZURE_CREDENTIALS).subscriptionId }} | |
| - name: Deploy | |
| env: | |
| IMAGE_TAG: ${{needs.build_and_publish.outputs.image_tag}} | |
| ENVIRONMENT: staging | |
| ARM_CLIENT_ID: ${{ fromJSON(secrets.SECURE_AZURE_CREDENTIALS).clientId }} | |
| ARM_SUBSCRIPTION_ID: ${{ fromJSON(secrets.SECURE_AZURE_CREDENTIALS).subscriptionId }} | |
| ARM_TENANT_ID: ${{ fromJSON(secrets.SECURE_AZURE_CREDENTIALS).tenantId }} | |
| ARM_USE_OIDC: true | |
| TF_LOG: DEBUG | |
| run: | | |
| cd deployment/terraform/staging | |
| terraform --version | |
| [[ -z "$ARM_OIDC_TOKEN:0:1" ]] && echo "The variable is empty." || echo "The variable is not empty." | |
| echo "Client ID: ${ARM_CLIENT_ID:0:5}" | |
| echo "Subscription ID: ${ARM_SUBSCRIPTION_ID:0:5}" | |
| echo "Tenant ID: ${ARM_TENANT_ID:0:5}" | |
| terraform init | |
| deploy1: | |
| runs-on: ubuntu-latest | |
| # needs: | |
| # - build_and_publish | |
| steps: | |
| - uses: actions/checkout@v3 | |
| - name: Log in with Azure | |
| uses: azure/login@v1 | |
| with: | |
| client-id: ${{ fromJSON(secrets.SECURE_AZURE_CREDENTIALS).clientId }} | |
| tenant-id: ${{ fromJSON(secrets.SECURE_AZURE_CREDENTIALS).tenantId }} | |
| subscription-id: ${{ fromJSON(secrets.SECURE_AZURE_CREDENTIALS).subscriptionId }} | |
| # - name: Get image tag | |
| # id: get_image_tag | |
| # run: | |
| # case "${GITHUB_REF}" in | |
| # *tags*) | |
| # echo "tag=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_OUTPUT | |
| # ;; | |
| # *) | |
| # echo "tag=latest" >> $GITHUB_OUTPUT | |
| # ;; | |
| # esac | |
| - name: Deploy | |
| env: | |
| IMAGE_TAG: latest | |
| ENVIRONMENT: staging | |
| ARM_CLIENT_ID: ${{ fromJSON(secrets.SECURE_AZURE_CREDENTIALS).clientId }} | |
| ARM_SUBSCRIPTION_ID: ${{ fromJSON(secrets.SECURE_AZURE_CREDENTIALS).subscriptionId }} | |
| ARM_TENANT_ID: ${{ fromJSON(secrets.SECURE_AZURE_CREDENTIALS).tenantId }} | |
| ARM_USE_OIDC: true | |
| TF_LOG: DEBUG | |
| run: ./scripts/cideploy |