From 27aef50e9948a661181a7c7ed59f314d8f6a00b3 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Thu, 16 Jan 2025 16:00:47 -0500 Subject: [PATCH 001/147] add test gha codebuild runner --- .github/workflows/codebuild_runner_test.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 .github/workflows/codebuild_runner_test.yml diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml new file mode 100644 index 00000000..a80b280b --- /dev/null +++ b/.github/workflows/codebuild_runner_test.yml @@ -0,0 +1,11 @@ +name: GHA Codebuild Runner Test +on: [push] +jobs: + test1: + runs-on: + - codebuild-cfpb-regtech-gha-test-1-${{ github.run_id }}-${{ github.run_attempt }} + steps: + - run: | + echo "running GHS workflow ${{ github.event.number }}" + echo -e "dumping\n${{ toJson(runner) }}" + From 58f7acf21ab00ca584d10414b02a39422a4d1f51 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Thu, 16 Jan 2025 16:05:48 -0500 Subject: [PATCH 002/147] pr triggering --- .github/workflows/codebuild_runner_test.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index a80b280b..ef2a6241 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -1,5 +1,9 @@ name: GHA Codebuild Runner Test -on: [push] + +on: + pull_request: + branches: [main] + jobs: test1: runs-on: From 47477b0c094d9b8752a4529bf6e7de18b0261b78 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Thu, 16 Jan 2025 16:08:54 -0500 Subject: [PATCH 003/147] force trigger --- .github/workflows/codebuild_runner_test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
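Review bot: Moving the trigger to `pull_request` in this hunk means code from a pull request now executes on the CodeBuild runner, and nothing in the job configures AWS credentials, so the steps presumably inherit the CodeBuild project's service role — any PR that can start this workflow can call AWS with that role. Confirm that pull requests from forks or first-time contributors cannot reach it (the repository's approval setting for outside collaborators and the CodeBuild webhook filter) and keep that role scoped to what the test needs. Add a top-level `permissions: { contents: read }` as well so the job's GITHUB_TOKEN is read-only by default rather than whatever the repository default grants.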
diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index ef2a6241..92bc13bb 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -10,6 +10,6 @@ jobs: - codebuild-cfpb-regtech-gha-test-1-${{ github.run_id }}-${{ github.run_attempt }} steps: - run: | + echo "force trigger" echo "running GHS workflow ${{ github.event.number }}" echo -e "dumping\n${{ toJson(runner) }}" - From e932e02baf9db2ec226339ef120b981e584fd1cc Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Thu, 16 Jan 2025 16:57:41 -0500 Subject: [PATCH 004/147] force trigger --- .github/workflows/codebuild_runner_test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index 92bc13bb..88661a18 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -12,4 +12,4 @@ jobs: - run: | echo "force trigger" echo "running GHS workflow ${{ github.event.number }}" - echo -e "dumping\n${{ toJson(runner) }}" + echo -e "dumping\n${{ toJson(github) }}" From fb6a0fb984521fe27cceb5df581ccb45c83b3b9c Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Thu, 16 Jan 2025 17:00:29 -0500 Subject: [PATCH 005/147] force trigger --- .github/workflows/codebuild_runner_test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index 88661a18..f1dfc86d 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml 
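Review bot: The new `echo -e "dumping\n${{ toJson(github) }}"` line expands the whole github context into the shell script before it runs, and on a `pull_request` event that context carries attacker-controlled strings (PR title and body, head branch name), so a crafted value can close the quoted string and run commands on the runner with its AWS role. Pass the context through the environment instead — `env: { GITHUB_CONTEXT: "${{ toJson(github) }}" }` on the step and `echo "$GITHUB_CONTEXT"` in the script — which keeps the data out of the script text. The same rule applies to every `${{ }}` inside a `run:` block in this file; `github.run_id`, `run_attempt` and `event.number` are numeric and not a practical risk, but the habit is what carries over to later steps.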
@@ -10,6 +10,6 @@ jobs: - codebuild-cfpb-regtech-gha-test-1-${{ github.run_id }}-${{ github.run_attempt }} steps: - run: | - echo "force trigger" + echo "force trigger again" echo "running GHS workflow ${{ github.event.number }}" echo -e "dumping\n${{ toJson(github) }}" From bd71bce60d5f9152b658c6fe50f22646d2ca3444 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Thu, 16 Jan 2025 17:11:11 -0500 Subject: [PATCH 006/147] force trigger --- .github/workflows/codebuild_runner_test.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index f1dfc86d..3a38d798 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -12,4 +12,3 @@ jobs: - run: | echo "force trigger again" echo "running GHS workflow ${{ github.event.number }}" - echo -e "dumping\n${{ toJson(github) }}" From 5b57d6da85deaa3410bb7d6607517b2468e9bc21 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Thu, 16 Jan 2025 17:23:49 -0500 Subject: [PATCH 007/147] force trigger --- .github/workflows/codebuild_runner_test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index 3a38d798..bedde1af 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -11,4 +11,4 @@ jobs: steps: - run: | echo "force trigger again" - echo "running GHS workflow ${{ github.event.number }}" + echo "running GHS workflow ${{ github.event.number }}\build: ${{ github.run_id }}\attempt: ${{ github.run_attempt }}" From ba03ab2c376654933617e2f1254f6a436d9e5a3d Mon Sep 17 00:00:00 2001 
From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Thu, 16 Jan 2025 17:27:26 -0500 Subject: [PATCH 008/147] force trigger --- .github/workflows/codebuild_runner_test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index bedde1af..532e99f4 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -11,4 +11,4 @@ jobs: steps: - run: | echo "force trigger again" - echo "running GHS workflow ${{ github.event.number }}\build: ${{ github.run_id }}\attempt: ${{ github.run_attempt }}" + echo -e "running GHS workflow ${{ github.event.number }}\build: ${{ github.run_id }}\attempt: ${{ github.run_attempt }}" From 7b5c371b179941418be169fdae745d80473dd83c Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Thu, 16 Jan 2025 17:29:05 -0500 Subject: [PATCH 009/147] force trigger --- .github/workflows/codebuild_runner_test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index 532e99f4..d7fb6760 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -11,4 +11,4 @@ jobs: steps: - run: | echo "force trigger again" - echo -e "running GHS workflow ${{ github.event.number }}\build: ${{ github.run_id }}\attempt: ${{ github.run_attempt }}" + echo -e "running GHS workflow ${{ github.event.number }}\nbuild: ${{ github.run_id }}\nattempt: ${{ github.run_attempt }}" From 33589ef9ec0a1866b9d16f6fc4aeab282926d6f8 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Thu, 16 Jan 2025 17:30:31 -0500 Subject: [PATCH 010/147] force trigger --- .github/workflows/codebuild_runner_test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index d7fb6760..dd9cdf61 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -11,4 +11,4 @@ jobs: steps: - run: | echo "force trigger again" - echo -e "running GHS workflow ${{ github.event.number }}\nbuild: ${{ github.run_id }}\nattempt: ${{ github.run_attempt }}" + echo -e "running GHA workflow ${{ github.event.number }}\nbuild: ${{ github.run_id }}\nattempt: ${{ github.run_attempt }}" From 494d9dff8ff569cbb8b9df3c084c4073f73dd9a5 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Fri, 17 Jan 2025 10:03:07 -0500 Subject: [PATCH 011/147] force trigger --- .github/workflows/codebuild_runner_test.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index dd9cdf61..0cf2f064 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -12,3 +12,5 @@ jobs: - run: | echo "force trigger again" echo -e "running GHA workflow ${{ github.event.number }}\nbuild: ${{ github.run_id }}\nattempt: ${{ github.run_attempt }}" + - listclusters: | + aws eks list-clusters --region us-east-1 --output json From 2976b8aedbba07dd810938a3caa52eb5d77347d8 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Fri, 17 Jan 2025 10:05:35 -0500 Subject: [PATCH 012/147] force trigger --- .github/workflows/codebuild_runner_test.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index 0cf2f064..d8e6abed 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml 
@@ -9,8 +9,10 @@ jobs: runs-on: - codebuild-cfpb-regtech-gha-test-1-${{ github.run_id }}-${{ github.run_attempt }} steps: - - run: | + - name: echo + run: | echo "force trigger again" echo -e "running GHA workflow ${{ github.event.number }}\nbuild: ${{ github.run_id }}\nattempt: ${{ github.run_attempt }}" - - listclusters: | + - name: listclusters: + run: | aws eks list-clusters --region us-east-1 --output json From 2190bbaaed036173c8dea7585855b18742765d7c Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Fri, 17 Jan 2025 10:08:23 -0500 Subject: [PATCH 013/147] force trigger --- .github/workflows/codebuild_runner_test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index d8e6abed..d536ca7d 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -13,6 +13,6 @@ jobs: run: | echo "force trigger again" echo -e "running GHA workflow ${{ github.event.number }}\nbuild: ${{ github.run_id }}\nattempt: ${{ github.run_attempt }}" - - name: listclusters: + - name: listclusters run: | aws eks list-clusters --region us-east-1 --output json From ed5ba53214984aa2f425f02ca4b68eaa0e7cea86 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Fri, 17 Jan 2025 10:27:18 -0500 Subject: [PATCH 014/147] force trigger --- .github/workflows/codebuild_runner_test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index d536ca7d..3ff38dde 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml 
@@ -15,4 +15,4 @@ jobs: echo -e "running GHA workflow ${{ github.event.number }}\nbuild: ${{ github.run_id }}\nattempt: ${{ github.run_attempt }}" - name: listclusters run: | - aws eks list-clusters --region us-east-1 --output json + aws secretsmanager list-clusters --region us-east-1 --output json From fd136113f0001df93dbae05fca943ae653b1a768 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Fri, 17 Jan 2025 10:29:39 -0500 Subject: [PATCH 015/147] force trigger --- .github/workflows/codebuild_runner_test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index 3ff38dde..9171be05 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -15,4 +15,4 @@ jobs: echo -e "running GHA workflow ${{ github.event.number }}\nbuild: ${{ github.run_id }}\nattempt: ${{ github.run_attempt }}" - name: listclusters run: | - aws secretsmanager list-clusters --region us-east-1 --output json + aws secretsmanager list-secrets --region us-east-1 --output json From 27034e23718dc9665d1669a114cd410129560aeb Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Fri, 17 Jan 2025 10:47:20 -0500 Subject: [PATCH 016/147] force trigger --- .github/workflows/codebuild_runner_test.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index 9171be05..90145e55 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml 
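Review bot: `aws secretsmanager list-secrets --region us-east-1` runs with no credentials configured anywhere in the job, so it presumably uses the CodeBuild project's service role, and a green run here shows that a `pull_request`-triggered job can enumerate every secret name, ARN and tag in that account and write the list to the Actions log. If that is wider than intended, trim the project role to what this workflow actually needs rather than relying on the workflow not to ask. The step is still named `listclusters`; rename it to match what it runs, e.g. `- name: list secrets`.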
@@ -13,6 +13,6 @@ jobs: run: | echo "force trigger again" echo -e "running GHA workflow ${{ github.event.number }}\nbuild: ${{ github.run_id }}\nattempt: ${{ github.run_attempt }}" - - name: listclusters + - name: list run: | - aws secretsmanager list-secrets --region us-east-1 --output json + aws s3api list-buckets --region us-east-1 --output json From 715dbe2df3c1da0154ddb104aee13337e9e9cdc1 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Fri, 17 Jan 2025 11:03:23 -0500 Subject: [PATCH 017/147] testing --- .github/workflows/codebuild_runner_test.yml | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index 90145e55..3f05ce5a 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -13,6 +13,17 @@ jobs: run: | echo "force trigger again" echo -e "running GHA workflow ${{ github.event.number }}\nbuild: ${{ github.run_id }}\nattempt: ${{ github.run_attempt }}" - - name: list + + - name: create log stream + run: | + aws logs create-log-stream --log-group-name cfpb-regtech-gha-test-1 --log-stream-name ${{ github.run_id }}${{ github.run_number }}${{ github.run_attempt }} + + - name: list buckets run: | aws s3api list-buckets --region us-east-1 --output json + + - name: put events + run: | + gh run view ${{ github.run_id }} --log >runevents + aws logs put-log-events --log-group-name cfpb-regtech-gha-test-1 --log-stream-name ${{ github.run_id }}${{ github.run_n umber }}${{ github.run_attempt }} --log-events runevents + From bb1d7c937f4d0ec4fe6bc4beb419ca2658d05c9f Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Fri, 17 Jan 2025 11:04:00 -0500 Subject: [PATCH 018/147] testing --- .github/workflows/codebuild_runner_test.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index 3f05ce5a..3ed23268 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -23,7 +23,7 @@ jobs: aws s3api list-buckets --region us-east-1 --output json - name: put events - run: | - gh run view ${{ github.run_id }} --log >runevents - aws logs put-log-events --log-group-name cfpb-regtech-gha-test-1 --log-stream-name ${{ github.run_id }}${{ github.run_n umber }}${{ github.run_attempt }} --log-events runevents + run: | + gh run view ${{ github.run_id }} --log >runevents + aws logs put-log-events --log-group-name cfpb-regtech-gha-test-1 --log-stream-name ${{ github.run_id }}${{ github.run_n umber }}${{ github.run_attempt }} --log-events runevents From 73b774cf27b9e3552740085e883e94f6ebcbfe42 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Fri, 17 Jan 2025 11:05:25 -0500 Subject: [PATCH 019/147] testing --- .github/workflows/codebuild_runner_test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index 3ed23268..458bdf75 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -25,5 +25,5 @@ jobs: - name: put events run: | gh run view ${{ github.run_id }} --log >runevents - aws logs put-log-events --log-group-name cfpb-regtech-gha-test-1 --log-stream-name ${{ github.run_id }}${{ github.run_n umber }}${{ github.run_attempt }} --log-events runevents + aws logs put-log-events --log-group-name cfpb-regtech-gha-test-1 --log-stream-name ${{ github.run_id }}${{ github.run_number }}${{ github.run_attempt }} --log-events runevents From 7bce5fc7015e74d4ecf5f436011816d005fa1a42 Mon Sep 17 00:00:00 2001 
From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Fri, 17 Jan 2025 11:17:51 -0500 Subject: [PATCH 020/147] testing --- .github/workflows/codebuild_runner_test.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index 458bdf75..d216f4b1 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -6,6 +6,9 @@ on: jobs: test1: + env: + CLOUDWATCH_LOGGROUP_NAME: '/aws/codebuild/cfpb-regtech-gha-test-1' + CLOUDWATCH_LOGSTREAM_NAME: ${{ github.run_id }}${{ github.run_number }}${{ github.run_attempt }} runs-on: - codebuild-cfpb-regtech-gha-test-1-${{ github.run_id }}-${{ github.run_attempt }} steps: @@ -16,7 +19,7 @@ jobs: - name: create log stream run: | - aws logs create-log-stream --log-group-name cfpb-regtech-gha-test-1 --log-stream-name ${{ github.run_id }}${{ github.run_number }}${{ github.run_attempt }} + aws logs create-log-stream --log-group-name $CLOUDWATCH_LOGGROUP_NAME --log-stream-name $CLOUDWATCH_LOGSTREAM_NAME - name: list buckets run: | @@ -25,5 +28,5 @@ jobs: - name: put events run: | gh run view ${{ github.run_id }} --log >runevents - aws logs put-log-events --log-group-name cfpb-regtech-gha-test-1 --log-stream-name ${{ github.run_id }}${{ github.run_number }}${{ github.run_attempt }} --log-events runevents + aws logs put-log-events --log-group-name $CLOUDWATCH_LOGGROUP_NAME --log-stream-name $CLOUDWATCH_LOGSTREAM_NAME --log-events runevents From 67fe78b0b3c50cc73bfac977815c5fdf9ee73779 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Fri, 17 Jan 2025 11:21:06 -0500 Subject: [PATCH 021/147] testing --- .github/workflows/codebuild_runner_test.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index d216f4b1..6468c218 100644 
--- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -26,6 +26,8 @@ jobs: aws s3api list-buckets --region us-east-1 --output json - name: put events + env: + GH_TOKEN: ${{ github.token }} run: | gh run view ${{ github.run_id }} --log >runevents aws logs put-log-events --log-group-name $CLOUDWATCH_LOGGROUP_NAME --log-stream-name $CLOUDWATCH_LOGSTREAM_NAME --log-events runevents From 6cdc89117b67ac7658f5cb1f9ddec0d70ccfacc4 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Fri, 17 Jan 2025 11:34:03 -0500 Subject: [PATCH 022/147] testing --- .github/workflows/codebuild_runner_test.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index 6468c218..7109b471 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -12,6 +12,9 @@ jobs: runs-on: - codebuild-cfpb-regtech-gha-test-1-${{ github.run_id }}-${{ github.run_attempt }} steps: + - name: 'Checkout GitHub Action' + uses: actions/checkout@v4 + - name: echo run: | echo "force trigger again" From d68afd3f34572d276c1ad462bb1c9bfba4605ffa Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Fri, 17 Jan 2025 11:40:08 -0500 Subject: [PATCH 023/147] testing --- .github/workflows/codebuild_runner_test.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index 7109b471..c73469fc 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml 
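Review bot: `uses: actions/checkout@v4` pins a mutable tag; on a runner that carries an AWS role, pin third-party actions to a full commit SHA (with the tag in a trailing comment) so a moved tag cannot change what executes. None of the steps shown afterwards use git credentials, so also set `with: { persist-credentials: false }` to keep GITHUB_TOKEN out of `.git/config` on the runner. The `steps:` list continues below the hunk.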
@@ -32,6 +32,6 @@ jobs: env: GH_TOKEN: ${{ github.token }} run: | - gh run view ${{ github.run_id }} --log >runevents - aws logs put-log-events --log-group-name $CLOUDWATCH_LOGGROUP_NAME --log-stream-name $CLOUDWATCH_LOGSTREAM_NAME --log-events runevents + ls -alt >events_test + aws logs put-log-events --log-group-name $CLOUDWATCH_LOGGROUP_NAME --log-stream-name $CLOUDWATCH_LOGSTREAM_NAME --log-events events_test From f14b65d1b5dae0c34f23049c413772d4146e01ec Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Fri, 17 Jan 2025 12:34:23 -0500 Subject: [PATCH 024/147] testing --- .github/workflows/codebuild_runner_test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index c73469fc..928dbd42 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -33,5 +33,5 @@ jobs: GH_TOKEN: ${{ github.token }} run: | ls -alt >events_test - aws logs put-log-events --log-group-name $CLOUDWATCH_LOGGROUP_NAME --log-stream-name $CLOUDWATCH_LOGSTREAM_NAME --log-events events_test + aws logs put-log-events --log-group-name $CLOUDWATCH_LOGGROUP_NAME --log-stream-name $CLOUDWATCH_LOGSTREAM_NAME --log-events file://events_test From 8d15535bf47c4a8f98510eaa46562577d82e0da6 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Fri, 17 Jan 2025 13:05:47 -0500 Subject: [PATCH 025/147] testing --- .github/workflows/codebuild_runner_test.yml | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index 928dbd42..153b85f1 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml 
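Review bot: After this change the put events step no longer calls `gh`, but `GH_TOKEN: ${{ github.token }}` is still exported into its environment, where the `aws` CLI and anything else the script runs can read it. Remove the `env:` block from this step, or move it to a step that actually needs GitHub API access, so the token is only present where it is used. The step definition this hunk edits starts above the hunk.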
@@ -32,6 +32,22 @@ jobs: env: GH_TOKEN: ${{ github.token }} run: | - ls -alt >events_test + cat > test_events << EOF + [ + { + "timestamp": 1433190184356, + "message": "Example Event 1" + }, + { + "timestamp": 1433190184358, + "message": "Example Event 2" + }, + { + "timestamp": 1433190184360, + "message": "Example Event 3" + } + ] + EOF + aws logs put-log-events --log-group-name $CLOUDWATCH_LOGGROUP_NAME --log-stream-name $CLOUDWATCH_LOGSTREAM_NAME --log-events file://events_test From c54e6c720b49c9ad96fc78313b43af9dda13633c Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Fri, 17 Jan 2025 13:08:38 -0500 Subject: [PATCH 026/147] testing --- .github/workflows/codebuild_runner_test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index 153b85f1..664eafd9 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -49,5 +49,5 @@ jobs: ] EOF - aws logs put-log-events --log-group-name $CLOUDWATCH_LOGGROUP_NAME --log-stream-name $CLOUDWATCH_LOGSTREAM_NAME --log-events file://events_test + aws logs put-log-events --log-group-name $CLOUDWATCH_LOGGROUP_NAME --log-stream-name $CLOUDWATCH_LOGSTREAM_NAME --log-events file://test_events From 6fa3a6ae99cd0655c4ce3c5e266ed96db6d55c32 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Fri, 17 Jan 2025 13:23:37 -0500 Subject: [PATCH 027/147] testing --- .github/workflows/codebuild_runner_test.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index 664eafd9..4edea055 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml 
@@ -32,18 +32,19 @@ jobs: env: GH_TOKEN: ${{ github.token }} run: | + export CURRENT_EVENT_TIME=$(date +%s%3N) cat > test_events << EOF [ { - "timestamp": 1433190184356, + "timestamp": $CURRENT_EVENT_TIME, "message": "Example Event 1" }, { - "timestamp": 1433190184358, + "timestamp": $CURRENT_EVENT_TIME, "message": "Example Event 2" }, { - "timestamp": 1433190184360, + "timestamp": $CURRENT_EVENT_TIME, "message": "Example Event 3" } ] From 1e5760c7316228a28dc3367d899156f1ef0e169c Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Fri, 17 Jan 2025 13:30:59 -0500 Subject: [PATCH 028/147] testing --- .github/workflows/codebuild_runner_test.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index 4edea055..36d7fed6 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -1,4 +1,4 @@ -name: GHA Codebuild Runner Test +name: GHACodebuildRunnerTest on: pull_request: @@ -8,7 +8,7 @@ jobs: test1: env: CLOUDWATCH_LOGGROUP_NAME: '/aws/codebuild/cfpb-regtech-gha-test-1' - CLOUDWATCH_LOGSTREAM_NAME: ${{ github.run_id }}${{ github.run_number }}${{ github.run_attempt }} + CLOUDWATCH_LOGSTREAM_NAME: ${{ github.repository }}_${{ github.workflow }}_${{ github.run_id }}_${{ github.run_number }}_${{ github.run_attempt }} runs-on: - codebuild-cfpb-regtech-gha-test-1-${{ github.run_id }}-${{ github.run_attempt }} steps: From f00e7768ac1568e80ad2a9d5ffc0a517b65cb6de Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Fri, 17 Jan 2025 13:42:20 -0500 Subject: [PATCH 029/147] testing --- .github/workflows/codebuild_runner_test.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index 36d7fed6..e5c440c2 100644 
--- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -1,4 +1,4 @@ -name: GHACodebuildRunnerTest +name: GHA Codebuild Runner Test on: pull_request: @@ -8,7 +8,7 @@ jobs: test1: env: CLOUDWATCH_LOGGROUP_NAME: '/aws/codebuild/cfpb-regtech-gha-test-1' - CLOUDWATCH_LOGSTREAM_NAME: ${{ github.repository }}_${{ github.workflow }}_${{ github.run_id }}_${{ github.run_number }}_${{ github.run_attempt }} + CLOUDWATCH_LOGSTREAM_NAME: ${{ github.repository }}-${{ github.workflow }}-${{ github.run_id }}-${{ github.run_number }}-${{ github.run_attempt }} runs-on: - codebuild-cfpb-regtech-gha-test-1-${{ github.run_id }}-${{ github.run_attempt }} steps: From 93d1d77127296596e8c79e24470c364ecc7aa621 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Fri, 17 Jan 2025 16:13:26 -0500 Subject: [PATCH 030/147] no speces in workflow name for creating log stream --- .github/workflows/codebuild_runner_test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index e5c440c2..96923406 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -1,4 +1,4 @@ -name: GHA Codebuild Runner Test +name: GHACodebuildRunnerTest on: pull_request: From 72bdb8290b80bb77b6e248a9c94f91e146a11961 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Tue, 21 Jan 2025 16:14:59 -0500 Subject: [PATCH 031/147] test using gha codebuild runner without needing to configure aws creds --- .github/workflows/codebuild_runner_test.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index 96923406..3d97d08d 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml 
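Review bot: Dropping the spaces from `name:` treats the symptom; the likely cause is that `$CLOUDWATCH_LOGSTREAM_NAME` (built from `github.workflow`) is expanded unquoted in the create log stream and put events steps, so a name containing spaces is word-split into several CLI arguments. Quote the expansions — `--log-group-name "$CLOUDWATCH_LOGGROUP_NAME" --log-stream-name "$CLOUDWATCH_LOGSTREAM_NAME"` — and the workflow name can stay readable; as far as I recall CloudWatch itself only rejects `:` and `*` in stream names. Those `run:` lines are outside this hunk, later in the file.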
@@ -52,3 +52,18 @@ jobs: aws logs put-log-events --log-group-name $CLOUDWATCH_LOGGROUP_NAME --log-stream-name $CLOUDWATCH_LOGSTREAM_NAME --log-events file://test_events + - name: get secrets from aws + id: get-aws-secret + uses: aws-actions/aws-secretsmanager-get-secrets@v2 + with: + secret-ids: | + TEST_SECRET_1, cfpb/team/regtech/gha-codebuild-runner/test-secret-1 + TEST_SECRET_2, cfpb/team/regtech/gha-codebuild-runner/test-secret-2 + arn:aws:secretsmanager:us-east-1:099248080076:secret:cfpb/team/regtech/gha-codebuild-runner/test-secret-3-9lVad8 + + - name: check aws secrets + id: check-aws-secrets + run: | + echo -e "::add-mask::${{ env.TEST_SECRET_1 }}" + echo -e "::add-mask::${{ env.TEST_SECRET_2 }}" + echo -e "::add-mask::${{ env.TEST_SECRET_3 }}" From 4294df047e69bcf43e3fb0ff0ccc3aea3c2c4396 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Tue, 21 Jan 2025 16:45:12 -0500 Subject: [PATCH 032/147] test using gha codebuild runner without needing to configure aws creds --- .github/workflows/codebuild_runner_test.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index 3d97d08d..55b7e455 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml 
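Review bot: The three `echo -e "::add-mask::${{ env.TEST_SECRET_N }}"` lines interpolate the secret values into the script text when the step is rendered, so they are written into the generated script file on the runner before the mask command is ever processed; use the environment variables the action exports instead, `echo "::add-mask::$TEST_SECRET_1"`, and drop `-e`, which rewrites backslash sequences in the value so the registered string may not match the real secret. Those variables remain in the environment of every later step of the job, so keep the steps after `get-aws-secret` to the ones that need them. Pin `aws-actions/aws-secretsmanager-get-secrets@v2` to a full commit SHA as well; I believe the action already registers fetched values with the runner's masker, which is worth confirming from its documentation rather than by printing secrets.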
@@ -59,11 +59,17 @@ jobs: secret-ids: | TEST_SECRET_1, cfpb/team/regtech/gha-codebuild-runner/test-secret-1 TEST_SECRET_2, cfpb/team/regtech/gha-codebuild-runner/test-secret-2 - arn:aws:secretsmanager:us-east-1:099248080076:secret:cfpb/team/regtech/gha-codebuild-runner/test-secret-3-9lVad8 + TEST_SECRET_3,arn:aws:secretsmanager:us-east-1:099248080076:secret:cfpb/team/regtech/gha-codebuild-runner/test-secret-3-9lVad8 - name: check aws secrets id: check-aws-secrets run: | echo -e "::add-mask::${{ env.TEST_SECRET_1 }}" echo -e "::add-mask::${{ env.TEST_SECRET_2 }}" - echo -e "::add-mask::${{ env.TEST_SECRET_3 }}" + echo -e "${{ env.TEST_SECRET_3 }}" + + - name: check env context + id: check-env-context + run: | + echo "$GITHUB_CONTEXT" + From 58055a310a560ca69bd401605d5b63a7a297b0ba Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Tue, 21 Jan 2025 16:49:39 -0500 Subject: [PATCH 033/147] test using gha codebuild runner and aws secrets --- .github/workflows/codebuild_runner_test.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index 55b7e455..3bebbc0d 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -64,9 +64,9 @@ jobs: - name: check aws secrets id: check-aws-secrets run: | - echo -e "::add-mask::${{ env.TEST_SECRET_1 }}" - echo -e "::add-mask::${{ env.TEST_SECRET_2 }}" - echo -e "${{ env.TEST_SECRET_3 }}" + echo -e "print test-secret-1 ::add-mask::${{ env.TEST_SECRET_1 }} ... mask applied" + echo -e "print test-secret-2 ::add-mask::${{ env.TEST_SECRET_2 }} ... mask applied" + echo -e "print test-secret-3 ${{ env.TEST_SECRET_3 }}" ... no mask applied - name: check env context id: check-env-context From d72dfc692bf1d65f0503bf5639d2c5b55cc5fae0 Mon Sep 17 00:00:00 2001 
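Review bot: `echo -e "print test-secret-1 ::add-mask::${{ env.TEST_SECRET_1 }} ... mask applied"` does not register a mask, because the runner only recognises a workflow command when `::add-mask::` begins the output line, so the first two lines print the values in clear (unless the get-secrets action masked them on fetch), and the third prints TEST_SECRET_3 the same way with the unquoted `... no mask applied` tail passed as extra echo arguments. A `pull_request` run's log is visible to anyone who can read the repository, so use dummy values in the three test secrets while experimenting. In the `check env context` step, `echo "$GITHUB_CONTEXT"` prints an empty line because nothing sets that variable; set it on the step with `env: { GITHUB_CONTEXT: "${{ toJson(github) }}" }` rather than expanding `toJson(github)` inside `run:`.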
From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Tue, 21 Jan 2025 17:00:58 -0500 Subject: [PATCH 034/147] test using gha codebuild runner and aws secrets --- .github/workflows/codebuild_runner_test.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index 3bebbc0d..e746c4fc 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -63,7 +63,13 @@ jobs: - name: check aws secrets id: check-aws-secrets + # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions#example-masking-a-string + description: checking aws secrets for security behavior run: | + echo -e "masking MUST be done for secrets pulled from aws unlike the github secret context which are auto-masked.\n" + echo -e "::add-mask::${{ env.TEST_SECRET_1 }} ... mask applied test-secret-1 ${{ env.TEST_SECRET_1 }}" + echo -e "::add-mask::${{ env.TEST_SECRET_2 }} ... mask applied test-secret-2 ${{ env.TEST_SECRET_2 }}" + echo -e "::add-mask::${{ env.TEST_SECRET_3 }} ... mask applied test-secret-3 ${{ env.TEST_SECRET_3 }}" echo -e "print test-secret-1 ::add-mask::${{ env.TEST_SECRET_1 }} ... mask applied" echo -e "print test-secret-2 ::add-mask::${{ env.TEST_SECRET_2 }} ... mask applied" echo -e "print test-secret-3 ${{ env.TEST_SECRET_3 }}" ... no mask applied From 17af0ebaed7f415cf4dad8b5a1bd621e60da569b Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Tue, 21 Jan 2025 17:05:32 -0500 Subject: [PATCH 035/147] no step description in gha is soooo lame --- .github/workflows/codebuild_runner_test.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index e746c4fc..b9c177cd 100644 --- a/.github/workflows/codebuild_runner_test.yml 
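Review bot: `::add-mask::` takes everything after it to the end of the line as the value to mask, so `echo -e "::add-mask::${{ env.TEST_SECRET_1 }} ... mask applied test-secret-1 ${{ env.TEST_SECRET_1 }}"` registers the whole sentence, not the secret, and a later line that prints only the secret is not masked by it. Register the bare value on its own line, read from the environment rather than an expression — `echo "::add-mask::$TEST_SECRET_1"` — and then print whatever you want to verify on the next line. The `description:` key added to the step is not part of the workflow schema and GitHub will reject the file; keep that explanation in the `#` comment above it.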
+++ b/.github/workflows/codebuild_runner_test.yml @@ -64,7 +64,6 @@ jobs: - name: check aws secrets id: check-aws-secrets # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions#example-masking-a-string - description: checking aws secrets for security behavior run: | echo -e "masking MUST be done for secrets pulled from aws unlike the github secret context which are auto-masked.\n" echo -e "::add-mask::${{ env.TEST_SECRET_1 }} ... mask applied test-secret-1 ${{ env.TEST_SECRET_1 }}" From 4d923f58e2f9e935156e398b502bbc2532a8bee8 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Wed, 22 Jan 2025 14:22:39 -0500 Subject: [PATCH 036/147] aws secret mask testing --- .github/workflows/codebuild_runner_test.yml | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index b9c177cd..e820fc46 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml 
@@ -65,13 +65,10 @@ jobs: id: check-aws-secrets # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions#example-masking-a-string run: | - echo -e "masking MUST be done for secrets pulled from aws unlike the github secret context which are auto-masked.\n" - echo -e "::add-mask::${{ env.TEST_SECRET_1 }} ... mask applied test-secret-1 ${{ env.TEST_SECRET_1 }}" - echo -e "::add-mask::${{ env.TEST_SECRET_2 }} ... mask applied test-secret-2 ${{ env.TEST_SECRET_2 }}" - echo -e "::add-mask::${{ env.TEST_SECRET_3 }} ... mask applied test-secret-3 ${{ env.TEST_SECRET_3 }}" - echo -e "print test-secret-1 ::add-mask::${{ env.TEST_SECRET_1 }} ... mask applied" - echo -e "print test-secret-2 ::add-mask::${{ env.TEST_SECRET_2 }} ... mask applied" - echo -e "print test-secret-3 ${{ env.TEST_SECRET_3 }}" ... no mask applied + echo -e "::add-mask::${{ env.TEST_SECRET_1 }} ... this will be masked test-secret-1 value=${{ env.TEST_SECRET_1 }}" + echo -e "any_text ::add-mask::${{ env.TEST_SECRET_2 }} ... this will not be masked test-secret-2 ${{ env.TEST_SECRET_2 }}" + echo -e "${{ env.TEST_SECRET_3 }} <- registering the secret with add mask" + echo -e "any_txt ${{ env.TEST_SECRET_3 }} ... is this masked? test-secret-3" - name: check env context id: check-env-context From 51d7ddd1dc881079a9933f85921be0bf8fde6c79 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Wed, 22 Jan 2025 14:33:03 -0500 Subject: [PATCH 037/147] aws secret mask testing --- .github/workflows/codebuild_runner_test.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index e820fc46..ddfdd715 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml 
@@ -68,7 +68,8 @@ jobs: echo -e "::add-mask::${{ env.TEST_SECRET_1 }} ... this will be masked test-secret-1 value=${{ env.TEST_SECRET_1 }}" echo -e "any_text ::add-mask::${{ env.TEST_SECRET_2 }} ... this will not be masked test-secret-2 ${{ env.TEST_SECRET_2 }}" echo -e "${{ env.TEST_SECRET_3 }} <- registering the secret with add mask" - echo -e "any_txt ${{ env.TEST_SECRET_3 }} ... is this masked? test-secret-3" + echo -e "${{ env.TEST_SECRET_3 }} ... is test-secret-3 masked?" + echo -e "is it really masked? ${{ env.TEST_SECRET_3 }" - name: check env context id: check-env-context From 509281b72d4f3f523a8def3f509d3f3c09f8dd74 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Wed, 22 Jan 2025 14:34:29 -0500 Subject: [PATCH 038/147] aws secret mask testing --- .github/workflows/codebuild_runner_test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index ddfdd715..cc80d5c5 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -69,7 +69,7 @@ jobs: echo -e "any_text ::add-mask::${{ env.TEST_SECRET_2 }} ... this will not be masked test-secret-2 ${{ env.TEST_SECRET_2 }}" echo -e "${{ env.TEST_SECRET_3 }} <- registering the secret with add mask" echo -e "${{ env.TEST_SECRET_3 }} ... is test-secret-3 masked?" - echo -e "is it really masked? ${{ env.TEST_SECRET_3 }" + echo -e "is it really masked? ${{ env.TEST_SECRET_3 }}" - name: check env context id: check-env-context From 4b92e78ab7a736891808c22df13527017b47248e Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Wed, 22 Jan 2025 14:36:11 -0500 Subject: [PATCH 039/147] aws secret mask testing --- .github/workflows/codebuild_runner_test.yml | 1 - 1 file changed, 1 deletion(-) 
diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index cc80d5c5..8433b921 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -17,7 +17,6 @@ jobs: - name: echo run: | - echo "force trigger again" echo -e "running GHA workflow ${{ github.event.number }}\nbuild: ${{ github.run_id }}\nattempt: ${{ github.run_attempt }}" - name: create log stream From 015537f2aa227906aeadbff2fec88a5b14296c61 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Wed, 22 Jan 2025 14:46:15 -0500 Subject: [PATCH 040/147] aws secret mask testing --- .github/workflows/codebuild_runner_test.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index 8433b921..c89f8a93 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml 
@@ -64,11 +64,12 @@ jobs: id: check-aws-secrets # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions#example-masking-a-string run: | - echo -e "::add-mask::${{ env.TEST_SECRET_1 }} ... this will be masked test-secret-1 value=${{ env.TEST_SECRET_1 }}" - echo -e "any_text ::add-mask::${{ env.TEST_SECRET_2 }} ... this will not be masked test-secret-2 ${{ env.TEST_SECRET_2 }}" - echo -e "${{ env.TEST_SECRET_3 }} <- registering the secret with add mask" - echo -e "${{ env.TEST_SECRET_3 }} ... is test-secret-3 masked?" - echo -e "is it really masked? ${{ env.TEST_SECRET_3 }}" + echo -e "::add-mask::${{ env.TEST_SECRET_1 }} <- registering test-secret-1 with add mask" + echo -e "::add-mask::${{ env.TEST_SECRET_2 }} <- registering test-secret-2 with add mask" + echo -e "${{ env.TEST_SECRET_3 }} <- not registering test-secret-3 with add mask" + echo -e "show test-secret-1 ${{ env.TEST_SECRET_1 }}" + echo -e "show test-secret-2 ${{ env.TEST_SECRET_2 }}" + echo -e "show test-secret-3 ${{ env.TEST_SECRET_3 }}" - name: check env context id: check-env-context From 51f633d441b0674b403b166bd89ba8939658bde0 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Wed, 22 Jan 2025 15:16:07 -0500 Subject: [PATCH 041/147] aws secret mask testing --- .github/workflows/codebuild_runner_test.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index c89f8a93..d8d47585 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml 
@@ -66,10 +66,10 @@ jobs: run: | echo -e "::add-mask::${{ env.TEST_SECRET_1 }} <- registering test-secret-1 with add mask" echo -e "::add-mask::${{ env.TEST_SECRET_2 }} <- registering test-secret-2 with add mask" - echo -e "${{ env.TEST_SECRET_3 }} <- not registering test-secret-3 with add mask" + echo -e "::add-mask::${{ env.TEST_SECRET_3 }} <- registering test-secret-3 with add mask" echo -e "show test-secret-1 ${{ env.TEST_SECRET_1 }}" - echo -e "show test-secret-2 ${{ env.TEST_SECRET_2 }}" - echo -e "show test-secret-3 ${{ env.TEST_SECRET_3 }}" + echo -e "::add-mask::${{ env.TEST_SECRET_2 }} show test-secret-2" + echo -e "show test-secret-3 ::add-mask::${{ env.TEST_SECRET_3 }}" - name: check env context id: check-env-context From 1ae0e96bbdd26b7d14b9e3d799cce4d8ce3dd2e8 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Thu, 23 Jan 2025 15:46:01 -0500 Subject: [PATCH 042/147] masking custom action --- .github/actions/mask_secrets/actions.yml | 18 +++++++++++++++++ .github/workflows/codebuild_runner_test.yml | 22 ++++++++++++++++----- 2 files changed, 35 insertions(+), 5 deletions(-) create mode 100644 .github/actions/mask_secrets/actions.yml diff --git a/.github/actions/mask_secrets/actions.yml b/.github/actions/mask_secrets/actions.yml new file mode 100644 index 00000000..ce505a16 --- /dev/null +++ b/.github/actions/mask_secrets/actions.yml @@ -0,0 +1,18 @@ +name: 'Set environment variables' +description: 'Configures environment variables for a workflow' +inputs: + secrets: + description: 'List of string separated by EOL' + required: true +runs: + using: "composite" + steps: + - name: Masking + run: | + IFS='\n' read -ra secrets <<< "${{ inputs.secrets }}" + for secret in "${secrets[@]}" ; do + if [[ "$secret" ]]; then + echo "::add-mask::$secret ... registered" + fi + done + shell: bash diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index d8d47585..40c27195 100644 
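Review bot: `IFS='\n' read -ra secrets <<< "${{ inputs.secrets }}"` does not split the newline-separated input: inside single quotes IFS becomes the two characters `\` and `n`, and `read` consumes only the first line of the here-string, so at most one array element is populated and the remaining values are never masked. The `echo "::add-mask::$secret ... registered"` line has the same problem as the workflow's echo lines, since the registered mask includes the ` ... registered` suffix and therefore never matches the bare value. Expanding `${{ inputs.secrets }}` directly into the script also writes every value into the step's temporary script file and lets a value containing `"` or `$(` alter the command; passing the input through `env:` and reading it line by line avoids both, as below. GitHub also only recognises a composite action whose metadata file is named `action.yml` or `action.yaml`, which `actions.yml` is not.
```yaml
  - name: Masking
    env:
      SECRETS_TO_MASK: ${{ inputs.secrets }}
    run: |
      while IFS= read -r secret; do
        if [ -n "$secret" ]; then
          echo "::add-mask::${secret}"
        fi
      done <<< "$SECRETS_TO_MASK"
    shell: bash
```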
--- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -60,16 +60,28 @@ jobs: TEST_SECRET_2, cfpb/team/regtech/gha-codebuild-runner/test-secret-2 TEST_SECRET_3,arn:aws:secretsmanager:us-east-1:099248080076:secret:cfpb/team/regtech/gha-codebuild-runner/test-secret-3-9lVad8 + # wrap aws secrets + - name: Secret Masking + uses: ./.github/actions/mask_secrets + with: + secrets: | + ${{ env.TEST_SECRET_1 }} + ${{ env.TEST_SECRET_2 }} + ${{ env.TEST_SECRET_3 }} + - name: check aws secrets id: check-aws-secrets # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions#example-masking-a-string run: | - echo -e "::add-mask::${{ env.TEST_SECRET_1 }} <- registering test-secret-1 with add mask" - echo -e "::add-mask::${{ env.TEST_SECRET_2 }} <- registering test-secret-2 with add mask" - echo -e "::add-mask::${{ env.TEST_SECRET_3 }} <- registering test-secret-3 with add mask" + #echo -e "::add-mask::${{ env.TEST_SECRET_1 }} <- registering test-secret-1 with add mask" + #echo -e "::add-mask::${{ env.TEST_SECRET_2 }} <- registering test-secret-2 with add mask" + #echo -e "::add-mask::${{ env.TEST_SECRET_3 }} <- registering test-secret-3 with add mask" echo -e "show test-secret-1 ${{ env.TEST_SECRET_1 }}" - echo -e "::add-mask::${{ env.TEST_SECRET_2 }} show test-secret-2" - echo -e "show test-secret-3 ::add-mask::${{ env.TEST_SECRET_3 }}" + echo -e "show test-secret-2 ${{ env.TEST_SECRET_2 }}" + echo -e "show test-secret-3 ${{ env.TEST_SECRET_3 }}" + + #echo -e "::add-mask::${{ env.TEST_SECRET_2 }} show test-secret-2" + #echo -e "show test-secret-3 ::add-mask::${{ env.TEST_SECRET_3 }}" - name: check env context id: check-env-context From 5695da69eefde614c1b2e966b94b7483a817da6b Mon Sep 17 00:00:00 2001 
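Review bot: Commenting out the three `#echo -e "::add-mask::${{ env.TEST_SECRET_1 }} ..."` lines inside `run: |` does not stop expression expansion: `${{ }}` is substituted before the shell starts, so the secret values are still written into the generated script even though the shell never executes those lines. Delete them rather than commenting them out, or reference the values as `$TEST_SECRET_1` so nothing is expanded into the script text; the same applies to the two commented lines at the end of the step. The new `uses: ./.github/actions/mask_secrets` reference also needs the repository checked out into the workspace first, which no step in this hunk does. The job begins outside this hunk.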
From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Thu, 23 Jan 2025 15:52:07 -0500 Subject: [PATCH 043/147] masking custom action --- .github/workflows/codebuild_runner_test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index 40c27195..2bfcc994 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -62,7 +62,7 @@ jobs: # wrap aws secrets - name: Secret Masking - uses: ./.github/actions/mask_secrets + uses: ./regtech-deployments/.github/actions/mask_secrets with: secrets: | ${{ env.TEST_SECRET_1 }} From 721a1fbf71327a323c5e5eae369ba7342ec981f1 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Thu, 23 Jan 2025 15:54:31 -0500 Subject: [PATCH 044/147] masking custom action --- .github/workflows/codebuild_runner_test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index 2bfcc994..046ed125 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -62,7 +62,7 @@ jobs: # wrap aws secrets - name: Secret Masking - uses: ./regtech-deployments/.github/actions/mask_secrets + uses: ../.github/actions/mask_secrets with: secrets: | ${{ env.TEST_SECRET_1 }} From a7a26e821b89ba8cc28838f7f4d7b4151a80a70a Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Thu, 23 Jan 2025 15:56:22 -0500 Subject: [PATCH 045/147] masking custom action --- .github/workflows/codebuild_runner_test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index 046ed125..19f9c57b 100644 --- a/.github/workflows/codebuild_runner_test.yml 
+++ b/.github/workflows/codebuild_runner_test.yml @@ -62,7 +62,7 @@ jobs: # wrap aws secrets - name: Secret Masking - uses: ../.github/actions/mask_secrets + uses: '.github/actions/mask_secrets' with: secrets: | ${{ env.TEST_SECRET_1 }} From 07ab5e77143f98586d6277a7ff53dd0d42d6e280 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Thu, 23 Jan 2025 16:01:11 -0500 Subject: [PATCH 046/147] masking custom action --- .github/workflows/codebuild_runner_test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index 19f9c57b..2bfcc994 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -62,7 +62,7 @@ jobs: # wrap aws secrets - name: Secret Masking - uses: '.github/actions/mask_secrets' + uses: ./regtech-deployments/.github/actions/mask_secrets with: secrets: | ${{ env.TEST_SECRET_1 }} From 70d8c494305f9d23570e84a2337444ba52df4584 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Thu, 23 Jan 2025 16:12:35 -0500 Subject: [PATCH 047/147] masking custom action --- .github/workflows/codebuild_runner_test.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index 2bfcc994..3517e5a6 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -61,6 +61,7 @@ jobs: TEST_SECRET_3,arn:aws:secretsmanager:us-east-1:099248080076:secret:cfpb/team/regtech/gha-codebuild-runner/test-secret-3-9lVad8 # wrap aws secrets + - uses: actions/checkout@v4 - name: Secret Masking uses: ./regtech-deployments/.github/actions/mask_secrets with: From 1d60d3743441756f43b4f9844ff60fd381abc93b Mon Sep 17 00:00:00 2001 
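Review bot: `- uses: actions/checkout@v4` references the action by a movable tag; pinning to the full commit SHA of the release (`uses: actions/checkout@<full-commit-sha>  # v4`) fixes exactly which code runs on the CodeBuild runner and cannot be changed by a tag move. The checkout steps added in patch 048 (inside the composite action) and patch 050 (`Checkout To Path`) use the same form. The step is also placed after the context lines that map the AWS secrets into the environment, so the checked-out action code appears to run with those values already exported; ordering the checkout before the secret-fetching step limits that exposure. The job begins outside this hunk.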
From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Thu, 23 Jan 2025 16:16:36 -0500 Subject: [PATCH 048/147] debug custom action --- .github/actions/mask_secrets/actions.yml | 2 ++ .github/workflows/codebuild_runner_test.yml | 1 - 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/actions/mask_secrets/actions.yml b/.github/actions/mask_secrets/actions.yml index ce505a16..eea6e50a 100644 --- a/.github/actions/mask_secrets/actions.yml +++ b/.github/actions/mask_secrets/actions.yml @@ -7,6 +7,8 @@ inputs: runs: using: "composite" steps: + - name: 'Checkout GitHub Action' + uses: actions/checkout@v4 - name: Masking run: | IFS='\n' read -ra secrets <<< "${{ inputs.secrets }}" diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index 3517e5a6..2bfcc994 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -61,7 +61,6 @@ jobs: TEST_SECRET_3,arn:aws:secretsmanager:us-east-1:099248080076:secret:cfpb/team/regtech/gha-codebuild-runner/test-secret-3-9lVad8 # wrap aws secrets - - uses: actions/checkout@v4 - name: Secret Masking uses: ./regtech-deployments/.github/actions/mask_secrets with: From 23c55510b3dea4a8dc87ca568abb9c1a63baf4c9 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Thu, 23 Jan 2025 16:32:35 -0500 Subject: [PATCH 049/147] debug custom action --- .github/workflows/codebuild_runner_test.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index 2bfcc994..77854289 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml 
@@ -62,12 +62,13 @@ jobs: # wrap aws secrets - name: Secret Masking - uses: ./regtech-deployments/.github/actions/mask_secrets - with: - secrets: | - ${{ env.TEST_SECRET_1 }} - ${{ env.TEST_SECRET_2 }} - ${{ env.TEST_SECRET_3 }} + run: pwd + #uses: ./.github/actions/mask_secrets + #with: + # secrets: | + # ${{ env.TEST_SECRET_1 }} + # ${{ env.TEST_SECRET_2 }} + # ${{ env.TEST_SECRET_3 }} - name: check aws secrets id: check-aws-secrets From b008cfc6be02804b5863c4e5c2ba883ea6373609 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Thu, 23 Jan 2025 16:51:52 -0500 Subject: [PATCH 050/147] debug custom action --- .github/actions/mask_secrets/actions.yml | 8 +++----- .github/workflows/codebuild_runner_test.yml | 19 +++++++++++++------ 2 files changed, 16 insertions(+), 11 deletions(-) diff --git a/.github/actions/mask_secrets/actions.yml b/.github/actions/mask_secrets/actions.yml index eea6e50a..481fe5df 100644 --- a/.github/actions/mask_secrets/actions.yml +++ b/.github/actions/mask_secrets/actions.yml @@ -1,14 +1,12 @@ -name: 'Set environment variables' -description: 'Configures environment variables for a workflow' +name: 'Mask Secrets' +description: 'Masking AWS Secrets' inputs: secrets: - description: 'List of string separated by EOL' + description: 'string separated by EOL' required: true runs: using: "composite" steps: - - name: 'Checkout GitHub Action' - uses: actions/checkout@v4 - name: Masking run: | IFS='\n' read -ra secrets <<< "${{ inputs.secrets }}" diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index 77854289..6612ff2c 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml 
@@ -60,15 +60,22 @@ jobs: TEST_SECRET_2, cfpb/team/regtech/gha-codebuild-runner/test-secret-2 TEST_SECRET_3,arn:aws:secretsmanager:us-east-1:099248080076:secret:cfpb/team/regtech/gha-codebuild-runner/test-secret-3-9lVad8 + - name: Checkout To Path + uses: actions/checkout@v4 + with: + repository: 'cfpb/regtech-deployments' + ref: 'test/gha-codebuild-runner' + path: 'testing-action' + # wrap aws secrets - name: Secret Masking run: pwd - #uses: ./.github/actions/mask_secrets - #with: - # secrets: | - # ${{ env.TEST_SECRET_1 }} - # ${{ env.TEST_SECRET_2 }} - # ${{ env.TEST_SECRET_3 }} + uses: ./testing-action/.github/actions/setvars + with: + secrets: | + ${{ env.TEST_SECRET_1 }} + ${{ env.TEST_SECRET_2 }} + ${{ env.TEST_SECRET_3 }} - name: check aws secrets id: check-aws-secrets From 933f4d02648c0f111641f07d658fb3fa80e42da0 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Thu, 23 Jan 2025 16:52:37 -0500 Subject: [PATCH 051/147] debug custom action --- .github/workflows/codebuild_runner_test.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index 6612ff2c..d399976f 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -69,7 +69,6 @@ jobs: # wrap aws secrets - name: Secret Masking - run: pwd uses: ./testing-action/.github/actions/setvars with: secrets: | From 05737b8aaf15e5b91ea724b2c1ab3d45c8bbc862 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Thu, 23 Jan 2025 16:55:24 -0500 Subject: [PATCH 052/147] debug custom action --- .github/workflows/codebuild_runner_test.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index d399976f..7731f225 100644 --- a/.github/workflows/codebuild_runner_test.yml 
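Review bot: The `Secret Masking` step now carries both `run: pwd` and `uses:`, which the workflow parser rejects because a step may define only one of the two. On `Checkout To Path`, `ref: 'test/gha-codebuild-runner'` checks out a branch head, so the composite action exercised is whatever that branch holds at run time rather than the commit that triggered the run; since both files in this patch series live in the same repository, a plain `uses: actions/checkout@v4` with no `repository:`/`path:` would let `uses: ./.github/actions/mask_secrets` resolve against the triggering commit. Adding `persist-credentials: false` to the checkout keeps the job token out of `testing-action/.git/config`, since no later step in the hunk uses git. The job begins outside this hunk.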
+++ b/.github/workflows/codebuild_runner_test.yml @@ -67,9 +67,14 @@ jobs: ref: 'test/gha-codebuild-runner' path: 'testing-action' + - name: foo + run: | + pwd + ls -alt + # wrap aws secrets - name: Secret Masking - uses: ./testing-action/.github/actions/setvars + uses: ./testing-action/.github/actions/mask_secrets with: secrets: | ${{ env.TEST_SECRET_1 }} From 3cbc83e9bac66cebc507449e5a4ff70ff151fc5a Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Thu, 23 Jan 2025 17:00:13 -0500 Subject: [PATCH 053/147] debug custom action --- .github/workflows/codebuild_runner_test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index 7731f225..a7bcd210 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -70,7 +70,7 @@ jobs: - name: foo run: | pwd - ls -alt + ls -altR testing-action # wrap aws secrets - name: Secret Masking From cba73c568d5c8bfba0d1138db56e6cb73ef450fe Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Thu, 23 Jan 2025 17:04:10 -0500 Subject: [PATCH 054/147] debug custom action --- .github/workflows/codebuild_runner_test.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index a7bcd210..d576de0a 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -70,7 +70,8 @@ jobs: - name: foo run: | pwd - ls -altR testing-action + cd testing-action + ls -altR . # wrap aws secrets - name: Secret Masking From 482d5b5e0e7c8cb6d4d94a2e897074748d937ddb Mon Sep 17 00:00:00 2001 
From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Thu, 23 Jan 2025 17:10:54 -0500 Subject: [PATCH 055/147] debug custom action --- .github/workflows/codebuild_runner_test.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index d576de0a..41ce8dbd 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -70,8 +70,7 @@ jobs: - name: foo run: | pwd - cd testing-action - ls -altR . + ls -alt testing-action/.github/actions # wrap aws secrets - name: Secret Masking From abd415e348036e05eea0903a41e31b6897b2ede4 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Thu, 23 Jan 2025 17:15:42 -0500 Subject: [PATCH 056/147] debug custom action --- .github/workflows/codebuild_runner_test.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index 41ce8dbd..51ec07d2 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -70,8 +70,12 @@ jobs: - name: foo run: | pwd + ls -alt . + ls -alt testing-action + ls -alt testing-action/.github ls -alt testing-action/.github/actions - + ls -alt testing-action/.github/actions/mask_secrets + # wrap aws secrets - name: Secret Masking uses: ./testing-action/.github/actions/mask_secrets From 70128bf870a266ae77fdcbe433551db12d1fdbb8 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Thu, 23 Jan 2025 17:19:05 -0500 Subject: [PATCH 057/147] fixed file name --- .github/actions/mask_secrets/{actions.yml => action.yml} | 0 .github/workflows/codebuild_runner_test.yml | 9 --------- 2 files changed, 9 deletions(-) rename .github/actions/mask_secrets/{actions.yml => action.yml} (100%) 
diff --git a/.github/actions/mask_secrets/actions.yml b/.github/actions/mask_secrets/action.yml similarity index 100% rename from .github/actions/mask_secrets/actions.yml rename to .github/actions/mask_secrets/action.yml diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index 51ec07d2..56d62d5c 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -67,15 +67,6 @@ jobs: ref: 'test/gha-codebuild-runner' path: 'testing-action' - - name: foo - run: | - pwd - ls -alt . - ls -alt testing-action - ls -alt testing-action/.github - ls -alt testing-action/.github/actions - ls -alt testing-action/.github/actions/mask_secrets - # wrap aws secrets - name: Secret Masking uses: ./testing-action/.github/actions/mask_secrets From be342d039e6f9ec62c379ff61170b6c661443551 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Thu, 23 Jan 2025 17:24:34 -0500 Subject: [PATCH 058/147] test --- .github/actions/mask_secrets/action.yml | 17 ++++++++++------- .github/workflows/codebuild_runner_test.yml | 5 +---- 2 files changed, 11 insertions(+), 11 deletions(-) diff --git a/.github/actions/mask_secrets/action.yml b/.github/actions/mask_secrets/action.yml index 481fe5df..cd329f45 100644 --- a/.github/actions/mask_secrets/action.yml +++ b/.github/actions/mask_secrets/action.yml @@ -7,12 +7,15 @@ inputs: runs: using: "composite" steps: +# - name: Masking +# run: | +# IFS='\n' read -ra secrets <<< "${{ inputs.secrets }}" +# for secret in "${secrets[@]}" ; do +# if [[ "$secret" ]]; then +# echo "::add-mask::$secret ... registered" +# fi +# done +# shell: bash - name: Masking run: | - IFS='\n' read -ra secrets <<< "${{ inputs.secrets }}" - for secret in "${secrets[@]}" ; do - if [[ "$secret" ]]; then - echo "::add-mask::$secret ... registered" - fi - done - shell: bash + echo "::add-mask::${{ secrets }}" 
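Review bot: `echo "::add-mask::${{ secrets }}"` references the `secrets` context, which is not available inside a composite action; the value the caller passes is `${{ inputs.secrets }}`. The replacement step also drops `shell: bash`, which every `run` step of a composite action must declare. Even with the context fixed, a single `::add-mask::` over the whole comma-joined input registers only the concatenation, so each individual value remains unmasked when it is printed on its own. The `runs:` block begins outside this hunk.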
diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index 56d62d5c..093853d3 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -71,10 +71,7 @@ jobs: - name: Secret Masking uses: ./testing-action/.github/actions/mask_secrets with: - secrets: | - ${{ env.TEST_SECRET_1 }} - ${{ env.TEST_SECRET_2 }} - ${{ env.TEST_SECRET_3 }} + secrets: "${{ env.TEST_SECRET_1 }},${{ env.TEST_SECRET_2 }},${{ env.TEST_SECRET_3 }}" - name: check aws secrets id: check-aws-secrets From 2e1fa1b0cfd98d0aac1d7d6cda4eac5317ef35ab Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Thu, 23 Jan 2025 17:30:00 -0500 Subject: [PATCH 059/147] test --- .github/actions/mask_secrets/action.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/actions/mask_secrets/action.yml b/.github/actions/mask_secrets/action.yml index cd329f45..2ad068d5 100644 --- a/.github/actions/mask_secrets/action.yml +++ b/.github/actions/mask_secrets/action.yml @@ -18,4 +18,5 @@ runs: # shell: bash - name: Masking run: | - echo "::add-mask::${{ secrets }}" + echo "::add-mask::${{ inputs.secrets }}" + shell: bash From 3da791f7099a33cdf34380e9ccc649af1ecd6df3 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Thu, 23 Jan 2025 17:33:47 -0500 Subject: [PATCH 060/147] test --- .github/workflows/codebuild_runner_test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index 093853d3..afcd1b06 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml 
@@ -71,7 +71,7 @@ jobs: - name: Secret Masking uses: ./testing-action/.github/actions/mask_secrets with: - secrets: "${{ env.TEST_SECRET_1 }},${{ env.TEST_SECRET_2 }},${{ env.TEST_SECRET_3 }}" + secrets: "${{ env.TEST_SECRET_1 }}" - name: check aws secrets id: check-aws-secrets From 42831dc34851c1234527018940d087a2b784205d Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Thu, 23 Jan 2025 18:16:06 -0500 Subject: [PATCH 061/147] test --- .github/actions/mask_secrets/action.yml | 18 ++++++++---------- .github/workflows/codebuild_runner_test.yml | 2 +- 2 files changed, 9 insertions(+), 11 deletions(-) diff --git a/.github/actions/mask_secrets/action.yml b/.github/actions/mask_secrets/action.yml index 2ad068d5..eda24217 100644 --- a/.github/actions/mask_secrets/action.yml +++ b/.github/actions/mask_secrets/action.yml @@ -7,16 +7,14 @@ inputs: runs: using: "composite" steps: -# - name: Masking -# run: | -# IFS='\n' read -ra secrets <<< "${{ inputs.secrets }}" -# for secret in "${secrets[@]}" ; do -# if [[ "$secret" ]]; then -# echo "::add-mask::$secret ... registered" -# fi -# done -# shell: bash - name: Masking run: | - echo "::add-mask::${{ inputs.secrets }}" + IFS=',' read -ra secrets <<< "${{ inputs.secrets }}" + for secret in "${secrets[@]}" ; do + echo "::add-mask::${{ secret }} ... registered" + done shell: bash +# - name: Masking +# run: | +# echo "::add-mask::${{ inputs.secrets }}" +# shell: bash diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index afcd1b06..699caece 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -71,7 +71,7 @@ jobs: - name: Secret Masking uses: ./testing-action/.github/actions/mask_secrets with: - secrets: "${{ env.TEST_SECRET_1 }}" + secrets: "${{ env.TEST_SECRET_1 }},${{ env.TEST_SECRET_2 }}" - name: check aws secrets id: check-aws-secrets 
From 0ea26115a2649f195f08a1d3f8992d5b876caa8f Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Thu, 23 Jan 2025 18:20:24 -0500 Subject: [PATCH 062/147] test --- .github/actions/mask_secrets/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/mask_secrets/action.yml b/.github/actions/mask_secrets/action.yml index eda24217..036ea0b9 100644 --- a/.github/actions/mask_secrets/action.yml +++ b/.github/actions/mask_secrets/action.yml @@ -11,7 +11,7 @@ runs: run: | IFS=',' read -ra secrets <<< "${{ inputs.secrets }}" for secret in "${secrets[@]}" ; do - echo "::add-mask::${{ secret }} ... registered" + echo "::add-mask::$secret ... registered" done shell: bash # - name: Masking From 17304d797ad7813a5964b736b09ea41779406558 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Thu, 23 Jan 2025 18:22:13 -0500 Subject: [PATCH 063/147] test --- .github/actions/mask_secrets/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/mask_secrets/action.yml b/.github/actions/mask_secrets/action.yml index 036ea0b9..88a4dacd 100644 --- a/.github/actions/mask_secrets/action.yml +++ b/.github/actions/mask_secrets/action.yml @@ -11,7 +11,7 @@ runs: run: | IFS=',' read -ra secrets <<< "${{ inputs.secrets }}" for secret in "${secrets[@]}" ; do - echo "::add-mask::$secret ... registered" + echo "::add-mask::${secret} ... registered" done shell: bash # - name: Masking From 919e64d29819b43d94b8bd2faec3230b337a23c3 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Thu, 23 Jan 2025 19:00:11 -0500 Subject: [PATCH 064/147] test --- .github/actions/mask_secrets/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/mask_secrets/action.yml b/.github/actions/mask_secrets/action.yml index 88a4dacd..e981e525 100644 --- a/.github/actions/mask_secrets/action.yml 
+++ b/.github/actions/mask_secrets/action.yml @@ -11,7 +11,7 @@ runs: run: | IFS=',' read -ra secrets <<< "${{ inputs.secrets }}" for secret in "${secrets[@]}" ; do - echo "::add-mask::${secret} ... registered" + echo -e "::add-mask::\"$secret\" ... registered" done shell: bash # - name: Masking From dc129ad9bbe42064e586eeacc4782b57c8a9a5ef Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Thu, 23 Jan 2025 19:02:46 -0500 Subject: [PATCH 065/147] Revert "test" This reverts commit 919e64d29819b43d94b8bd2faec3230b337a23c3. --- .github/actions/mask_secrets/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/mask_secrets/action.yml b/.github/actions/mask_secrets/action.yml index e981e525..88a4dacd 100644 --- a/.github/actions/mask_secrets/action.yml +++ b/.github/actions/mask_secrets/action.yml @@ -11,7 +11,7 @@ runs: run: | IFS=',' read -ra secrets <<< "${{ inputs.secrets }}" for secret in "${secrets[@]}" ; do - echo -e "::add-mask::\"$secret\" ... registered" + echo "::add-mask::${secret} ... registered" done shell: bash # - name: Masking From 624b0a71f987628ea5fbd1242de1b700dbdc4aa8 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Thu, 23 Jan 2025 22:28:06 -0500 Subject: [PATCH 066/147] test --- .github/actions/mask_secrets/action.yml | 2 +- .github/workflows/codebuild_runner_test.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/actions/mask_secrets/action.yml b/.github/actions/mask_secrets/action.yml index 88a4dacd..036ea0b9 100644 --- a/.github/actions/mask_secrets/action.yml +++ b/.github/actions/mask_secrets/action.yml @@ -11,7 +11,7 @@ runs: run: | IFS=',' read -ra secrets <<< "${{ inputs.secrets }}" for secret in "${secrets[@]}" ; do - echo "::add-mask::${secret} ... registered" + echo "::add-mask::$secret ... registered" done shell: bash # - name: Masking 
diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index 699caece..882b8416 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -71,7 +71,7 @@ jobs: - name: Secret Masking uses: ./testing-action/.github/actions/mask_secrets with: - secrets: "${{ env.TEST_SECRET_1 }},${{ env.TEST_SECRET_2 }}" + secrets: "TEST_SECRET_1,TEST_SECRET_2" - name: check aws secrets id: check-aws-secrets From d4b38f4425f488bd2596f471fc50c571c54cb692 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Thu, 23 Jan 2025 22:38:36 -0500 Subject: [PATCH 067/147] test --- .github/actions/mask_secrets/action.yml | 16 ++++++++-------- .github/workflows/codebuild_runner_test.yml | 6 +++++- 2 files changed, 13 insertions(+), 9 deletions(-) diff --git a/.github/actions/mask_secrets/action.yml b/.github/actions/mask_secrets/action.yml index 036ea0b9..a59c7c3f 100644 --- a/.github/actions/mask_secrets/action.yml +++ b/.github/actions/mask_secrets/action.yml @@ -7,14 +7,14 @@ inputs: runs: using: "composite" steps: - - name: Masking - run: | - IFS=',' read -ra secrets <<< "${{ inputs.secrets }}" - for secret in "${secrets[@]}" ; do - echo "::add-mask::$secret ... registered" - done - shell: bash # - name: Masking # run: | -# echo "::add-mask::${{ inputs.secrets }}" +# IFS=',' read -ra secrets <<< "${{ inputs.secrets }}" +# for secret in "${secrets[@]}" ; do +# echo "::add-mask::$secret ... registered" +# done # shell: bash + - name: Masking + run: | + echo "::add-mask::${{ inputs.secrets }}" + shell: bash diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index 882b8416..7add967e 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml 
@@ -67,11 +67,15 @@ jobs: ref: 'test/gha-codebuild-runner' path: 'testing-action' + - name: checkout output + run: | + echo -e "${{ steps.get-aws-secret.outputs.secret-ids }} + # wrap aws secrets - name: Secret Masking uses: ./testing-action/.github/actions/mask_secrets with: - secrets: "TEST_SECRET_1,TEST_SECRET_2" + secrets: "${{ env.TEST_SECRET_1 }}" - name: check aws secrets id: check-aws-secrets From 3e3d9dd449e0315abce26f4548d5efbdb6acad8f Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Thu, 23 Jan 2025 22:39:49 -0500 Subject: [PATCH 068/147] test --- .github/workflows/codebuild_runner_test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index 7add967e..b20237e1 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -69,7 +69,7 @@ jobs: - name: checkout output run: | - echo -e "${{ steps.get-aws-secret.outputs.secret-ids }} + echo -e "${{ steps.get-aws-secret.outputs.secret-ids }}" # wrap aws secrets - name: Secret Masking From 0e6770e043f6fc9179d7c3c3f41b1fe2304f9279 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Thu, 23 Jan 2025 22:46:41 -0500 Subject: [PATCH 069/147] test --- .github/actions/mask_secrets/action.yml | 16 ++++++++-------- .github/workflows/codebuild_runner_test.yml | 4 +++- 2 files changed, 11 insertions(+), 9 deletions(-) diff --git a/.github/actions/mask_secrets/action.yml b/.github/actions/mask_secrets/action.yml index a59c7c3f..626c5db9 100644 --- a/.github/actions/mask_secrets/action.yml +++ b/.github/actions/mask_secrets/action.yml 
@@ -7,14 +7,14 @@ inputs: runs: using: "composite" steps: -# - name: Masking -# run: | -# IFS=',' read -ra secrets <<< "${{ inputs.secrets }}" -# for secret in "${secrets[@]}" ; do -# echo "::add-mask::$secret ... registered" -# done -# shell: bash - name: Masking run: | - echo "::add-mask::${{ inputs.secrets }}" + while read -r line + do + echo "::add-mask::${line}" + done <<< "${{ inputs.secrets }}" shell: bash +# - name: Masking +# run: | +# echo "::add-mask::${{ inputs.secrets }}" +# shell: bash diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index b20237e1..fdce5658 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -75,7 +75,9 @@ jobs: - name: Secret Masking uses: ./testing-action/.github/actions/mask_secrets with: - secrets: "${{ env.TEST_SECRET_1 }}" + secrets: | + ${{ env.TEST_SECRET_1 }} + ${{ env.TEST_SECRET_1 }} - name: check aws secrets id: check-aws-secrets From 632f945256a9f8153253ae57dd15b2a14ce5a639 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Thu, 23 Jan 2025 22:56:12 -0500 Subject: [PATCH 070/147] test --- .github/actions/mask_secrets/action.yml | 1 + .github/workflows/codebuild_runner_test.yml | 8 +------- 2 files changed, 2 insertions(+), 7 deletions(-) diff --git a/.github/actions/mask_secrets/action.yml b/.github/actions/mask_secrets/action.yml index 626c5db9..d4b59788 100644 --- a/.github/actions/mask_secrets/action.yml +++ b/.github/actions/mask_secrets/action.yml @@ -9,6 +9,7 @@ runs: steps: - name: Masking run: | + IFS="," while read -r line do echo "::add-mask::${line}" diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index fdce5658..02d08d33 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml 
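Review bot: Setting `IFS=","` before `while read -r line` (070 hunk, action.yml) does not split each line on commas: with a single variable name, `read` assigns the whole line and IFS only trims delimiters at its ends, so `a,b` is still registered as one mask value. Either split into an array with `IFS="," read -ra` as the 071 hunk on the next line does, or keep newline-separated input and drop the IFS assignment. As written the `IFS=","` also stays in effect for the rest of the script.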
@@ -67,17 +67,11 @@ jobs: ref: 'test/gha-codebuild-runner' path: 'testing-action' - - name: checkout output - run: | - echo -e "${{ steps.get-aws-secret.outputs.secret-ids }}" - # wrap aws secrets - name: Secret Masking uses: ./testing-action/.github/actions/mask_secrets with: - secrets: | - ${{ env.TEST_SECRET_1 }} - ${{ env.TEST_SECRET_1 }} + secrets: ${{ env.TEST_SECRET_1 }},${{ env.TEST_SECRET_1 }} - name: check aws secrets id: check-aws-secrets From 6ed15aa9fe002cde575906e3daa3d45511a3444c Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Thu, 23 Jan 2025 23:01:13 -0500 Subject: [PATCH 071/147] test --- .github/actions/mask_secrets/action.yml | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/.github/actions/mask_secrets/action.yml b/.github/actions/mask_secrets/action.yml index d4b59788..0ffcc814 100644 --- a/.github/actions/mask_secrets/action.yml +++ b/.github/actions/mask_secrets/action.yml @@ -9,11 +9,10 @@ runs: steps: - name: Masking run: | - IFS="," - while read -r line - do - echo "::add-mask::${line}" - done <<< "${{ inputs.secrets }}" + IFS="," read -a var <<< "${{ inputs.secrets }}" + for x in "${var[@]}"; do + echo "::add-mask::${x}" + done shell: bash # - name: Masking # run: | From 25304282eb230f89c7c843b3c3c73cf45980dab6 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Thu, 23 Jan 2025 23:10:17 -0500 Subject: [PATCH 072/147] test --- .github/workflows/codebuild_runner_test.yml | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index 02d08d33..18821349 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml 
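Review bot: The new `secrets:` value in the 070 workflow hunk expands `${{ env.TEST_SECRET_1 }}` twice and never `TEST_SECRET_2`, so the second test secret is not exercised by the masking test; presumably the second expansion should be `${{ env.TEST_SECRET_2 }}`. Since the 071 action hunk on this line splits the input on commas, a secret value that itself contains a comma would be registered as fragments; that restriction should be stated in the input's `description`, or the action should accept one value per line.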
@@ -67,11 +67,18 @@ jobs: ref: 'test/gha-codebuild-runner' path: 'testing-action' + + - name: Masking + run: | + IFS="," read -a var <<< "${{ env.TEST_SECRET_1 }},${{ env.TEST_SECRET_2 }}" + for x in "${var[@]}"; do + echo "::add-mask::${{ x }}" + done # wrap aws secrets - - name: Secret Masking - uses: ./testing-action/.github/actions/mask_secrets - with: - secrets: ${{ env.TEST_SECRET_1 }},${{ env.TEST_SECRET_1 }} + #- name: Secret Masking + # uses: ./testing-action/.github/actions/mask_secrets + # with: + # secrets: ${{ env.TEST_SECRET_1 }},${{ env.TEST_SECRET_1 }} - name: check aws secrets id: check-aws-secrets From 254170c3c411b0d6f9ba8942a450dfaefb5f7af1 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Thu, 23 Jan 2025 23:11:12 -0500 Subject: [PATCH 073/147] test --- .github/workflows/codebuild_runner_test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index 18821349..881a4db7 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -72,7 +72,7 @@ jobs: run: | IFS="," read -a var <<< "${{ env.TEST_SECRET_1 }},${{ env.TEST_SECRET_2 }}" for x in "${var[@]}"; do - echo "::add-mask::${{ x }}" + echo "::add-mask::$x" done # wrap aws secrets #- name: Secret Masking From 0d0173d872592fc38db433bbe9d3422622f2e927 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Thu, 23 Jan 2025 23:18:25 -0500 Subject: [PATCH 074/147] test --- .github/actions/mask_secrets/action.yml | 6 +----- .github/workflows/codebuild_runner_test.yml | 24 ++++++++++----------- 2 files changed, 12 insertions(+), 18 deletions(-) diff --git a/.github/actions/mask_secrets/action.yml b/.github/actions/mask_secrets/action.yml index 0ffcc814..9968a41e 100644 --- a/.github/actions/mask_secrets/action.yml +++ b/.github/actions/mask_secrets/action.yml 
@@ -11,10 +11,6 @@ runs: run: | IFS="," read -a var <<< "${{ inputs.secrets }}" for x in "${var[@]}"; do - echo "::add-mask::${x}" + echo "::add-mask::$x" done shell: bash -# - name: Masking -# run: | -# echo "::add-mask::${{ inputs.secrets }}" -# shell: bash diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index 881a4db7..8e6cd67a 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -68,25 +68,23 @@ jobs: path: 'testing-action' - - name: Masking - run: | - IFS="," read -a var <<< "${{ env.TEST_SECRET_1 }},${{ env.TEST_SECRET_2 }}" - for x in "${var[@]}"; do - echo "::add-mask::$x" - done + #- name: Masking + # run: | + # IFS="," read -a var <<< "${{ env.TEST_SECRET_1 }},${{ env.TEST_SECRET_2 }},${{ env.TEST_SECRET_2 }}" + # for x in "${var[@]}"; do + # echo "::add-mask::$x" + # done + # wrap aws secrets - #- name: Secret Masking - # uses: ./testing-action/.github/actions/mask_secrets - # with: - # secrets: ${{ env.TEST_SECRET_1 }},${{ env.TEST_SECRET_1 }} + - name: Secret Masking + uses: ./testing-action/.github/actions/mask_secrets + with: + secrets: "${{ env.TEST_SECRET_1 }},${{ env.TEST_SECRET_2 }},${{ env.TEST_SECRET_3 }}" - name: check aws secrets id: check-aws-secrets # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions#example-masking-a-string run: | - #echo -e "::add-mask::${{ env.TEST_SECRET_1 }} <- registering test-secret-1 with add mask" - #echo -e "::add-mask::${{ env.TEST_SECRET_2 }} <- registering test-secret-2 with add mask" - #echo -e "::add-mask::${{ env.TEST_SECRET_3 }} <- registering test-secret-3 with add mask" echo -e "show test-secret-1 ${{ env.TEST_SECRET_1 }}" echo -e "show test-secret-2 ${{ env.TEST_SECRET_2 }}" echo -e "show test-secret-3 ${{ env.TEST_SECRET_3 }}" From c76dcea032e1b0764bad15f3369481c5e0b22f36 Mon Sep 17 00:00:00 2001 
From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Thu, 23 Jan 2025 23:22:17 -0500 Subject: [PATCH 075/147] test --- .github/actions/mask_secrets/action.yml | 2 +- .github/workflows/codebuild_runner_test.yml | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/actions/mask_secrets/action.yml b/.github/actions/mask_secrets/action.yml index 9968a41e..507f81c1 100644 --- a/.github/actions/mask_secrets/action.yml +++ b/.github/actions/mask_secrets/action.yml @@ -11,6 +11,6 @@ runs: run: | IFS="," read -a var <<< "${{ inputs.secrets }}" for x in "${var[@]}"; do - echo "::add-mask::$x" + echo "::add-mask::${{ env[$x] }}" done shell: bash diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index 8e6cd67a..f648bfc5 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -79,7 +79,8 @@ jobs: - name: Secret Masking uses: ./testing-action/.github/actions/mask_secrets with: - secrets: "${{ env.TEST_SECRET_1 }},${{ env.TEST_SECRET_2 }},${{ env.TEST_SECRET_3 }}" + secrets: "TEST_SECRET_1,TEST_SECRET_2,TEST_SECRET_3" + #secrets: "${{ env.TEST_SECRET_1 }},${{ env.TEST_SECRET_2 }},${{ env.TEST_SECRET_3 }}" - name: check aws secrets id: check-aws-secrets From 3efbd64bc4980c0c3d457149b3f7931ec151c3f8 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Thu, 23 Jan 2025 23:24:00 -0500 Subject: [PATCH 076/147] Revert "test" This reverts commit c76dcea032e1b0764bad15f3369481c5e0b22f36. --- .github/actions/mask_secrets/action.yml | 2 +- .github/workflows/codebuild_runner_test.yml | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/actions/mask_secrets/action.yml b/.github/actions/mask_secrets/action.yml index 507f81c1..9968a41e 100644 --- a/.github/actions/mask_secrets/action.yml +++ b/.github/actions/mask_secrets/action.yml 
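Review bot: `${{ env[$x] }}` in the 075 action hunk cannot work: `${{ }}` expressions are evaluated by the runner before the step script runs, so `$x` is not a shell variable there, and as far as I can tell the expression is rejected when the action is loaded. The commit is reverted by 076, but the same construct reappears as `${{ env[$var] }}` and `${{ env[${var}] }}` in the 090 and 091 hunks later in this series. When the loop variable holds the name of an environment variable, bash indirect expansion is the tool: `echo "::add-mask::${!x}"`.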
@@ -11,6 +11,6 @@ runs: run: | IFS="," read -a var <<< "${{ inputs.secrets }}" for x in "${var[@]}"; do - echo "::add-mask::${{ env[$x] }}" + echo "::add-mask::$x" done shell: bash diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index f648bfc5..8e6cd67a 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -79,8 +79,7 @@ jobs: - name: Secret Masking uses: ./testing-action/.github/actions/mask_secrets with: - secrets: "TEST_SECRET_1,TEST_SECRET_2,TEST_SECRET_3" - #secrets: "${{ env.TEST_SECRET_1 }},${{ env.TEST_SECRET_2 }},${{ env.TEST_SECRET_3 }}" + secrets: "${{ env.TEST_SECRET_1 }},${{ env.TEST_SECRET_2 }},${{ env.TEST_SECRET_3 }}" - name: check aws secrets id: check-aws-secrets From d1d2c9ea835e876a39dd5988c7a960d695782d00 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Fri, 24 Jan 2025 09:58:46 -0500 Subject: [PATCH 077/147] test alt approach --- .github/actions/mask_secrets/action.yml | 15 +++++++++++---- .github/workflows/codebuild_runner_test.yml | 21 +++++++++++++++++---- 2 files changed, 28 insertions(+), 8 deletions(-) diff --git a/.github/actions/mask_secrets/action.yml b/.github/actions/mask_secrets/action.yml index 9968a41e..e854b130 100644 --- a/.github/actions/mask_secrets/action.yml +++ b/.github/actions/mask_secrets/action.yml 
@@ -2,15 +2,22 @@ name: 'Mask Secrets' description: 'Masking AWS Secrets' inputs: secrets: - description: 'string separated by EOL' + description: 'string of secrets to get separated by EOL' required: true runs: using: "composite" steps: + - name: secure secrets from aws + id: secure-aws-secret + uses: aws-actions/aws-secretsmanager-get-secrets@v2 + with: + secret-ids: ${{ inputs.secrets }} + - name: Masking run: | - IFS="," read -a var <<< "${{ inputs.secrets }}" - for x in "${var[@]}"; do - echo "::add-mask::$x" + IFS="," read -a secrets <<< "${{ inputs.secrets }}" + for s in "${secrets[@]}"; do + segments=$(echo $s | tr "," "\n") + echo "::add-mask::$segments[0]" done shell: bash diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index 8e6cd67a..c7071057 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml 
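Review bot: `echo "::add-mask::$segments[0]"` in the new Masking step masks the wrong thing: `segments` is a plain string from command substitution, so `$segments[0]` expands the whole `key<newline>id` text followed by a literal `[0]`; the first line registers the variable name (e.g. `TEST_SECRET_1`) and the secret id spills onto the next log line as ordinary output. If the intent is to mask the fetched value, take the key with `key="${s%%,*}"` and mask `"${!key}"` (assuming the variables exported by the preceding get-secrets step are visible in this step — confirm). I believe `aws-actions/aws-secretsmanager-get-secrets` already registers the values it exports as masked, which would make this step redundant; worth checking before more iterations. Separately, `uses: aws-actions/aws-secretsmanager-get-secrets@v2` pins a mutable tag; pinning third-party actions to a full commit SHA (with the tag in a trailing comment) is the usual hardening.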
@@ -67,19 +67,32 @@ jobs: ref: 'test/gha-codebuild-runner' path: 'testing-action' + # wrap aws secrets - #- name: Masking + #- name: Masking Inline + # id: mask-inline # run: | # IFS="," read -a var <<< "${{ env.TEST_SECRET_1 }},${{ env.TEST_SECRET_2 }},${{ env.TEST_SECRET_2 }}" # for x in "${var[@]}"; do # echo "::add-mask::$x" # done + # OR + #- name: Masking via Custom Action + # id: mask-custom-action + # uses: ./testing-action/.github/actions/mask_secrets + # with: + # secrets: "${{ env.TEST_SECRET_1 }},${{ env.TEST_SECRET_2 }},${{ env.TEST_SECRET_3 }}" - # wrap aws secrets - - name: Secret Masking + + - name: Masking via Custom Action + id: mask-custom-action uses: ./testing-action/.github/actions/mask_secrets with: - secrets: "${{ env.TEST_SECRET_1 }},${{ env.TEST_SECRET_2 }},${{ env.TEST_SECRET_3 }}" + secrets: | + TEST_SECRET_1, cfpb/team/regtech/gha-codebuild-runner/test-secret-1 + TEST_SECRET_2, cfpb/team/regtech/gha-codebuild-runner/test-secret-2 + TEST_SECRET_3,arn:aws:secretsmanager:us-east-1:099248080076:secret:cfpb/team/regtech/gha-codebuild-runner/test-secret-3-9lVad8 + - name: check aws secrets id: check-aws-secrets From 8dd913f702f704d13568fce97dfe940fab4f1307 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Fri, 24 Jan 2025 10:02:14 -0500 Subject: [PATCH 078/147] test alt approach --- .github/workflows/codebuild_runner_test.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index c7071057..482b99af 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml 
@@ -51,14 +51,14 @@ jobs: aws logs put-log-events --log-group-name $CLOUDWATCH_LOGGROUP_NAME --log-stream-name $CLOUDWATCH_LOGSTREAM_NAME --log-events file://test_events - - name: get secrets from aws - id: get-aws-secret - uses: aws-actions/aws-secretsmanager-get-secrets@v2 - with: - secret-ids: | - TEST_SECRET_1, cfpb/team/regtech/gha-codebuild-runner/test-secret-1 - TEST_SECRET_2, cfpb/team/regtech/gha-codebuild-runner/test-secret-2 - TEST_SECRET_3,arn:aws:secretsmanager:us-east-1:099248080076:secret:cfpb/team/regtech/gha-codebuild-runner/test-secret-3-9lVad8 + #- name: get secrets from aws + # id: get-aws-secret + # uses: aws-actions/aws-secretsmanager-get-secrets@v2 + # with: + # secret-ids: | + # TEST_SECRET_1, cfpb/team/regtech/gha-codebuild-runner/test-secret-1 + # TEST_SECRET_2, cfpb/team/regtech/gha-codebuild-runner/test-secret-2 + # TEST_SECRET_3,arn:aws:secretsmanager:us-east-1:099248080076:secret:cfpb/team/regtech/gha-codebuild-runner/test-secret-3-9lVad8 - name: Checkout To Path uses: actions/checkout@v4 From 363fb797a08196a06e9a7845b7e8e90c3b2a57f9 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Fri, 24 Jan 2025 10:05:20 -0500 Subject: [PATCH 079/147] test alt approach --- .github/actions/mask_secrets/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/mask_secrets/action.yml b/.github/actions/mask_secrets/action.yml index e854b130..338c7f36 100644 --- a/.github/actions/mask_secrets/action.yml +++ b/.github/actions/mask_secrets/action.yml @@ -15,7 +15,7 @@ runs: - name: Masking run: | - IFS="," read -a secrets <<< "${{ inputs.secrets }}" + IFS="\n,\r" read -a secrets <<< "${{ inputs.secrets }}" for s in "${secrets[@]}"; do segments=$(echo $s | tr "," "\n") echo "::add-mask::$segments[0]" From 3cf1fdeee42b03e791d0aeb31eab43db7bfa7361 Mon Sep 17 00:00:00 2001 
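Review bot: `IFS="\n,\r"` in the 079 action hunk does not set IFS to newline and carriage return: inside double quotes bash keeps `\n` as the two characters backslash and `n`, so IFS becomes `\`, `n`, `,`, `\`, `r` and `read -a` splits the secret ids on every `n` and `r` letter (e.g. inside `runner`). Use ANSI-C quoting, `IFS=$'\n,\r' read -a secrets <<< "..."`. The 082 hunk later changes this to `IFS="\n"`, which has the same problem.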
From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Fri, 24 Jan 2025 10:09:43 -0500 Subject: [PATCH 080/147] test alt approach --- .github/actions/mask_secrets/action.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/actions/mask_secrets/action.yml b/.github/actions/mask_secrets/action.yml index 338c7f36..e71a4c92 100644 --- a/.github/actions/mask_secrets/action.yml +++ b/.github/actions/mask_secrets/action.yml @@ -18,6 +18,7 @@ runs: IFS="\n,\r" read -a secrets <<< "${{ inputs.secrets }}" for s in "${secrets[@]}"; do segments=$(echo $s | tr "," "\n") - echo "::add-mask::$segments[0]" + echo -e "the key is $segments[0] ${segments[0]}" + echo "::add-mask::${segments[0]}" done shell: bash From 593a36a45b1d0b8c99ea46108824c7c4ef238112 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Fri, 24 Jan 2025 10:16:58 -0500 Subject: [PATCH 081/147] test alt approach --- .github/actions/mask_secrets/action.yml | 3 ++- .github/workflows/codebuild_runner_test.yml | 8 ++++---- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/.github/actions/mask_secrets/action.yml b/.github/actions/mask_secrets/action.yml index e71a4c92..73c84d4c 100644 --- a/.github/actions/mask_secrets/action.yml +++ b/.github/actions/mask_secrets/action.yml @@ -17,8 +17,9 @@ runs: run: | IFS="\n,\r" read -a secrets <<< "${{ inputs.secrets }}" for s in "${secrets[@]}"; do + echo -e "INPUT == ${s}" segments=$(echo $s | tr "," "\n") - echo -e "the key is $segments[0] ${segments[0]}" + echo -e "KEY == ${segments[0]}" echo "::add-mask::${segments[0]}" done shell: bash diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index 482b99af..f9f3522c 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml 
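Review bot: The `INPUT ==` and `KEY ==` debug echoes added in the 081 action hunk print the raw `key,secret-id` pairs into the job log; they are ids rather than values, but they should be removed before this lands. Note also that `${segments[0]}` is not an array element — `segments=$(...)` is a scalar and bash treats `${scalar[0]}` as the whole string — so `KEY ==` prints both the key and the id, and the following `::add-mask::` line registers only its first line while the id is emitted as plain log text on the next. `key="${s%%,*}"` yields the key without the `tr` round trip.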
@@ -56,8 +56,8 @@ jobs: # uses: aws-actions/aws-secretsmanager-get-secrets@v2 # with: # secret-ids: | - # TEST_SECRET_1, cfpb/team/regtech/gha-codebuild-runner/test-secret-1 - # TEST_SECRET_2, cfpb/team/regtech/gha-codebuild-runner/test-secret-2 + # TEST_SECRET_1,cfpb/team/regtech/gha-codebuild-runner/test-secret-1 + # TEST_SECRET_2,cfpb/team/regtech/gha-codebuild-runner/test-secret-2 # TEST_SECRET_3,arn:aws:secretsmanager:us-east-1:099248080076:secret:cfpb/team/regtech/gha-codebuild-runner/test-secret-3-9lVad8 - name: Checkout To Path @@ -89,8 +89,8 @@ jobs: uses: ./testing-action/.github/actions/mask_secrets with: secrets: | - TEST_SECRET_1, cfpb/team/regtech/gha-codebuild-runner/test-secret-1 - TEST_SECRET_2, cfpb/team/regtech/gha-codebuild-runner/test-secret-2 + TEST_SECRET_1,cfpb/team/regtech/gha-codebuild-runner/test-secret-1 + TEST_SECRET_2,cfpb/team/regtech/gha-codebuild-runner/test-secret-2 TEST_SECRET_3,arn:aws:secretsmanager:us-east-1:099248080076:secret:cfpb/team/regtech/gha-codebuild-runner/test-secret-3-9lVad8 From 0415e9da3450a162491830835eeb3f344bd55926 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Fri, 24 Jan 2025 10:23:28 -0500 Subject: [PATCH 082/147] test alt approach --- .github/actions/mask_secrets/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/mask_secrets/action.yml b/.github/actions/mask_secrets/action.yml index 73c84d4c..c3ad5319 100644 --- a/.github/actions/mask_secrets/action.yml +++ b/.github/actions/mask_secrets/action.yml @@ -15,7 +15,7 @@ runs: - name: Masking run: | - IFS="\n,\r" read -a secrets <<< "${{ inputs.secrets }}" + IFS="\n" read -a secrets <<< "${{ inputs.secrets }}" for s in "${secrets[@]}"; do echo -e "INPUT == ${s}" segments=$(echo $s | tr "," "\n") From 6c912e66a28bd32a853c6c010a2ce420b4e140c5 Mon Sep 17 00:00:00 2001 
From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Fri, 24 Jan 2025 10:30:09 -0500 Subject: [PATCH 083/147] test alt approach --- .github/actions/mask_secrets/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/mask_secrets/action.yml b/.github/actions/mask_secrets/action.yml index c3ad5319..246a8734 100644 --- a/.github/actions/mask_secrets/action.yml +++ b/.github/actions/mask_secrets/action.yml @@ -15,7 +15,7 @@ runs: - name: Masking run: | - IFS="\n" read -a secrets <<< "${{ inputs.secrets }}" + IFS=' ' read -a secrets <<< "${{ inputs.secrets }}" for s in "${secrets[@]}"; do echo -e "INPUT == ${s}" segments=$(echo $s | tr "," "\n") From 3c8ca87136e524a064e0a193662c6d78baf385af Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Fri, 24 Jan 2025 10:36:07 -0500 Subject: [PATCH 084/147] test alt approach --- .github/actions/mask_secrets/action.yml | 3 ++- .github/workflows/codebuild_runner_test.yml | 6 +++--- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/actions/mask_secrets/action.yml b/.github/actions/mask_secrets/action.yml index 246a8734..14b2950c 100644 --- a/.github/actions/mask_secrets/action.yml +++ b/.github/actions/mask_secrets/action.yml @@ -15,7 +15,8 @@ runs: - name: Masking run: | - IFS=' ' read -a secrets <<< "${{ inputs.secrets }}" + MODIFIED_INPUT=$(echo ${{ inputs.secrets }} | tr -d ' ') + IFS='#' read -a secrets <<< "$MODIFIED_INPUT" for s in "${secrets[@]}"; do echo -e "INPUT == ${s}" segments=$(echo $s | tr "," "\n") diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index f9f3522c..ec7556da 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml 
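Review bot: `IFS=' ' read -a secrets <<< "${{ inputs.secrets }}"` in the 083 action hunk loads only the first line of the block scalar: `read` stops at the first newline regardless of IFS, so the second and third entries never reach the loop. `mapfile -t secrets <<< "$INPUT_SECRETS"` with `INPUT_SECRETS: ${{ inputs.secrets }}` under the step's `env:` reads every line into the array and keeps the input out of the script text. That also removes the need for the unquoted `echo ${{ inputs.secrets }} | tr -d ' '` in the 084 hunk on this line, which word-splits and glob-expands the ids, and for the `#` sentinel and `tr '\n' '#'` introduced by the 084 workflow hunk and the 087 hunk.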
@@ -89,9 +89,9 @@ jobs: uses: ./testing-action/.github/actions/mask_secrets with: secrets: | - TEST_SECRET_1,cfpb/team/regtech/gha-codebuild-runner/test-secret-1 - TEST_SECRET_2,cfpb/team/regtech/gha-codebuild-runner/test-secret-2 - TEST_SECRET_3,arn:aws:secretsmanager:us-east-1:099248080076:secret:cfpb/team/regtech/gha-codebuild-runner/test-secret-3-9lVad8 + TEST_SECRET_1,cfpb/team/regtech/gha-codebuild-runner/test-secret-1# + TEST_SECRET_2,cfpb/team/regtech/gha-codebuild-runner/test-secret-2# + TEST_SECRET_3,arn:aws:secretsmanager:us-east-1:099248080076:secret:cfpb/team/regtech/gha-codebuild-runner/test-secret-3-9lVad8# - name: check aws secrets From 84a63c95d85bebf5431f449e0d0bf2786ddf9a5f Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Fri, 24 Jan 2025 10:38:14 -0500 Subject: [PATCH 085/147] test alt approach --- .github/actions/mask_secrets/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/mask_secrets/action.yml b/.github/actions/mask_secrets/action.yml index 14b2950c..c6a451f5 100644 --- a/.github/actions/mask_secrets/action.yml +++ b/.github/actions/mask_secrets/action.yml @@ -11,7 +11,7 @@ runs: id: secure-aws-secret uses: aws-actions/aws-secretsmanager-get-secrets@v2 with: - secret-ids: ${{ inputs.secrets }} + secret-ids: $(echo {{ inputs.secrets }} | tr -d '#') - name: Masking run: | From 9263ecbf3c831ab40061d24f64c28f27a99c893c Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Fri, 24 Jan 2025 10:40:05 -0500 Subject: [PATCH 086/147] test alt approach --- .github/actions/mask_secrets/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/mask_secrets/action.yml b/.github/actions/mask_secrets/action.yml index c6a451f5..99193a08 100644 --- a/.github/actions/mask_secrets/action.yml +++ b/.github/actions/mask_secrets/action.yml 
@@ -11,7 +11,7 @@ runs: id: secure-aws-secret uses: aws-actions/aws-secretsmanager-get-secrets@v2 with: - secret-ids: $(echo {{ inputs.secrets }} | tr -d '#') + secret-ids: $(echo ${{ inputs.secrets }} | tr -d '#') - name: Masking run: | From cd0fef9c5324f15278012d1a9f9702d885165fbd Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Fri, 24 Jan 2025 10:47:57 -0500 Subject: [PATCH 087/147] test alt approach --- .github/actions/mask_secrets/action.yml | 4 ++-- .github/workflows/codebuild_runner_test.yml | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/actions/mask_secrets/action.yml b/.github/actions/mask_secrets/action.yml index 99193a08..3ab887f7 100644 --- a/.github/actions/mask_secrets/action.yml +++ b/.github/actions/mask_secrets/action.yml @@ -11,11 +11,11 @@ runs: id: secure-aws-secret uses: aws-actions/aws-secretsmanager-get-secrets@v2 with: - secret-ids: $(echo ${{ inputs.secrets }} | tr -d '#') + secret-ids: ${{ inputs.secrets }} - name: Masking run: | - MODIFIED_INPUT=$(echo ${{ inputs.secrets }} | tr -d ' ') + MODIFIED_INPUT=$(echo "${{ inputs.secrets }}" | tr '\n' '#') IFS='#' read -a secrets <<< "$MODIFIED_INPUT" for s in "${secrets[@]}"; do echo -e "INPUT == ${s}" diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index ec7556da..f9f3522c 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml 
@@ -89,9 +89,9 @@ jobs: uses: ./testing-action/.github/actions/mask_secrets with: secrets: | - TEST_SECRET_1,cfpb/team/regtech/gha-codebuild-runner/test-secret-1# - TEST_SECRET_2,cfpb/team/regtech/gha-codebuild-runner/test-secret-2# - TEST_SECRET_3,arn:aws:secretsmanager:us-east-1:099248080076:secret:cfpb/team/regtech/gha-codebuild-runner/test-secret-3-9lVad8# + TEST_SECRET_1,cfpb/team/regtech/gha-codebuild-runner/test-secret-1 + TEST_SECRET_2,cfpb/team/regtech/gha-codebuild-runner/test-secret-2 + TEST_SECRET_3,arn:aws:secretsmanager:us-east-1:099248080076:secret:cfpb/team/regtech/gha-codebuild-runner/test-secret-3-9lVad8 - name: check aws secrets From ae46db78c64dd72ace1f9e426faf7119f53bf87b Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Fri, 24 Jan 2025 10:52:30 -0500 Subject: [PATCH 088/147] test alt approach --- .github/actions/mask_secrets/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/mask_secrets/action.yml b/.github/actions/mask_secrets/action.yml index 3ab887f7..1f7b42f9 100644 --- a/.github/actions/mask_secrets/action.yml +++ b/.github/actions/mask_secrets/action.yml @@ -21,6 +21,6 @@ runs: echo -e "INPUT == ${s}" segments=$(echo $s | tr "," "\n") echo -e "KEY == ${segments[0]}" - echo "::add-mask::${segments[0]}" + echo "::add-mask::$segments[0]" done shell: bash From 7eb52cc02fc19669c41628daadae5a782deaaa7d Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Fri, 24 Jan 2025 10:59:28 -0500 Subject: [PATCH 089/147] test alt approach --- .github/actions/mask_secrets/action.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/actions/mask_secrets/action.yml b/.github/actions/mask_secrets/action.yml index 1f7b42f9..f4141490 100644 --- a/.github/actions/mask_secrets/action.yml +++ b/.github/actions/mask_secrets/action.yml 
@@ -18,9 +18,9 @@ runs: MODIFIED_INPUT=$(echo "${{ inputs.secrets }}" | tr '\n' '#') IFS='#' read -a secrets <<< "$MODIFIED_INPUT" for s in "${secrets[@]}"; do - echo -e "INPUT == ${s}" segments=$(echo $s | tr "," "\n") - echo -e "KEY == ${segments[0]}" - echo "::add-mask::$segments[0]" + var="${segments[0]}" + echo "masking $var......." + echo "::add-mask::$var" done shell: bash From bcf1802f95fb46dc3dccaae1d9352026e73b1f4c Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Fri, 24 Jan 2025 11:19:43 -0500 Subject: [PATCH 090/147] test alt approach --- .github/actions/mask_secrets/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/mask_secrets/action.yml b/.github/actions/mask_secrets/action.yml index f4141490..82dfdca2 100644 --- a/.github/actions/mask_secrets/action.yml +++ b/.github/actions/mask_secrets/action.yml @@ -21,6 +21,6 @@ runs: segments=$(echo $s | tr "," "\n") var="${segments[0]}" echo "masking $var......." - echo "::add-mask::$var" + echo "::add-mask::${{ env[$var] }}" done shell: bash From 4109481325a37fa6e20a72068978d6e2e50fa95f Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Fri, 24 Jan 2025 11:25:44 -0500 Subject: [PATCH 091/147] test alt approach --- .github/actions/mask_secrets/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/mask_secrets/action.yml b/.github/actions/mask_secrets/action.yml index 82dfdca2..6e8ed2f6 100644 --- a/.github/actions/mask_secrets/action.yml +++ b/.github/actions/mask_secrets/action.yml @@ -21,6 +21,6 @@ runs: segments=$(echo $s | tr "," "\n") var="${segments[0]}" echo "masking $var......." - echo "::add-mask::${{ env[$var] }}" + echo "::add-mask::${{ env[${var}] }}" done shell: bash From a2e1d7e1dbef52beab8a7ebe56fe1afb71fb6e0d Mon Sep 17 00:00:00 2001 
From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Fri, 24 Jan 2025 11:28:03 -0500 Subject: [PATCH 092/147] test alt approach --- .github/actions/mask_secrets/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/mask_secrets/action.yml b/.github/actions/mask_secrets/action.yml index 6e8ed2f6..213c4f7d 100644 --- a/.github/actions/mask_secrets/action.yml +++ b/.github/actions/mask_secrets/action.yml @@ -21,6 +21,6 @@ runs: segments=$(echo $s | tr "," "\n") var="${segments[0]}" echo "masking $var......." - echo "::add-mask::${{ env[${var}] }}" + echo -e "::add-mask::${var}" done shell: bash From fc534ba69e0a026ed23e3d586621c9df05e0ac07 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Fri, 24 Jan 2025 11:30:46 -0500 Subject: [PATCH 093/147] test alt approach --- .github/actions/mask_secrets/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/mask_secrets/action.yml b/.github/actions/mask_secrets/action.yml index 213c4f7d..6a230b0e 100644 --- a/.github/actions/mask_secrets/action.yml +++ b/.github/actions/mask_secrets/action.yml @@ -21,6 +21,6 @@ runs: segments=$(echo $s | tr "," "\n") var="${segments[0]}" echo "masking $var......." - echo -e "::add-mask::${var}" + echo -e "::add-mask::$${var}" done shell: bash From 728ebe5af51bba8c16bcf33eff23d792680d668b Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Fri, 24 Jan 2025 11:33:52 -0500 Subject: [PATCH 094/147] test alt approach --- .github/actions/mask_secrets/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/mask_secrets/action.yml b/.github/actions/mask_secrets/action.yml index 6a230b0e..1415e7dc 100644 --- a/.github/actions/mask_secrets/action.yml +++ b/.github/actions/mask_secrets/action.yml 
@@ -19,7 +19,7 @@ runs: IFS='#' read -a secrets <<< "$MODIFIED_INPUT" for s in "${secrets[@]}"; do segments=$(echo $s | tr "," "\n") - var="${segments[0]}" + var="$( echo $segments[0] | tr -d '\n')" echo "masking $var......." echo -e "::add-mask::$${var}" done
From 299e3e6bafe343e9fe6d8e71e84623cd744d4f10 Mon Sep 17 00:00:00 2001
From: Bruno <15909838+thetoolsmith@users.noreply.github.com>
Date: Fri, 24 Jan 2025 11:41:36 -0500
Subject: [PATCH 095/147] test alt approach
---
.github/actions/mask_secrets/action.yml | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/.github/actions/mask_secrets/action.yml b/.github/actions/mask_secrets/action.yml
index 1415e7dc..374c3b79 100644
--- a/.github/actions/mask_secrets/action.yml
+++ b/.github/actions/mask_secrets/action.yml
@@ -18,9 +18,8 @@ runs: MODIFIED_INPUT=$(echo "${{ inputs.secrets }}" | tr '\n' '#') IFS='#' read -a secrets <<< "$MODIFIED_INPUT" for s in "${secrets[@]}"; do - segments=$(echo $s | tr "," "\n") - var="$( echo $segments[0] | tr -d '\n')" - echo "masking $var......." - echo -e "::add-mask::$${var}" + var=(${s//,/ }) + echo "masking ${var[0]}......." + echo -e "::add-mask::${var[0]}" done shell: bash
From 96f460eef73b25548be32d95917fb725ae229667 Mon Sep 17 00:00:00 2001
From: Bruno <15909838+thetoolsmith@users.noreply.github.com>
Date: Fri, 24 Jan 2025 11:46:16 -0500
Subject: [PATCH 096/147] test alt approach
---
.github/actions/mask_secrets/action.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/actions/mask_secrets/action.yml b/.github/actions/mask_secrets/action.yml
index 374c3b79..eeca190b 100644
--- a/.github/actions/mask_secrets/action.yml
+++ b/.github/actions/mask_secrets/action.yml
@@ -20,6 +20,6 @@ runs: for s in "${secrets[@]}"; do var=(${s//,/ }) echo "masking ${var[0]}......." - echo -e "::add-mask::${var[0]}" + echo -e "::add-mask::$(eval echo \$$var[0])" done shell: bash
From c2eba67859ba9957124b90ecc833958ed64bd5f5 Mon Sep 17 00:00:00 2001
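Review bot: `$(eval echo \$$var[0])` in the last hunk on this line runs `eval` on text that arrived unchanged from `inputs.secrets`, so shell metacharacters in a caller-supplied entry execute inside the action's step; `$var[0]` also appends a literal `[0]` to the expansion instead of indexing the array. `var=(${s//,/ })` in the middle hunk depends on unquoted word splitting and leaves the result subject to pathname globbing. `IFS=, read -r name _ <<< "$s"` followed by `${!name}` gives the same value with no `eval` and no globbing.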
From: Bruno <15909838+thetoolsmith@users.noreply.github.com>
Date: Fri, 24 Jan 2025 11:52:12 -0500
Subject: [PATCH 097/147] test alt approach
---
.github/actions/mask_secrets/action.yml | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/actions/mask_secrets/action.yml b/.github/actions/mask_secrets/action.yml
index eeca190b..a9c63cda 100644
--- a/.github/actions/mask_secrets/action.yml
+++ b/.github/actions/mask_secrets/action.yml
@@ -19,7 +19,8 @@ runs: IFS='#' read -a secrets <<< "$MODIFIED_INPUT" for s in "${secrets[@]}"; do var=(${s//,/ }) - echo "masking ${var[0]}......." - echo -e "::add-mask::$(eval echo \$$var[0])" + val=$(eval echo \$$var[0]) + echo "masking $val......." + echo -e "::add-mask::$val" done shell: bash
From 91cc0f0bf34fd81f8177ab3377cffa5c586d73a6 Mon Sep 17 00:00:00 2001
From: Bruno <15909838+thetoolsmith@users.noreply.github.com>
Date: Fri, 24 Jan 2025 11:55:49 -0500
Subject: [PATCH 098/147] test alt approach
---
.github/actions/mask_secrets/action.yml | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/.github/actions/mask_secrets/action.yml b/.github/actions/mask_secrets/action.yml
index a9c63cda..2dc1d81c 100644
--- a/.github/actions/mask_secrets/action.yml
+++ b/.github/actions/mask_secrets/action.yml
@@ -19,8 +19,9 @@ runs: IFS='#' read -a secrets <<< "$MODIFIED_INPUT" for s in "${secrets[@]}"; do var=(${s//,/ }) - val=$(eval echo \$$var[0]) - echo "masking $val......." - echo -e "::add-mask::$val" + echo "$var ......." + #val=$(eval echo \$$var[0]) + #echo "masking $val......." + echo -e "::add-mask::$var" done shell: bash
From 20ad67aac2f748021e1e527aac48244810ce7a80 Mon Sep 17 00:00:00 2001
From: Bruno <15909838+thetoolsmith@users.noreply.github.com>
Date: Fri, 24 Jan 2025 11:58:02 -0500
Subject: [PATCH 099/147] test alt approach
---
.github/actions/mask_secrets/action.yml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
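Review bot: `echo "masking $val......."` in the first hunk on this line writes the resolved secret value to the job log one line before `::add-mask::` is registered for it, so that log line is never masked; the same ordering recurs with `echo "masking $val ......."` and `echo "register mask $var = $val"` on L59 and in the copies of this loop on L60 and L66–L68. Log only the variable name, `echo "registering mask for $var"`, and emit the mask command before any other output of the value. The enclosing `run:` block starts outside this hunk.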
diff --git a/.github/actions/mask_secrets/action.yml b/.github/actions/mask_secrets/action.yml
index 2dc1d81c..97e9f7fd 100644
--- a/.github/actions/mask_secrets/action.yml
+++ b/.github/actions/mask_secrets/action.yml
@@ -19,9 +19,9 @@ runs: IFS='#' read -a secrets <<< "$MODIFIED_INPUT" for s in "${secrets[@]}"; do var=(${s//,/ }) - echo "$var ......." - #val=$(eval echo \$$var[0]) - #echo "masking $val......." - echo -e "::add-mask::$var" + #echo "$var ......." + val=$(eval echo \$$var) + echo "masking $val ......." + echo -e "::add-mask::$val" done shell: bash
From eebfbf79e5bdef127b61160ab9d7ca4e2bcb87a5 Mon Sep 17 00:00:00 2001
From: Bruno <15909838+thetoolsmith@users.noreply.github.com>
Date: Fri, 24 Jan 2025 12:01:58 -0500
Subject: [PATCH 100/147] test alt approach
---
.github/actions/mask_secrets/action.yml | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/.github/actions/mask_secrets/action.yml b/.github/actions/mask_secrets/action.yml
index 97e9f7fd..4d330021 100644
--- a/.github/actions/mask_secrets/action.yml
+++ b/.github/actions/mask_secrets/action.yml
@@ -19,9 +19,8 @@ runs: IFS='#' read -a secrets <<< "$MODIFIED_INPUT" for s in "${secrets[@]}"; do var=(${s//,/ }) - #echo "$var ......." val=$(eval echo \$$var) - echo "masking $val ......." - echo -e "::add-mask::$val" + echo "register mask $var = $val" + echo -e "::add-mask::${val}" done shell: bash
From 8597166c3305d539c4c3265544535f7ec6549ee5 Mon Sep 17 00:00:00 2001
From: Bruno <15909838+thetoolsmith@users.noreply.github.com>
Date: Fri, 24 Jan 2025 12:16:49 -0500
Subject: [PATCH 101/147] finalized aws secret mask testing
---
.../mask_secrets/_fails_to_mask_in_caller.yml | 26 +++++++++++
.github/actions/mask_secrets/action.yml | 18 ++------
.github/workflows/aws_secret_mask_testing.yml | 40 +++++++++++++++++
.github/workflows/codebuild_runner_test.yml | 44 +++++--------------
4 files changed, 81 insertions(+), 47 deletions(-)
create mode 100644 .github/actions/mask_secrets/_fails_to_mask_in_caller.yml
create mode 100644 .github/workflows/aws_secret_mask_testing.yml
diff --git a/.github/actions/mask_secrets/_fails_to_mask_in_caller.yml b/.github/actions/mask_secrets/_fails_to_mask_in_caller.yml
new file mode 100644
index 00000000..4d330021
--- /dev/null
+++ b/.github/actions/mask_secrets/_fails_to_mask_in_caller.yml
@@ -0,0 +1,26 @@
+name: 'Mask Secrets'
+description: 'Masking AWS Secrets'
+inputs:
+ secrets:
+ description: 'string of secrets to get separated by EOL'
+ required: true
+runs:
+ using: "composite"
+ steps:
+ - name: secure secrets from aws
+ id: secure-aws-secret
+ uses: aws-actions/aws-secretsmanager-get-secrets@v2
+ with:
+ secret-ids: ${{ inputs.secrets }}
+
+ - name: Masking
+ run: |
+ MODIFIED_INPUT=$(echo "${{ inputs.secrets }}" | tr '\n' '#')
+ IFS='#' read -a secrets <<< "$MODIFIED_INPUT"
+ for s in "${secrets[@]}"; do
+ var=(${s//,/ })
+ val=$(eval echo \$$var)
+ echo "register mask $var = $val"
+ echo -e "::add-mask::${val}"
+ done
+ shell: bash
diff --git a/.github/actions/mask_secrets/action.yml b/.github/actions/mask_secrets/action.yml
index 4d330021..9968a41e 100644
--- a/.github/actions/mask_secrets/action.yml
+++ b/.github/actions/mask_secrets/action.yml
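Review bot: the new file pins `aws-actions/aws-secretsmanager-get-secrets@v2`, a floating major tag, so the code that receives the Secrets Manager values can change with no change in this repository; pin third-party actions to a full commit SHA with the tag in a trailing comment. `${{ inputs.secrets }}` is expanded into the script text of the `Masking` step; declaring `env: SECRETS_INPUT: ${{ inputs.secrets }}` on the step and reading `"$SECRETS_INPUT"` keeps a caller-supplied string from becoming shell source. `read -a secrets` should be `read -r -a secrets` so backslashes in the input stay literal, and `echo "register mask $var = $val"` prints each value before it is masked.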
@@ -2,25 +2,15 @@ name: 'Mask Secrets' description: 'Masking AWS Secrets' inputs: secrets: - description: 'string of secrets to get separated by EOL' + description: 'string separated by EOL' required: true runs: using: "composite" steps: - - name: secure secrets from aws - id: secure-aws-secret - uses: aws-actions/aws-secretsmanager-get-secrets@v2 - with: - secret-ids: ${{ inputs.secrets }} - - name: Masking run: | - MODIFIED_INPUT=$(echo "${{ inputs.secrets }}" | tr '\n' '#') - IFS='#' read -a secrets <<< "$MODIFIED_INPUT" - for s in "${secrets[@]}"; do - var=(${s//,/ }) - val=$(eval echo \$$var) - echo "register mask $var = $val" - echo -e "::add-mask::${val}" + IFS="," read -a var <<< "${{ inputs.secrets }}" + for x in "${var[@]}"; do + echo "::add-mask::$x" done shell: bash
diff --git a/.github/workflows/aws_secret_mask_testing.yml b/.github/workflows/aws_secret_mask_testing.yml
new file mode 100644
index 00000000..b1b41985
--- /dev/null
+++ b/.github/workflows/aws_secret_mask_testing.yml
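Review bot: `IFS="," read -a var <<< "${{ inputs.secrets }}"` places the secret values themselves into the script text: a value containing a double quote or `$(` escapes the here-string and is interpreted by bash, and a value containing a comma is split and masked only in pieces. Pass the input through `env:` and read it from `"$SECRETS_INPUT"`, and use `read -r -a`. The new description `'string separated by EOL'` no longer matches the code, which splits on commas; `'comma-separated list of secret values to mask'` would describe it.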
@@ -0,0 +1,40 @@
+name: GHACodebuildRunnerSecretTesting
+
+# this is a test of masking a block of secrets in a custom action.
+# all code seems to work as expected, but in the caller workflow, secrets still
+# show in logs as unmasked.
+
+on:
+ pull_request:
+ branches: [main]
+
+jobs:
+ test1:
+ runs-on:
+ - codebuild-cfpb-regtech-gha-test-1-${{ github.run_id }}-${{ github.run_attempt }}
+ steps:
+ - name: 'Checkout GitHub Action'
+ uses: actions/checkout@v4
+
+ - name: Checkout To Path
+ uses: actions/checkout@v4
+ with:
+ repository: 'cfpb/regtech-deployments'
+ ref: 'test/gha-codebuild-runner'
+ path: 'testing-action'
+
+ - name: Masking via Custom Action
+ id: mask-custom-action
+ uses: ./testing-action/.github/actions/mask_secrets
+ with:
+ secrets: |
+ TEST_SECRET_1,cfpb/team/regtech/gha-codebuild-runner/test-secret-1
+ TEST_SECRET_2,cfpb/team/regtech/gha-codebuild-runner/test-secret-2
+ TEST_SECRET_3,arn:aws:secretsmanager:us-east-1:099248080076:secret:cfpb/team/regtech/gha-codebuild-runner/test-secret-3-9lVad8
+
+ - name: check aws secrets
+ id: check-aws-secrets
+ run: |
+ echo -e "show test-secret-1 ${{ env.TEST_SECRET_1 }}"
+ echo -e "show test-secret-2 ${{ env.TEST_SECRET_2 }}"
+ echo -e "show test-secret-3 ${{ env.TEST_SECRET_3 }}"
diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml
index f9f3522c..abdb7c02 100644
--- a/.github/workflows/codebuild_runner_test.yml
+++ b/.github/workflows/codebuild_runner_test.yml
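Review bot: the workflow checks out the mutable branch `ref: 'test/gha-codebuild-runner'` of `cfpb/regtech-deployments` and then runs an action from that checkout in a job that holds Secrets Manager values, so whatever that branch contains at run time executes; pin `ref` to a commit SHA, and `actions/checkout@v4` likewise. If this repository accepts pull requests from forks, `on: pull_request` also lets fork code run on the CodeBuild runner with its AWS role; restricting the trigger or the runner's role would be safer than relying on the branch filter alone. The `check aws secrets` step prints the three values deliberately for this experiment, so it should never be copied into a non-test workflow.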
@@ -51,14 +51,14 @@ jobs: aws logs put-log-events --log-group-name $CLOUDWATCH_LOGGROUP_NAME --log-stream-name $CLOUDWATCH_LOGSTREAM_NAME --log-events file://test_events - #- name: get secrets from aws - # id: get-aws-secret - # uses: aws-actions/aws-secretsmanager-get-secrets@v2 - # with: - # secret-ids: | - # TEST_SECRET_1,cfpb/team/regtech/gha-codebuild-runner/test-secret-1 - # TEST_SECRET_2,cfpb/team/regtech/gha-codebuild-runner/test-secret-2 - # TEST_SECRET_3,arn:aws:secretsmanager:us-east-1:099248080076:secret:cfpb/team/regtech/gha-codebuild-runner/test-secret-3-9lVad8 + - name: get secrets from aws + id: get-aws-secret + uses: aws-actions/aws-secretsmanager-get-secrets@v2 + with: + secret-ids: | + TEST_SECRET_1, cfpb/team/regtech/gha-codebuild-runner/test-secret-1 + TEST_SECRET_2, cfpb/team/regtech/gha-codebuild-runner/test-secret-2 + TEST_SECRET_3,arn:aws:secretsmanager:us-east-1:099248080076:secret:cfpb/team/regtech/gha-codebuild-runner/test-secret-3-9lVad8 - name: Checkout To Path uses: actions/checkout@v4 
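Review bot: the re-enabled `secret-ids` entries are inconsistent — `TEST_SECRET_1, cfpb/...` and `TEST_SECRET_2, cfpb/...` have a space after the comma while `TEST_SECRET_3,arn:...` does not; unless the action trims each field, the leading space becomes part of the secret id it looks up. Write all three in the same `NAME,id` form. `aws-actions/aws-secretsmanager-get-secrets@v2` is again a floating tag rather than a commit SHA.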
@@ -67,32 +67,18 @@ jobs: ref: 'test/gha-codebuild-runner' path: 'testing-action' - # wrap aws secrets - #- name: Masking Inline - # id: mask-inline + #- name: Secret Masking Inline # run: | # IFS="," read -a var <<< "${{ env.TEST_SECRET_1 }},${{ env.TEST_SECRET_2 }},${{ env.TEST_SECRET_2 }}" # for x in "${var[@]}"; do # echo "::add-mask::$x" # done - # OR - #- name: Masking via Custom Action - # id: mask-custom-action - # uses: ./testing-action/.github/actions/mask_secrets - # with: - # secrets: "${{ env.TEST_SECRET_1 }},${{ env.TEST_SECRET_2 }},${{ env.TEST_SECRET_3 }}" - - - name: Masking via Custom Action - id: mask-custom-action + - name: Secret Masking via Custom Action uses: ./testing-action/.github/actions/mask_secrets with: - secrets: | - TEST_SECRET_1,cfpb/team/regtech/gha-codebuild-runner/test-secret-1 - TEST_SECRET_2,cfpb/team/regtech/gha-codebuild-runner/test-secret-2 - TEST_SECRET_3,arn:aws:secretsmanager:us-east-1:099248080076:secret:cfpb/team/regtech/gha-codebuild-runner/test-secret-3-9lVad8 - + secrets: "${{ env.TEST_SECRET_1 }},${{ env.TEST_SECRET_2 }},${{ env.TEST_SECRET_3 }}" - name: check aws secrets id: check-aws-secrets
@@ -102,11 +88,3 @@ jobs: echo -e "show test-secret-2 ${{ env.TEST_SECRET_2 }}" echo -e "show test-secret-3 ${{ env.TEST_SECRET_3 }}" - #echo -e "::add-mask::${{ env.TEST_SECRET_2 }} show test-secret-2" - #echo -e "show test-secret-3 ::add-mask::${{ env.TEST_SECRET_3 }}" - - - name: check env context - id: check-env-context - run: | - echo "$GITHUB_CONTEXT" -
From dbc436c4bfa4a836c2b1a46c859219f1d87505e6 Mon Sep 17 00:00:00 2001
From: Bruno <15909838+thetoolsmith@users.noreply.github.com>
Date: Fri, 24 Jan 2025 13:47:49 -0500
Subject: [PATCH 102/147] organize tests
---
.../action.yml} | 4 ++--
.github/workflows/aws_secret_mask_testing.yml | 6 +++---
2 files changed, 5 insertions(+), 5 deletions(-)
rename .github/actions/{mask_secrets/_fails_to_mask_in_caller.yml => mask_secrets_bulk/action.yml} (90%)
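Review bot: `secrets: "${{ env.TEST_SECRET_1 }},${{ env.TEST_SECRET_2 }},${{ env.TEST_SECRET_3 }}"` hands the secret values to the composite action as one comma-joined string, so a value that itself contains a comma is masked only in fragments and one containing a double quote breaks the here-string inside the action. Passing the variable names and resolving them inside the action, or one input per secret, avoids both. The commented-out `Secret Masking Inline` block kept here lists `env.TEST_SECRET_2` twice and never `env.TEST_SECRET_3`; if it stays for reference it should be corrected, since the commit on L69 re-enables it verbatim. The second hunk on this line only deletes the `check env context` step.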
diff --git a/.github/actions/mask_secrets/_fails_to_mask_in_caller.yml b/.github/actions/mask_secrets_bulk/action.yml
similarity index 90%
rename from .github/actions/mask_secrets/_fails_to_mask_in_caller.yml
rename to .github/actions/mask_secrets_bulk/action.yml
index 4d330021..0b1f076c 100644
--- a/.github/actions/mask_secrets/_fails_to_mask_in_caller.yml
+++ b/.github/actions/mask_secrets_bulk/action.yml
@@ -1,5 +1,5 @@ -name: 'Mask Secrets' -description: 'Masking AWS Secrets' +name: 'Mask Secrets Bulk' +description: 'Masking AWS Secrets in bulk' inputs: secrets: description: 'string of secrets to get separated by EOL'
diff --git a/.github/workflows/aws_secret_mask_testing.yml b/.github/workflows/aws_secret_mask_testing.yml
index b1b41985..2b56fc54 100644
--- a/.github/workflows/aws_secret_mask_testing.yml
+++ b/.github/workflows/aws_secret_mask_testing.yml
@@ -23,9 +23,9 @@ jobs: ref: 'test/gha-codebuild-runner' path: 'testing-action' - - name: Masking via Custom Action - id: mask-custom-action - uses: ./testing-action/.github/actions/mask_secrets + - name: Mask Secrets Bulk + id: mask-secrets-bulk + uses: ./testing-action/.github/actions/mask_secrets_bulk with: secrets: | TEST_SECRET_1,cfpb/team/regtech/gha-codebuild-runner/test-secret-1
From 63f4c8a134867b5700b6d8df0cde8e2535db6051 Mon Sep 17 00:00:00 2001
From: Bruno <15909838+thetoolsmith@users.noreply.github.com>
Date: Fri, 24 Jan 2025 13:55:08 -0500
Subject: [PATCH 103/147] info
---
.github/actions/mask_secrets_bulk/action.yml | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/.github/actions/mask_secrets_bulk/action.yml b/.github/actions/mask_secrets_bulk/action.yml
index 0b1f076c..dca63d6e 100644
--- a/.github/actions/mask_secrets_bulk/action.yml
+++ b/.github/actions/mask_secrets_bulk/action.yml
@@ -24,3 +24,15 @@ runs: echo -e "::add-mask::${val}" done shell: bash + + - name: check aws secrets from inside custom action + id: check-aws-secrets-inside + run: | + echo -e "show test-secret-1 ${{ env.TEST_SECRET_1 }}" + echo -e "show test-secret-2 ${{ env.TEST_SECRET_2 }}" + echo -e "show test-secret-3 ${{ env.TEST_SECRET_3 }}" + + - name: Dump + env: + GITHUB_CONTEXT: ${{ toJson(github) }} + run: echo "$GITHUB_CONTEXT"
From 3dee12e15751a5b7ffe3b5cf1d7ecc870fda6555 Mon Sep 17 00:00:00 2001
From: Bruno <15909838+thetoolsmith@users.noreply.github.com>
Date: Fri, 24 Jan 2025 14:01:28 -0500
Subject: [PATCH 104/147] info
---
.github/actions/mask_secrets_bulk/action.yml | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/.github/actions/mask_secrets_bulk/action.yml b/.github/actions/mask_secrets_bulk/action.yml
index dca63d6e..a9796189 100644
--- a/.github/actions/mask_secrets_bulk/action.yml
+++ b/.github/actions/mask_secrets_bulk/action.yml
@@ -21,7 +21,8 @@ runs: var=(${s//,/ }) val=$(eval echo \$$var) echo "register mask $var = $val" - echo -e "::add-mask::${val}" + #echo -e "::add-mask::${val}" + echo -e "::add-mask::${{ vars[var] }}" done shell: bash
@@ -31,8 +32,10 @@ runs: echo -e "show test-secret-1 ${{ env.TEST_SECRET_1 }}" echo -e "show test-secret-2 ${{ env.TEST_SECRET_2 }}" echo -e "show test-secret-3 ${{ env.TEST_SECRET_3 }}" + shell: bash - name: Dump env: GITHUB_CONTEXT: ${{ toJson(github) }} run: echo "$GITHUB_CONTEXT" + shell: bash
From 35ec6fa44df8590f1d5a878f528f563cfc294091 Mon Sep 17 00:00:00 2001
From: Bruno <15909838+thetoolsmith@users.noreply.github.com>
Date: Fri, 24 Jan 2025 14:05:22 -0500
Subject: [PATCH 105/147] info
---
.github/actions/mask_secrets_bulk/action.yml | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/actions/mask_secrets_bulk/action.yml b/.github/actions/mask_secrets_bulk/action.yml
index a9796189..e595f33f 100644
--- a/.github/actions/mask_secrets_bulk/action.yml
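Review bot: the two `run:` steps added to the composite action, `check aws secrets from inside custom action` and `Dump`, have no `shell:` key, which composite `run` steps require; the next hunk on this line adds it. That hunk's `echo -e "::add-mask::${{ vars[var] }}"` evaluates `vars[var]` in the runner's expression language, where `vars` holds repository variables and `var` is not the shell variable, so it cannot reach the Secrets Manager value; `${!var}` in bash is the lookup intended. `echo "$GITHUB_CONTEXT"` writes the whole `github` context, event payload included, to the log and should stay confined to this test action.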
+++ b/.github/actions/mask_secrets_bulk/action.yml
@@ -21,8 +21,7 @@ runs: var=(${s//,/ }) val=$(eval echo \$$var) echo "register mask $var = $val" - #echo -e "::add-mask::${val}" - echo -e "::add-mask::${{ vars[var] }}" + echo -e "::add-mask::${val}" done shell: bash
From 11c648c2031dfcfec0fc2c14c512f5c2866bd374 Mon Sep 17 00:00:00 2001
From: Bruno <15909838+thetoolsmith@users.noreply.github.com>
Date: Fri, 24 Jan 2025 14:09:36 -0500
Subject: [PATCH 106/147] info
---
.github/actions/mask_secrets_bulk/action.yml | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/.github/actions/mask_secrets_bulk/action.yml b/.github/actions/mask_secrets_bulk/action.yml
index e595f33f..45c20777 100644
--- a/.github/actions/mask_secrets_bulk/action.yml
+++ b/.github/actions/mask_secrets_bulk/action.yml
@@ -21,7 +21,7 @@ runs: var=(${s//,/ }) val=$(eval echo \$$var) echo "register mask $var = $val" - echo -e "::add-mask::${val}" + echo "::add-mask::$val" done shell: bash
@@ -32,9 +32,3 @@ runs: echo -e "show test-secret-2 ${{ env.TEST_SECRET_2 }}" echo -e "show test-secret-3 ${{ env.TEST_SECRET_3 }}" shell: bash - - - name: Dump - env: - GITHUB_CONTEXT: ${{ toJson(github) }} - run: echo "$GITHUB_CONTEXT" - shell: bash
From 8d135c61a8f4338f76a7b0ed2be4afdc66a9f508 Mon Sep 17 00:00:00 2001
From: Bruno <15909838+thetoolsmith@users.noreply.github.com>
Date: Fri, 24 Jan 2025 14:15:53 -0500
Subject: [PATCH 107/147] info
---
.github/actions/mask_secrets_bulk/action.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/actions/mask_secrets_bulk/action.yml b/.github/actions/mask_secrets_bulk/action.yml
index 45c20777..26465fbf 100644
--- a/.github/actions/mask_secrets_bulk/action.yml
+++ b/.github/actions/mask_secrets_bulk/action.yml
@@ -20,8 +20,8 @@ runs: for s in "${secrets[@]}"; do var=(${s//,/ }) val=$(eval echo \$$var) - echo "register mask $var = $val" - echo "::add-mask::$val" + echo "register mask $var = $val" + echo "::add-mask::${val}" done shell: bash
From cd1a152627301e93a59d16174e119efc4b4804e3 Mon Sep 17 00:00:00 2001
From: Bruno <15909838+thetoolsmith@users.noreply.github.com>
Date: Fri, 24 Jan 2025 16:06:54 -0500
Subject: [PATCH 108/147] test buildspec override
---
.github/workflows/codebuild_runner_test.yml | 43 ++++++++++++---------
buildspec.yml | 32 +++++++++++++++
2 files changed, 56 insertions(+), 19 deletions(-)
create mode 100644 buildspec.yml
diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml
index abdb7c02..7d27acc2 100644
--- a/.github/workflows/codebuild_runner_test.yml
+++ b/.github/workflows/codebuild_runner_test.yml
@@ -11,7 +11,8 @@ jobs: CLOUDWATCH_LOGSTREAM_NAME: ${{ github.repository }}-${{ github.workflow }}-${{ github.run_id }}-${{ github.run_number }}-${{ github.run_attempt }} runs-on: - codebuild-cfpb-regtech-gha-test-1-${{ github.run_id }}-${{ github.run_attempt }} - steps: + - buildspec-override:true + steps: - name: 'Checkout GitHub Action' uses: actions/checkout@v4
@@ -60,31 +61,35 @@ jobs: TEST_SECRET_2, cfpb/team/regtech/gha-codebuild-runner/test-secret-2 TEST_SECRET_3,arn:aws:secretsmanager:us-east-1:099248080076:secret:cfpb/team/regtech/gha-codebuild-runner/test-secret-3-9lVad8 - - name: Checkout To Path - uses: actions/checkout@v4 - with: - repository: 'cfpb/regtech-deployments' - ref: 'test/gha-codebuild-runner' - path: 'testing-action' - + - name: Secret Masking Inline + run: | + IFS="," read -a var <<< "${{ env.TEST_SECRET_1 }},${{ env.TEST_SECRET_2 }},${{ env.TEST_SECRET_2 }}" + for x in "${var[@]}"; do + echo "::add-mask::$x" + done - #- name: Secret Masking Inline - # run: | - # IFS="," read -a var <<< "${{ env.TEST_SECRET_1 }},${{ env.TEST_SECRET_2 }},${{ env.TEST_SECRET_2 }}" - # for x in "${var[@]}"; do - # echo "::add-mask::$x" - # done + #- name: Checkout To Path + # uses: actions/checkout@v4 + # with: + # repository: 'cfpb/regtech-deployments' + # ref: 'test/gha-codebuild-runner' + # path: 'testing-action' - - name: Secret Masking via Custom Action - uses: ./testing-action/.github/actions/mask_secrets - with: - secrets: "${{ env.TEST_SECRET_1 }},${{ env.TEST_SECRET_2 }},${{ env.TEST_SECRET_3 }}" + #- name: Secret Masking via Custom Action + # uses: ./testing-action/.github/actions/mask_secrets + # with: + # secrets: "${{ env.TEST_SECRET_1 }},${{ env.TEST_SECRET_2 }},${{ env.TEST_SECRET_3 }}" - name: check aws secrets id: check-aws-secrets - # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions#example-masking-a-string run: | echo -e "show test-secret-1 ${{ env.TEST_SECRET_1 }}" echo -e "show test-secret-2 ${{ env.TEST_SECRET_2 }}" echo -e "show test-secret-3 ${{ env.TEST_SECRET_3 }}" + - name: 'Login to GitHub Container Registry' + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{github.actor}} + password: ${{secrets.GITHUB_TOKEN}} 
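Review bot: the re-enabled `Secret Masking Inline` step joins `env.TEST_SECRET_2` twice and never `env.TEST_SECRET_3`, so the `check aws secrets` step that follows prints test-secret-3 unmasked; the here-string should read `"${{ env.TEST_SECRET_1 }},${{ env.TEST_SECRET_2 }},${{ env.TEST_SECRET_3 }}"`. As elsewhere in this series the values are expanded into the script text; reading them from the step's shell environment, `"$TEST_SECRET_1"` and so on, avoids that and the comma split. The new `docker/login-action@v3` step uses `secrets.GITHUB_TOKEN` with no `permissions:` block in view, so a push to ghcr.io will need `packages: write`, and the action should be pinned to a commit SHA.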
diff --git a/buildspec.yml b/buildspec.yml
new file mode 100644
index 00000000..9680f306
--- /dev/null
+++ b/buildspec.yml
@@ -0,0 +1,32 @@
+version: 0.2
+
+env:
+ variables:
+ TEST_ONE: paul.bruno@cfpb.gov
+ SMTP_CREDS_SECRET: cfpb/team/regtech/smtp-ses-creds
+ secrets-manager:
+ SMTP_PASSWORD: "${SMTP_CREDS_SECRET}:password"
+ SMTP_PORT: "${SMTP_CREDS_SECRET}:smtp_port"
+ SMTP_HOST: "${SMTP_CREDS_SECRET}:smtp_server"
+ SMTP_USERNAME: "${SMTP_CREDS_SECRET}:username"
+ TEST_SECRET_1: "cfpb/team/regtech/gha-codebuild-runner/test-secret-1:aa"
+ TEST_SECRET_2: "cfpb/team/regtech/gha-codebuild-runner/test-secret-1:bb"
+ TEST_SECRET_3: "cfpb/team/regtech/gha-codebuild-runner/test-secret-1:cc"
+phases:
+ install:
+ commands:
+ - codebuild-init
+ - kubectl version --client=true --output yaml
+ pre_build:
+ commands:
+ - echo "TEST_SECRET_1 = ${TEST_SECRET_1}"
+ - echo "TEST_SECRET_2 = ${TEST_SECRET_2}"
+ - echo "TEST_SECRET_2 = ${TEST_SECRET_2}"
+ - export IMAGE_NAME="regtech/sbl/nginx-alpine-TEST"
+ - export IMAGE_TAG="codebuild"
+ - export REGISTRY_IMAGE_NAME="ghcr.io/cfpb/${IMAGE_NAME}:${IMAGE_TAG}"
+ - env | sort
+ post_build:
+ commands:
+ - docker build -t $REGISTRY_IMAGE_NAME -f images/Dockerfile-nginx-alpine
+ - docker push $REGISTRY_IMAGE_NAME
From 16235f67ae6df98c5f4b07500dda5b369a85b0da Mon Sep 17 00:00:00 2001
From: Bruno <15909838+thetoolsmith@users.noreply.github.com>
Date: Fri, 24 Jan 2025 16:10:20 -0500
Subject: [PATCH 109/147] test buildspec override
---
.github/workflows/codebuild_runner_test.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml
index 7d27acc2..c8581750 100644
--- a/.github/workflows/codebuild_runner_test.yml
+++ b/.github/workflows/codebuild_runner_test.yml
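Review bot: `pre_build` echoes `${TEST_SECRET_1}` and `${TEST_SECRET_2}` (twice; `TEST_SECRET_3` is never printed) and then runs `env | sort`, which writes every `secrets-manager` value, `SMTP_PASSWORD` included, to the CodeBuild log; as far as I know CodeBuild does not mask these the way Actions masks secrets, so drop the echoes and `env | sort` or print only non-secret names. `docker build -t $REGISTRY_IMAGE_NAME -f images/Dockerfile-nginx-alpine` has no build-context argument and will fail; append ` .`. `TEST_ONE: paul.bruno@cfpb.gov` hard-codes a personal e-mail address in a committed file.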
@@ -5,7 +5,7 @@ on: branches: [main] jobs: - test1: + cbrunner: env: CLOUDWATCH_LOGGROUP_NAME: '/aws/codebuild/cfpb-regtech-gha-test-1' CLOUDWATCH_LOGSTREAM_NAME: ${{ github.repository }}-${{ github.workflow }}-${{ github.run_id }}-${{ github.run_number }}-${{ github.run_attempt }}
From e522a043a8f39559dd9aef5b16533ff0e812086d Mon Sep 17 00:00:00 2001
From: Bruno <15909838+thetoolsmith@users.noreply.github.com>
Date: Fri, 24 Jan 2025 16:11:40 -0500
Subject: [PATCH 110/147] test buildspec override
---
.github/workflows/codebuild_runner_test.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml
index c8581750..54683638 100644
--- a/.github/workflows/codebuild_runner_test.yml
+++ b/.github/workflows/codebuild_runner_test.yml
@@ -11,7 +11,7 @@ jobs: CLOUDWATCH_LOGSTREAM_NAME: ${{ github.repository }}-${{ github.workflow }}-${{ github.run_id }}-${{ github.run_number }}-${{ github.run_attempt }} runs-on: - codebuild-cfpb-regtech-gha-test-1-${{ github.run_id }}-${{ github.run_attempt }} - - buildspec-override:true + #- buildspec-override:true steps: - name: 'Checkout GitHub Action' uses: actions/checkout@v4
From 47c9038df00a729786b79becd71ce78d5066fa5e Mon Sep 17 00:00:00 2001
From: Bruno <15909838+thetoolsmith@users.noreply.github.com>
Date: Fri, 24 Jan 2025 16:19:20 -0500
Subject: [PATCH 111/147] test buildspec override
---
.../workflows/codebuild_buildspec_test.yml | 22 ++++++++
.github/workflows/codebuild_runner_test.yml | 50 +++++++------------
2 files changed, 41 insertions(+), 31 deletions(-)
create mode 100644 .github/workflows/codebuild_buildspec_test.yml
diff --git a/.github/workflows/codebuild_buildspec_test.yml b/.github/workflows/codebuild_buildspec_test.yml
new file mode 100644
index 00000000..261a74b2
--- /dev/null
+++ b/.github/workflows/codebuild_buildspec_test.yml
@@ -0,0 +1,22 @@
+name: GHACodebuildBuildspecOverride
+
+on:
+ pull_request:
+ branches: [main]
+
+jobs:
+ test1:
+ env:
+ runs-on:
+ - codebuild-cfpb-regtech-gha-test-1-${{ github.run_id }}-${{ github.run_attempt }}
+ - buildspec-override:true
+ steps:
+ - name: 'Checkout GitHub Action'
+ uses: actions/checkout@v4
+
+ - name: 'Login to GitHub Container Registry'
+ uses: docker/login-action@v3
+ with:
+ registry: ghcr.io
+ username: ${{github.actor}}
+ password: ${{secrets.GITHUB_TOKEN}}
diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml
index 54683638..5e66bc62 100644
--- a/.github/workflows/codebuild_runner_test.yml
+++ b/.github/workflows/codebuild_runner_test.yml
@@ -5,29 +5,25 @@ on: branches: [main] jobs: - cbrunner: + test1: env: CLOUDWATCH_LOGGROUP_NAME: '/aws/codebuild/cfpb-regtech-gha-test-1' CLOUDWATCH_LOGSTREAM_NAME: ${{ github.repository }}-${{ github.workflow }}-${{ github.run_id }}-${{ github.run_number }}-${{ github.run_attempt }} runs-on: - codebuild-cfpb-regtech-gha-test-1-${{ github.run_id }}-${{ github.run_attempt }} - #- buildspec-override:true - steps: + steps: - name: 'Checkout GitHub Action' uses: actions/checkout@v4 - name: echo run: | echo -e "running GHA workflow ${{ github.event.number }}\nbuild: ${{ github.run_id }}\nattempt: ${{ github.run_attempt }}" - - name: create log stream run: | aws logs create-log-stream --log-group-name $CLOUDWATCH_LOGGROUP_NAME --log-stream-name $CLOUDWATCH_LOGSTREAM_NAME - - name: list buckets run: | aws s3api list-buckets --region us-east-1 --output json - - name: put events env: GH_TOKEN: ${{ github.token }}
@@ -49,9 +45,7 @@ jobs: } ] EOF - aws logs put-log-events --log-group-name $CLOUDWATCH_LOGGROUP_NAME --log-stream-name $CLOUDWATCH_LOGSTREAM_NAME --log-events file://test_events - - name: get secrets from aws id: get-aws-secret uses: aws-actions/aws-secretsmanager-get-secrets@v2
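Review bot: `env:` with no value under `test1:` is a null mapping and the workflow validator is likely to reject the file (the commit on L74 removes it). The `docker/login-action@v3` step uses `secrets.GITHUB_TOKEN` with no `permissions:` block in view, so pushing to ghcr.io will need `packages: write`, and both actions are floating tags rather than commit SHAs. The other two hunks on this line only restore the job name and remove blank lines.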
@@ -60,36 +54,30 @@ jobs: TEST_SECRET_1, cfpb/team/regtech/gha-codebuild-runner/test-secret-1 TEST_SECRET_2, cfpb/team/regtech/gha-codebuild-runner/test-secret-2 TEST_SECRET_3,arn:aws:secretsmanager:us-east-1:099248080076:secret:cfpb/team/regtech/gha-codebuild-runner/test-secret-3-9lVad8 + - name: Checkout To Path + uses: actions/checkout@v4 + with: + repository: 'cfpb/regtech-deployments' + ref: 'test/gha-codebuild-runner' + path: 'testing-action' - - name: Secret Masking Inline - run: | - IFS="," read -a var <<< "${{ env.TEST_SECRET_1 }},${{ env.TEST_SECRET_2 }},${{ env.TEST_SECRET_2 }}" - for x in "${var[@]}"; do - echo "::add-mask::$x" - done - #- name: Checkout To Path - # uses: actions/checkout@v4 - # with: - # repository: 'cfpb/regtech-deployments' - # ref: 'test/gha-codebuild-runner' - # path: 'testing-action' + #- name: Secret Masking Inline + # run: | + # IFS="," read -a var <<< "${{ env.TEST_SECRET_1 }},${{ env.TEST_SECRET_2 }},${{ env.TEST_SECRET_2 }}" + # for x in "${var[@]}"; do + # echo "::add-mask::$x" + # done - #- name: Secret Masking via Custom Action - # uses: ./testing-action/.github/actions/mask_secrets - # with: - # secrets: "${{ env.TEST_SECRET_1 }},${{ env.TEST_SECRET_2 }},${{ env.TEST_SECRET_3 }}" + - name: Secret Masking via Custom Action + uses: ./testing-action/.github/actions/mask_secrets + with: + secrets: "${{ env.TEST_SECRET_1 }},${{ env.TEST_SECRET_2 }},${{ env.TEST_SECRET_3 }}" - name: check aws secrets id: check-aws-secrets + # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions#example-masking-a-string run: | echo -e "show test-secret-1 ${{ env.TEST_SECRET_1 }}" echo -e "show test-secret-2 ${{ env.TEST_SECRET_2 }}" echo -e "show test-secret-3 ${{ env.TEST_SECRET_3 }}" - - - name: 'Login to GitHub Container Registry' - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{github.actor}} - password: ${{secrets.GITHUB_TOKEN}} 
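Review bot: The `Checkout To Path` step is inserted between `get secrets from aws` and `Secret Masking via Custom Action`, which leaves `TEST_SECRET_1..3` in the env context unmasked for one more step than before and fetches the masking action itself from the mutable branch `test/gha-codebuild-runner` at run time; move the checkout ahead of the `aws-actions/aws-secretsmanager-get-secrets@v2` step and pin `ref:` to a commit SHA. The `check aws secrets` step expands `${{ env.TEST_SECRET_1 }}` straight into the shell script text, the expression-injection pattern GitHub's Actions hardening guidance warns about; the action already exports these as job environment variables, so `echo "show test-secret-1 $TEST_SECRET_1"` reads the same value without templating it into the script. The commented-out inline masker lists `TEST_SECRET_2` twice and never masks `TEST_SECRET_3`, so re-enabling it as written would leave the third value unmasked when the following step prints it. The `test1` job and the `get secrets from aws` step begin before this hunk.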
From ec54a780389c9115cb1dac644f57fa21cadd645e Mon Sep 17 00:00:00 2001
From: Bruno <15909838+thetoolsmith@users.noreply.github.com>
Date: Fri, 24 Jan 2025 16:19:56 -0500
Subject: [PATCH 112/147] test buildspec override
---
 .github/workflows/codebuild_buildspec_test.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/codebuild_buildspec_test.yml b/.github/workflows/codebuild_buildspec_test.yml
index 261a74b2..8654c738 100644
--- a/.github/workflows/codebuild_buildspec_test.yml
+++ b/.github/workflows/codebuild_buildspec_test.yml
@@ -6,7 +6,6 @@ on:
 jobs:
 test1:
- env:
 runs-on:
 - codebuild-cfpb-regtech-gha-test-1-${{ github.run_id }}-${{ github.run_attempt }}
 - buildspec-override:true
From 713989537c0854b970b7840ac16324100e4a223b Mon Sep 17 00:00:00 2001
From: Bruno <15909838+thetoolsmith@users.noreply.github.com>
Date: Fri, 24 Jan 2025 16:37:12 -0500
Subject: [PATCH 113/147] test buildspec override
---
 buildspec.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/buildspec.yml b/buildspec.yml
index 9680f306..f6f4cbad 100644
--- a/buildspec.yml
+++ b/buildspec.yml
@@ -10,8 +10,8 @@ env:
 SMTP_HOST: "${SMTP_CREDS_SECRET}:smtp_server"
 SMTP_USERNAME: "${SMTP_CREDS_SECRET}:username"
 TEST_SECRET_1: "cfpb/team/regtech/gha-codebuild-runner/test-secret-1:aa"
- TEST_SECRET_2: "cfpb/team/regtech/gha-codebuild-runner/test-secret-1:bb"
- TEST_SECRET_3: "cfpb/team/regtech/gha-codebuild-runner/test-secret-1:cc"
+ TEST_SECRET_2: "cfpb/team/regtech/gha-codebuild-runner/test-secret-2:bb"
+ TEST_SECRET_3: "cfpb/team/regtech/gha-codebuild-runner/test-secret-3:cc"
 phases:
 install:
 commands:
From d38c46f749056a42513bcd15f836931b4bf758ea Mon Sep 17 00:00:00 2001
From: Bruno <15909838+thetoolsmith@users.noreply.github.com>
Date: Fri, 24 Jan 2025 16:39:28 -0500
Subject: [PATCH 114/147] test buildspec override
---
 buildspec.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/buildspec.yml b/buildspec.yml
index f6f4cbad..1108d0ab 100644
--- a/buildspec.yml
+++ b/buildspec.yml
@@ -15,7 +15,6 @@ env:
 phases:
 install:
 commands:
- - codebuild-init
 - kubectl version --client=true --output yaml
 pre_build:
 commands:
From 8220a934ee59fbb6a16909144f3ab763130098a4 Mon Sep 17 00:00:00 2001
From: Bruno <15909838+thetoolsmith@users.noreply.github.com>
Date: Fri, 24 Jan 2025 16:45:26 -0500
Subject: [PATCH 115/147] test buildspec override
---
 buildspec.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/buildspec.yml b/buildspec.yml
index 1108d0ab..43a19c8e 100644
--- a/buildspec.yml
+++ b/buildspec.yml
@@ -27,5 +27,5 @@ phases:
 - env | sort
 post_build:
 commands:
- - docker build -t $REGISTRY_IMAGE_NAME -f images/Dockerfile-nginx-alpine
+ - docker build -t $REGISTRY_IMAGE_NAME -f "./images/Dockerfile-nginx-alpine" .
 - docker push $REGISTRY_IMAGE_NAME
From ca2cec0da3c62ce80d37591de933ba66012951d8 Mon Sep 17 00:00:00 2001
From: Bruno <15909838+thetoolsmith@users.noreply.github.com>
Date: Fri, 24 Jan 2025 16:47:08 -0500
Subject: [PATCH 116/147] test buildspec override
---
 buildspec.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/buildspec.yml b/buildspec.yml
index 43a19c8e..af40112d 100644
--- a/buildspec.yml
+++ b/buildspec.yml
@@ -21,7 +21,7 @@ phases:
 - echo "TEST_SECRET_1 = ${TEST_SECRET_1}"
 - echo "TEST_SECRET_2 = ${TEST_SECRET_2}"
 - echo "TEST_SECRET_2 = ${TEST_SECRET_2}"
- - export IMAGE_NAME="regtech/sbl/nginx-alpine-TEST"
+ - export IMAGE_NAME="regtech/sbl/nginx-alpine-test"
 - export IMAGE_TAG="codebuild"
 - export REGISTRY_IMAGE_NAME="ghcr.io/cfpb/${IMAGE_NAME}:${IMAGE_TAG}"
 - env | sort
From 22e4376beb143a5d7c79537477904797daff09d7 Mon Sep 17 00:00:00 2001
From: Bruno <15909838+thetoolsmith@users.noreply.github.com>
Date: Fri, 24 Jan 2025 16:51:02 -0500
Subject: [PATCH 117/147] test buildspec override
---
 buildspec.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/buildspec.yml b/buildspec.yml
index af40112d..82e226b6 100644
--- a/buildspec.yml
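Review bot: In the `@@ -21,7 +21,7 @@` hunk the `pre_build` commands around the renamed `IMAGE_NAME` line — three `echo "TEST_SECRET_n = ${TEST_SECRET_n}"` lines and `env | sort` — write the values resolved into `TEST_SECRET_1..3` (and, by the same `path:key` form, presumably the `SMTP_*` variables) into the project's build log, and nothing in this series shows CodeBuild masking them; drop the echoes once the override is confirmed and replace the dump with a filtered listing such as `env | sort | grep -v -E '^(TEST_SECRET_|SMTP_)'`. The third echo prints `TEST_SECRET_2` again where `TEST_SECRET_3` appears intended, so the test never exercises the third secret. The enclosing `pre_build:` / `commands:` keys are above that hunk.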
+++ b/buildspec.yml @@ -27,5 +27,5 @@ phases: - env | sort post_build: commands: - - docker build -t $REGISTRY_IMAGE_NAME -f "./images/Dockerfile-nginx-alpine" . + - docker build -t $REGISTRY_IMAGE_NAME -f "images/Dockerfile-nginx-alpine" . - docker push $REGISTRY_IMAGE_NAME From 4598111d8c2b1d8883883af55608d97923aaa1a9 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Fri, 24 Jan 2025 16:54:46 -0500 Subject: [PATCH 118/147] test buildspec override --- buildspec.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/buildspec.yml b/buildspec.yml index 82e226b6..453ed2c9 100644 --- a/buildspec.yml +++ b/buildspec.yml @@ -27,5 +27,7 @@ phases: - env | sort post_build: commands: - - docker build -t $REGISTRY_IMAGE_NAME -f "images/Dockerfile-nginx-alpine" . - - docker push $REGISTRY_IMAGE_NAME + - pwd + - ls -alt ../ + #- docker build -t $REGISTRY_IMAGE_NAME -f "images/Dockerfile-nginx-alpine" . + #- docker push $REGISTRY_IMAGE_NAME From e2176ba7f037fbd136e6b20b830833e9acb35822 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Fri, 24 Jan 2025 17:05:27 -0500 Subject: [PATCH 119/147] test buildspec override --- buildspec.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/buildspec.yml b/buildspec.yml index 453ed2c9..c18a1027 100644 --- a/buildspec.yml +++ b/buildspec.yml @@ -29,5 +29,7 @@ phases: commands: - pwd - ls -alt ../ + - ls -alt ../../ + - ls -alt ../../../ #- docker build -t $REGISTRY_IMAGE_NAME -f "images/Dockerfile-nginx-alpine" . #- docker push $REGISTRY_IMAGE_NAME From 0e867d1023677fb83352c71bc7da98a94315bc7f Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Fri, 24 Jan 2025 17:21:42 -0500 Subject: [PATCH 120/147] test buildspec override --- buildspec.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/buildspec.yml b/buildspec.yml index c18a1027..e8a6b764 100644 --- a/buildspec.yml 
+++ b/buildspec.yml
@@ -29,7 +29,6 @@ phases:
 commands:
 - pwd
 - ls -alt ../
- - ls -alt ../../
- - ls -alt ../../../
+ git clone https://github.com/cfpb/regtech-deployments.git
 #- docker build -t $REGISTRY_IMAGE_NAME -f "images/Dockerfile-nginx-alpine" .
 #- docker push $REGISTRY_IMAGE_NAME
From c5c90492d67a9e9c80cbc68fdf92dc3638cbaef0 Mon Sep 17 00:00:00 2001
From: Bruno <15909838+thetoolsmith@users.noreply.github.com>
Date: Fri, 24 Jan 2025 17:23:43 -0500
Subject: [PATCH 121/147] test buildspec override
---
 buildspec.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/buildspec.yml b/buildspec.yml
index e8a6b764..ac63c6c8 100644
--- a/buildspec.yml
+++ b/buildspec.yml
@@ -29,6 +29,6 @@ phases:
 commands:
 - pwd
 - ls -alt ../
- git clone https://github.com/cfpb/regtech-deployments.git
+ - git clone https://github.com/cfpb/regtech-deployments.git
 #- docker build -t $REGISTRY_IMAGE_NAME -f "images/Dockerfile-nginx-alpine" .
 #- docker push $REGISTRY_IMAGE_NAME
From fa7a9105c48f86cba22b87e08d0a5c18f976271f Mon Sep 17 00:00:00 2001
From: Bruno <15909838+thetoolsmith@users.noreply.github.com>
Date: Fri, 24 Jan 2025 17:28:40 -0500
Subject: [PATCH 122/147] test buildspec override
---
 buildspec.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/buildspec.yml b/buildspec.yml
index ac63c6c8..e3e4c98b 100644
--- a/buildspec.yml
+++ b/buildspec.yml
@@ -30,5 +30,5 @@ phases:
 - pwd
 - ls -alt ../
 - git clone https://github.com/cfpb/regtech-deployments.git
- #- docker build -t $REGISTRY_IMAGE_NAME -f "images/Dockerfile-nginx-alpine" .
- #- docker push $REGISTRY_IMAGE_NAME
+ - docker build -t $REGISTRY_IMAGE_NAME -f "regtech-deployments/images/Dockerfile-nginx-alpine" .
+ - docker push $REGISTRY_IMAGE_NAME
From 3e26fda3dffedaf0cb712725d12f18a1246878c7 Mon Sep 17 00:00:00 2001
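Review bot: In the `@@ -30,5 +30,5 @@` hunk, `git clone https://github.com/cfpb/regtech-deployments.git` fetches that repository's default branch as it exists at build time, so the Dockerfile consumed by the re-enabled `docker build` on the next line is not pinned to any reviewed revision and the produced image can change without any change to this buildspec; clone a fixed ref (`git clone --depth 1 --branch <ref> https://github.com/cfpb/regtech-deployments.git` followed by `git -C regtech-deployments rev-parse HEAD` so the log records what was built) or pass the commit in as a build variable. `docker build ... .` also sends the whole working directory as build context although the Dockerfile lives inside the clone; if that Dockerfile needs nothing from this repository, using `regtech-deployments` as the context keeps unrelated files out of the image build. `docker push` is re-enabled with no registry login earlier in the buildspec; the `post_build:` / `commands:` keys are above the hunk.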
From: Bruno <15909838+thetoolsmith@users.noreply.github.com>
Date: Fri, 24 Jan 2025 17:36:30 -0500
Subject: [PATCH 123/147] test buildspec override
---
 buildspec.yml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/buildspec.yml b/buildspec.yml
index e3e4c98b..66467c9d 100644
--- a/buildspec.yml
+++ b/buildspec.yml
@@ -21,9 +21,12 @@ phases:
 - echo "TEST_SECRET_1 = ${TEST_SECRET_1}"
 - echo "TEST_SECRET_2 = ${TEST_SECRET_2}"
 - echo "TEST_SECRET_2 = ${TEST_SECRET_2}"
- - export IMAGE_NAME="regtech/sbl/nginx-alpine-test"
- - export IMAGE_TAG="codebuild"
- - export REGISTRY_IMAGE_NAME="ghcr.io/cfpb/${IMAGE_NAME}:${IMAGE_TAG}"
+ - export IMAGE_NAME="cfpb/${TEAM_NAMESPACE}/regtech-gha-codebuild-test"
+ - export IMAGE_TAG=$CODEBUILD_BUILD_NUMBER
+ - export REGISTRY_IMAGE_NAME="${ECR_ACCOUNT_REGISTRY}/${IMAGE_NAME}:${IMAGE_TAG}"
+ #- export IMAGE_NAME="regtech/sbl/nginx-alpine-test"
+ #- export IMAGE_TAG="codebuild"
+ #- export GITHUB_IMAGE_NAME="ghcr.io/cfpb/${IMAGE_NAME}:${IMAGE_TAG}"
 - env | sort
 post_build:
 commands:
From dfdd1c2cf941094a120dca2b5e4a9716ee50cce5 Mon Sep 17 00:00:00 2001
From: Bruno <15909838+thetoolsmith@users.noreply.github.com>
Date: Fri, 24 Jan 2025 17:45:46 -0500
Subject: [PATCH 124/147] test buildspec override
---
 buildspec.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/buildspec.yml b/buildspec.yml
index 66467c9d..25570f73 100644
--- a/buildspec.yml
+++ b/buildspec.yml
@@ -21,7 +21,7 @@ phases:
 - echo "TEST_SECRET_1 = ${TEST_SECRET_1}"
 - echo "TEST_SECRET_2 = ${TEST_SECRET_2}"
 - echo "TEST_SECRET_2 = ${TEST_SECRET_2}"
- - export IMAGE_NAME="cfpb/${TEAM_NAMESPACE}/regtech-gha-codebuild-test"
+ - export IMAGE_NAME="cfpb/regtech/regtech-gha-codebuild-test"
 - export IMAGE_TAG=$CODEBUILD_BUILD_NUMBER
 - export REGISTRY_IMAGE_NAME="${ECR_ACCOUNT_REGISTRY}/${IMAGE_NAME}:${IMAGE_TAG}"
 #- export IMAGE_NAME="regtech/sbl/nginx-alpine-test"
From 7158e1c841dc7e3f5c8358bb7c34298d0248fd8e Mon Sep 17 00:00:00 2001
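Review bot: In the `@@ -21,9 +21,12 @@` hunk, `export REGISTRY_IMAGE_NAME="${ECR_ACCOUNT_REGISTRY}/${IMAGE_NAME}:${IMAGE_TAG}"` silently degrades to a `/cfpb/...` image name when `ECR_ACCOUNT_REGISTRY` is absent from the build environment, and nothing visible in this series defines it or `TEAM_NAMESPACE`; use the shell's unset guard, `export REGISTRY_IMAGE_NAME="${ECR_ACCOUNT_REGISTRY:?ECR_ACCOUNT_REGISTRY is not set}/${IMAGE_NAME}:${IMAGE_TAG}"`, so the build fails at the definition instead of at `docker push`. `export IMAGE_TAG=$CODEBUILD_BUILD_NUMBER` should be quoted like its neighbours, `export IMAGE_TAG="${CODEBUILD_BUILD_NUMBER:?}"`, which also catches the variable being missing when the buildspec is run outside CodeBuild. The three commented-out `ghcr.io` lines are dead configuration that later patches keep carrying; a one-line comment stating why the GitHub registry target was dropped would serve the next reader better. The `pre_build:` / `commands:` keys are above the hunk.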
From: Bruno <15909838+thetoolsmith@users.noreply.github.com>
Date: Mon, 27 Jan 2025 09:18:17 -0500
Subject: [PATCH 125/147] test buildspec override
---
 buildspec.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/buildspec.yml b/buildspec.yml
index 25570f73..90b4fd39 100644
--- a/buildspec.yml
+++ b/buildspec.yml
@@ -34,4 +34,7 @@ phases:
 - ls -alt ../
 - git clone https://github.com/cfpb/regtech-deployments.git
 - docker build -t $REGISTRY_IMAGE_NAME -f "regtech-deployments/images/Dockerfile-nginx-alpine" .
- - docker push $REGISTRY_IMAGE_NAME
+ # push fails to ecr. needs creds.
+ # push also fails to ghcr, get token doesn't work error.
+ #- docker push $REGISTRY_IMAGE_NAME
+ - aws sts get-caller-identity
From 819e44820ad57eba819d1ee965fe3def3dd3438b Mon Sep 17 00:00:00 2001
From: Bruno <15909838+thetoolsmith@users.noreply.github.com>
Date: Mon, 27 Jan 2025 09:25:52 -0500
Subject: [PATCH 126/147] test buildspec override
---
 buildspec.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/buildspec.yml b/buildspec.yml
index 90b4fd39..99d1d491 100644
--- a/buildspec.yml
+++ b/buildspec.yml
@@ -23,7 +23,8 @@ phases:
 - echo "TEST_SECRET_2 = ${TEST_SECRET_2}"
 - export IMAGE_NAME="cfpb/regtech/regtech-gha-codebuild-test"
 - export IMAGE_TAG=$CODEBUILD_BUILD_NUMBER
- - export REGISTRY_IMAGE_NAME="${ECR_ACCOUNT_REGISTRY}/${IMAGE_NAME}:${IMAGE_TAG}"
+ #- export REGISTRY_IMAGE_NAME="${ECR_ACCOUNT_REGISTRY}/${IMAGE_NAME}:${IMAGE_TAG}"
+ - export REGISTRY_IMAGE_NAME="${IMAGE_NAME}:${IMAGE_TAG}
 #- export IMAGE_NAME="regtech/sbl/nginx-alpine-test"
 #- export IMAGE_TAG="codebuild"
 #- export GITHUB_IMAGE_NAME="ghcr.io/cfpb/${IMAGE_NAME}:${IMAGE_TAG}"
From e9392da1ce0c4bf7845b4be6a325512eabc757d1 Mon Sep 17 00:00:00 2001
From: Bruno <15909838+thetoolsmith@users.noreply.github.com>
Date: Mon, 27 Jan 2025 09:37:59 -0500
Subject: [PATCH 127/147] test buildspec override
---
 buildspec.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
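Review bot: In the `@@ -34,4 +34,7 @@` hunk the added comment `# push fails to ecr. needs creds.` records the symptom but not the cause: on a CodeBuild runner the project service role is already the AWS identity (the new `aws sts get-caller-identity` line will print it), so the push only lacks a registry login derived from that role, e.g. `aws ecr get-login-password --region "$AWS_DEFAULT_REGION" | docker login --username AWS --password-stdin "$ECR_ACCOUNT_REGISTRY"` ahead of `docker push`. The role's policy then needs `ecr:GetAuthorizationToken` plus `ecr:BatchCheckLayerAvailability`, `ecr:InitiateLayerUpload`, `ecr:UploadLayerPart`, `ecr:CompleteLayerUpload` and `ecr:PutImage`, with those five scoped to the test repository's ARN so the runner cannot overwrite other images in the registry. `aws sts get-caller-identity` is a fair diagnostic, but its output (account id and role ARN) lands in the project's CloudWatch log group; remove it once the role is confirmed. The `post_build:` / `commands:` keys are above the hunk.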
diff --git a/buildspec.yml b/buildspec.yml
index 99d1d491..9256f5bb 100644
--- a/buildspec.yml
+++ b/buildspec.yml
@@ -24,7 +24,7 @@ phases:
 - export IMAGE_NAME="cfpb/regtech/regtech-gha-codebuild-test"
 - export IMAGE_TAG=$CODEBUILD_BUILD_NUMBER
 #- export REGISTRY_IMAGE_NAME="${ECR_ACCOUNT_REGISTRY}/${IMAGE_NAME}:${IMAGE_TAG}"
- - export REGISTRY_IMAGE_NAME="${IMAGE_NAME}:${IMAGE_TAG}
+ - export REGISTRY_IMAGE_NAME="${IMAGE_NAME}:${IMAGE_TAG}"
 #- export IMAGE_NAME="regtech/sbl/nginx-alpine-test"
 #- export IMAGE_TAG="codebuild"
 #- export GITHUB_IMAGE_NAME="ghcr.io/cfpb/${IMAGE_NAME}:${IMAGE_TAG}"
From a47208233b915dc649f1f2d06074bf51960e6442 Mon Sep 17 00:00:00 2001
From: Bruno <15909838+thetoolsmith@users.noreply.github.com>
Date: Mon, 27 Jan 2025 10:12:44 -0500
Subject: [PATCH 128/147] testing buildspec override
---
 buildspec.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/buildspec.yml b/buildspec.yml
index 9256f5bb..91b98c3f 100644
--- a/buildspec.yml
+++ b/buildspec.yml
@@ -39,3 +39,4 @@ phases:
 # push also fails to ghcr, get token doesn't work error.
 #- docker push $REGISTRY_IMAGE_NAME
 - aws sts get-caller-identity
+ - aws ecr list-images --repository-name cfpb/regtech/sbl-filing-api
From d81a9d8fc6c529f7bf50ae11d61870bfc049c7fb Mon Sep 17 00:00:00 2001
From: Bruno <15909838+thetoolsmith@users.noreply.github.com>
Date: Mon, 27 Jan 2025 10:30:40 -0500
Subject: [PATCH 129/147] intentional failure
---
 buildspec.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/buildspec.yml b/buildspec.yml
index 91b98c3f..e44100f3 100644
--- a/buildspec.yml
+++ b/buildspec.yml
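Review bot: In the `@@ -39,3 +39,4 @@` hunk, `aws ecr list-images --repository-name cfpb/regtech/sbl-filing-api` queries a repository other than the one this test buildspec builds (`cfpb/regtech/regtech-gha-codebuild-test`), so if the command succeeds it demonstrates that the runner role's ECR read permission is registry-wide rather than scoped to the test repository; the role's `ecr:ListImages` / `ecr:DescribeImages` grant should be limited to the repository ARN(s) this project needs, and the probe should be removed once that permission check is done. The command also omits `--region`, relying on the build container's default region. The `post_build:` / `commands:` keys are above the hunk.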
@@ -24,7 +24,7 @@ phases:
 - export IMAGE_NAME="cfpb/regtech/regtech-gha-codebuild-test"
 - export IMAGE_TAG=$CODEBUILD_BUILD_NUMBER
 #- export REGISTRY_IMAGE_NAME="${ECR_ACCOUNT_REGISTRY}/${IMAGE_NAME}:${IMAGE_TAG}"
- - export REGISTRY_IMAGE_NAME="${IMAGE_NAME}:${IMAGE_TAG}"
+ - export REGISTRY_IMAGE_NAME="/${IMAGE_NAME}:${IMAGE_TAG}"
 #- export IMAGE_NAME="regtech/sbl/nginx-alpine-test"
 #- export IMAGE_TAG="codebuild"
 #- export GITHUB_IMAGE_NAME="ghcr.io/cfpb/${IMAGE_NAME}:${IMAGE_TAG}"
From 5f51443ad7b65e7bfc8e648071c6f638a39a56e9 Mon Sep 17 00:00:00 2001
From: Bruno <15909838+thetoolsmith@users.noreply.github.com>
Date: Mon, 27 Jan 2025 14:57:23 -0500
Subject: [PATCH 130/147] start documenting the findings
---
 GHA_Codebuild_Runner.md | 79 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 79 insertions(+)
 create mode 100644 GHA_Codebuild_Runner.md
diff --git a/GHA_Codebuild_Runner.md b/GHA_Codebuild_Runner.md
new file mode 100644
index 00000000..f6ad9975
--- /dev/null
+++ b/GHA_Codebuild_Runner.md
@@ -0,0 +1,79 @@ +## Overview +This document serves as a documented reference to findings found when evaluating `AWS Codebuild Projects` as `Github Action Runners` +All testing and evaluation was done in the `regtech/devpub` IAM account. + + +### Components and Use Cases Evaluated + +- Codebuild project runner for Github Pull Requests +- Log outputs for both AWS Codebuild and Github workflows +- AWS Secrets access from the github action workflow +- AWS Role and Codebuild runner scaling and scope +- Creating Cloudwatch log streams and generating Cloudwatch log events from github actioon workflows +- Reporting Codebuild status back to Github Source +- Passing in `buildspec.yml` (overriding) from GHA to Codebuild project +- Codebuild Runner Project Role and Permissions + +### AWS Setup +This section outlines the configurations made in the AWS console to implement the testing that was performed. + +1. Create new Codebuild Project. [Referenced](https://docs.aws.amazon.com/codebuild/latest/userguide/action-runner.html) + + +### Github Setup +This section outlines the configurations made in Github to implement the testing that was performed. +`cfpb/regtech-deployments` was used for this testing. +[Reference Source Repository/Branch](https://github.com/cfpb/regtech-deployments/tree/test/gha-codebuild-runner) + +1. A prerequisite for creating a Codebuild project using Github as the source was to have a Personal Access Token (PAT) configured in the Github account. I used my github account `thetoolsmith` which is configured in the CFPB Github Org. +The PAT needs to be configured with some required options. [Here](https://docs.aws.amazon.com/codebuild/latest/userguide/access-tokens-github.html) is a reference. +1. Created a test `buildspec.yml` in `regtech-deployments` + +### Log Output Codebuild vs Github + + +### Testing Secrets and Masking in Github Workflow +Github Secrets are automatically transformed into environment variable and automatically masked. 
This is the default behavior in Github Actions for Github Secrets. + +There is no apparent issues with Github Secrets being seen from the Codebuild project runner output. +***Logs on the Codebuild side do not include any of the log output from the Github action workflow run.*** + +However..... +Since the Github Workflow runner is not running in the context of an AWS Role, there is the capability for secrets to be pulled out of SecretsManager vi a Github Action workflow. ***THESE SECRETS ARE NOT MASKED BY DEFAULT!*** + +The good thing is that we do not need to setup and establish AWS credentials in the Github action workflow since it's running with a runner in the context of a role that will determine what AWS services and permissions are allowed from the GHA workflow. + +For testing, we used the `aws-actions/aws-secretsmanager-get-secrets@v2` action plugin in our GHA workflow. +The [plugin](https://github.com/aws-actions/aws-secretsmanager-get-secrets) is referenced in the [AWS documentation](https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets_github.html) for managing secrets from GHA workflows. + +With the plugin, we can simply specify the AWS Secrets we would like to retreive. The Action automatically creates these secrets and the values as environment variables adding them to the github env context. They are in `plain-text`. +There is a method provided by GHA to mask these. It's an odd filter mechanism, `::add-mask::`, that needs to be passed to shell echo IMMEDIATLEY after the secret is retreived in order to prevent secrets values from leaking and appearing in the Girhub workflow run log output. + +The process requires 2 build steps. One to get the secrets and another to pass it to `::add-mask::`. 
+``` +- name: get secrets from aws + uses: aws-actions/aws-secretsmanager-get-secrets@v2 + with: + secret-ids: | + TEST_SECRET_1, cfpb/team/regtech/gha-codebuild-runner/test-secret-1 +- name: mask the secrets + run: | + echo "::add-mask::${{ env.TEST_SECRET_1 }}" +``` + +From the point where you ***mask*** the secret through the rest of the workflow job, the secret will be masked. + +IF we are getting many secrets, we can pass in the `secret-ids` list easily. But, we will need to write a function to iterate over all the retreived secrets and assure each one is passed to `::add-mask:;`. +It's not a very user-freindly or smart way to handle secrets. The Action plugin, should just mask them automatically! + +We did extensive testing around this to deternine the best way this could be used. Not much options. We tried wrapping both the get and the masking build steps into a Custom Composite Action, but that doesn't make the process anymore easy or secure. + +A decision will need to be made if the `aws-actions/aws-secretsmanager-get-secrets@v2` action should be used. We could not allow the Codebuild Project runner role access to SecretsManager which would prevent GHA workflows from being able to pull aws secrets. + + +### Misc + +Passing `Github Action` vaiable to `Codebuild`, you can use the `env-vars-for-codebuild` option in the [AWS Codebuild Marketplace Action](https://github.com/marketplace/actions/aws-codebuild-run-build-action-for-github-actions#aws-codebuild-run-build-for-github-actions) for Github Actions. +This Marketplace Action also provides auto-triggering Codebuild from Github pull requests, mergers etc... + + From 57bdcea9f7490ff69b00846cabb7bee0888a7e03 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Mon, 27 Jan 2025 16:06:42 -0500 Subject: [PATCH 131/147] revert intentional fail --- GHA_Codebuild_Runner.md | 21 +++++++++++++++++++-- buildspec.yml | 2 +- 2 files changed, 20 insertions(+), 3 deletions(-) 
diff --git a/GHA_Codebuild_Runner.md b/GHA_Codebuild_Runner.md index f6ad9975..1691f673 100644 --- a/GHA_Codebuild_Runner.md +++ b/GHA_Codebuild_Runner.md @@ -17,8 +17,14 @@ All testing and evaluation was done in the `regtech/devpub` IAM account. ### AWS Setup This section outlines the configurations made in the AWS console to implement the testing that was performed. -1. Create new Codebuild Project. [Referenced](https://docs.aws.amazon.com/codebuild/latest/userguide/action-runner.html) - +- Create new Codebuild Project `cfpb-regtech-gha-test-1`. [Referenced](https://docs.aws.amazon.com/codebuild/latest/userguide/action-runner.html) + - Create github PAT for AWS webhook and codebuild credential (github account) + - Create new Service Role for codebuild project `cfpb-dev-regtech-codebuild-gha-test` + - Create new SecretsManager Secret for PAT `cfpb/team/regtech/gha-codebuild-runner-test` +- Create Custom inline policy for the role `RegtechCodeBuildGHARunner`. + - this policy was started from the builtin `AWSCodeBuildDeveloperAccess` policy and upadated as needed. +- Create Cloudformation log group +- ### Github Setup This section outlines the configurations made in Github to implement the testing that was performed. 
@@ -30,7 +36,18 @@ The PAT needs to be configured with some required options. [Here](https://docs.a 1. Created a test `buildspec.yml` in `regtech-deployments` ### Log Output Codebuild vs Github +Each side of this itegration keep its own logs. Neither Github Action or Codebuild logs are exposed on the other end. +This is a good thing. +All actions taken in GHA workflow, including reading secrets from AWS, are logged only to the GHA output. Nothing shows on the Cloudformation logs. +Example from GHA workflow kicking off the Codebuild Runner..... +``` +> 2025-01-17T21:14:03.906Z +> 2025-01-17 21:14:01Z: Running job: test1 +> 2025-01-17 21:14:01Z: Running job: test1 +> 2025-01-17T21:14:21.926Z +> 2025-01-17 21:14:21Z: Job test1 completed with result: Succeeded +``` ### Testing Secrets and Masking in Github Workflow Github Secrets are automatically transformed into environment variable and automatically masked. This is the default behavior in Github Actions for Github Secrets. diff --git a/buildspec.yml b/buildspec.yml index e44100f3..91b98c3f 100644 --- a/buildspec.yml +++ b/buildspec.yml @@ -24,7 +24,7 @@ phases: - export IMAGE_NAME="cfpb/regtech/regtech-gha-codebuild-test" - export IMAGE_TAG=$CODEBUILD_BUILD_NUMBER #- export REGISTRY_IMAGE_NAME="${ECR_ACCOUNT_REGISTRY}/${IMAGE_NAME}:${IMAGE_TAG}" - - export REGISTRY_IMAGE_NAME="/${IMAGE_NAME}:${IMAGE_TAG}" + - export REGISTRY_IMAGE_NAME="${IMAGE_NAME}:${IMAGE_TAG}" #- export IMAGE_NAME="regtech/sbl/nginx-alpine-test" #- export IMAGE_TAG="codebuild" #- export GITHUB_IMAGE_NAME="ghcr.io/cfpb/${IMAGE_NAME}:${IMAGE_TAG}" From f9c7396d1ddc7e8a073b0b39167b05527b157afc Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Mon, 27 Jan 2025 17:25:39 -0500 Subject: [PATCH 132/147] add more content to eval --- GHA_Codebuild_Runner.md | 76 +++++++++++++++++++++++++++++++++++++---- 1 file changed, 69 insertions(+), 7 deletions(-) 
diff --git a/GHA_Codebuild_Runner.md b/GHA_Codebuild_Runner.md index 1691f673..9030b14b 100644 --- a/GHA_Codebuild_Runner.md +++ b/GHA_Codebuild_Runner.md @@ -2,6 +2,7 @@ This document serves as a documented reference to findings found when evaluating `AWS Codebuild Projects` as `Github Action Runners` All testing and evaluation was done in the `regtech/devpub` IAM account. +--- ### Components and Use Cases Evaluated 
@@ -14,31 +15,42 @@ All testing and evaluation was done in the `regtech/devpub` IAM account. - Passing in `buildspec.yml` (overriding) from GHA to Codebuild project - Codebuild Runner Project Role and Permissions +--- + ### AWS Setup This section outlines the configurations made in the AWS console to implement the testing that was performed. - Create new Codebuild Project `cfpb-regtech-gha-test-1`. [Referenced](https://docs.aws.amazon.com/codebuild/latest/userguide/action-runner.html) - Create github PAT for AWS webhook and codebuild credential (github account) - Create new Service Role for codebuild project `cfpb-dev-regtech-codebuild-gha-test` - - Create new SecretsManager Secret for PAT `cfpb/team/regtech/gha-codebuild-runner-test` + - Create new SecretsManager Secret for PAT `cfpb/team/regtech/gha-codebuild-runner-test` + - Required to set Webhook `WORKFLOW_JOB_QUEUED` for all runners. - Create Custom inline policy for the role `RegtechCodeBuildGHARunner`. - this policy was started from the builtin `AWSCodeBuildDeveloperAccess` policy and upadated as needed. - Create Cloudformation log group -- +- Created custom Cloudwatch streams and log events from GHA workflow. + +> **NOTE** IAM Roles are region based. We will need a minimum of one Codebuild Runner Role configured for each region. Decisions will need to be made based on implementation requirments for how the runner roles are to be used. Options such as a role per product, per team, per repo etc... should be considered. In addition to the scope of Runner Roles, we need to determine what permissions are needed for each Role. Permission requirements might also determine how many roles we need. Limited risk of secrets expose and such can be achieved by controlling the role permission policies. + +--- ### Github Setup This section outlines the configurations made in Github to implement the testing that was performed. -`cfpb/regtech-deployments` was used for this testing. 
+`cfpb/regtech-deployments` was used for this testing. [Reference Source Repository/Branch](https://github.com/cfpb/regtech-deployments/tree/test/gha-codebuild-runner) -1. A prerequisite for creating a Codebuild project using Github as the source was to have a Personal Access Token (PAT) configured in the Github account. I used my github account `thetoolsmith` which is configured in the CFPB Github Org. +- Prerequisite for creating a Codebuild project using Github as the source was to have a Personal Access Token (PAT) configured in the Github account. I used my github account `thetoolsmith` which is configured in the CFPB Github Org. The PAT needs to be configured with some required options. [Here](https://docs.aws.amazon.com/codebuild/latest/userguide/access-tokens-github.html) is a reference. -1. Created a test `buildspec.yml` in `regtech-deployments` +- Created a test `buildspec.yml` in `regtech-deployments` + - tested ECR access, Github Container Registry Access and some other basic things + +--- ### Log Output Codebuild vs Github Each side of this itegration keep its own logs. Neither Github Action or Codebuild logs are exposed on the other end. This is a good thing. +##### From the Github Side All actions taken in GHA workflow, including reading secrets from AWS, are logged only to the GHA output. Nothing shows on the Cloudformation logs. Example from GHA workflow kicking off the Codebuild Runner..... ``` 
@@ -48,6 +60,19 @@ Example from GHA workflow kicking off the Codebuild Runner..... > 2025-01-17T21:14:21.926Z > 2025-01-17 21:14:21Z: Job test1 completed with result: Succeeded ``` +That ↑ is pretty much all we get in GHA logs when kicking off a job that has many steps but is running on a Codebuild project Runner. + +##### From the Codebuild Side +All codebuild project actions are logged to Cloudwatch. +We created the Cloudwatch Log Group `/aws/codebuild/cfpb-regtech-gha-test-1` through AWS console. +All codebuild (runner) instances create logstreams for each `codebuild build run`. The streams can be matched up to the unique identifier in the build run name. +The basis high level Codebuild Steps are logged and whatever the `buildspec.yml` is doing if that was set as an override. See Overriding Buildspec Section. + +> **NOTE** There will be one `codebuild build run` in the history for each GHA ***Job*** executed during a single Github Action workflow run. In our test, 3 GHA jobs were run each time the workflow run ocurred (update to the pull request). + +> **WARNING** There is no easy visual way to match up a failed `Build run` in the codebuild UI with the matching Github Action Workflow **JOB**. For troubleshooting, you must click on the failed build run in the codebuild run history, and analyze the output to determine which github action workflow job caused it. The Github Action Job specific identifiers are not available on the AWS Codebuild project runner side. This makes sense being that nothing output from GHA workflow is logged on the Codebuild side. + +--- ### Testing Secrets and Masking in Github Workflow Github Secrets are automatically transformed into environment variable and automatically masked. This is the default behavior in Github Actions for Github Secrets. 
@@ -83,14 +108,51 @@ From the point where you ***mask*** the secret through the rest of the workflow IF we are getting many secrets, we can pass in the `secret-ids` list easily. But, we will need to write a function to iterate over all the retreived secrets and assure each one is passed to `::add-mask:;`. It's not a very user-freindly or smart way to handle secrets. The Action plugin, should just mask them automatically! -We did extensive testing around this to deternine the best way this could be used. Not much options. We tried wrapping both the get and the masking build steps into a Custom Composite Action, but that doesn't make the process anymore easy or secure. +We did extensive testing around this to determine the best way this could be used. Not much options. We tried wrapping both the get and the masking build steps into a Custom Composite Action, but that doesn't make the process anymore easy or secure. A decision will need to be made if the `aws-actions/aws-secretsmanager-get-secrets@v2` action should be used. We could not allow the Codebuild Project runner role access to SecretsManager which would prevent GHA workflows from being able to pull aws secrets. +--- + +### Performance +Without doing high scale performance testing, initial observations are that this implementation is pretty quick and snappy. +It's a matter of seconds before the codebuild runner starts from a new pr commit or whatever trigger we use. + +I didn't notice any lag compared to using Github Action default public runners. + +There is a 20 concurrent runner limit which is a default in AWS. This can be bumped as needed. +No testing was done on running more that one runner at a time for this initial analysis. + +We didn't experience any hang on either the codebuild or github side. + +##### Codebuild status via Github +By default, we do not get any status updates from Codebuild runs in the Github workflow run logs when passing in `buildspec.yml` override. 
[Buildspec Override Reference](https://docs.aws.amazon.com/codebuild/latest/userguide/action-runner.html) + +As the aws documentation states, codebuild project runners use `buildspec` as well. So you override some of the codebuild phases by passing in a custom `buildspec.yml` from the Github source repo. But, you cannot use the BUILD phase. + +> **NOTE** When passing in buildspec from the source github repo, if it fails during the build run in Codebuild, we do NOT get that failure back on the Github side. The GHA workflow run will show Success. This could lead to some false positve github workflow runs. There are a couple configuration options in Codebuild Projects that talk about providing status back to the provider. This will require some addition research. It appears that we need to configure [api calls](https://docs.github.com/en/rest/pulls/pulls?apiVersion=2022-11-28#update-a-pull-request) to update the Pull Request or other that is triggering the Codebuild run. + +##### Report Codebuild Status back to Github +- https://docs.aws.amazon.com/codebuild/latest/userguide/change-project.html +- https://docs.aws.amazon.com/codebuild/latest/userguide/access-tokens-github.html + +##### Access Tokens +As noted above, a Github Access Token is required in the Codebuild Project Configuration when creating a Runner project. +This token allows for the AWS to Github webhooks. So the token must have the repo webhook (or higher) permissions along with everything else that it might need. + +This token does ***NOT*** grant Codebuild runner (or the IAM role) access to Github Container Registry. +We also noticed that a GHA workflow that is authenticated to GHCR by way of doing a Login in the workflow, does not persist on the Codebuild side when executing a `buildspec.yml` passed in as override. 
+ +The `buildspec.yml` runs ion the context of the Codebuild project Service Role, but access to the Github Container Registry from within the `buildspec.yml` is not allowed by default even when the Github Action workflow that is passing in the `buildspec.yml` has authenticated to the GHCR. +This was a little unexpected. + +If there is a use case for us to build and perform other tasks on an image that will be published to Github Container Registry, we will still need to authenticate to GHCR from within the `buildspec.yml` code. + +--- ### Misc -Passing `Github Action` vaiable to `Codebuild`, you can use the `env-vars-for-codebuild` option in the [AWS Codebuild Marketplace Action](https://github.com/marketplace/actions/aws-codebuild-run-build-action-for-github-actions#aws-codebuild-run-build-for-github-actions) for Github Actions. +For passing `Github Action` variables to `Codebuild`, you can use the `env-vars-for-codebuild` option in the [AWS Codebuild Marketplace Action](https://github.com/marketplace/actions/aws-codebuild-run-build-action-for-github-actions#aws-codebuild-run-build-for-github-actions) for Github Actions. This Marketplace Action also provides auto-triggering Codebuild from Github pull requests, mergers etc... From 0da73e4f6d7850033126f540d848d83fef8365fc Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Mon, 27 Jan 2025 17:35:59 -0500 Subject: [PATCH 133/147] add more content to eval --- GHA_Codebuild_Runner.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/GHA_Codebuild_Runner.md b/GHA_Codebuild_Runner.md index 9030b14b..9906af3e 100644 --- a/GHA_Codebuild_Runner.md +++ b/GHA_Codebuild_Runner.md 
@@ -43,6 +43,10 @@ This section outlines the configurations made in Github to implement the testing The PAT needs to be configured with some required options. [Here](https://docs.aws.amazon.com/codebuild/latest/userguide/access-tokens-github.html) is a reference. - Created a test `buildspec.yml` in `regtech-deployments` - tested ECR access, Github Container Registry Access and some other basic things +- Created multiple GHA workflows to test basic actions + - AWS Secrets reading and masking + - AWS cli commands + - Custom Composite Actions --- From 78a365d3e8a8fffab5a2f63324f22f035c30cd6b Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Mon, 27 Jan 2025 17:37:26 -0500 Subject: [PATCH 134/147] add more content to eval --- GHA_Codebuild_Runner.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/GHA_Codebuild_Runner.md b/GHA_Codebuild_Runner.md index 9906af3e..c5ba2a8b 100644 --- a/GHA_Codebuild_Runner.md +++ b/GHA_Codebuild_Runner.md @@ -42,6 +42,8 @@ This section outlines the configurations made in Github to implement the testing - Prerequisite for creating a Codebuild project using Github as the source was to have a Personal Access Token (PAT) configured in the Github account. I used my github account `thetoolsmith` which is configured in the CFPB Github Org. The PAT needs to be configured with some required options. [Here](https://docs.aws.amazon.com/codebuild/latest/userguide/access-tokens-github.html) is a reference. - Created a test `buildspec.yml` in `regtech-deployments` + - buildspec overriding in the codebuild runner project + - passing github context into codebuild via buildspec - tested ECR access, Github Container Registry Access and some other basic things - Created multiple GHA workflows to test basic actions - AWS Secrets reading and masking From c63b1e8e59b9ae6beccc0ae8ea300c64b0c4ec37 Mon Sep 17 00:00:00 2001 
From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Mon, 27 Jan 2025 17:39:32 -0500 Subject: [PATCH 135/147] add more content to eval --- GHA_Codebuild_Runner.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/GHA_Codebuild_Runner.md b/GHA_Codebuild_Runner.md index c5ba2a8b..b417f05b 100644 --- a/GHA_Codebuild_Runner.md +++ b/GHA_Codebuild_Runner.md @@ -87,7 +87,7 @@ There is no apparent issues with Github Secrets being seen from the Codebuild pr ***Logs on the Codebuild side do not include any of the log output from the Github action workflow run.*** However..... -Since the Github Workflow runner is not running in the context of an AWS Role, there is the capability for secrets to be pulled out of SecretsManager vi a Github Action workflow. ***THESE SECRETS ARE NOT MASKED BY DEFAULT!*** +Since the Github Workflow runner is running in the context of an AWS Role, there is the capability for secrets to be pulled out of SecretsManager vi a Github Action workflow. ***THESE SECRETS ARE NOT MASKED BY DEFAULT!*** The good thing is that we do not need to setup and establish AWS credentials in the Github action workflow since it's running with a runner in the context of a role that will determine what AWS services and permissions are allowed from the GHA workflow. From a55463bc3a6c2dde0eb1b2eb7fba3c766ba20e97 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Mon, 27 Jan 2025 17:46:31 -0500 Subject: [PATCH 136/147] add more content to eval --- GHA_Codebuild_Runner.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/GHA_Codebuild_Runner.md b/GHA_Codebuild_Runner.md index b417f05b..40ef66ee 100644 --- a/GHA_Codebuild_Runner.md +++ b/GHA_Codebuild_Runner.md 
@@ -95,7 +95,7 @@ For testing, we used the `aws-actions/aws-secretsmanager-get-secrets@v2` action The [plugin](https://github.com/aws-actions/aws-secretsmanager-get-secrets) is referenced in the [AWS documentation](https://docs.aws.amazon.com/secretsmanager/latest/userguide/retrieving-secrets_github.html) for managing secrets from GHA workflows. With the plugin, we can simply specify the AWS Secrets we would like to retreive. The Action automatically creates these secrets and the values as environment variables adding them to the github env context. They are in `plain-text`. -There is a method provided by GHA to mask these. It's an odd filter mechanism, `::add-mask::`, that needs to be passed to shell echo IMMEDIATLEY after the secret is retreived in order to prevent secrets values from leaking and appearing in the Girhub workflow run log output. +There is a method provided by GHA to mask these. It's an odd filter mechanism, `::add-mask::`, that needs to be passed to shell echo IMMEDIATLEY after the secret is retreived in order to prevent secrets values from leaking and appearing in the Github workflow run log output. The process requires 2 build steps. One to get the secrets and another to pass it to `::add-mask::`. ``` 
@@ -111,7 +111,7 @@ The process requires 2 build steps. One to get the secrets and another to pass i From the point where you ***mask*** the secret through the rest of the workflow job, the secret will be masked. -IF we are getting many secrets, we can pass in the `secret-ids` list easily. But, we will need to write a function to iterate over all the retreived secrets and assure each one is passed to `::add-mask:;`. +If we are getting many secrets, we can pass in the `secret-ids` list easily. But, we will need to write a function to iterate over all the retreived secrets and assure each one is passed to `::add-mask:;`. It's not a very user-freindly or smart way to handle secrets. The Action plugin, should just mask them automatically! We did extensive testing around this to determine the best way this could be used. Not much options. We tried wrapping both the get and the masking build steps into a Custom Composite Action, but that doesn't make the process anymore easy or secure. 
@@ -149,7 +149,7 @@ This token allows for the AWS to Github webhooks. So the token must have the rep This token does ***NOT*** grant Codebuild runner (or the IAM role) access to Github Container Registry. We also noticed that a GHA workflow that is authenticated to GHCR by way of doing a Login in the workflow, does not persist on the Codebuild side when executing a `buildspec.yml` passed in as override. -The `buildspec.yml` runs ion the context of the Codebuild project Service Role, but access to the Github Container Registry from within the `buildspec.yml` is not allowed by default even when the Github Action workflow that is passing in the `buildspec.yml` has authenticated to the GHCR. +The `buildspec.yml` runs in the context of the Codebuild project Service Role, but access to the Github Container Registry from within the `buildspec.yml` is not allowed by default even when the Github Action workflow that is passing in the `buildspec.yml` has authenticated to the GHCR. This was a little unexpected. If there is a use case for us to build and perform other tasks on an image that will be published to Github Container Registry, we will still need to authenticate to GHCR from within the `buildspec.yml` code. @@ -159,6 +159,6 @@ If there is a use case for us to build and perform other tasks on an image that ### Misc For passing `Github Action` variables to `Codebuild`, you can use the `env-vars-for-codebuild` option in the [AWS Codebuild Marketplace Action](https://github.com/marketplace/actions/aws-codebuild-run-build-action-for-github-actions#aws-codebuild-run-build-for-github-actions) for Github Actions. -This Marketplace Action also provides auto-triggering Codebuild from Github pull requests, mergers etc... +This Marketplace Action also provides auto-triggering Codebuild project without using codebuild runners from Github pull requests, mergers etc... From fe11e6de5ff34028db14e10f3cbd2bccdd219aec Mon Sep 17 00:00:00 2001 
From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Tue, 28 Jan 2025 10:06:35 -0500 Subject: [PATCH 137/147] change test image --- buildspec.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/buildspec.yml b/buildspec.yml index 91b98c3f..8516fad8 100644 --- a/buildspec.yml +++ b/buildspec.yml @@ -34,7 +34,7 @@ phases: - pwd - ls -alt ../ - git clone https://github.com/cfpb/regtech-deployments.git - - docker build -t $REGISTRY_IMAGE_NAME -f "regtech-deployments/images/Dockerfile-nginx-alpine" . + - docker build -t $REGISTRY_IMAGE_NAME -f "regtech-deployments/images/Dockerfile-alpine" . # push fails to ecr. needs creds. # push also fails to ghcr, get token doesn't work error. #- docker push $REGISTRY_IMAGE_NAME From 7537d6e4cdebdcc3698f41a4d433f6455028927c Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Tue, 28 Jan 2025 17:41:59 -0500 Subject: [PATCH 138/147] force trigger --- .github/workflows/codebuild_runner_test.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/codebuild_runner_test.yml b/.github/workflows/codebuild_runner_test.yml index 5e66bc62..66f4df6c 100644 --- a/.github/workflows/codebuild_runner_test.yml +++ b/.github/workflows/codebuild_runner_test.yml @@ -17,6 +17,7 @@ jobs: - name: echo run: | + echo "trigger pr" echo -e "running GHA workflow ${{ github.event.number }}\nbuild: ${{ github.run_id }}\nattempt: ${{ github.run_attempt }}" - name: create log stream run: | From 672cb47b9cf68e5d55582ce314140113e5a3f78d Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Wed, 29 Jan 2025 13:41:54 -0500 Subject: [PATCH 139/147] add aws secret oneoff test --- .../workflows/codebuild_runner_aws_secret.yml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 .github/workflows/codebuild_runner_aws_secret.yml 
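Review bot: The new `docker build` line builds from a Dockerfile inside the clone made on the line above, and that clone (`git clone https://github.com/cfpb/regtech-deployments.git`) fetches the remote's default branch at build time with no ref pinned, so the image content depends on whatever is on that branch when the build runs. If this buildspec is meant to outlive the one-off test, pin the source, e.g. `- git clone --depth 1 --branch <PINNED_REF> https://github.com/cfpb/regtech-deployments.git` (placeholder ref). The `post_build` phase this hunk edits starts before the hunk.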
diff --git a/.github/workflows/codebuild_runner_aws_secret.yml b/.github/workflows/codebuild_runner_aws_secret.yml new file mode 100644 index 00000000..fb8b0bf6 --- /dev/null +++ b/.github/workflows/codebuild_runner_aws_secret.yml @@ -0,0 +1,29 @@ +name: CodebuildRunnerAWSSecret + +on: + pull_request: + branches: [main] + +jobs: + test1: + env: + runs-on: + - codebuild-cfpb-regtech-gha-test-1-${{ github.run_id }}-${{ github.run_attempt }} + steps: + - name: 'Checkout GitHub Action' + uses: actions/checkout@v4 + + - name: get secrets from aws + id: get-aws-secret + uses: aws-actions/aws-secretsmanager-get-secrets@v2 + with: + secret-ids: | + TEST_SECRET_1, cfpb/team/regtech/gha-codebuild-runner/test-secret-1 + TEST_SECRET_2, cfpb/team/regtech/gha-codebuild-runner/test-secret-2 + TEST_SECRET_3,arn:aws:secretsmanager:us-east-1:099248080076:secret:cfpb/team/regtech/gha-codebuild-runner/test-secret-3-9lVad8 + - name: check aws secrets + id: check-aws-secrets + run: | + echo -e "show test-secret-1 ${{ env.TEST_SECRET_1 }}" + echo -e "show test-secret-2 ${{ env.TEST_SECRET_2 }}" + echo -e "show test-secret-3 ${{ env.TEST_SECRET_3 }}" From e86f1a004f4685ea66d60f1caa15a69efa785941 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Wed, 29 Jan 2025 13:42:50 -0500 Subject: [PATCH 140/147] add aws secret oneoff test --- .github/workflows/codebuild_runner_aws_secret.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/codebuild_runner_aws_secret.yml b/.github/workflows/codebuild_runner_aws_secret.yml index fb8b0bf6..900f4e5c 100644 --- a/.github/workflows/codebuild_runner_aws_secret.yml +++ b/.github/workflows/codebuild_runner_aws_secret.yml @@ -6,7 +6,6 @@ on: jobs: test1: - env: runs-on: - codebuild-cfpb-regtech-gha-test-1-${{ github.run_id }}-${{ github.run_attempt }} steps: From 57c93e0cad6d972a069389acd515a193b5c1cab0 Mon Sep 17 00:00:00 2001 
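Review bot: In the `check aws secrets` step each secret is interpolated through `${{ env.TEST_SECRET_n }}` into the script text, so the runner substitutes the raw value into the shell source before the shell executes it, and any shell metacharacters in a secret value are interpreted; referencing the exported variable instead keeps the value out of the script body, e.g. `echo "show test-secret-1 $TEST_SECRET_1"`. These three lines also write the values to the job log before any mask is registered, which the markdown hunks in this series already describe as the action's plain-text behaviour. The bare `env:` key under `test1` is a YAML null rather than a mapping and looks like a validation error; it is removed in the next commit. `actions/checkout@v4` and `aws-actions/aws-secretsmanager-get-secrets@v2` are mutable tags; pinning both to a full commit SHA would make the secret-handling step reproducible.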
From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Wed, 29 Jan 2025 13:46:39 -0500 Subject: [PATCH 141/147] add aws secret oneoff test --- .github/workflows/codebuild_runner_aws_secret.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/codebuild_runner_aws_secret.yml b/.github/workflows/codebuild_runner_aws_secret.yml index 900f4e5c..7535bf3c 100644 --- a/.github/workflows/codebuild_runner_aws_secret.yml +++ b/.github/workflows/codebuild_runner_aws_secret.yml @@ -26,3 +26,7 @@ jobs: echo -e "show test-secret-1 ${{ env.TEST_SECRET_1 }}" echo -e "show test-secret-2 ${{ env.TEST_SECRET_2 }}" echo -e "show test-secret-3 ${{ env.TEST_SECRET_3 }}" + echo -e "::add-mask::${{ env.TEST_SECRET_1 }} <---masked" + echo -e "::add-mask::${{ env.TEST_SECRET_2 }} <---masked" + echo -e "::add-mask::${{ env.TEST_SECRET_3 }} <---masked" + From d25c48a0224149da427bc43bf32a08d982534845 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Wed, 29 Jan 2025 13:50:10 -0500 Subject: [PATCH 142/147] add aws secret oneoff test --- .github/workflows/codebuild_runner_aws_secret.yml | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/.github/workflows/codebuild_runner_aws_secret.yml b/.github/workflows/codebuild_runner_aws_secret.yml index 7535bf3c..9532f9c5 100644 --- a/.github/workflows/codebuild_runner_aws_secret.yml +++ b/.github/workflows/codebuild_runner_aws_secret.yml 
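Review bot: The `::add-mask::` workflow command takes the remainder of the line as the string to mask, so the trailing ` <---masked` on each new line is registered as part of the value and the bare secret itself stays unmasked. `echo -e` also interprets backslash sequences in the value, so a secret containing `\n` or `\t` would register a transformed string that does not match what the action exported. The masks are registered after the three `show test-secret-*` lines above have already printed the values; the order should be reversed, with each line reduced to `echo "::add-mask::$TEST_SECRET_1"` (no `-e`, no suffix, variable reference rather than expression).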
@@ -23,10 +23,7 @@ jobs: - name: check aws secrets id: check-aws-secrets run: | - echo -e "show test-secret-1 ${{ env.TEST_SECRET_1 }}" - echo -e "show test-secret-2 ${{ env.TEST_SECRET_2 }}" - echo -e "show test-secret-3 ${{ env.TEST_SECRET_3 }}" - echo -e "::add-mask::${{ env.TEST_SECRET_1 }} <---masked" - echo -e "::add-mask::${{ env.TEST_SECRET_2 }} <---masked" - echo -e "::add-mask::${{ env.TEST_SECRET_3 }} <---masked" + echo "::add-mask::${{ env.TEST_SECRET_1 }}" + echo "::add-mask::${{ env.TEST_SECRET_2 }}" + echo -e "::add-mask::${{ env.TEST_SECRET_3 }}" From 10af98152cca25ef22c6c774efbf797a51ef5b53 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Wed, 29 Jan 2025 13:54:03 -0500 Subject: [PATCH 143/147] add aws secret oneoff test --- .github/workflows/codebuild_runner_aws_secret.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/codebuild_runner_aws_secret.yml b/.github/workflows/codebuild_runner_aws_secret.yml index 9532f9c5..aa5d4cdc 100644 --- a/.github/workflows/codebuild_runner_aws_secret.yml +++ b/.github/workflows/codebuild_runner_aws_secret.yml @@ -25,5 +25,5 @@ jobs: run: | echo "::add-mask::${{ env.TEST_SECRET_1 }}" echo "::add-mask::${{ env.TEST_SECRET_2 }}" - echo -e "::add-mask::${{ env.TEST_SECRET_3 }}" + echo "this causes the mask to break ::add-mask::${{ env.TEST_SECRET_3 }}" From 05c368c6545074d164ad15db10da86e87ad21c02 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Mon, 3 Feb 2025 17:01:43 -0500 Subject: [PATCH 144/147] testing --- buildspec.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/buildspec.yml b/buildspec.yml index 8516fad8..0eea5d87 100644 --- a/buildspec.yml +++ b/buildspec.yml @@ -15,6 +15,7 @@ env: phases: install: commands: + - codebuild-init - kubectl version --client=true --output yaml pre_build: commands: 
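Review bot: The third new line keeps `echo -e` while the first two drop it, so `TEST_SECRET_3` is still masked through a backslash-interpreted copy of its value and may not match the exported string if it contains escape sequences; `echo "::add-mask::${{ env.TEST_SECRET_3 }}"` would make the three lines consistent. Referencing `$TEST_SECRET_3` from the environment instead of the `${{ env.* }}` expression would additionally keep the value out of the rendered script text.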
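Review bot: The changed line `echo "this causes the mask to break ::add-mask::${{ env.TEST_SECRET_3 }}"` reads as a deliberate probe of the command's line-prefix rule, but nothing in the file records that, so a later reader may take it for a working mask; add a comment above the step such as `# intentional: text before ::add-mask:: keeps the command from registering, so TEST_SECRET_3 is expected to stay unmasked` (wording to be confirmed by the author). If that is the intent, the step name `check aws secrets` could also say so.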
@@ -23,20 +24,19 @@ phases: - echo "TEST_SECRET_2 = ${TEST_SECRET_2}" - export IMAGE_NAME="cfpb/regtech/regtech-gha-codebuild-test" - export IMAGE_TAG=$CODEBUILD_BUILD_NUMBER - #- export REGISTRY_IMAGE_NAME="${ECR_ACCOUNT_REGISTRY}/${IMAGE_NAME}:${IMAGE_TAG}" - - export REGISTRY_IMAGE_NAME="${IMAGE_NAME}:${IMAGE_TAG}" - #- export IMAGE_NAME="regtech/sbl/nginx-alpine-test" - #- export IMAGE_TAG="codebuild" + - export REGISTRY_IMAGE_NAME="${ECR_ACCOUNT_REGISTRY}/${IMAGE_NAME}:${IMAGE_TAG}" #- export GITHUB_IMAGE_NAME="ghcr.io/cfpb/${IMAGE_NAME}:${IMAGE_TAG}" - env | sort post_build: commands: - pwd - ls -alt ../ - - git clone https://github.com/cfpb/regtech-deployments.git - - docker build -t $REGISTRY_IMAGE_NAME -f "regtech-deployments/images/Dockerfile-alpine" . + - docker pull docker pull ghcr.io/cfpb/regtech/sbl/python-ubi8:latest + - docker tag ghcr.io/cfpb/regtech/sbl/python-ubi8:latest $REGISTRY_IMAGE_NAME + #- git clone https://github.com/cfpb/regtech-deployments.git + #- docker build -t $REGISTRY_IMAGE_NAME -f "regtech-deployments/images/Dockerfile-alpine" . # push fails to ecr. needs creds. # push also fails to ghcr, get token doesn't work error. #- docker push $REGISTRY_IMAGE_NAME - - aws sts get-caller-identity - - aws ecr list-images --repository-name cfpb/regtech/sbl-filing-api + #- aws sts get-caller-identity + #- aws ecr list-images --repository-name cfpb/regtech/sbl-filing-api From a6cf801ffed0ef2ecb06c8f1ccab16554132036a Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Tue, 4 Feb 2025 16:21:33 -0500 Subject: [PATCH 145/147] testing --- buildspec.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/buildspec.yml b/buildspec.yml index 0eea5d87..61be21a4 100644 --- a/buildspec.yml +++ b/buildspec.yml 
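Review bot: The new line `docker pull docker pull ghcr.io/cfpb/regtech/sbl/python-ubi8:latest` repeats the subcommand, so the docker CLI receives `docker` and `pull` as image arguments and the pull almost certainly fails before the following `docker tag` runs (the `@@ -31,7 +31,7 @@` hunk below corrects it). Both this hunk and that later one pull the mutable `:latest` tag and then retag it as `$REGISTRY_IMAGE_NAME`, so the image that lands under the ECR name is whatever `latest` resolved to at run time; pinning by digest, e.g. `ghcr.io/cfpb/regtech/sbl/python-ubi8@sha256:<DIGEST>` (placeholder), would make the retag reproducible. The `pre_build` and `post_build` phases this hunk touches begin before the hunk.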
@@ -21,7 +21,7 @@ phases: commands: - echo "TEST_SECRET_1 = ${TEST_SECRET_1}" - echo "TEST_SECRET_2 = ${TEST_SECRET_2}" - - echo "TEST_SECRET_2 = ${TEST_SECRET_2}" + - echo "TEST_SECRET_3 = ${TEST_SECRET_3}" - export IMAGE_NAME="cfpb/regtech/regtech-gha-codebuild-test" - export IMAGE_TAG=$CODEBUILD_BUILD_NUMBER - export REGISTRY_IMAGE_NAME="${ECR_ACCOUNT_REGISTRY}/${IMAGE_NAME}:${IMAGE_TAG}" From 3a673ccd37398c992a59190b324b1f6a518d2ace Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Tue, 4 Feb 2025 17:14:02 -0500 Subject: [PATCH 146/147] testing --- buildspec.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/buildspec.yml b/buildspec.yml index 61be21a4..b1363d56 100644 --- a/buildspec.yml +++ b/buildspec.yml @@ -15,7 +15,7 @@ env: phases: install: commands: - - codebuild-init + #- codebuild-init - kubectl version --client=true --output yaml pre_build: commands: From b274736111940d10cee314e5eb1c44109027b3c2 Mon Sep 17 00:00:00 2001 From: Bruno <15909838+thetoolsmith@users.noreply.github.com> Date: Tue, 4 Feb 2025 17:19:58 -0500 Subject: [PATCH 147/147] testing --- buildspec.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/buildspec.yml b/buildspec.yml index b1363d56..29b6d706 100644 --- a/buildspec.yml +++ b/buildspec.yml @@ -31,7 +31,7 @@ phases: commands: - pwd - ls -alt ../ - - docker pull docker pull ghcr.io/cfpb/regtech/sbl/python-ubi8:latest + - docker pull ghcr.io/cfpb/regtech/sbl/python-ubi8:latest - docker tag ghcr.io/cfpb/regtech/sbl/python-ubi8:latest $REGISTRY_IMAGE_NAME #- git clone https://github.com/cfpb/regtech-deployments.git #- docker build -t $REGISTRY_IMAGE_NAME -f "regtech-deployments/images/Dockerfile-alpine" .
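Review bot: The corrected line `echo "TEST_SECRET_3 = ${TEST_SECRET_3}"` still prints the secret value itself, and together with the two context lines above it writes all three values into the CodeBuild build log, where the GitHub `::add-mask::` mechanism discussed elsewhere in this series presumably does not apply. If the goal is only to confirm the variable reached the build, print its presence rather than its content, e.g. `- test -n "${TEST_SECRET_3}" && echo "TEST_SECRET_3 is set"`, and apply the same to the two lines above. The `pre_build` phase containing these commands starts before the hunk.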