actions/gradle
1
0
Fork 0
mirror of https://github.com/gradle/actions.git synced 2025-08-19 15:31:28 +08:00
Code Issues Packages Projects Releases Wiki Activity

Set both DEVELOCITY_ACCESS_KEY and GRADLE_ENTERPRISE_ACCESS_KEY env vars (#225)

Browse Source 
Follow up of https://github.com/gradle/actions/pull/224, we now attempt to set both old and new access key env variables to a short lived token.
If a short-lived token cannot be obtained, then:
- DEVELOCITY_ACCESS_KEY is set to an empty string, preventing this from being used.
- GRADLE_ENTERPRISE_ACCESS_KEY is left intact, with a deprecation warning being issued.
This commit is contained in:
Alexis Tual 2024-05-17 23:07:50 +02:00 committed by GitHub
parent db270b9337
commit 96b9cb4988
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 61 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
.github/workflows/integ-test-inject-develocity.yml vendored
View File

@ -67,21 +67,23 @@ jobs:
with: with:
script: | script: |
core.setFailed('No Build Scan detected') core.setFailed('No Build Scan detected')
- name: Check short lived token - name: Check short lived token (DEVELOCITY_ACCESS_KEY)
if: ${{ matrix.plugin-version == '3.17.3' }}
run: "[ ${#DEVELOCITY_ACCESS_KEY} -gt 500 ] || (echo 'DEVELOCITY_ACCESS_KEY does not look like a short lived token'; exit 1)" run: "[ ${#DEVELOCITY_ACCESS_KEY} -gt 500 ] || (echo 'DEVELOCITY_ACCESS_KEY does not look like a short lived token'; exit 1)"
- name: Check short lived token (GRADLE_ENTERPRISE_ACCESS_KEY)
run: "[ ${#GRADLE_ENTERPRISE_ACCESS_KEY} -gt 500 ] || (echo 'GRADLE_ENTERPRISE_ACCESS_KEY does not look like a short lived token'; exit 1)"
inject-develocity-with-access-key: inject-develocity-with-access-key:
env: env:
DEVELOCITY_INJECTION_ENABLED: true DEVELOCITY_INJECTION_ENABLED: true
DEVELOCITY_URL: 'https://ge.solutions-team.gradle.com' DEVELOCITY_URL: 'https://ge.solutions-team.gradle.com'
DEVELOCITY_PLUGIN_VERSION: 3.17.3 DEVELOCITY_PLUGIN_VERSION: ${{ matrix.plugin-version }}
DEVELOCITY_CCUD_PLUGIN_VERSION: '2.0' DEVELOCITY_CCUD_PLUGIN_VERSION: '2.0'
strategy: strategy:
fail-fast: false fail-fast: false
matrix: matrix:
gradle: [current, 7.6.2, 6.9.4, 5.6.4] gradle: [current, 7.6.2, 6.9.4, 5.6.4]
os: ${{fromJSON(inputs.runner-os)}} os: ${{fromJSON(inputs.runner-os)}}
plugin-version: [3.16.2, 3.17.3]
runs-on: ${{ matrix.os }} runs-on: ${{ matrix.os }}
steps: steps:
- name: Checkout sources - name: Checkout sources
@ -105,8 +107,10 @@ jobs:
id: gradle id: gradle
working-directory: .github/workflow-samples/no-ge working-directory: .github/workflow-samples/no-ge
run: gradle help run: gradle help
- name: Check short lived token - name: Check short lived token (DEVELOCITY_ACCESS_KEY)
run: "[ ${#DEVELOCITY_ACCESS_KEY} -gt 500 ] || (echo 'DEVELOCITY_ACCESS_KEY does not look like a short lived token'; exit 1)" run: "[ ${#DEVELOCITY_ACCESS_KEY} -gt 500 ] || (echo 'DEVELOCITY_ACCESS_KEY does not look like a short lived token'; exit 1)"
- name: Check short lived token (GRADLE_ENTERPRISE_ACCESS_KEY)
run: "[ ${#GRADLE_ENTERPRISE_ACCESS_KEY} -gt 500 ] || (echo 'GRADLE_ENTERPRISE_ACCESS_KEY does not look like a short lived token'; exit 1)"
- name: Check Build Scan url - name: Check Build Scan url
if: ${{ !steps.gradle.outputs.build-scan-url }} if: ${{ !steps.gradle.outputs.build-scan-url }}
uses: actions/github-script@v7 uses: actions/github-script@v7
@ -118,10 +122,17 @@ jobs:
env: env:
DEVELOCITY_INJECTION_ENABLED: true DEVELOCITY_INJECTION_ENABLED: true
DEVELOCITY_URL: 'https://localhost:3333/' DEVELOCITY_URL: 'https://localhost:3333/'
DEVELOCITY_PLUGIN_VERSION: 3.17.3 DEVELOCITY_PLUGIN_VERSION: ${{ matrix.plugin-version }}
DEVELOCITY_CCUD_PLUGIN_VERSION: '2.0' DEVELOCITY_CCUD_PLUGIN_VERSION: '2.0'
# Access key also set as an env var, we want to check it does not leak # Access key also set as an env var, we want to check it does not leak
GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }} DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}
strategy:
fail-fast: false
matrix:
gradle: [ current, 7.6.2, 6.9.4, 5.6.4 ]
os: ${{fromJSON(inputs.runner-os)}}
plugin-version: [ 3.16.2, 3.17.3 ]
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout sources - name: Checkout sources
@ -144,5 +155,7 @@ jobs:
id: gradle id: gradle
working-directory: .github/workflow-samples/no-ge working-directory: .github/workflow-samples/no-ge
run: gradle help run: gradle help
- name: Check access key is blank - name: Check access key is blank (DEVELOCITY_ACCESS_KEY)
run: "[ \"${DEVELOCITY_ACCESS_KEY}\" == \"\" ] || (echo 'DEVELOCITY_ACCESS_KEY has leaked!'; exit 1)" run: "[ \"${DEVELOCITY_ACCESS_KEY}\" == \"\" ] || (echo 'DEVELOCITY_ACCESS_KEY has leaked!'; exit 1)"
- name: Check access key is not blank (GRADLE_ENTERPRISE_ACCESS_KEY)
run: "[ \"${GRADLE_ENTERPRISE_ACCESS_KEY}\" != \"\" ] || (echo 'GRADLE_ENTERPRISE_ACCESS_KEY is still supported in v3!'; exit 1)"

5
docs/deprecation-upgrade-guide.md
View File

@ -143,3 +143,8 @@ to this:
build-scan-terms-of-use-agree: "yes" build-scan-terms-of-use-agree: "yes"
``` ```
These deprecated build-scan parameters are scheduled to be removed in `setup-gradle@v4` and `dependency-submission@v4`. These deprecated build-scan parameters are scheduled to be removed in `setup-gradle@v4` and `dependency-submission@v4`.
## The GRADLE_ENTERPRISE_ACCESS_KEY env var is deprecated
Gradle Enterprise has been renamed to Develocity starting from Gradle plugin 3.17 and Develocity server 2024.1.
In v4 release of the action, it will require setting the access key with the `develocity-access-key` input and Develocity 2024.1 at least to generate short-lived tokens.
If those requirements are not met, the `GRADLE_ENTERPRISE_ACCESS_KEY` env var will be cleared out and build scan publication or other authenticated Develocity operations won't be possible.

5
docs/setup-gradle.md
View File

@ -747,8 +747,9 @@ This access key will be used during the action execution to get a short-lived to
### Short-lived access tokens ### Short-lived access tokens
Develocity access keys are long-lived, creating risks if they are leaked. To avoid this, users can use short-lived access tokens to authenticate with Develocity. Access tokens can be used wherever an access key would be used. Access tokens are only valid for the Develocity instance that created them. Develocity access keys are long-lived, creating risks if they are leaked. To avoid this, users can use short-lived access tokens to authenticate with Develocity. Access tokens can be used wherever an access key would be used. Access tokens are only valid for the Develocity instance that created them.
If a short-lived token fails to be retrieved (for example, if the Develocity server version is lower than `2024.1`), no access key will be set. If a short-lived token fails to be retrieved (for example, if the Develocity server version is lower than `2024.1`):
In that case, Develocity authenticated operations like build cache read/write and build scan publication will fail without failing the build. - if a `GRADLE_ENTERPRISE_ACCESS_KEY` env var has been set, we're falling back to it with a deprecation warning
- otherwise no access key env var will be set. In that case Develocity authenticated operations like build cache read/write and build scan publication will fail without failing the build.
For more information on short-lived tokens, see [Develocity API documentation](https://docs.gradle.com/develocity/api-manual/#short_lived_access_tokens). For more information on short-lived tokens, see [Develocity API documentation](https://docs.gradle.com/develocity/api-manual/#short_lived_access_tokens).
## Configuring Develocity injection ## Configuring Develocity injection

10
sources/src/configuration.ts
View File

@ -188,6 +188,9 @@ export enum JobSummaryOption {
} }
export class BuildScanConfig { export class BuildScanConfig {
static DevelocityAccessKeyEnvVar = 'DEVELOCITY_ACCESS_KEY'
static GradleEnterpriseAccessKeyEnvVar = 'GRADLE_ENTERPRISE_ACCESS_KEY'
getBuildScanPublishEnabled(): boolean { getBuildScanPublishEnabled(): boolean {
return getBooleanInput('build-scan-publish') && this.verifyTermsOfUseAgreement() return getBooleanInput('build-scan-publish') && this.verifyTermsOfUseAgreement()
} }
@ -201,7 +204,12 @@ export class BuildScanConfig {
} }
getDevelocityAccessKey(): string { getDevelocityAccessKey(): string {
return core.getInput('develocity-access-key') || process.env['DEVELOCITY_ACCESS_KEY'] || '' return (
core.getInput('develocity-access-key') ||
process.env[BuildScanConfig.DevelocityAccessKeyEnvVar] ||
process.env[BuildScanConfig.GradleEnterpriseAccessKeyEnvVar] ||
''
)
} }
getDevelocityTokenExpiry(): string { getDevelocityTokenExpiry(): string {

25
sources/src/develocity/short-lived-token.ts
View File

@ -1,5 +1,7 @@
import * as httpm from 'typed-rest-client/HttpClient' import * as httpm from 'typed-rest-client/HttpClient'
import * as core from '@actions/core' import * as core from '@actions/core'
import {BuildScanConfig} from '../configuration'
import {recordDeprecation} from '../deprecation-collector'
export async function setupToken( export async function setupToken(
develocityAccessKey: string, develocityAccessKey: string,
@ -7,27 +9,40 @@ export async function setupToken(
enforceUrl: string | undefined, enforceUrl: string | undefined,
develocityUrl: string | undefined develocityUrl: string | undefined
): Promise<void> { ): Promise<void> {
const develocityAccesskeyEnvVar = 'DEVELOCITY_ACCESS_KEY'
if (develocityAccessKey) { if (develocityAccessKey) {
try { try {
core.debug('Fetching short-lived token...') core.debug('Fetching short-lived token...')
const tokens = await getToken(enforceUrl, develocityUrl, develocityAccessKey, develocityTokenExpiry) const tokens = await getToken(enforceUrl, develocityUrl, develocityAccessKey, develocityTokenExpiry)
if (tokens != null && !tokens.isEmpty()) { if (tokens != null && !tokens.isEmpty()) {
core.debug(`Got token(s), setting the ${develocityAccesskeyEnvVar} env var`) core.debug(`Got token(s), setting the access key env vars`)
const token = tokens.raw() const token = tokens.raw()
core.setSecret(token) core.setSecret(token)
core.exportVariable(develocityAccesskeyEnvVar, token) exportAccessKeyEnvVars(token)
} else { } else {
// In case of not being able to generate a token we set the env variable to empty to avoid leaks // In case of not being able to generate a token we set the env variable to empty to avoid leaks
core.exportVariable(develocityAccesskeyEnvVar, '') clearAccessKeyEnvVarsWithDeprecationWarning()
} }
} catch (e) { } catch (e) {
core.exportVariable(develocityAccesskeyEnvVar, '') clearAccessKeyEnvVarsWithDeprecationWarning()
core.warning(`Failed to fetch short-lived token, reason: ${e}`) core.warning(`Failed to fetch short-lived token, reason: ${e}`)
} }
} }
} }
function exportAccessKeyEnvVars(value: string): void {
;[BuildScanConfig.DevelocityAccessKeyEnvVar, BuildScanConfig.GradleEnterpriseAccessKeyEnvVar].forEach(key =>
core.exportVariable(key, value)
)
}
function clearAccessKeyEnvVarsWithDeprecationWarning(): void {
if (process.env[BuildScanConfig.GradleEnterpriseAccessKeyEnvVar]) {
// We do not clear the GRADLE_ENTERPRISE_ACCESS_KEY env var in v3, to let the users upgrade to DV 2024.1
recordDeprecation(`The ${BuildScanConfig.GradleEnterpriseAccessKeyEnvVar} env var is deprecated`)
}
core.exportVariable(BuildScanConfig.DevelocityAccessKeyEnvVar, '')
}
export async function getToken( export async function getToken(
enforceUrl: string | undefined, enforceUrl: string | undefined,
serverUrl: string | undefined, serverUrl: string | undefined,