Containerize baton-temporalcloud connector #116
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: ci | |
| on: | |
| pull_request: | |
| paths-ignore: | |
| - "README.md" | |
| env: | |
| TEST_NAMESPACE_NAME: "ci-test" | |
| jobs: | |
| go-lint: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Install Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: 'go.mod' | |
| - name: Run linters | |
| uses: golangci/golangci-lint-action@v8 | |
| with: | |
| version: latest | |
| args: --timeout=3m | |
| - name: Check Config | |
| run: | | |
| make generate | |
| if ! git diff --exit-code pkg/config/conf.gen.go; then | |
| echo "pkg/config/conf.gen.go is out of sync. Please run 'make generate' and commit the changes." | |
| exit 1 | |
| fi | |
| go-test: | |
| strategy: | |
| matrix: | |
| platform: [ubuntu-latest] | |
| runs-on: ${{ matrix.platform }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Install Go | |
| if: success() | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: 'go.mod' | |
| - name: go tests | |
| run: go test -v -covermode=count -json ./... > test.json | |
| - name: annotate go tests | |
| if: always() | |
| uses: guyarb/golang-test-annotations@v0.5.1 | |
| with: | |
| test-results: test.json | |
| setup-temporal-cloud: | |
| runs-on: ubuntu-latest | |
| env: | |
| TEMPORAL_CLOUD_API_KEY: ${{ secrets.TEMPORAL_CLOUD_API_KEY }} | |
| AUTO_CONFIRM: true | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Setup Terraform | |
| uses: hashicorp/setup-terraform@v3 | |
| with: | |
| terraform_version: "1.1.7" | |
| - run: | | |
| terraform init -input=false | |
| working-directory: dev | |
| name: "Initialize Terraform" | |
| - run: | | |
| terraform apply -auto-approve -input=false | |
| working-directory: dev | |
| id: apply | |
| name: "Create test namespace" | |
| - name: "Upload state" | |
| if: ${{ success() }} | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: state | |
| path: dev/terraform.tfstate | |
| retention-days: 1 | |
| overwrite: true | |
| test: | |
| runs-on: ubuntu-latest | |
| needs: | |
| - setup-temporal-cloud | |
| env: | |
| BATON_API_KEY: ${{ secrets.TEMPORAL_CLOUD_API_KEY }} | |
| CONNECTOR_GRANT: 'namespace:ci-test.iv3js:read:user' | |
| CONNECTOR_IMMUTABLE_ENTITLEMENT: 'account-role:iv3js-owner:member' | |
| CONNECTOR_ENTITLEMENT: 'namespace:ci-test.iv3js:read' | |
| CONNECTOR_PRINCIPAL_TYPE: 'user' | |
| USER_EMAIL: "ci-test@${{ secrets.TEST_EMAIL_DOMAIN}}" | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Install Go | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version-file: 'go.mod' | |
| - name: Build baton-temporalcloud | |
| run: go build ./cmd/baton-temporalcloud | |
| - name: Run baton-temporalcloud | |
| run: ./baton-temporalcloud | |
| - name: Install baton | |
| uses: conductorone/github-workflows/actions/get-baton@v2 | |
| - name: provision user | |
| run: | | |
| ./baton-temporalcloud && ./baton-temporalcloud --create-account-profile '{"email": "${{ env.USER_EMAIL }}"}' | |
| - uses: mathiasvr/command-output@v2.0.0 | |
| name: Check user was provisioned | |
| id: user | |
| with: | |
| run: | | |
| ./baton-temporalcloud && baton resources --resource-type=user --output-format=json | jq --exit-status --raw-output '.resources | map(if .resource.displayName == "${{ env.USER_EMAIL }}" then .resource.id.resource else empty end) | if length == 1 then .[0] else null end' | tr -d "\n" | |
| - name: list grants | |
| run: | | |
| ./baton-temporalcloud && baton grants | |
| - name: Grant entitlement | |
| env: | |
| PRINCIPAL_ID: ${{ steps.user.outputs.stdout }} | |
| run: | | |
| ./baton-temporalcloud && ./baton-temporalcloud --grant-entitlement="${{ env.CONNECTOR_ENTITLEMENT }}" --grant-principal="$PRINCIPAL_ID" --grant-principal-type="${{ env.CONNECTOR_PRINCIPAL_TYPE }}" | |
| - name: list grants | |
| run: | | |
| ./baton-temporalcloud && baton grants | |
| - name: Check grant was granted | |
| run: | | |
| ./baton-temporalcloud && baton grants --entitlement="${{ env.CONNECTOR_ENTITLEMENT }}" --output-format=json | jq --exit-status '.grants[].principal.id.resource == env.PRINCIPAL_ID' | |
| env: | |
| PRINCIPAL_ID: ${{ steps.user.outputs.stdout }} | |
| - name: Revoke grants | |
| run: ./baton-temporalcloud && ./baton-temporalcloud --revoke-grant="${{ env.CONNECTOR_GRANT }}:$PRINCIPAL_ID" | |
| env: | |
| PRINCIPAL_ID: ${{ steps.user.outputs.stdout }} | |
| - name: Check grant was revoked | |
| run: ./baton-temporalcloud && baton grants --entitlement="${{ env.CONNECTOR_ENTITLEMENT }}" --output-format=json | jq --exit-status 'if .grants then .grants[]?.principal.id.resource != env.PRINCIPAL_ID else . end' | |
| env: | |
| PRINCIPAL_ID: ${{ steps.user.outputs.stdout }} | |
| - name: Attempt to grant immutable grant | |
| # CLI will return a non-zero code here, but we want to continue anyway | |
| run: | | |
| ./baton-temporalcloud && (./baton-temporalcloud --grant-entitlement="${{ env.CONNECTOR_IMMUTABLE_ENTITLEMENT }}" --grant-principal="$PRINCIPAL_ID" --grant-principal-type="${{ env.CONNECTOR_PRINCIPAL_TYPE }}" || true) | |
| env: | |
| PRINCIPAL_ID: ${{ steps.user.outputs.stdout }} | |
| - name: Check immutable grant was not granted | |
| env: | |
| PRINCIPAL_ID: ${{ steps.user.outputs.stdout }} | |
| run: | | |
| ./baton-temporalcloud && baton grants --entitlement="${{ env.CONNECTOR_IMMUTABLE_ENTITLEMENT }}" --output-format=json | jq --exit-status '.grants | map(if .principal.id.resource == env.PRINCIPAL_ID then .principal else empty end) | length == 0' | |
| - name: Deprovision user | |
| env: | |
| PRINCIPAL_ID: ${{ steps.user.outputs.stdout }} | |
| run: | | |
| ./baton-temporalcloud && ./baton-temporalcloud --delete-resource="$PRINCIPAL_ID" --delete-resource-type=user | |
| - name: Check user was deprovisioned | |
| env: | |
| PRINCIPAL_ID: ${{ steps.user.outputs.stdout }} | |
| run: | | |
| ./baton-temporalcloud && baton resources --resource-type=user --output-format=json | jq --exit-status '.resources | map(if .resource.id.resource == env.PRINCIPAL_ID then .resource else empty end) | length == 0' | |
| teardown-temporal-cloud: | |
| runs-on: ubuntu-latest | |
| env: | |
| TEMPORAL_CLOUD_API_KEY: ${{ secrets.TEMPORAL_CLOUD_API_KEY }} | |
| AUTO_CONFIRM: true | |
| needs: | |
| - test | |
| if: success() || failure() | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Setup Terraform | |
| uses: hashicorp/setup-terraform@v3 | |
| with: | |
| terraform_version: "1.1.7" | |
| - run: | | |
| terraform init -input=false | |
| working-directory: dev | |
| name: "Initialize Terraform" | |
| - name: "Get state" | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: state | |
| path: dev/ | |
| - name: "Delete test namesapce" | |
| run: | | |
| terraform apply -destroy -auto-approve -input=false | |
| working-directory: dev |