Skip to content

Commit 918f8cc

Browse files
committed
fix(github-actions): reenable bundled token for remote configurations
1 parent 407aa5e commit 918f8cc

File tree

6 files changed

+108
-23
lines changed

6 files changed

+108
-23
lines changed

github-actions/bazel/configure-remote/BUILD.bazel

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -13,6 +13,7 @@ ts_library(
1313
# TODO(devversion): Remove this when `ts_library` supports `.mts` extension.
1414
devmode_module = "commonjs",
1515
deps = [
16+
"@npm//@actions/core",
1617
"@npm//@types/node",
1718
],
1819
)

github-actions/bazel/configure-remote/action.yml

Lines changed: 14 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -7,12 +7,19 @@ inputs:
77
description: |
88
If specified, the given `bazelrc` file is being updated to always run
99
with the `--config=remote` flag. Defaults to `.bazelrc.user`
10+
allow_windows_rbe:
11+
default: false
12+
description: |
13+
Whether to allow remote execution to be configured for Windows. By default,
14+
Windows is only configured to leverage remote caching.
15+
google_credential:
16+
description: |
17+
A Google credential to be used as authentication for RBE API usages
18+
trusted_build:
19+
default: false
20+
description: |
21+
Whether the environment should be considerd a trusted build.
1022
1123
runs:
12-
using: composite
13-
steps:
14-
- run: node $GITHUB_ACTION_PATH/configure-remote.cjs
15-
env:
16-
BAZELRC_PATH: ${{ inputs.bazelrc }}
17-
NGAT: 'bKddxrYADouso3haW7lCFA=='
18-
shell: bash
24+
using: 'node20'
25+
main: 'configure-remote.cjs'

github-actions/bazel/configure-remote/configure-remote.cjs

Lines changed: 65 additions & 3 deletions
Large diffs are not rendered by default.

github-actions/bazel/configure-remote/constants.ts

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,6 @@
99
const owner = (process.env.CIRCLE_PROJECT_USERNAME ?? process.env.GITHUB_REPOSITORY_OWNER)!;
1010

1111
export const alg = 'aes-256-gcm';
12-
export const at = 'My6YOu2Le3+lG5WAHgQp8g==';
12+
export const at = 'QwbjZ/z+yDtD+XZjKj9Ynw==';
1313
export const k = owner.padEnd(32, '<');
1414
export const iv = '000003213213123213';
-1 Bytes
Binary file not shown.

github-actions/bazel/configure-remote/index.ts

Lines changed: 27 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -6,37 +6,45 @@
66
* found in the LICENSE file at https://angular.io/license
77
*/
88

9-
// @ts-ignore
9+
// @ts-ignore-next-line
1010
import tokenRaw from './gcp_token.data';
1111
import {k, iv, alg, at} from './constants.js';
1212
import {createDecipheriv} from 'crypto';
1313
import path from 'path';
1414
import fs from 'fs';
1515
import os from 'os';
16+
import {exportVariable, getBooleanInput, getInput} from '@actions/core';
1617

17-
async function main(bazelRcPath: string | undefined) {
18+
async function main() {
1819
const isWindows = os.platform() === 'win32';
19-
const t: Uint8Array = tokenRaw;
20-
const dcip = createDecipheriv(alg, k, iv).setAuthTag(Buffer.from(at, 'base64'));
21-
const dec = dcip.update(t, undefined, 'utf8') + dcip.final('utf8');
20+
const bazelRcPath = getInput('bazelrc', {required: false, trimWhitespace: true});
21+
const allowWindowsRbe = getBooleanInput('allow_windows_rbe', {required: true});
22+
const trustedBuild = getBooleanInput('trusted_build', {required: false});
23+
const credential =
24+
getInput('google_credential', {required: false, trimWhitespace: true}) ||
25+
getEmbeddedCredential();
2226

2327
const destPath = isWindows
2428
? path.join(process.env.APPDATA!, 'gcloud/application_default_credentials.json')
2529
: path.join(process.env.HOME!, '.config/gcloud/application_default_credentials.json');
2630

2731
await fs.promises.mkdir(path.dirname(destPath), {recursive: true});
28-
await fs.promises.writeFile(destPath, dec, 'utf8');
32+
await fs.promises.writeFile(destPath, credential, 'utf8');
33+
34+
const configMode = isWindows && !allowWindowsRbe ? 'remote-cache' : 'remote';
2935

3036
if (bazelRcPath) {
3137
let content = await readFileGracefully(bazelRcPath);
32-
if (isWindows) {
33-
// Set the config to remote-cache as we do not have support for RBE on windows at this time
34-
content += '\nbuild --config=remote-cache';
35-
} else {
36-
content += '\nbuild --config=remote';
38+
content += `\nbuild --config=${configMode}`;
39+
if (trustedBuild) {
40+
content += `\nbuild --config=trusted-build`;
3741
}
3842
await fs.promises.writeFile(bazelRcPath, content, 'utf8');
3943
}
44+
45+
// Expose application credentials as variable. This may not be necessary with the default
46+
// path being used for credentials, but it's helpful when we cross boundaries with e.g. WSL.
47+
exportVariable('GOOGLE_APPLICATION_CREDENTIALS', destPath);
4048
}
4149

4250
async function readFileGracefully(filePath: string): Promise<string> {
@@ -47,7 +55,14 @@ async function readFileGracefully(filePath: string): Promise<string> {
4755
}
4856
}
4957

50-
main(process.env.BAZELRC_PATH).catch((e) => {
58+
/** Extract the embeeded credential from the action. */
59+
function getEmbeddedCredential(): string {
60+
const t: Uint8Array = tokenRaw;
61+
const dcip = createDecipheriv(alg, k, iv).setAuthTag(Buffer.from(at, 'base64'));
62+
return dcip.update(t, undefined, 'utf8') + dcip.final('utf8');
63+
}
64+
65+
main().catch((e) => {
5166
console.error(e);
5267
process.exitCode = 1;
5368
});

0 commit comments

Comments
 (0)