Copilot AI commented Jan 6, 2026

Implementation Plan for Loading Routes from GitHub Secrets

  • Explore repository structure and understand current route management approach
  • Create a new workflow file .github/workflows/route-manager.yml for workflow_dispatch
  • Add workflow inputs for domain, service, path, and OpenShift connection parameters
  • Add workflow secrets for certificate, private key, and CA certificate
  • Implement workflow steps to:
    • Create temporary certificate files from GitHub secrets
    • Login to OpenShift
    • Create or update the route using oc create route edge command
    • Clean up temporary files
  • Update documentation in cert-setup/README.md to reference the new workflow
  • Add route-manager documentation to main README.md with usage example
  • Validate YAML syntax and fix linting issues
  • Address initial code review feedback:
    • Improve secret masking to handle multi-line certificates properly
    • Use safer certificate file creation with printf
    • Remove eval usage to prevent command injection risks
    • Add version comment for action reference
    • Use consistent variable assignment pattern for all certificates
    • Store domain in environment variable to prevent command injection
    • Fix printf format to avoid interpreting format specifiers
  • Run security checks (no vulnerabilities found)
  • Address PR comments:
    • Use random temporary directory (mktemp -d) for enhanced security
    • Verify certificate files are created and non-empty (size != 0)
    • Patch existing routes instead of deleting and recreating them
  • Address additional security concerns:
    • Use explicit file listing instead of glob expansion
    • Proper quoting in sed commands
    • Safe JSON patch generation with escaped certificate data
  • Refactor route management logic:
    • Extracted route patching/creation logic to oc_scripts/route-manager.sh
    • Workflow now executes the script directly
    • Environment variables passed to script for configuration
    • Use mktemp for patch file creation (security best practice)
  • Final validation complete

Summary

Successfully implemented a GitHub Actions workflow that enables automated route management in OpenShift by loading certificates from GitHub secrets. This solution:

  1. Eliminates manual CLI operations - Users can update routes by updating GitHub secrets and triggering the workflow
  2. Enhanced security - Uses random temporary directories and files (mktemp), validates file contents, proper quoting throughout
  3. Non-disruptive updates - Patches existing routes instead of deleting them
  4. Supports both automated and manual workflows - Can be called from other workflows or triggered manually
  5. Modular design - Route management logic in reusable shell script (oc_scripts/route-manager.sh)
  6. Security hardened - Proper secret masking, safe JSON handling, no command injection vulnerabilities, validated by CodeQL
  7. Well documented - Added comprehensive documentation in both README files with usage examples
Original prompt

This section details the original issue you should resolve

<issue_title>feat: load routes from GitHub secrets</issue_title>
<issue_description>Route management is pretty manual right now and uses the CLI right now. We could update certs in GitHub secrets and use workflows to update those routes using a workflow_dispatch.</issue_description>

Comments on the Issue (you are @copilot in this section)
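
The file-handling steps named in the plan above (random `mktemp -d` directory, `printf` with a fixed format, non-empty check, escaped JSON patch, cleanup), sketched as an added example that is not the PR's `oc_scripts/route-manager.sh`. The function names and sample values are hypothetical; the patch targets the Route `spec.tls` fields and assumes PEM text input.

```shell
#!/bin/sh
# Added example; function names and sample values are hypothetical, not from the PR.
set -eu

# Constructed stand-ins for the certificate, key and CA secrets (not real key material).
# The '%', '"' and '\' characters are there to exercise the quoting paths.
SAMPLE_CERT='-----BEGIN CERTIFICATE-----
MIIB%sample"cert\data
-----END CERTIFICATE-----'
SAMPLE_KEY='-----BEGIN PRIVATE KEY-----
constructedKEY
-----END PRIVATE KEY-----'
SAMPLE_CA='-----BEGIN CERTIFICATE-----
constructedCA
-----END CERTIFICATE-----'

# Write one secret to <dir>/<name>, readable by the owner only; fail if it ends up empty.
write_secret_file() (
  dir=$1 name=$2 value=$3
  umask 077
  # The value is an argument to '%s', so '%' sequences in it are never read as a format.
  if [ -n "$value" ]; then printf '%s\n' "$value" > "$dir/$name"; fi
  [ -s "$dir/$name" ] || { echo "error: $name is missing or empty" >&2; exit 1; }
)

# Emit the file as the body of a JSON string: escape '\' and '"', join lines with a literal \n.
# Assumes PEM text (printable ASCII); other control characters are not handled.
json_escape() (
  tr -d '\r' < "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' |
    while IFS= read -r line || [ -n "$line" ]; do printf '%s\\n' "$line"; done
)

# Build a merge patch for the route's spec.tls in a mktemp file and print the file's path.
build_tls_patch() (
  dir=$1
  patch=$(mktemp "$dir/patch.XXXXXX")
  printf '{"spec":{"tls":{"termination":"edge","certificate":"%s","key":"%s","caCertificate":"%s"}}}\n' \
    "$(json_escape "$dir/tls.crt")" "$(json_escape "$dir/tls.key")" \
    "$(json_escape "$dir/ca.crt")" > "$patch"
  printf '%s\n' "$patch"
)

demo() {
  workdir=$(mktemp -d)              # random private directory, not a fixed path
  trap 'rm -rf "$workdir"' EXIT     # remove the key material even if a step fails
  write_secret_file "$workdir" tls.crt "$SAMPLE_CERT"
  write_secret_file "$workdir" tls.key "$SAMPLE_KEY"
  write_secret_file "$workdir" ca.crt "$SAMPLE_CA"
  cat "$(build_tls_patch "$workdir")"   # the patch document a route update would use
}
demo
```

Because the certificate data only ever travels as a `%s` argument or as file content, nothing in it is evaluated by the shell or interpreted as a format string.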




Thanks for the PR!

Deployments, as required, will be available below:

Please create PRs in draft mode. Mark as ready to enable:

After merge, new images are deployed in:

Copilot AI changed the title from "[WIP] Update route management to use GitHub secrets" to "feat: add workflow to manage OpenShift routes from GitHub secrets" Jan 6, 2026
Copilot AI requested a review from DerekRoberts January 6, 2026 17:49
Copilot AI requested a review from DerekRoberts January 6, 2026 19:01
DerekRoberts moved this from Waiting to Active in DevOps (NR) Jan 10, 2026
DerekRoberts moved this from Active to Next in DevOps (NR) Jan 15, 2026
Development

Successfully merging this pull request may close these issues.

feat: load routes from GitHub secrets