@@ -32,30 +32,31 @@ jobs:
3232 local n=0
3333 until [ $n -ge 5 ]; do
3434 "$@" && return 0
35- n=$((n+1)); echo "::warning::Retry $n/5..."; sleep $((n*5))
35+ n=$((n+1)); echo "::warning::Retry $n/5..." >&2 ; sleep $((n*5))
3636 done
3737 return 1
3838 }
3939
40- ACCESS_TOKEN="$(
41- retry curl -fsS -X POST "${KMS_URL}/api/v1/auth/universal-auth/login" \
40+ kms_login() {
41+ curl -fsS -X POST "${KMS_URL}/api/v1/auth/universal-auth/login" \
4242 -H "Content-Type: application/json" \
4343 -d "$(jq -nc --arg cid "$KMS_CLIENT_ID" --arg cs "$KMS_CLIENT_SECRET" \
4444 '{clientId: $cid, clientSecret: $cs}')" \
45- | jq -r '.accessToken'
46- )"
45+ | jq -re '.accessToken'
46+ }
4747
48+ ACCESS_TOKEN="$(retry kms_login)"
4849 [ -n "${ACCESS_TOKEN}" ] && [ "${ACCESS_TOKEN}" != "null" ] || {
4950 echo "::error::Failed to authenticate to Hanzo KMS"; exit 1; }
5051
5152 fetch_secret() {
52- retry curl -fsS "${KMS_URL}/api/v3/secrets/raw/${1}?workspaceSlug=gitops&environment=prod&secretPath=/ci&viewSecretValue=true&include_imports=true" \
53+ curl -fsS "${KMS_URL}/api/v3/secrets/raw/${1}?workspaceSlug=gitops&environment=prod&secretPath=/ci&viewSecretValue=true&include_imports=true" \
5354 -H "Authorization: Bearer ${ACCESS_TOKEN}" \
54- | jq -r '.secret.secretValue'
55+ | jq -re '.secret.secretValue'
5556 }
5657
5758 for name in DOCKERHUB_USERNAME DOCKERHUB_TOKEN DIGITALOCEAN_ACCESS_TOKEN; do
58- val="$(fetch_secret "$name")"
59+ val="$(retry fetch_secret "$name")"
5960 [ -n "$val" ] && [ "$val" != "null" ] || { echo "::error::Missing KMS secret $name"; exit 1; }
6061 echo "::add-mask::${val}"
6162 echo "${name}=${val}" >> "$GITHUB_OUTPUT"
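Review bot: The values returned by `jq -re` are only checked for empty and `null` before they reach `echo "::add-mask::${val}"` and `echo "${name}=${val}" >> "$GITHUB_OUTPUT"` (new lines 60-62), so a secret containing a newline would be mishandled. `jq -r` emits embedded newlines raw, `add-mask` is a single-line workflow command, and the `name=value` form of `$GITHUB_OUTPUT` is single-line too; any further lines would most likely print to the job log unmasked and then be rejected or parsed as separate output entries. The three names fetched here are presumably single-line tokens, but nothing enforces that, so I would fail closed before masking with `case "$val" in *$'\n'*) echo "::error::KMS secret $name contains a newline"; exit 1;; esac`. The same pair of lines appears in the second hunk for DIGITALOCEAN_ACCESS_TOKEN (new lines 153-154). The `for` loop's closing `done` is outside this hunk.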
@@ -124,24 +125,30 @@ jobs:
124125 local n=0
125126 until [ $n -ge 5 ]; do
126127 "$@" && return 0
127- n=$((n+1)); echo "::warning::Retry $n/5..."; sleep $((n*5))
128+ n=$((n+1)); echo "::warning::Retry $n/5..." >&2 ; sleep $((n*5))
128129 done
129130 return 1
130131 }
131132
132- ACCESS_TOKEN="$(
133- retry curl -fsS -X POST "${KMS_URL}/api/v1/auth/universal-auth/login" \
133+ kms_login() {
134+ curl -fsS -X POST "${KMS_URL}/api/v1/auth/universal-auth/login" \
134135 -H "Content-Type: application/json" \
135136 -d "$(jq -nc --arg cid "$KMS_CLIENT_ID" --arg cs "$KMS_CLIENT_SECRET" \
136137 '{clientId: $cid, clientSecret: $cs}')" \
137- | jq -r '.accessToken'
138- )"
138+ | jq -re '.accessToken'
139+ }
139140
141+ ACCESS_TOKEN="$(retry kms_login)"
140142 [ -n "${ACCESS_TOKEN}" ] && [ "${ACCESS_TOKEN}" != "null" ] || {
141143 echo "::error::Failed to authenticate to Hanzo KMS"; exit 1; }
142144
143- val="$(retry curl -fsS "${KMS_URL}/api/v3/secrets/raw/DIGITALOCEAN_ACCESS_TOKEN?workspaceSlug=gitops&environment=prod&secretPath=/ci&viewSecretValue=true&include_imports=true" \
144- -H "Authorization: Bearer ${ACCESS_TOKEN}" | jq -r '.secret.secretValue')"
145+ fetch_do_token() {
146+ curl -fsS "${KMS_URL}/api/v3/secrets/raw/DIGITALOCEAN_ACCESS_TOKEN?workspaceSlug=gitops&environment=prod&secretPath=/ci&viewSecretValue=true&include_imports=true" \
147+ -H "Authorization: Bearer ${ACCESS_TOKEN}" \
148+ | jq -re '.secret.secretValue'
149+ }
150+
151+ val="$(retry fetch_do_token)"
145152 [ -n "$val" ] && [ "$val" != "null" ] || { echo "::error::Missing KMS secret DIGITALOCEAN_ACCESS_TOKEN"; exit 1; }
146153 echo "::add-mask::${val}"
147154 echo "DIGITALOCEAN_ACCESS_TOKEN=${val}" >> "$GITHUB_OUTPUT"
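Review bot: This job carries a second verbatim copy of `retry` and `kms_login` from the earlier job, and `fetch_do_token` (new lines 145-149) is `fetch_secret` with the secret name hard-coded, so each change to the credential handling has to be made twice, as this commit does for `>&2` and `jq -re`. Duplicated secret-handling code tends to drift, and a hardening fix applied to one copy but not the other is easy to miss in review. Consider moving the login and fetch helpers into one script or composite action that both jobs call, or at least keeping the parameterised `fetch_secret "$name"` form here so the two paths stay textually identical. The `retry` function begins above this hunk.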
@@ -159,4 +166,3 @@ jobs:
159166 kubectl -n hanzo set image statefulset/postgres \
160167 postgres=ghcr.io/hanzoai/sql:latest
161168 kubectl -n hanzo rollout status statefulset/postgres --timeout=120s
162-