feat(docker-build-images): allows to pass GitHub App token as secret

neilime · neilime · commit 6cf67c89176e · 2025-02-18T09:34:41.000+01:00
Signed-off-by: Emilien Escalle &lt;emilien.escalle@escemi.com&gt;
diff --git a/.github/workflows/__main-ci.yml b/.github/workflows/__main-ci.yml
@@ -24,6 +24,7 @@ concurrency:
 jobs:
   ci:
     uses: ./.github/workflows/__shared-ci.yml
+    secrets: inherit
 
   clean:
     needs: ci
diff --git a/.github/workflows/__pull-request-ci.yml b/.github/workflows/__pull-request-ci.yml
@@ -22,3 +22,4 @@ concurrency:
 jobs:
   ci:
     uses: ./.github/workflows/__shared-ci.yml
+    secrets: inherit
diff --git a/.github/workflows/__shared-ci.yml b/.github/workflows/__shared-ci.yml
@@ -52,3 +52,4 @@ jobs:
     name: Test docker build images
     needs: linter
     uses: ./.github/workflows/__test-workflow-docker-build-images.yml
+    secrets: inherit
diff --git a/.github/workflows/__test-workflow-docker-build-images.yml b/.github/workflows/__test-workflow-docker-build-images.yml
@@ -20,9 +20,10 @@ jobs:
     steps:
       - run: |
           if [ -z "${{ secrets.GITHUB_TOKEN }}" ]; then
-            echo "GitHub token secrets is not set"
+            echo "GitHub token secret is not set"
             exit 1
           fi
+
   act:
     needs: arrange
     uses: ./.github/workflows/docker-build-images.yml
@@ -31,6 +32,7 @@ jobs:
       build-secrets: |
         SECRET_REPOSITORY_OWNER=${{ github.repository_owner }}
         SECRET_REPOSITORY=${{ github.repository }}
+      build-secret-github-app-key: ${{ secrets.CI_BOT_APP_PRIVATE_KEY }}
     with:
       # First image is multi arch
       # Second image is mono arch
@@ -71,6 +73,10 @@ jobs:
             }
           }
         ]
+      build-secret-github-app-id: ${{ vars.CI_BOT_APP_ID }}
+      build-secret-github-app-token-env: |
+        SECRET_ENV_GITHUB_APP_TOKEN_1
+        SECRET_ENV_GITHUB_APP_TOKEN_2
 
   assert:
     needs: act
diff --git a/.github/workflows/docker-build-images.md b/.github/workflows/docker-build-images.md
@@ -50,6 +50,14 @@ jobs:
       # See https://github.com/docker/login-action#usage.
       oci-registry-password: ${{ secrets.GITHUB_TOKEN }}
 
+      # List of secrets to expose to the build.
+      # See <https://docs.docker.com/build/ci/github-actions/secrets/>.
+      build-secrets: ""
+
+      # GitHub App private key to generate GitHub token to be passed as build secret env.
+      # See <https://github.com/actions/create-github-app-token>.
+      build-secret-github-app-key: ""
+
     # Optional customizations.
     with:
       # Json array of runner(s) to use.
@@ -88,32 +96,54 @@ jobs:
       #    }
       #  ]
       images: ""
+
+      # Enable Git LFS.
+      # See <https://github.com/actions/checkout?tab=readme-ov-file#usage>.
+      # Default: true
+      lfs: true
+
+      # Environment variable name(s) to pass GitHub token generated by GitHub App.
+      # Can be a multiline string list.
+      # This is useful to pass a generated token to the build, as it is not possible to share generated secrets between jobs.
+      # Needs input `build-secret-github-app-id` and secret `build-secret-github-app-key`.
+      # Default: "GITHUB_APP_TOKEN"
+      build-secret-github-app-token-env: |
+        GITHUB_APP_TOKEN
+
+      # GitHub App ID to generate GitHub token to be passed as build secret env.
+      # See <https://github.com/actions/create-github-app-token>.
+      build-secret-github-app-id: ""
 ```
 
 <!-- end usage -->
 <!-- start secrets -->
 
 ## Secrets
 
-| **Secret**                             | **Description**                                                                                                                                                  |
-| -------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| **<code>oci-registry-password</code>** | Password or GitHub token (`packages:read` and `packages:write` scopes) used to log against the OCI registry. See <https://github.com/docker/login-action#usage>. |
+| **Secret**                                   | **Description**                                                                                                                                                  | **Required** |
+| -------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ |
+| **<code>oci-registry-password</code>**       | Password or GitHub token (`packages:read` and `packages:write` scopes) used to log against the OCI registry. See <https://github.com/docker/login-action#usage>. | **true**     |
+| **<code>build-secrets</code>**               | List of secrets to expose to the build. See <https://docs.docker.com/build/ci/github-actions/secrets/>.                                                          | **false**    |
+| **<code>build-secret-github-app-key</code>** | GitHub App private key to generate GitHub token to be passed as build secret env. See <https://github.com/actions/create-github-app-token>.                      | **false**    |
 
 <!-- end secrets -->
+<!-- markdownlint-disable MD013 -->
 <!-- start inputs -->
 
 ## Inputs
 
-| **Input**                              | **Description**                                                                                                                                                                                                                                                                                | **Default**                                 | **Required** |
-| -------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------- | ------------ |
-| **<code>runs-on</code>**               | Json array of runner(s) to use. See <https://docs.github.com/en/actions/using-jobs/choosing-the-runner-for-a-job>                                                                                                                                                                              | <code>["ubuntu-latest"]</code>              | **false**    |
-| **<code>oci-registry</code>**          | OCI registry where to pull and push images                                                                                                                                                                                                                                                     | <code>ghcr.io</code>                        | **false**    |
-| **<code>oci-registry-username</code>** | Username used to log against the OCI registry. See <https://github.com/docker/login-action#usage>                                                                                                                                                                                              | <code>${{ github.repository_owner }}</code> | **false**    |
-| **<code>images</code>**                | Images to build parameters.                                                                                                                                                                                                                                                                    |                                             | **true**     |
-|                                        | Example: <code>[{ "name": "application", "context": ".", "dockerfile": "./docker/application/Dockerfile", "target": "prod", "build-args": { "APP_PATH": "./application/", "PROD_MODE": "true" }, "platforms": ["linux/amd64", { "name": "darwin/amd64", "runs-on": "macos-latest" }] }]</code> |                                             |              |
-| **<code>lfs</code>**                   | Enable Git LFS. See <https://github.com/actions/checkout?tab=readme-ov-file#usage>.                                                                                                                                                                                                            | <code>true</code>                           | **false**    |
+| **Input**                                          | **Description**                                                                                                                                                                                                                                                                                                                                                                     | **Default**                                 | **Required** | **Type**    |
+| -------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------- | ------------ | ----------- |
+| **<code>runs-on</code>**                           | Json array of runner(s) to use. See <https://docs.github.com/en/actions/using-jobs/choosing-the-runner-for-a-job>                                                                                                                                                                                                                                                                   | <code>["ubuntu-latest"]</code>              | **false**    | **string**  |
+| **<code>oci-registry</code>**                      | OCI registry where to pull and push images                                                                                                                                                                                                                                                                                                                                          | <code>ghcr.io</code>                        | **false**    | **string**  |
+| **<code>oci-registry-username</code>**             | Username used to log against the OCI registry. See <https://github.com/docker/login-action#usage>                                                                                                                                                                                                                                                                                   | <code>${{ github.repository_owner }}</code> | **false**    | **string**  |
+| **<code>images</code>**                            | Images to build parameters. Json array of objects. Example: [{ "name": "application", "context": ".", "dockerfile": "./docker/application/Dockerfile", "target": "prod", "build-args": { "APP_PATH": "./application/", "PROD_MODE": "true" }, "secret-envs": { "GH_TOKEN": "GITHUB_TOKEN" }, "platforms": ["linux/amd64", { "name": "darwin/amd64", "runs-on": "macos-latest" }] }] |                                             | **true**     | **string**  |
+| **<code>lfs</code>**                               | Enable Git LFS. See <https://github.com/actions/checkout?tab=readme-ov-file#usage>.                                                                                                                                                                                                                                                                                                 | <code>true</code>                           | **false**    | **boolean** |
+| **<code>build-secret-github-app-token-env</code>** | Environment variable name(s) to pass GitHub token generated by GitHub App. Can be a multiline string list. This is useful to pass a generated token to the build, as it is not possible to share generated secrets between jobs. Needs input `build-secret-github-app-id` and secret `build-secret-github-app-key`.                                                                 | <code>GITHUB_APP_TOKEN</code>               | **false**    | **string**  |
+| **<code>build-secret-github-app-id</code>**        | GitHub App ID to generate GitHub token to be passed as build secret env. See <https://github.com/actions/create-github-app-token>.                                                                                                                                                                                                                                                  |                                             | **false**    | **string**  |
 
 <!-- end inputs -->
+<!-- markdownlint-enable MD013 -->
 
 ### Images entry parameters
 
diff --git a/.github/workflows/docker-build-images.yml b/.github/workflows/docker-build-images.yml
@@ -86,6 +86,21 @@ on: # yamllint disable-line rule:truthy
         type: boolean
         default: true
         required: false
+      build-secret-github-app-token-env:
+        description: |
+          Environment variable name(s) to pass GitHub token generated by GitHub App.
+          Can be a multiline string list.
+          This is useful to pass a generated token to the build, as it is not possible to share generated secrets between jobs.
+          Needs input `build-secret-github-app-id` and secret `build-secret-github-app-key`.
+        type: string
+        required: false
+        default: "GITHUB_APP_TOKEN"
+      build-secret-github-app-id:
+        description: |
+          GitHub App ID to generate GitHub token to be passed as build secret env.
+          See <https://github.com/actions/create-github-app-token>.
+        required: false
+        type: string
     secrets:
       oci-registry-password:
         description: |
@@ -97,6 +112,11 @@ on: # yamllint disable-line rule:truthy
           List of secrets to expose to the build.
           See <https://docs.docker.com/build/ci/github-actions/secrets/>.
         required: false
+      build-secret-github-app-key:
+        description: |
+          GitHub App private key to generate GitHub token to be passed as build secret env.
+          See <https://github.com/actions/create-github-app-token>.
+        required: false
 
 permissions:
   contents: read
@@ -322,6 +342,43 @@ jobs:
           echo "self-workflow" >> .gitignore
           echo "self-workflow" >> .dockerignore
 
+      - uses: actions/create-github-app-token@v1
+        if: inputs.build-secret-github-app-id
+        id: generate-token
+        with:
+          app-id: ${{ inputs.build-secret-github-app-id }}
+          private-key: ${{ secrets.build-secret-github-app-key }}
+
+      - id: prepare-secret-envs
+        uses: actions/github-script@v7.0.1
+        with:
+          script: |
+            const githubAppTokenEnvName = 'GITHUB_APP_TOKEN';
+
+            let secretEnvs = `${{ matrix.image.secret-envs }}`;
+            const githubAppToken = `${{ steps.generate-token.outputs.token }}`;
+
+            if (!githubAppToken) {
+              if (secretEnvs) {
+                core.setOutput('secret-envs', secretEnvs);
+              }
+              return;
+            }
+
+            core.exportVariable(githubAppTokenEnvName, githubAppToken);
+
+            const buildSecretGithubAppTokenEnv = `${{ inputs.build-secret-github-app-token-env }}`;
+            if (!buildSecretGithubAppTokenEnv) {
+              throw new Error(`"build-secret-github-app-token-env" input is missing`);
+            }
+
+            secretEnvs += '\n' + buildSecretGithubAppTokenEnv
+              .split('\n')
+              .filter(Boolean)
+              .map(key => `${key}=${githubAppTokenEnvName}`).join('\n');
+
+            core.setOutput('secret-envs', secretEnvs);
+
       - id: build
         uses: ./self-workflow/actions/docker/build-image
         with:
@@ -336,7 +393,7 @@ jobs:
           build-args: ${{ matrix.image.build-args }}
           target: ${{ matrix.image.target }}
           platform: ${{ matrix.image.platform }}
-          secret-envs: ${{ matrix.image.secret-envs }}
+          secret-envs: ${{ steps.prepare-secret-envs.outputs.secret-envs }}
           secrets: ${{ secrets.build-secrets }}
 
       # FIXME: Set built images infos in file to be uploaded as artifacts, because github action does not handle job outputs for matrix
diff --git a/tests/application/Dockerfile b/tests/application/Dockerfile
@@ -26,18 +26,39 @@ ARG BUILD_REPOSITORY
 RUN test -n "$BUILD_REPOSITORY" || (echo "Error: BUILD_REPOSITORY is not set" && exit 1);
 RUN test "$BUILD_REPOSITORY" = "$EXPECTED_REPOSITORY" || (echo "Error: BUILD_REPOSITORY is not \"$EXPECTED_REPOSITORY\"" && exit 1);
 
-# Test that secrets are passed
-RUN --mount=type=secret,id=SECRET_REPOSITORY_OWNER test -f /run/secrets/SECRET_REPOSITORY_OWNER || (echo "Error: SECRET_REPOSITORY_OWNER is not set" && exit 1);
-RUN --mount=type=secret,id=SECRET_REPOSITORY_OWNER test "$(cat /run/secrets/SECRET_REPOSITORY_OWNER)" = "$EXPECTED_REPOSITORY_OWNER" || (echo "Error: SECRET_REPOSITORY_OWNER is not \"$EXPECTED_REPOSITORY_OWNER\"" && exit 1);
+RUN cat >test.sh <<EOF
+
+assertSecretExists() {
+  local secretName="\$1"
+  test -f "/run/secrets/\$secretName" || {
+    echo "Error: \$secretName is not set"
+    exit 1
+  }
+}
+
+assertSecretEquals() {
+  local secretName="\$1"
+  local expectedValue="\$2"
 
-RUN --mount=type=secret,id=SECRET_REPOSITORY test -f /run/secrets/SECRET_REPOSITORY || (echo "Error: SECRET_REPOSITORY is not set" && exit 1);
-RUN --mount=type=secret,id=SECRET_REPOSITORY test "$(cat /run/secrets/SECRET_REPOSITORY)" = "$EXPECTED_REPOSITORY" || (echo "Error: SECRET_REPOSITORY is not \"$EXPECTED_REPOSITORY\"" && exit 1);
+  assertSecretExists "\$secretName"
+
+  test "\$(cat /run/secrets/"\$secretName")" = "\$expectedValue" || {
+    echo "Error: \$secretName is not \"\$expectedValue\""
+    exit 1
+  }
+}
+EOF
+
+# Test that secrets are passed
+RUN --mount=type=secret,id=SECRET_REPOSITORY_OWNER . test.sh && assertSecretEquals SECRET_REPOSITORY_OWNER "$EXPECTED_REPOSITORY_OWNER";
+RUN --mount=type=secret,id=SECRET_REPOSITORY . test.sh && assertSecretEquals SECRET_REPOSITORY "$EXPECTED_REPOSITORY";
 
 # Test that secret envs are passed
-RUN --mount=type=secret,id=SECRET_ENV_REPOSITORY_OWNER test -f /run/secrets/SECRET_ENV_REPOSITORY_OWNER || (echo "Error: SECRET_ENV_REPOSITORY_OWNER is not set" && exit 1);
-RUN --mount=type=secret,id=SECRET_ENV_REPOSITORY_OWNER test "$(cat /run/secrets/SECRET_ENV_REPOSITORY_OWNER)" = "$EXPECTED_REPOSITORY_OWNER" || (echo "Error: SECRET_ENV_REPOSITORY_OWNER is not \"$EXPECTED_REPOSITORY_OWNER\"" && exit 1);
+RUN --mount=type=secret,id=SECRET_ENV_REPOSITORY_OWNER . test.sh && assertSecretEquals SECRET_ENV_REPOSITORY_OWNER "$EXPECTED_REPOSITORY_OWNER";
+RUN --mount=type=secret,id=SECRET_ENV_REPOSITORY . test.sh && assertSecretEquals SECRET_ENV_REPOSITORY "$EXPECTED_REPOSITORY";
 
-RUN --mount=type=secret,id=SECRET_ENV_REPOSITORY test -f /run/secrets/SECRET_ENV_REPOSITORY || (echo "Error: SECRET_ENV_REPOSITORY is not set" && exit 1);
-RUN --mount=type=secret,id=SECRET_ENV_REPOSITORY test "$(cat /run/secrets/SECRET_ENV_REPOSITORY)" = "$EXPECTED_REPOSITORY" || (echo "Error: SECRET_ENV_REPOSITORY is not \"$EXPECTED_REPOSITORY\"" && exit 1);
+# Test that the github app token secrets are passed
+RUN --mount=type=secret,id=SECRET_ENV_GITHUB_APP_TOKEN_1 . test.sh && assertSecretExists SECRET_ENV_GITHUB_APP_TOKEN_1;
+RUN --mount=type=secret,id=SECRET_ENV_GITHUB_APP_TOKEN_2 . test.sh && assertSecretExists SECRET_ENV_GITHUB_APP_TOKEN_2;
 
 USER test
