Commit 4d7c1ed

committed
feat(continuous-integratio): add support for build secrets
Signed-off-by: Emilien Escalle <[email protected]>
1 parent 3cb518b commit 4d7c1ed
2 files changed

+136
-16
lines changed
.github/workflows/continuous-integration.md

Lines changed: 66 additions & 15 deletions
@@ -3,7 +3,7 @@
33
# GitHub Reusable Workflow: Node.js Continuous Integration
44

55
<div align="center">
6-
<img src="https://opengraph.githubassets.com/5fd994d3cdc848d200848f3b6e7693134d2fdbb92fc8c26a36ed3d12601d2dee/hoverkraft-tech/ci-github-nodejs" width="60px" align="center" alt="Node.js Continuous Integration" />
6+
<img src="https://opengraph.githubassets.com/fd6ff0f289f07764817fe8ee5dc4b9f62ff6d96f3bfca597ac738f864276bfdf/hoverkraft-tech/ci-github-nodejs" width="60px" align="center" alt="Node.js Continuous Integration" />
77
</div>
88

99
---
@@ -42,7 +42,7 @@ Workflow to performs continuous integration steps agains a Node.js project:
4242

4343
## Usage
4444

45-
```yaml
45+
````yaml
4646
name: Node.js Continuous Integration
4747
on:
4848
push:
@@ -54,9 +54,41 @@ permissions:
5454
id-token: write
5555
jobs:
5656
continuous-integration:
57-
uses: hoverkraft-tech/ci-github-nodejs/.github/workflows/continuous-integration.yml@6809332ced7647b3d52300a47d65657283f3395e # 0.16.0
57+
uses: hoverkraft-tech/ci-github-nodejs/.github/workflows/continuous-integration.yml@36c861e31804957f2a85503b8aebe213f35b1235 # feat/continuous-intergration-build-secrets
58+
secrets:
59+
# Secrets to be used during the build step.
60+
# Must be a multi-line env formatted string.
61+
# Example:
62+
# ```txt
63+
# SECRET_EXAMPLE=$\{{ secrets.SECRET_EXAMPLE }}
64+
# ```
65+
build-secrets: ""
5866
with:
5967
# Build parameters. Must be a string or a JSON object.
68+
# For string, provide a list of commands to run during the build step, one per line.
69+
# For JSON object, provide the following properties:
70+
#
71+
# - `commands`: Array of commands to run during the build step.
72+
# - `env`: Object of environment variables to set during the build step.
73+
# - `artifact`: String or array of strings specifying paths to artifacts to upload after the build
74+
#
75+
# Example:
76+
# ```json
77+
# {
78+
# "commands": [
79+
# "build",
80+
# "generate-artifacts"
81+
# ],
82+
# "env": {
83+
# "CUSTOM_ENV_VAR": "value"
84+
# },
85+
# "artifact": [
86+
# "dist/",
87+
# "packages/package-a/build/"
88+
# ]
89+
# }
90+
# ```
91+
#
6092
# Default: `build`
6193
build: build
6294

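Review bot: the `uses:` line in this usage block now pins a feature-branch commit (`36c861e3…` with the comment `# feat/continuous-intergration-build-secrets`, branch name misspelled) instead of a release like the previous `# 0.16.0`; before merge the documented pin should go back to a tagged release SHA, otherwise every caller copying the README pins an unreleased branch head. Also, the example `# SECRET_EXAMPLE=$\{{ secrets.SECRET_EXAMPLE }}` sits inside a YAML comment where nothing is evaluated, so the backslash serves no purpose here and a caller who copies it verbatim into `build-secrets` will pass the literal text `$\{{ secrets.SECRET_EXAMPLE }}` rather than the secret value; show `${{ secrets.SECRET_EXAMPLE }}` in the usage block. Finally, `build-secrets: ""` as the shown value is a no-op; either show a populated multi-line value or leave the key out of the minimal example.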
@@ -87,7 +119,7 @@ jobs:
87119
# Working directory where the dependencies are installed.
88120
# Default: `.`
89121
working-directory: .
90-
```
122+
````
91123

92124
<!-- usage:end -->
93125

@@ -97,20 +129,39 @@ jobs:
97129

98130
### Workflow Call Inputs
99131

100-
| **Input** | **Description** | **Required** | **Type** | **Default** |
101-
| ----------------------- | ----------------------------------------------------------------------------------------- | ------------ | ----------- | ------------ |
102-
| **`build`** | Build parameters. Must be a string or a JSON object. | **false** | **string** | `build` |
103-
| **`checks`** | Optional flag to enable check steps. | **false** | **boolean** | `true` |
104-
| **`lint`** | Optional flag to enable linting. | **false** | **boolean** | `true` |
105-
| **`code-ql`** | Code QL analysis language. See <https://github.com/github/codeql-action>. | **false** | **string** | `typescript` |
106-
| **`dependency-review`** | Enable dependency review scan. See <https://github.com/actions/dependency-review-action>. | **false** | **boolean** | `true` |
107-
| **`test`** | Optional flag to enable test. | **false** | **boolean** | `true` |
108-
| **`coverage`** | Specifify code coverage reporter. Supported values: `codecov`. | **false** | **string** | `codecov` |
109-
| **`working-directory`** | Working directory where the dependencies are installed. | **false** | **string** | `.` |
132+
| **Input** | **Description** | **Required** | **Type** | **Default** |
133+
| ----------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------ | ----------- | ------------ |
134+
| **`build`** | Build parameters. Must be a string or a JSON object. | **false** | **string** | `build` |
135+
| | For string, provide a list of commands to run during the build step, one per line. | | | |
136+
| | For JSON object, provide the following properties: | | | |
137+
| | | | | |
138+
| | - `commands`: Array of commands to run during the build step. | | | |
139+
| | - `env`: Object of environment variables to set during the build step. | | | |
140+
| | - `artifact`: String or array of strings specifying paths to artifacts to upload after the build | | | |
141+
| | | | | |
142+
| | Example: | | | |
143+
| | <!-- textlint-disable --><pre lang="json">{&#13; "commands": [&#13; "build",&#13; "generate-artifacts"&#13; ],&#13; "env": {&#13; "CUSTOM_ENV_VAR": "value"&#13; },&#13; "artifact": [&#13; "dist/",&#13; "packages/package-a/build/"&#13; ]&#13;}</pre><!-- textlint-enable --> | | | |
144+
| **`checks`** | Optional flag to enable check steps. | **false** | **boolean** | `true` |
145+
| **`lint`** | Optional flag to enable linting. | **false** | **boolean** | `true` |
146+
| **`code-ql`** | Code QL analysis language. See <https://github.com/github/codeql-action>. | **false** | **string** | `typescript` |
147+
| **`dependency-review`** | Enable dependency review scan. See <https://github.com/actions/dependency-review-action>. | **false** | **boolean** | `true` |
148+
| **`test`** | Optional flag to enable test. | **false** | **boolean** | `true` |
149+
| **`coverage`** | Specifify code coverage reporter. Supported values: `codecov`. | **false** | **string** | `codecov` |
150+
| **`working-directory`** | Working directory where the dependencies are installed. | **false** | **string** | `.` |
110151

111152
<!-- inputs:end -->
112153

113154
<!-- secrets:start -->
155+
156+
## Secrets
157+
158+
| **Secret** | **Description** | **Required** |
159+
| ------------------- | -------------------------------------------------------------------------------------------------------------------- | ------------ |
160+
| **`build-secrets`** | Secrets to be used during the build step. | **false** |
161+
| | Must be a multi-line env formatted string. | |
162+
| | Example: | |
163+
| | <!-- textlint-disable --><pre lang="txt">SECRET_EXAMPLE=$\{{ secrets.SECRET_EXAMPLE }}</pre><!-- textlint-enable --> | |
164+
114165
<!-- secrets:end -->
115166

116167
<!-- outputs:start -->
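Review bot: the new `## Secrets` heading is one level above the sibling `### Workflow Call Inputs` heading of the same generated section; use `###` so the secrets table sits at the same level as the inputs table. The secrets example cell renders `$\{{ secrets.SECRET_EXAMPLE }}` with the literal backslash, which is what readers will copy; and since the inputs table is being regenerated anyway, the pre-existing `Specifify` typo in the `coverage` row (both the removed and added lines carry it) is worth fixing at the source description in the same change.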
@@ -133,7 +184,7 @@ on:
133184
134185
jobs:
135186
continuous-integration:
136-
uses: hoverkraft-tech/ci-github-nodejs/.github/workflows/continuous-integration.yml@6809332ced7647b3d52300a47d65657283f3395e # 0.16.0
187+
uses: hoverkraft-tech/ci-github-nodejs/.github/workflows/continuous-integration.yml@36c861e31804957f2a85503b8aebe213f35b1235 # feat/continuous-intergration-build-secrets
137188
permissions:
138189
id-token: write
139190
security-events: write
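Review bot: same feature-branch pin as in the usage block above (`36c861e3…` / `# feat/continuous-intergration-build-secrets`); both examples in the README need to be switched to the release SHA and tag together before merge, and the branch-name typo in the comment should not be carried into the release comment.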

.github/workflows/continuous-integration.yml

Lines changed: 70 additions & 1 deletion
@@ -11,7 +11,31 @@ on:
1111
workflow_call:
1212
inputs:
1313
build:
14-
description: Build parameters. Must be a string or a JSON object.
14+
description: |
15+
Build parameters. Must be a string or a JSON object.
16+
For string, provide a list of commands to run during the build step, one per line.
17+
For JSON object, provide the following properties:
18+
19+
- `commands`: Array of commands to run during the build step.
20+
- `env`: Object of environment variables to set during the build step.
21+
- `artifact`: String or array of strings specifying paths to artifacts to upload after the build
22+
23+
Example:
24+
```json
25+
{
26+
"commands": [
27+
"build",
28+
"generate-artifacts"
29+
],
30+
"env": {
31+
"CUSTOM_ENV_VAR": "value"
32+
},
33+
"artifact": [
34+
"dist/",
35+
"packages/package-a/build/"
36+
]
37+
}
38+
```
1539
type: string
1640
required: false
1741
default: "build"
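Review bot: the description says "Must be a string or a JSON object" but the input `type` is `string`; say "a JSON object serialized as a string" so callers know to pass it as text (e.g. a `|` block scalar), and state that `env` values are exported to the later build steps as plain environment variables while the `artifact` bullet is missing its terminating period. Worth adding a sentence that `env` is for non-secret configuration only, since the parsed object is round-tripped through a job output later in this file; credentials belong in the new `build-secrets` secret instead.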
@@ -50,6 +74,16 @@ on:
5074
type: string
5175
required: false
5276
default: "."
77+
secrets:
78+
build-secrets:
79+
description: |
80+
Secrets to be used during the build step.
81+
Must be a multi-line env formatted string.
82+
Example:
83+
```txt
84+
SECRET_EXAMPLE=$\{{ secrets.SECRET_EXAMPLE }}
85+
```
86+
required: false
5387

5488
permissions:
5589
contents: read
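Review bot: the `build-secrets` description should state the accepted grammar precisely, because the parser later in this file is stricter than "env formatted": one `KEY=VALUE` per line, split on the first `=` (so values may contain `=`), key and value trimmed of surrounding whitespace, no quoting or escaping, no comment lines, and no multi-line values. Also, in a `|` block scalar the backslash in `$\{{ secrets.SECRET_EXAMPLE }}` is kept literally, so this is what the rendered description and the generated README show; if the backslash is only there to keep an expression out of the description, add a YAML comment saying so, otherwise use `${{ secrets.SECRET_EXAMPLE }}` as the example.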
@@ -89,6 +123,7 @@ jobs:
89123
contents: read
90124
id-token: write
91125
outputs:
126+
build-env: ${{ steps.build-variables.outputs.env }}
92127
build-commands: ${{ steps.build-variables.outputs.commands }}
93128
build-artifact: ${{ steps.build-variables.outputs.artifact }}
94129
steps:
@@ -122,6 +157,7 @@ jobs:
122157
const buildInput = `${{ inputs.build }}`.trim();
123158
124159
let commands = [];
160+
let env = {};
125161
126162
// Build input can be json or string
127163
try {
@@ -130,6 +166,7 @@ jobs:
130166
commands = build;
131167
} else {
132168
commands = build.commands ?? ["build"];
169+
env = build.env ?? {};
133170
134171
if (build.artifact) {
135172
if(typeof build.artifact === 'string') {
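Review bot: `env = build.env ?? {};` accepts whatever the caller put under `env` without checking its shape; an array, a nested object, or non-string values will reach `core.exportVariable`, which serializes non-strings as JSON rather than failing. Validate here that `build.env` is a plain object (`typeof build.env === 'object' && !Array.isArray(build.env)`) whose values are all strings, and `core.setFailed` with a clear message otherwise, as is already done for malformed `artifact` input in the surrounding code.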
@@ -159,6 +196,7 @@ jobs:
159196
}
160197
161198
core.setOutput('commands', sanitizedCommands.join('\n'));
199+
core.setOutput('env', JSON.stringify(env));
162200
163201
lint:
164202
name: 👕 Lint
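Review bot: `core.setOutput('env', JSON.stringify(env))` publishes the entire `env` object as a job output of `setup`, and job outputs are visible in the run UI and passed unmasked between jobs; that is fine for build configuration but means anything a caller puts in `build.env` must be treated as public. The input description should say so explicitly, and the `build-secrets` secret is the right channel for anything sensitive, which is presumably the reason for this split; documenting the reason prevents callers from "fixing" a leak by moving a credential into `env`.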
@@ -238,6 +276,37 @@ jobs:
238276
gatsby
239277
storybook
240278
279+
- if: needs.setup.outputs.build-commands
280+
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
281+
env:
282+
BUILD_ENV: ${{ needs.setup.outputs.build-env }}
283+
BUILD_SECRETS: ${{ secrets.build-secrets }}
284+
with:
285+
script: |
286+
const envInput = process.env.BUILD_ENV || '{}';
287+
288+
let buildEnv = {};
289+
290+
try {
291+
buildEnv = JSON.parse(envInput);
292+
} catch (e) {
293+
core.setFailed(`Invalid build env JSON: ${e.message}`);
294+
}
295+
296+
for (const [key, value] of Object.entries(buildEnv)) {
297+
core.exportVariable(key, value);
298+
}
299+
300+
const secretsInput = process.env.BUILD_SECRETS || '';
301+
for (const line of secretsInput.split('\n').map(line => line.trim()).filter(Boolean)) {
302+
const [key, ...rest] = line.split('=');
303+
if (!key || !rest.length) {
304+
return core.setFailed(`Invalid build secrets format: ${line}`);
305+
}
306+
const value = rest.join('=');
307+
core.exportVariable(key.trim(), value.trim());
308+
}
309+
241310
- if: needs.setup.outputs.build-commands
242311
working-directory: ${{ inputs.working-directory }}
243312
run: |
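Review bot: in the `catch` block, `core.setFailed(...)` marks the step failed but does not stop the script, so execution falls through to the secrets loop and exports variables from a step that is already failing; `return core.setFailed(...)` here, matching the pattern used a few lines later in the secrets loop. For the parsed secrets, call `core.setSecret(value.trim())` before `core.exportVariable(key.trim(), value.trim())` so each individual value is masked in logs on its own; masking of the composite `build-secrets` string does not guarantee that every substring exported as a separate variable is redacted. Two parsing behaviours are worth either documenting or tightening: `value.trim()` silently strips whitespace that may be significant, and surrounding quotes are kept as part of the value (this is not dotenv syntax), while a `KEY=` line passes the `rest.length` check and exports an empty string. Lastly, this step has no `name:`; give it one (e.g. "Export build env and secrets") so failures are identifiable in the job log.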