
Commit 99ffa10

committed
feat(continuous-integratio): add support for build secrets
Signed-off-by: Emilien Escalle <[email protected]>
1 parent 3cb518b commit 99ffa10


1 file changed

+45
-0
lines changed


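--- a/.github/workflows/continuous-integration.yml
+++ b/.github/workflows/continuous-integration.yml
@@ -50,6 +50,16 @@ on:
 type: string
 required: false
 default: "."
+secrets:
+build-secrets:
+description: |
+Secrets to be used during the build step.
+Must be a multi-line env formatted string.
+Example:
+```txt
+SECRET_EXAMPLE=$\{{ secrets.SECRET_EXAMPLE }}
+```
+required: false
 
 permissions:
 contents: read
@@ -89,6 +99,7 @@ jobs:
 contents: read
 id-token: write
 outputs:
+build-env: ${{ steps.build-variables.outputs.env }}
 build-commands: ${{ steps.build-variables.outputs.commands }}
 build-artifact: ${{ steps.build-variables.outputs.artifact }}
 steps:
@@ -122,6 +133,7 @@ jobs:
 const buildInput = `${{ inputs.build }}`.trim();
 
 let commands = [];
+let env = {};
 
 // Build input can be json or string
 try {
@@ -130,6 +142,7 @@ jobs:
 commands = build;
 } else {
 commands = build.commands ?? ["build"];
+env = build.env ?? {};
 
 if (build.artifact) {
 if(typeof build.artifact === 'string') {
@@ -159,6 +172,7 @@ jobs:
 }
 
 core.setOutput('commands', sanitizedCommands.join('\n'));
+core.setOutput('env', JSON.stringify(env));
 
 lint:
 name: 👕 Lint
@@ -238,6 +252,37 @@ jobs:
 gatsby
 storybook
 
+- if: needs.setup.outputs.build-commands
+uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+env:
+BUILD_ENV: ${{ needs.setup.outputs.build-env }}
+BUILD_SECRETS: ${{ secrets.build-secrets }}
+with:
+script: |
+const envInput = process.env.BUILD_ENV || '{}';
+
+let buildEnv = {};
+
+try {
+buildEnv = JSON.parse(envInput);
+} catch (e) {
+core.setFailed(`Invalid build env JSON: ${e.message}`);
+}
+
+for (const [key, value] of Object.entries(buildEnv)) {
+core.exportVariable(key, value);
+}
+
+const secretsInput = process.env.BUILD_SECRETS || '';
+for (const line of secretsInput.split('\n').map(line => line.trim()).filter(Boolean)) {
+const [key, ...rest] = line.split('=');
+if (!key || !rest.length) {
+return core.setFailed(`Invalid build secrets format: ${line}`);
+}
+const value = rest.join('=');
+core.exportVariable(key.trim(), value.trim());
+}
+
 - if: needs.setup.outputs.build-commands
 working-directory: ${{ inputs.working-directory }}
 run: |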
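Review bot: The values parsed out of `BUILD_SECRETS` in the new `actions/github-script` step are exported with `core.exportVariable(key.trim(), value.trim())` without being registered for log masking, so a build command that prints one of them may show it in clear; the runner masks the `build-secrets` secret as it was passed, which may not cover the right-hand side of each `KEY=value` line on its own (worth confirming). Calling `core.setSecret(value.trim());` immediately before the export would mask each parsed value. The failure path `Invalid build secrets format: ${line}` also writes the raw offending line of the secret into the job log; a message that names only the expected shape, e.g. `core.setFailed('Invalid build secrets format: expected KEY=VALUE on each line');`, avoids that. Keys from both `BUILD_ENV` and `BUILD_SECRETS` are exported unvalidated and remain set for every later step of the job, not only the build step, so a name check such as `/^[A-Za-z_][A-Za-z0-9_]*$/` plus a refusal to overwrite runner-owned variables would be a reasonable addition.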
