oidckv/.github/workflows/oidckv.yml at main · ideasyncratic/oidckv · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
# Logs into Azure with OIDC, fetches the Totango api secret, runs the index.js
# 1. OIDC docs: https://learn.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux
#   a. create app
#      az ad app create --display-name oidckvApp # save "appId" value as $appId
#   b. create service principal
#      az ad sp create --id $appId # save "id" value as $assigneeObjectId
#   c. create role assignment
#      az role assignment create --role "Key Vault Secrets User" \
#        --scope "/subscriptions/123-xyz/resourceGroups/oidc-kv-xyz/providers/Microsoft.KeyVault/vaults/oidc-kv1-xyz" \
#        --assignee-object-id $assigneeObjectId --assignee-principal-type ServicePrincipal
#   d. set subject claim
#     az ad app federated-credential create --id $appId --parameters '{
#       "name": "oidckv-cred",
#       "issuer": "https://token.actions.githubusercontent.com",
#       "subject": "repository_owner:ORG_NAME:job_workflow_ref:/jmassardo/issues-to-totango/.github/workflows/issues-to-totango-oidc.yml@refs/heads/main",
#       "description": "Credential for ORG_NAME/issues-to-totango workflow",
#       "audiences": [ "api://AzureADTokenExchange" ] }'
#   e. In the env section below, set AZURE_CLIENT_ID to the $appId and set AZURE_TENANT_ID and AZURE_SUBSCRIPTION_ID
#
# 2. Use like:
#   name: Run oidckv workflow
#   on:
#     issue_comment:
#       types: [created]
#   jobs:
#     call-workflow-passing-data:
#       uses: jmassardo/issues-to-totango/.github/workflows/issues-to-totango-oidckv.yml@main
#       with: ...
#
# 3. Set OIDC subject to include shared workflow and org
#   # org default
#   curl -L \
#     -X PUT \
#     -H "Accept: application/vnd.github+json" \
#     -H "Authorization: Bearer $password"\
#     -H "X-GitHub-Api-Version: 2022-11-28" \
#     https://api.github.com/orgs/ORG_NAME/actions/oidc/customization/sub \
#     -d '{"include_claim_keys":["repository_owner","job_workflow_ref"]}'
#
#   # update existing repos
#   curl -L \
#     -X PUT \
#     -H "Accept: application/vnd.github+json" \
#     -H "Authorization: Bearer $password"\
#     -H "X-GitHub-Api-Version: 2022-11-28" \
#     https://api.github.com/repos/ORG_NAME/REPO_NAME/actions/oidc/customization/sub \
#     -d '{"use_default":false,"include_claim_keys":["repository_owner","job_workflow_ref"]}'
#
#   produces a subject claim like:
#    subject claim - repository_owner:ORG_NAME:job_workflow_ref:jmassardo/issues-to-totango/.github/workflows/issues-to-totango-oidckv.yml@refs/heads/main
#

name: 'Issues to Totango'

on:
  workflow_call:
    inputs:
      ACCOUNT_ID:
        description: 'Customer account id'
        required: true
        type: "string"
      ACTIVITY_TYPE:
        description: 'Type from the `Success Flow` section'
        required: true
        type: "string"
      TOUCHPOINT_TYPE:
        description: 'The id value of the touchpoint type.'
        required: true
        type: "string"
      TOUCHPOINT_TAGS:
        description: 'The id value of the touchpoint reason.'
        required: true
        type: "string"
      TASK_ASSIGNEE:
        description: 'The email value used for testing - will be changed later after testing'
        type: "string"
      AZURE_SUBSCRIPTION_ID:
        description: 'Azure subscription id.'
        required: true
        type: "string"
      AZURE_TENANT_ID:
        description: 'Azure AD tenant ID'
        required: true
        type: "string"
      AZURE_CLIENT_ID:
        description: 'Azure app client id'
        required: true
        type: "string"
      AZURE_VAULT_NAME:
        description: 'Azure key vault name e.g. "totangokv1"'
        required: true
        type: "string"
      AZURE_KEY_NAME:
        description: 'Azure key vault secret name e.g. "totango-api-key". Will be saved to the environment as "APP_TOKEN"'
        required: true
        type: "string"

jobs:
  process-issue:
    permissions:
      issues: write
      id-token: write
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    - uses: actions/setup-node@v3
      with:
        node-version: 18
    - uses: azure/login@v1
      with:
        client-id: ${{ inputs.AZURE_CLIENT_ID }}
        tenant-id: ${{ inputs.AZURE_TENANT_ID }}
        subscription-id: ${{ inputs.AZURE_SUBSCRIPTION_ID }}
    - name: Get APP_TOKEN secret
      run: |
        secret=$(az keyvault secret show --name ${{ inputs.AZURE_KEY_NAME }} --vault-name ${{ inputs.AZURE_VAULT_NAME }} --query value --output tsv)
        echo "::add-mask::$secret"
        echo "APP_TOKEN=$secret" >> "$GITHUB_ENV"
    - name: Set env vars from input
      run: |
        echo "ACCOUNT_ID=${{ inputs.ACCOUNT_ID }}" >> "$GITHUB_ENV"
        echo "ACTIVITY_TYPE=${{ inputs.ACTIVITY_TYPE }}" >> "$GITHUB_ENV"
        echo "TOUCHPOINT_TYPE=${{ inputs.TOUCHPOINT_TYPE }}" >> "$GITHUB_ENV"
        echo "TOUCHPOINT_TAGS=${{ inputs.TOUCHPOINT_TAGS }}" >> "$GITHUB_ENV"
        echo "TASK_ASSIGNEE=${{ inputs.TASK_ASSIGNEE }}" "$GITHUB_ENV"
    - name: curl with token
      run: |
        curl -L -X POST -H "Accept: application/vnd.github+json" -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" -H "X-GitHub-Api-Version: 2022-11-28" https://api.github.com/repos/ideasyncratic/oidckv-user/issues/2/labels -d '{"labels":["bug"]}'
    - name: run issues-to-totango
      run: node -e 'console.log(require("crypto").createHash("md5").update(process.env.APP_TOKEN).digest("hex"))'