
Commit 793d420

committed
ci: Use JWTs instead of CI cert for authentication
1 parent 866b18b commit 793d420


1 file changed

+23
-35
lines changed


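--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -22,22 +22,20 @@ jobs:
 build:
 runs-on: ubuntu-24.04
 permissions:
-# FIXME: Make the build with JWT work
-# id-token: write
+id-token: write
 contents: read
 packages: write
 steps:
 - name: Checkout repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
-# FIXME: Make the build with JWT work
-# - name: Get JWT token
-# uses: actions/github-script@v7
-# with:
-# script: |
-# const fs = require('fs');
-# const token = await core.getIDToken('cache.projectbluefin.io')
-# fs.writeFileSync('bluefin.token', token, { mode: 0o600 });
+- name: Get JWT token
+uses: actions/github-script@v7
+with:
+script: |
+const fs = require('fs');
+const token = await core.getIDToken('cache.projectbluefin.io')
+fs.writeFileSync('bluefin.token', token, { mode: 0o644 });
 
 - name: Setup Just
 uses: extractions/setup-just@f8a3cce218d9f83db3a2ecd90e41ac3de6cdfd9b # v3
@@ -56,15 +54,10 @@ jobs:
 # - cache-buildtrees: never -> save disk (we only need final artifacts)
 #
 - name: Generate BuildStream CI config
-env:
-CASD_CLIENT_CERT: ${{ vars.CASD_CLIENT_CERT }}
-CASD_CLIENT_KEY: ${{ secrets.CASD_CLIENT_KEY }}
 run: |
 mkdir -p logs
 
 # Setup certificate for pushing to the cache
-echo "$CASD_CLIENT_CERT" > client.crt
-echo "$CASD_CLIENT_KEY" > client.key
 cat > buildstream-ci.conf <<'BSTCONF'
 scheduler:
 on-error: continue
@@ -84,67 +77,63 @@ jobs:
 
 BSTCONF
 
-if [[ -n "$CASD_CLIENT_CERT" ]] && [[ -n "$CASD_CLIENT_ΚΕΥ" ]]; then
+# FIXME: handle token not existing, like on forks
+if true; then
 cat >> buildstream-ci.conf <<'BSTCONFPUSH'
 artifacts:
 servers:
-- url: https://cache.projectbluefin.io:11002
+- url: https://cache.projectbluefin.io:11004
 push: true
 connection-config:
 keepalive-time: 60
 retry-limit: 5
 retry-delay: 1000
 request-timeout: 180
 auth:
-client-key: /src/client.key
-client-cert: /src/client.crt
+access-token: ~/src/bluefin.token
 
 source-caches:
 servers:
-- url: https://cache.projectbluefin.io:11002
+- url: https://cache.projectbluefin.io:11004
 push: true
 connection-config:
 keepalive-time: 60
 retry-limit: 5
 retry-delay: 1000
 request-timeout: 180
 auth:
-client-key: /src/client.key
-client-cert: /src/client.crt
+access-token: ~/src/bluefin.token
 
 cache:
 storage-service:
-url: https://cache.projectbluefin.io:11002
+url: https://cache.projectbluefin.io:11004
 connection-config:
 keepalive-time: 60
 retry-limit: 5
 retry-delay: 1000
 request-timeout: 180
 auth:
-client-key: /src/client.key
-client-cert: /src/client.crt
+access-token: ~/src/bluefin.token
 
 remote-execution:
 execution-service:
-url: https://cache.projectbluefin.io:11002
+url: https://cache.projectbluefin.io:11004
 connection-config:
 keepalive-time: 60
 retry-limit: 5
 retry-delay: 1000
 request-timeout: 180
 auth:
-client-key: /src/client.key
-client-cert: /src/client.crt
+access-token: ~/src/bluefin.token
 action-cache-service:
-url: https://cache.projectbluefin.io:11002
+url: https://cache.projectbluefin.io:11004
 connection-config:
 keepalive-time: 60
 retry-limit: 5
 retry-delay: 1000
 request-timeout: 180
 auth:
-client-key: /src/client.key
-client-cert: /src/client.crt
+access-token: ~/src/bluefin.token
 BSTCONFPUSH
 fi
 
@@ -192,10 +181,9 @@ jobs:
 just lint
 
 # Delete jwt token just in case
-# FIXME: Make the build with JWT work
-# - name: Delete token
-# if: always()
-# run: rm -f bluefin.token
+- name: Delete token
+if: always()
+run: rm -f bluefin.token
 
 # ── Upload build logs ─────────────────────────────────────────────
 # Always upload, even on failure, so build failures can be diagnosed.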
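Review bot: The `Get JWT token` step in the first hunk writes the OIDC token with `{ mode: 0o644 }`, while the commented-out version it replaces used `0o600`; the token is a bearer credential for cache.projectbluefin.io (the config sets `push: true`) and sits in the workspace for every later step until `Delete token` runs. Unless the build container has to read it under a different UID (not visible here), I would keep `fs.writeFileSync('bluefin.token', token, { mode: 0o600 });`, or add a comment saying why wider read access is needed. The same step references `actions/github-script@v7` by mutable tag, whereas `actions/checkout` and `extractions/setup-just` are pinned to commit SHAs; since this step runs with `id-token: write`, pin it the same way, `uses: actions/github-script@<full-commit-sha> # v7`. In the third hunk, `if true; then` always writes the push configuration, so a run that cannot obtain a token (the fork case named in the FIXME) will presumably fail rather than fall back to a build without push; a test on the token file, `if [[ -s bluefin.token ]]; then`, would restore the guard that the removed certificate check provided.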
