Github dispatches workflow Invalid request - github-actions

I'm trying to trigger a workflow event in Github.
For some reason, I'm able to GET information about my organization repository workflow but cannot use '/dispatches'.
Work is based on: https://docs.github.com/en/rest/actions/workflows#create-a-workflow-dispatch-event
Here is the curl code:
curl -X POST \
-H "Accept:application/vnd.github.v3+json" \
-H 'Authorization:token ${{ github.token }}' \
'https://api.github.com/repos/[owner/org]/[repo]/actions/workflows/9999999/dispatches' \
-d '{"event_type":"semantic-release"}'
Getting error:
422 Unprocessable Entity
"message": "Invalid request.\n\nFor 'links/0/schema', nil is not an object.",
"documentation_url": "https://docs.github.com/rest/reference/repos#create-a-repository-dispatch-event"
Am I missing some basic information for this to work and trigger an event?

Instead of trying to call the GitHub API directly, try and use the GitHub CLI gh (that you can install first to test locally).
You can also use GitHub CLI in workflows.
GitHub CLI is preinstalled on all GitHub-hosted runners.
For each step that uses GitHub CLI, you must set an environment variable called GITHUB_TOKEN to a token with the required scopes.
It has a gh workflow run, which does create a workflow_dispatch event for a given workflow.
Authenticate first (gh auth login, if you are doing a local test):
# authenticate against github.com by reading the token from a file
$ gh auth login --with-token < mytoken.txt
Examples:
# Run the workflow file 'triage.yml' at the remote's default branch
$ gh workflow run triage.yml
# Run the workflow file 'triage.yml' at a specified ref
$ gh workflow run triage.yml --ref my-branch
# Run the workflow file 'triage.yml' with command line inputs
$ gh workflow run triage.yml -f name=scully -f greeting=hello
# Run the workflow file 'triage.yml' with JSON via standard input
$ echo '{"name":"scully", "greeting":"hello"}' | gh workflow run triage.yml --json
In your case (GitHub Action):
jobs:
  push:
    runs-on: ubuntu-latest
    steps:
      - run: gh workflow run triage.yml
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
As explained by hanayama in the comments:
Found out the secrets.GITHUB_TOKEN doesn't work, even with permissions edited for the entire workflow.
Using a personal access token worked.

Related

git-secrets decryption in GitHub actions

Hello Github actions community :)
I have a workflow in github actions that I don't quite understand why it is not working.
I am currently using git-secrets to encrypt my credentials using git-secrets and I am trying to decrypt them in the github actions workflow.
This is the code block that I execute when I want to decrypt the files:
- name: Reveal data
  run: |
    echo
    echo 'Before decrypt'
    ls -ls
    git secret reveal -p ${{ secrets.PASSPHRASE }} -f
    echo 'After decrypt'
    ls -ls
    git secret whoknows
Before decrypt
total 4
4 -rw-r--r-- 1 runner docker 630 Jul 18 09:39 secrets.md.secret
done. all 1 files are revealed.
After decrypt
total 4
4 -rw-r--r-- 1 runner docker 630 Jul 18 09:39 secrets.md.secret
testing@testing.com
According to github actions this works because as you can see the github actions returns 'done. all 1 files are revealed.'. However, as you can see below, no new file is being generated.
Locally it works and I get the decrypted file by running the same command.
How to reproduce it locally:
Install git-secrets
Create a GPG key (gpg --full-generate-key)
Run 'git secret tell email-used-in-the-gpg'
Run 'git secret add filename'
Run 'git secret hide' to encrypt the file
Run 'rm filename'
Run 'git secret reveal' and pass the password. This will create the decrypted file
How to reproduce it in github actions:
Create a new workflow
Paste this step:
- name: Reveal
run: |
git secret reveal -p ${{ secrets.PASSPHRASE }}
Does anyone have any idea what this is about? Github Workflows does not allow file creation maybe?
Thank you very much in advance and best regards!

How to install scoped private npm package from Artifactory in Github Actions

This question includes a specific use-case:
I have a private scoped package: @myscope/mypackage
It hosted in Artifactory NPM registry: https://company.jfrog.io/artifactory/api/npm/my-npm-registry/
I need to use my credentials to consume it.
I want to consume it in Github Actions.
How can I do that?
.npmrc
First, you need to configure your access in a local .npmrc file. You can put this file in your source root folder.
always-auth = true
# First, set a different registry URL for your scope
@myscope:registry=https://company.jfrog.io/artifactory/api/npm/my-npm-registry/
# Then, for this scope, you need to set the token
//company.jfrog.io/artifactory/api/npm/my-npm-registry/:_auth = {{your token - see below}}
Token
You need to get the NPM Token from Artifactory (note it isn't your API Key).
Get your Artifactory API Key from your Artifactory profile: https://company.jfrog.io/ui/admin/artifactory/user_profile
Run the next command on your Linux terminal: curl -u {{ ARTIFACTORY_USERNAME }}:{{ ARTIFACTORY_API_KEY }} https://company.jfrog.io/artifactory/api/npm/auth/
Powershell:
$base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f {{ ARTIFACTORY_USERNAME }},{{ ARTIFACTORY_API_KEY }})))
Invoke-RestMethod -Headers @{Authorization=("Basic {0}" -f $base64AuthInfo)} https://company.jfrog.io/artifactory/api/npm/auth/
You should receive this:
_auth = {{ YOUR_NPM_TOKEN }}
always-auth = true
So now you can take this Token and put it in the .npmrc file above.
Github Actions
How to do all this in Github Actions?
First, save your Jfrog username and API Key in Github Secrets: JFROG_USER & JFROG_PAT.
And you can add the next step to your workflow, after checkout and before yarn/npm install:
- name: npm token
  run: |
    echo "@myscope:registry=https://company.jfrog.io/artifactory/api/npm/my-npm-registry/" > .npmrc
    echo "//company.jfrog.io/artifactory/api/npm/my-npm-registry/:$(curl -u ${{ secrets.JFROG_USER }}:${{ secrets.JFROG_PAT }} https://company.jfrog.io/artifactory/api/npm/auth/)" >> .npmrc
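A stricter variant of the step above, as an added example that is not part of the original answer: it checks that the auth endpoint really returned an `_auth` line before writing `.npmrc`, so an error body never ends up in the file. The function name `npmrc_from_auth` and the `REGISTRY`/`SCOPE` variables are assumptions, and `JFROG_USER`/`JFROG_PAT` are expected in the step's `env:` block instead of being interpolated into the script text.

```bash
#!/bin/bash
# Added example, not the answer's code. npmrc_from_auth, REGISTRY and SCOPE
# are assumed names; JFROG_USER / JFROG_PAT are the secrets named above,
# passed to the step as environment variables.

REGISTRY="company.jfrog.io/artifactory/api/npm/my-npm-registry/"
SCOPE="@myscope"

# Read the /api/npm/auth/ response on stdin and print the .npmrc content.
# Fails when no "_auth = ..." line is present (for example an error body).
npmrc_from_auth() {
  local line token=""
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      "_auth = "*) token="${line#_auth = }" ;;
    esac
  done
  if [ -z "$token" ]; then
    echo "no _auth line in registry response; check JFROG_USER/JFROG_PAT" >&2
    return 1
  fi
  printf '%s:registry=https://%s\n' "$SCOPE" "$REGISTRY"
  printf '//%s:_auth = %s\n' "$REGISTRY" "$token"
  printf 'always-auth = true\n'
}

# Only talk to the registry when both credentials are present in the env.
if [ -n "${JFROG_USER:-}" ] && [ -n "${JFROG_PAT:-}" ]; then
  # --fail makes curl return non-zero on HTTP errors such as 401.
  content=$(curl --fail --silent --show-error \
      --user "${JFROG_USER}:${JFROG_PAT}" \
      "https://company.jfrog.io/artifactory/api/npm/auth/" | npmrc_from_auth) || exit 1
  # Create the file 0600 so the token is not readable by other users.
  ( umask 077 && printf '%s\n' "$content" > .npmrc )
fi
```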

Use github actions to add deploy key to repo?

I'm trying to find out if it's possible to add a deploy key with GitHub actions. I have already generated a key with ssh-keygen and tried to add it manually, which works. But I would like to add my generated key with GitHub actions as well.
In other words I want to do this "GitHub -> repo -> settings -> deploy keys -> add deploy key (the generated key during workflow)" but I want to do it with GitHub actions if it's possible.
This is the workflow that I have created so far:
on:
  # Triggers the workflow on push or pull request events but only for the master branch
  push:
    branches: [ main ]
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
  # This workflow contains a single job called "build"
  build:
    # The type of runner that the job will run on
    runs-on: ubuntu-latest
    if: github.event.repository.name != 'testar-deploy-key'
    # Steps represent a sequence of tasks that will be executed as part of the job
    steps:
      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
      - uses: actions/checkout@v2
      - name: Create deploy key
        run: |
          # Deploy key
          ssh-keygen -m PEM -t rsa -b 4096 -C "mail@mail.com" -o -f id_rsa
          # Here I want in some way to add my generated key to the current github repository.
          git config --local user.email "action@github.com"
          git config --local user.name "GitHub Action"
          git add .
          git commit -m "Generate SSH"
      # Push changes
      - name: Push changes
        uses: ad-m/github-push-action@master
        with:
          branch: main
          github_token: ${{ secrets.GITHUB_TOKEN }}

Google Apps Script and Cloudbuild CI Login

So I am pretty stuck yet so close to getting a Google Apps Script project to push and deploy with Clasp through Google's Cloudbuild. So the push and deploy commands come from Google's Clasp cli which requires you to log in with your Google credentials with clasp login. The login will create a file in your home dir called ~/.clasprc.json with your credentials. This is needed to push and deploy. In the cloudbuild.yaml I created a substitution called _CLASPRC to hold the contents of this file and used my own custom image to write it to the container while running the build.
Now for the issue, I get the error below when the push command runs which is basically a not very useful way of saying I'm not logged in or any other error with the .clasprc.json. Since this is the only error I ever get no matter what the problem is, the issue is a bit hard to debug.
Could not read API credentials. Are you logged in globally?
I have tried putting the .clasprc.json in the home dir and the project dir but get the same issue both ways. I'm pretty sure the file is getting written to the projects dir because when I try to run on my local without the .clasp.json it complains it's missing before complaining I'm not logged in. When the .clasp.json is there it only complains I'm not logged in.
The project is just a personal project of mine and it is all open source on Github so here is the link to the actual project if you want some reference to the actual code. My Lil Admin and the builder I used My Builders. However you really don't need the project, to reproduce follow the steps below on your local.
1. make sure to have a GCP project created and the gcloud cli with Apps Script API enabled
2. have the clasp cli with npm install -g @google/clasp
3. clasp login to get a .clasprc.json and auth with GCP
4. clasp create --title "My Script" --type webapp and take note of the Scripts ID
5. associate the apps script project with your GCP project
The following steps are the files which lead to the problem. Simply add them to the clasp project created.
6. Here is the entrypoint for my Clasp Builder Image:
builder/clasp_ci.sh
#!/bin/bash
# if there is a _CLASPRC var and no .clasprc.json file
if [ ! -z "${_CLASPRC}" -a ! -f "${HOME}/.clasprc.json" ]; then
  # quoted so the JSON is written byte for byte (no word splitting or globbing)
  echo "$_CLASPRC" > "$HOME/.clasprc.json"
fi
# if there is a _SCRIPT_ID and PROJECT_ID and no .clasp.json file
if [ ! -z "${_SCRIPT_ID}" -a ! -z "$PROJECT_ID" -a ! -f ".clasp.json" ]; then
  cat > '.clasp.json' << EOF
{"scriptId":"$_SCRIPT_ID","projectId": "$PROJECT_ID"}
EOF
fi
# pass args to clasp
clasp "$@"
The builders dockerfile
builder/Dockerfile
# use Node LTS (Boron)
FROM node:8.16.1
COPY clasp_ci.sh /usr/local/bin/clasp_ci
# install Clasp CLI
RUN npm install -g @google/clasp && \
    chmod +x /usr/local/bin/clasp_ci
ENTRYPOINT ["/usr/local/bin/clasp_ci"]
now the cloudbuild to push the clasp builder
builder/cloudbuild.yaml
steps:
- name: 'gcr.io/cloud-builders/docker'
  args: [ 'build', '-t', 'gcr.io/$PROJECT_ID/clasp', '.' ]
images:
- 'gcr.io/$PROJECT_ID/clasp'
my cloudbuild ci for an apps script project. If you're making a new project to follow along you don't need the build steps nor the dir key in the push and deploy steps. This is pretty specific to the project in the links to my project above.
cloudbuild.yaml
steps:
- id: install
  name: 'gcr.io/cloud-builders/npm'
  args: ['install']
- id: build-server
  name: 'gcr.io/cloud-builders/npm'
  args: ['run','gas']
  env:
  - 'NODE_ENV=production'
- id: build-client
  name: 'gcr.io/cloud-builders/npm'
  args: ['run','prod']
  env:
  - 'NODE_ENV=production'
- id: push
  name: 'gcr.io/$PROJECT_ID/clasp'
  dir: './dist/gas'
  args: ['push','-f']
- id: deploy
  name: 'gcr.io/$PROJECT_ID/clasp'
  dir: './dist/gas'
  args: ['deploy','$TAG_NAME']
substitutions:
  _CLASPRC: 'your clasp rc file in your home dir after logging in locally'
  _SCRIPT_ID: 'your script id of the apps script project to deploy to'
Here is the command to load the builder. Make sure to replace yourproject with your actual project ID.
cd builder && gcloud builds submit --project yourproject --config=cloudbuild.yaml .
the command to finally get the error. Make sure to replace yourproject with your actual project ID and your_script_id with your actual script ID you took note of in step 4.
gcloud builds submit --project yourproject --config=cloudbuild.yaml . \
--substitutions=_CLASPRC="$(cat $HOME/.clasprc.json)" \
--substitutions=_SCRIPT_ID="your_script_id"
I have also tried using the credentials created from logging in with OAuth but I got the same exact error. However this may be useful in solving the issue. Docs for Clasp Run with OAuth
Hopefully someone can help me get this working. If so, this would be the first documentation online for a Cloudbuild CI with Apps Script and Clasp since I can't find anyone doing this anywhere. I have found some links using travis and jenkins but what they are doing for some reason does not work. Does anyone see something that I'm not? What am I missing here?!?!
Some other somewhat related or never solved issues:
https://github.com/google/clasp/issues/524
https://github.com/google/clasp/blob/master/tests/README.md
https://github.com/google/clasp/issues/225
https://github.com/gazf/google-apps-script-ci-starter
OK, so after a bunch of debugging I found out the cloudbuild substitution variables do not translate to environment variables in the container. You have to manually set the environment variables to the substitution variables and then the container will get the variables it needs.
Here is the updated CI Entry point:
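builder/clasp_ci.sh
#!/bin/bash
# write the credentials file if CLASPRC is set and the file does not exist yet
if [ ! -z "${CLASPRC}" -a ! -f "${HOME}/.clasprc.json" ]; then
  # quoted so the JSON is written byte for byte (no word splitting or globbing)
  echo "$CLASPRC" > "${HOME}/.clasprc.json"
fi
# write .clasp.json if SCRIPT_ID and PROJECT_ID are set and the file does not exist yet
if [ ! -z "${SCRIPT_ID}" -a ! -z "$PROJECT_ID" -a ! -f ".clasp.json" ]; then
  cat > '.clasp.json' << EOF
{"scriptId":"$SCRIPT_ID","projectId": "$PROJECT_ID"}
EOF
fi
# pass args to clasp
clasp "$@"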
and then the updated cloudbuild config:
cloudbuild.yaml
steps:
- id: install
  name: 'gcr.io/cloud-builders/npm'
  args: ['install']
- id: build-server
  name: 'gcr.io/cloud-builders/npm'
  args: ['run','gas']
  env:
  - 'NODE_ENV=production'
- id: build-client
  name: 'gcr.io/cloud-builders/npm'
  args: ['run','prod']
  env:
  - 'NODE_ENV=production'
- id: push
  name: 'gcr.io/$PROJECT_ID/clasp'
  dir: './dist/gas'
  args: ['push','-f']
  env:
  - 'CLASPRC=$_CLASPRC'
  - 'SCRIPT_ID=$_SCRIPT_ID'
  - 'PROJECT_ID=$PROJECT_ID'
- id: deploy
  name: 'gcr.io/$PROJECT_ID/clasp'
  dir: './dist/gas'
  args: ['deploy','$TAG_NAME']
  env:
  - 'CLASPRC=$_CLASPRC'
  - 'SCRIPT_ID=$_SCRIPT_ID'
  - 'PROJECT_ID=$PROJECT_ID'
substitutions:
  _CLASPRC: 'your clasp rc file in your home dir after logging in locally'
  _SCRIPT_ID: 'your script id of the apps script project to deploy to'
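A hardened take on the entrypoint from the answer above, as an added example that is not the author's script: it fails with a specific message when `CLASPRC` was never mapped into the step (the situation that otherwise surfaces only as "Could not read API credentials"), and it creates the credentials file with mode 0600. The function names `write_clasprc` and `write_clasp_json` are assumptions; the variable names are the ones the answer maps in `env:`.

```bash
#!/bin/bash
# Added example (not the original builder script): hardened variant of the
# clasp entrypoint. CLASPRC, SCRIPT_ID and PROJECT_ID are the env names the
# answer maps in each step's env: block; the function names are assumed.

# Write ~/.clasprc.json from $CLASPRC, failing loudly instead of letting
# clasp report the generic "Could not read API credentials" later.
write_clasprc() {
  local target="${HOME}/.clasprc.json"
  [ -f "$target" ] && return 0            # keep an existing login
  if [ -z "${CLASPRC:-}" ]; then
    echo "CLASPRC is empty: map it in the step's env: block" >&2
    return 1
  fi
  case "$CLASPRC" in
    '{'*) ;;                              # looks like the JSON written by clasp login
    *) echo "CLASPRC is not JSON (placeholder default still set?)" >&2
       return 1 ;;
  esac
  # umask in a subshell: the file is created 0600 from the start.
  # Quoted printf: no word splitting or globbing of the credential text.
  ( umask 077 && printf '%s\n' "$CLASPRC" > "$target" )
}

# Write .clasp.json in the working directory if it is missing.
write_clasp_json() {
  [ -f .clasp.json ] && return 0
  if [ -z "${SCRIPT_ID:-}" ] || [ -z "${PROJECT_ID:-}" ]; then
    echo "SCRIPT_ID and PROJECT_ID must both be set" >&2
    return 1
  fi
  printf '{"scriptId":"%s","projectId":"%s"}\n' "$SCRIPT_ID" "$PROJECT_ID" > .clasp.json
}

# Entrypoint: hand over to clasp only when arguments were given.
if [ "$#" -gt 0 ]; then
  write_clasprc && write_clasp_json || exit 1
  exec clasp "$@"
fi
```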

Install input secret into OpenShift build configuration

I have an OpenShift 3.9 build configuration my_bc and a secret my_secret of type kubernetes.io/ssh-auth. The secret was created like so:
oc create secret generic my_secret \
--type=kubernetes.io/ssh-auth \
--from-file=key
I have installed it as source secret into my_bc, and oc get bc/my_bc -o yaml reveals this spec:
source:
  contextDir: ...
  git:
    uri: ...
  sourceSecret:
    name: my_secret
  type: Git
As such, it is already effective in the sense that the OpenShift builder can pull from my private Git repository and produce an image with its Docker strategy.
I would now like to add my_secret also as an input secret to my_bc. My understanding is that this would not only allow the builder to make use of it (as source secret), but would allow other components inside the build to pick it up as well (as input secret). E.g. for the Docker strategy, it would exist in WORKDIR.
The documentation explains this with an example that adds the input secret when a build configuration is created:
oc new-build \
openshift/nodejs-010-centos7~https://github.com/openshift/nodejs-ex.git \
--build-secret secret-npmrc
Now the corresponding spec refers to the secret under secrets (not: sourceSecret), presumably because it is now an input secret (not: source secret).
source:
  git:
    uri: https://github.com/openshift/nodejs-ex.git
  secrets:
  - destinationDir: .
    secret:
      name: secret-npmrc
  type: Git
oc set build-secret apparently allows adding source secrets (as well as push and pull secrets -- these are for interacting with container registries) to a build configuration with command line argument --source (as well as --push/--pull), but what about input secrets? I did not find out yet.
So I have these questions:
How can I add my_secret as input secret to an existing build configuration such as my_bc?
Where would the input secret show up at build time, e.g. under which path could a Dockerfile pick up the private key that is stored in my_secret?
This procedure now works for me (thanks to @GrahamDumpleton for his guidance):
1. leave build configuration's source secret as is for now; get bc/my_bc -o jsonpath='{.spec.source.sourceSecret}' reports map[name:my_secret] (w/o path)
2. add input secret to build configuration at .spec.source.secrets with YAML corresponding to oc explain bc.spec.source.secrets: oc edit bc/my_bc
3. sanity checks: oc get bc/my_bc -o jsonpath='{.spec.source.secrets}' reports [map[destinationDir:secret secret:map[name:my_secret]]]; oc describe bc/my_bc | grep 'Source Secret:' reports Source Secret: my_secret (no path) and oc describe bc/my_bc | grep "Build Secrets:" reports Build Secrets: my_secret->secret
4. access secret inside Dockerfile in a preliminary way: COPY secret/ssh-privatekey secret/my_secret, RUN chmod 0640 secret/my_secret; adjust ssh-privatekey if necessary (as suggested by oc get secret/my_secret -o jsonpath='{.data}' | sed -ne 's/^map\[\(.*\):.*$/\1/p')
5. rebuild and redeploy image
6. sanity check: oc exec -it <pod> -c my_db file /secret/my_secret reports /secret/my_secret: PEM RSA private key (the image's WORKDIR is /)
In the comments to the question it mentions to patch the BuildConfig. Here is a patch that works on v3.11.0:
$ cat patch.json
{
  "spec": {
    "source": {
      "secrets": [
        {
          "secret": {
            "name": "secret-npmrc"
          },
          "destinationDir": "/etc"
        }
      ]
    }
  }
}
$ oc patch -n your-eng bc/tag-realworld -p "$(<patch.json)"
buildconfig "tag-realworld" patched