From 211883a0a9e15271cd6da588b976f9f738460d65 Mon Sep 17 00:00:00 2001 From: Ryan Brooks Date: Tue, 1 Oct 2024 09:27:37 +0100 Subject: [PATCH] Remove redundant LBHPACKAGESTOKEN from GitHub Actions workflows Historically we've published packages from our local machines, which requires a token to authenticate with the GitHub Packages NuGet Registry. Now we use CI to publish packages there is a GitHub-managed token we can use instead.. > If you're using a registry that supports granular permissions, and your workflow is using a personal access token to authenticate to the registry, then we highly recommend you update your workflow to use the GITHUB_TOKEN. > ~ from https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions#authenticating-to-package-registries-with-granular-permissions This change removes both `LBHPACKAGESTOKEN` and `NUGET_KEY` tokens from the GitHub Actions workflow, replacing them where needed with the managed `GITHUB_TOKEN` token that's automatically made available to all jobs. In order to keep the local development/management experience the same, references to `LBHPACKAGESTOKEN` have been kept as-is in the Docker and Docker Compose setup. Docker's documentation [suggests](https://docs.docker.com/reference/dockerfile/#arg) not to use build arguments to pass secrets, so this change updates the `Dockerfile` to use [secret mounts](https://docs.docker.com/build/building/secrets/#secret-mounts), and the recommended way to [manage secrets in docker compose](https://docs.docker.com/compose/how-tos/use-secrets/). Consequences This will allow us to remove the shared secrets in GitHub Actions: - `NUGET_KEY` - `LBHPACKAGESTOKEN` At the same time, this doesn't affect the local development workflow. --- .github/workflows/publish.yml | 10 +++------- Hackney.Shared.HousingSearch.Tests/Dockerfile | 15 ++++++++++----- docker-compose.yml | 11 +++++++++-- 3 files changed, 22 insertions(+), 14 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 7d4242b..26cad4e 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -9,8 +9,6 @@ jobs: calculate-version: name: Calculate Version runs-on: ubuntu-latest - env: - LBHPACKAGESTOKEN: ${{ secrets.LBHPACKAGESTOKEN }} outputs: version: ${{ steps.gitversion.outputs.nuGetVersionV2 }} steps: @@ -35,8 +33,6 @@ jobs: name: Check code formatting runs-on: ubuntu-latest needs: calculate-version - env: - LBHPACKAGESTOKEN: ${{ secrets.LBHPACKAGESTOKEN }} steps: - name: Checkout uses: actions/checkout@v2 @@ -50,7 +46,7 @@ jobs: runs-on: ubuntu-latest needs: calculate-version env: - LBHPACKAGESTOKEN: ${{secrets.LBHPACKAGESTOKEN }} + LBHPACKAGESTOKEN: ${{secrets.GITHUB_TOKEN }} outputs: version: ${{ needs.calculate-version.outputs.version }} steps: @@ -66,7 +62,7 @@ jobs: runs-on: ubuntu-latest needs: build-and-test env: - LBHPACKAGESTOKEN: ${{secrets.LBHPACKAGESTOKEN }} + LBHPACKAGESTOKEN: ${{secrets.GITHUB_TOKEN }} VERSION: ${{ needs.build-and-test.outputs.version }} steps: - name: Checkout @@ -76,4 +72,4 @@ jobs: - name: Publish the Package run: | cd Hackney.Shared.HousingSearch/bin/Release - dotnet nuget push Hackney.Shared.HousingSearch.*.nupkg -s https://nuget.pkg.github.com/LBHackney-IT/index.json --api-key ${{secrets.NUGET_KEY }} \ No newline at end of file + dotnet nuget push Hackney.Shared.HousingSearch.*.nupkg -s https://nuget.pkg.github.com/LBHackney-IT/index.json --api-key ${{ secrets.GITHUB_TOKEN }} diff --git a/Hackney.Shared.HousingSearch.Tests/Dockerfile b/Hackney.Shared.HousingSearch.Tests/Dockerfile index 7750e4a..7c60493 100644 --- a/Hackney.Shared.HousingSearch.Tests/Dockerfile +++ b/Hackney.Shared.HousingSearch.Tests/Dockerfile @@ -2,9 +2,6 @@ FROM mcr.microsoft.com/dotnet/sdk:6.0 # disable microsoft telematry ENV DOTNET_CLI_TELEMETRY_OPTOUT='true' - -ARG LBHPACKAGESTOKEN -ENV LBHPACKAGESTOKEN=$LBHPACKAGESTOKEN WORKDIR /app # Copy csproj and restore as distinct layers @@ -13,8 +10,16 @@ COPY ./Hackney.Shared.HousingSearch/Hackney.Shared.HousingSearch.csproj ./Hackne COPY ./Hackney.Shared.HousingSearch.Tests/Hackney.Shared.HousingSearch.Tests.csproj ./Hackney.Shared.HousingSearch.Tests/ COPY /nuget.config /root/.nuget/NuGet/NuGet.Config -RUN dotnet restore ./Hackney.Shared.HousingSearch/Hackney.Shared.HousingSearch.csproj -RUN dotnet restore ./Hackney.Shared.HousingSearch.Tests/Hackney.Shared.HousingSearch.Tests.csproj +# We mount secrets so they can't end up in logs or build layers. +# We chain both restore commands so we only make the token available +# once and don't store it elsewhere. +# see: +# - https://docs.docker.com/reference/dockerfile/#arg +# - https://docs.docker.com/compose/how-tos/use-secrets/ +RUN --mount=type=secret,id=LBHPACKAGESTOKEN \ + export LBHPACKAGESTOKEN=$(cat /run/secrets/LBHPACKAGESTOKEN) && \ + dotnet restore ./Hackney.Shared.HousingSearch/Hackney.Shared.HousingSearch.csproj && \ + dotnet restore ./Hackney.Shared.HousingSearch.Tests/Hackney.Shared.HousingSearch.Tests.csproj # Copy everything else and build COPY . . diff --git a/docker-compose.yml b/docker-compose.yml index c1bfffc..a7e4b83 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -6,5 +6,12 @@ services: build: context: . dockerfile: Hackney.Shared.HousingSearch.Tests/Dockerfile - args: - - LBHPACKAGESTOKEN=${LBHPACKAGESTOKEN} + + # Mounts the secret at /run/secrets/LBHPACKAGESTOKEN. + # see https://docs.docker.com/compose/how-tos/use-secrets/#build-secrets + secrets: + - LBHPACKAGESTOKEN + +secrets: + LBHPACKAGESTOKEN: + environment: LBHPACKAGESTOKEN