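# CI workflow: builds the Go and Rust `vault` CLIs, then runs a cross-language
# round-trip (store / lookup / delete) against a real AWS stack using the
# Python, Go, Rust and Node.js implementations.
name: Integration Tests

on:
  push:
    branches:
      - master
      - main
  # Pull requests from forks run without repository secrets and without an
  # OIDC token, so the `tests` job cannot assume the AWS role there; only
  # same-repository PRs exercise the AWS-backed steps.
  pull_request:

# Least privilege: the default GITHUB_TOKEN is read-only for every job.
# `id-token: write` (needed for AWS OIDC) is granted only to the `tests`
# job below, so the `build` matrix never holds a permission it does not use.
permissions:
  contents: read

# Cancel previous runs for PRs but not pushes to main
concurrency:
  group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
  cancel-in-progress: true

jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        lang: [go, rust]
    defaults:
      run:
        # Each matrix entry builds inside its own language directory.
        working-directory: ${{ matrix.lang }}
    steps:
      # NOTE(review): third-party actions are referenced by mutable tags
      # (@v4, @stable, @v2.7.3); pin them to full commit SHAs to protect
      # against a compromised or force-moved tag.
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
        if: ${{ matrix.lang == 'rust' }}
      - uses: Swatinem/[email protected]
        if: ${{ matrix.lang == 'rust' }}
        with:
          workspaces: ./rust -> target
      - uses: actions/setup-go@v5
        if: ${{ matrix.lang == 'go' }}
        with:
          go-version: ">=1.21.0"
          cache-dependency-path: go/go.sum
      - name: Run build script for compiled languages
        run: "./build.sh"
      - name: Upload built binaries
        uses: actions/upload-artifact@v4
        with:
          # The artifact name doubles as the download sub-directory in `tests`
          # (bin/go/vault, bin/rust/vault).
          name: ${{ matrix.lang }}
          path: ${{ matrix.lang }}/vault

  tests:
    needs: build
    runs-on: ubuntu-latest
    # Only this job talks to AWS, so only it may request an OIDC token.
    permissions:
      id-token: write
      contents: read
    # Bound a hung run so a job holding AWS credentials cannot sit idle for hours.
    timeout-minutes: 30
    env:
      # VAULT_STACK overwrites default 'vault' for vaults
      VAULT_STACK: nitor-vault-integration-testing
    # at the moment we store the values to fixed keys so this needs to have limited concurrency
    # NOTE(review): keep this at job level, not under `env:` — as an environment
    # variable it would only define a variable and would not serialize runs.
    concurrency: "integration-test"
    steps:
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          # The role's trust policy should restrict the OIDC `sub` claim to this
          # repository (and ideally these branches) so no other workflow can
          # assume it.
          role-to-assume: ${{ secrets.AWS_CI_ROLE }}
          role-session-name: GitHubVaultIntegrationTests
          aws-region: eu-west-1
      - uses: actions/checkout@v4
      - name: Download artifacts
        uses: actions/download-artifact@v4
        with:
          # No `name` given: every artifact lands in bin/<artifact-name>/.
          path: bin
      - uses: pnpm/action-setup@v4
        with:
          version: 9
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: "pnpm"
          cache-dependency-path: nodejs/pnpm-lock.yaml
      - name: Install zip
        # `-y` keeps apt non-interactive; without it apt prompts for
        # confirmation whenever a package actually has to be installed.
        run: |
          sudo apt-get install -y zip unzip
      - name: build node vault
        run: pnpm install --frozen-lockfile && pnpm build
        working-directory: nodejs
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
          cache: pip
      - name: install python vault
        run: python -m pip install .
        working-directory: python
      - name: add execute rights & run --version for all versions
        run: |
          chmod +x bin/go/vault bin/rust/vault nodejs/dist/cli/vault.js
          vault --version
          bin/go/vault --version
          bin/rust/vault --version
          nodejs/dist/cli/vault.js --version
      # Each implementation stores its own fixed key; the value is derived from
      # the commit SHA so the lookup below detects a stale value from an
      # earlier run rather than silently passing.
      - name: Store secret with Python
        run: vault -s 'secret-python' -v 'sha-${{ github.sha }}' -w
      - name: Store secret with Go
        run: bin/go/vault -s 'secret-go' -v 'sha-${{ github.sha }}' -w
      - name: Store secret with Rust
        run: bin/rust/vault -s 'secret-rust' -v 'sha-${{ github.sha }}' -w
      - name: Store secret with Nodejs
        run: nodejs/dist/cli/vault.js s 'secret-nodejs' 'sha-${{ github.sha }}' -w
      # Cross-check every implementation against the others so a value written
      # by one CLI must be readable, byte-for-byte, by each of the rest.
      - name: Validate storing worked Python
        run: diff <(vault -l secret-python) <(echo -n sha-${{ github.sha }})
      - name: Validate Go and Rust secret equality with Python
        run: diff <(vault -l secret-go) <(vault -l secret-rust)
      - name: Validate Python and Rust secret equality with Go and Nodejs
        run: diff <(bin/go/vault -l secret-rust) <(nodejs/dist/cli/vault.js l secret-python)
      - name: Validate Go and Python secret equality with Rust and Go
        run: diff <(bin/rust/vault -l secret-go) <(bin/go/vault -l secret-python)
      - name: Validate Python and Nodejs secret equality with Rust
        run: diff <(bin/rust/vault -l secret-python) <(bin/rust/vault -l secret-nodejs)
      - name: Validate Rust and Go secret equality with Nodejs
        run: diff <(bin/rust/vault -l secret-rust) <(nodejs/dist/cli/vault.js l secret-nodejs)
      - name: Delete secret with Python
        run: vault -d 'secret-python'
      - name: Delete secret with Go
        run: bin/go/vault -d 'secret-go'
      - name: Delete secret with Rust
        run: bin/rust/vault -d 'secret-rust'
      - name: Delete secret with Nodejs
        run: nodejs/dist/cli/vault.js d 'secret-nodejs'
      - name: Verify that keys have been deleted
        # The pipe hides the exit status of `vault --exists` itself; each line
        # passes or fails on whether grep finds the literal "doesn't" in its
        # output.
        run: |
          bin/rust/vault --exists secret-python | grep doesn\'t
          bin/rust/vault --exists secret-go | grep doesn\'t
          bin/rust/vault --exists secret-rust | grep doesn\'t
          bin/rust/vault --exists secret-nodejs | grep doesn\'t
      # Binary round-trip: store a zip file and make sure it comes back intact.
      - name: Create dummy text file
        # `github.ref_name` is passed through an environment variable rather
        # than expanded inside the shell command. With the current triggers
        # (pushes to master/main, PR merge refs) it is not attacker-controlled,
        # but routing it via env keeps the step injection-safe should the
        # branch filter ever be widened.
        env:
          REF_NAME: ${{ github.ref_name }}
        run: echo "Vault test ${{ github.sha }} $REF_NAME" > test.txt
      - name: Zip the text file
        run: zip "secret-${{ github.sha }}.zip" test.txt
      - name: Store zip file using Python vault
        run: vault --store --file "secret-${{ github.sha }}.zip"
      - name: Lookup the stored zip file with Python and write to output
        run: vault -l "secret-${{ github.sha }}.zip" > output-python.zip
      - name: Extract the zip file retrieved with Python
        run: unzip output-python.zip -d extracted-python
      - name: Verify the extracted file content (Python)
        run: diff extracted-python/test.txt test.txt
      - name: Delete zip secret with Python
        run: vault -d "secret-${{ github.sha }}.zip"
      - name: Store zip file using Rust vault
        run: bin/rust/vault --store --file "secret-${{ github.sha }}.zip"
      - name: Lookup the stored zip file with Rust and write to output
        run: bin/rust/vault -l "secret-${{ github.sha }}.zip" > output-rust.zip
      - name: Extract the zip file retrieved with Rust
        run: unzip output-rust.zip -d extracted-rust
      - name: Verify the extracted file content (Rust)
        run: diff extracted-rust/test.txt test.txt
      - name: Delete zip secret with Rust
        run: bin/rust/vault -d "secret-${{ github.sha }}.zip"
      - name: Verify that the zip key has been deleted
        run: |
          bin/rust/vault --exists secret-${{ github.sha }}.zip | grep doesn\'t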