feat: adds an environment variable option for token

To simplify running locally in headless mode, an environment variable would be suitable over piping to standard input. This also simplifies the action entrypoint scripts. Signed-off-by: Jennifer Power <[email protected]>
RedHatProductSecurity · May 3, 2024 · e143ffc · e143ffc
1 parent 9997a49
commit e143ffc
Show file tree

Hide file tree

Showing 7 changed files with 32 additions and 50 deletions.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -192,5 +192,5 @@ cat my-token.txt | podman secret create repo-secret -
 4. Run the container
 
 ```bash
-podman run --entrypoint /entrypoint.sh --secret repo-secret,type=env,target=GITHUB_TOKEN --env-file=envfile -v my-trestle-space:/data -w /data localhost:5000/trestlebot:latest
+podman run --entrypoint /entrypoint.sh --secret repo-secret,type=env,target=TRESTLEBOT_REPO_ACCESS_TOKEN --env-file=envfile -v my-trestle-space:/data -w /data localhost:5000/trestlebot:latest
 ```
diff --git a/actions/autosync/auto-sync-entrypoint.sh b/actions/autosync/auto-sync-entrypoint.sh
@@ -42,14 +42,4 @@ if [[ ${INPUT_VERBOSE} == true ]]; then
     command+=" --verbose"
 fi
 
-# Only set the token value when is a target branch so pull requests can be created
-if [[ -n ${INPUT_TARGET_BRANCH} ]]; then
-  if [[ -z ${GITHUB_TOKEN} ]]; then
-    echo "Set the GITHUB_TOKEN env variable."
-    exit 1
-  fi
-
-  command+=" --with-token - <<<\"${GITHUB_TOKEN}\""
-fi
-
 eval "${command}"
diff --git a/actions/create-cd/create-cd-entrypoint.sh b/actions/create-cd/create-cd-entrypoint.sh
@@ -36,14 +36,4 @@ if [[ ${INPUT_DRY_RUN} == true ]]; then
     command+=" --dry-run"
 fi
 
-# Only set the token value when is a target branch so pull requests can be created
-if [[ -n ${INPUT_TARGET_BRANCH} ]]; then
-  if [[ -z ${GITHUB_TOKEN} ]]; then
-    echo "Set the GITHUB_TOKEN env variable."
-    exit 1
-  fi
-
-  command+=" --with-token - <<<\"${GITHUB_TOKEN}\""
-fi
-
 eval "${command}"
diff --git a/actions/rules-transform/rules-transform-entrypoint.sh b/actions/rules-transform/rules-transform-entrypoint.sh
@@ -31,15 +31,4 @@ if [[ ${INPUT_DRY_RUN} == true ]]; then
     command+=" --dry-run"
 fi
 
-
-# Only set the token value when is a target branch so pull requests can be created
-if [[ -n ${INPUT_TARGET_BRANCH} ]]; then
-  if [[ -z ${GITHUB_TOKEN} ]]; then
-    echo "Set the GITHUB_TOKEN env variable."
-    exit 1
-  fi
-
-  command+=" --with-token - <<<\"${GITHUB_TOKEN}\""
-fi
-
 eval "${command}"
diff --git a/actions/sync-upstreams/sync-upstreams-entrypoint.sh b/actions/sync-upstreams/sync-upstreams-entrypoint.sh
@@ -39,14 +39,4 @@ if [[ ${INPUT_SKIP_VALIDATION} == true ]]; then
     command+=" --skip-validation"
 fi
 
-# Only set the token value when is a target branch so pull requests can be created
-if [[ -n ${INPUT_TARGET_BRANCH} ]]; then
-  if [[ -z ${GITHUB_TOKEN} ]]; then
-    echo "Set the GITHUB_TOKEN env variable."
-    exit 1
-  fi
-
-  command+=" --with-token - <<<\"${GITHUB_TOKEN}\""
-fi
-
 eval "${command}"
diff --git a/tests/trestlebot/entrypoints/test_entrypoint_base.py b/tests/trestlebot/entrypoints/test_entrypoint_base.py
@@ -35,6 +35,24 @@ def test_set_git_provider_with_github() -> None:
         assert isinstance(provider, GitHub)
 
 
+@patch.dict(
+    "os.environ",
+    {"GITHUB_ACTIONS": "true", "TRESTLEBOT_REPO_ACCESS_TOKEN": "fake_token"},
+)
+def test_set_git_provider_with_github_no_stdin() -> None:
+    """Test set_git_provider function in Entrypoint Base for GitHub Actions"""
+    with patch("sys.stdin", return_value=StringIO("fake_token")):
+        provider: Optional[GitProvider]
+        args = argparse.Namespace(
+            target_branch="main",
+            with_token=False,
+            git_provider_type="",
+            git_server_url="",
+        )
+        provider = EntrypointBase.set_git_provider(args=args)
+        assert isinstance(provider, GitHub)
+
+
 @patch.dict(
     "os.environ",
     {
@@ -105,8 +123,8 @@ def test_set_provider_with_no_token() -> None:
     args = argparse.Namespace(target_branch="main", with_token=False)
     with pytest.raises(
         EntrypointInvalidArgException,
-        match="Invalid args --with-token: with-token flag must be set to read from "
-        "standard input when using target-branch",
+        match="Invalid args --with-token: with-token flag must be set to read from standard input "
+        "or use TRESTLEBOT_REPO_ACCESS_TOKEN environment variable when using target-branch",
     ):
         EntrypointBase.set_git_provider(args=args)
 

diff --git a/trestlebot/entrypoints/entrypoint_base.py b/trestlebot/entrypoints/entrypoint_base.py
@@ -14,6 +14,7 @@
 
 import argparse
 import logging
+import os
 import sys
 from typing import List, Optional
 
@@ -167,14 +168,18 @@ def set_git_provider(args: argparse.Namespace) -> Optional[GitProvider]:
         git_provider: Optional[GitProvider] = None
         if args.target_branch is not None:
             if not args.with_token:
-                raise EntrypointInvalidArgException(
-                    "--with-token",
-                    "with-token flag must be set to read from standard input when "
-                    "using target-branch",
-                )
+                # Attempts to read from env var
+                access_token = os.environ.get("TRESTLEBOT_REPO_ACCESS_TOKEN", "")
+                if not access_token:
+                    raise EntrypointInvalidArgException(
+                        "--with-token",
+                        "with-token flag must be set to read from standard input or use "
+                        "TRESTLEBOT_REPO_ACCESS_TOKEN environment variable when using target-branch",
+                    )
             else:
-                access_token = sys.stdin.read().strip()
+                access_token = sys.stdin.read()
             try:
+                access_token = access_token.strip()
                 git_provider_type = args.git_provider_type
                 git_server_url = args.git_server_url
                 git_provider = GitProviderFactory.provider_factory(