From 245e8e6b91bfb08ffd03faea4b17cd78a23d02ea Mon Sep 17 00:00:00 2001
From: Alexis Tual
Date: Fri, 17 May 2024 11:44:42 +0200
Subject: [PATCH] Do not clear `GRADLE_ENTERPRISE_ACCESS_KEY` env var and output a deprecation warning
---
 .../workflows/integ-test-inject-develocity.yml | 4 ++--
 docs/deprecation-upgrade-guide.md | 15 ++++++++++-----
 docs/setup-gradle.md | 5 +++--
 sources/src/configuration.ts | 7 +++++--
 sources/src/develocity/short-lived-token.ts | 18 +++++++++++++++---
 5 files changed, 35 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/integ-test-inject-develocity.yml b/.github/workflows/integ-test-inject-develocity.yml
index 56ac29a..8437fce 100644
--- a/.github/workflows/integ-test-inject-develocity.yml
+++ b/.github/workflows/integ-test-inject-develocity.yml
@@ -157,5 +157,5 @@ jobs:
 run: gradle help
 - name: Check access key is blank (DEVELOCITY_ACCESS_KEY)
 run: "[ \"${DEVELOCITY_ACCESS_KEY}\" == \"\" ] || (echo 'DEVELOCITY_ACCESS_KEY has leaked!'; exit 1)"
- - name: Check access key is blank (GRADLE_ENTERPRISE_ACCESS_KEY)
- run: "[ \"${GRADLE_ENTERPRISE_ACCESS_KEY}\" == \"\" ] || (echo 'GRADLE_ENTERPRISE_ACCESS_KEY has leaked!'; exit 1)"
+ - name: Check access key is not blank (GRADLE_ENTERPRISE_ACCESS_KEY)
+ run: "[ \"${GRADLE_ENTERPRISE_ACCESS_KEY}\" != \"\" ] || (echo 'GRADLE_ENTERPRISE_ACCESS_KEY is still supported in v3!'; exit 1)"
diff --git a/docs/deprecation-upgrade-guide.md b/docs/deprecation-upgrade-guide.md
index d2d66cb..6a454ad 100644
--- a/docs/deprecation-upgrade-guide.md
+++ b/docs/deprecation-upgrade-guide.md
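Review bot: The replacement step for `GRADLE_ENTERPRISE_ACCESS_KEY` only proves the variable is non-empty, so it would also pass if the action had overwritten it with some other value; comparing it with the value the job supplied would pin the "left untouched" behaviour this commit intends. The failure message `'GRADLE_ENTERPRISE_ACCESS_KEY is still supported in v3!'` reads like a success statement although it is printed when the check fails; `'GRADLE_ENTERPRISE_ACCESS_KEY must not be cleared in v3'` would be clearer in CI logs. The job this step belongs to starts outside the hunk, so how the variable is set there is not visible here.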
@@ -1,9 +1,9 @@ # Deprecation upgrade guide -As these actions evolve, certain inputs, behaviour and usages are deprecated for removal. +As these actions evolve, certain inputs, behaviour and usages are deprecated for removal. Deprecated functionality will be fully supported during the current major release, and will be -removed in the next major release. -Users will receive a deprecation warning when they rely on deprecated functionality, +removed in the next major release. +Users will receive a deprecation warning when they rely on deprecated functionality, prompting them to update their workflows. ## The action `gradle/gradle-build-action` has been replaced by `gradle/actions/setup-gradle` @@ -25,10 +25,10 @@ with ## The action `gradle/wrapper-validation-action` has been replaced by `gradle/actions/wrapper-validation` -To facilitate ongoing development, the `wrapper-validation-action` action implementation has been merged into +To facilitate ongoing development, the `wrapper-validation-action` action implementation has been merged into the https://github.com/gradle/actions repository, and the `gradle/wrapper-validation-action` has been replaced by the `gradle/actions/wrapper-validation` action. -As of `v3.x`, the `gradle/wrapper-validation-action` and `gradle/actions/wrappper-validation` actions are +As of `v3.x`, the `gradle/wrapper-validation-action` and `gradle/actions/wrappper-validation` actions are functionally identical, and are released with the same versions. In a future major version (likely `v4.x`) we will stop releasing new versions of `gradle/wrapper-validation-action`: 
@@ -143,3 +143,8 @@ to this: build-scan-terms-of-use-agree: "yes" ``` These deprecated build-scan parameters are scheduled to be removed in `setup-gradle@v4` and `dependency-submission@v4`. + +## The GRADLE_ENTERPRISE_ACCESS_KEY env var is deprecated +Gradle Enterprise has been renamed to Develocity starting from Gradle plugin 3.17 and Develocity server 2024.1. +In v4 release of the action, it will require setting the access key with the `develocity-access-key` input and Develocity 2024.1 at least to generate short-lived tokens. +If those requirements are not met, the `GRADLE_ENTERPRISE_ACCESS_KEY` env var will be cleared out and build scan publication or other authenticated Develocity operations won't be possible. diff --git a/docs/setup-gradle.md b/docs/setup-gradle.md index 61348d7..55f935b 100644 --- a/docs/setup-gradle.md +++ b/docs/setup-gradle.md 
@@ -747,8 +747,9 @@ This access key will be used during the action execution to get a short-lived to ### Short-lived access tokens Develocity access keys are long-lived, creating risks if they are leaked. To avoid this, users can use short-lived access tokens to authenticate with Develocity. Access tokens can be used wherever an access key would be used. Access tokens are only valid for the Develocity instance that created them. -If a short-lived token fails to be retrieved (for example, if the Develocity server version is lower than `2024.1`), no access key will be set. -In that case, Develocity authenticated operations like build cache read/write and build scan publication will fail without failing the build. +If a short-lived token fails to be retrieved (for example, if the Develocity server version is lower than `2024.1`): + - if a `GRADLE_ENTERPRISE_ACCESS_KEY` env var has been set, we're falling back to it with a deprecation warning + - otherwise no access key env var will be set. In that case Develocity authenticated operations like build cache read/write and build scan publication will fail without failing the build. For more information on short-lived tokens, see [Develocity API documentation](https://docs.gradle.com/develocity/api-manual/#short_lived_access_tokens). ## Configuring Develocity injection diff --git a/sources/src/configuration.ts b/sources/src/configuration.ts index 8cacb28..ba4552a 100644 --- a/sources/src/configuration.ts +++ b/sources/src/configuration.ts @@ -188,6 +188,9 @@ export enum JobSummaryOption { } export class BuildScanConfig { + static DevelocityAccessKeyEnvVar = 'DEVELOCITY_ACCESS_KEY' + static GradleEnterpriseAccessKeyEnvVar = 'GRADLE_ENTERPRISE_ACCESS_KEY' + getBuildScanPublishEnabled(): boolean { return getBooleanInput('build-scan-publish') && this.verifyTermsOfUseAgreement() } 
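Review bot: The two static fields added to `BuildScanConfig` in the `@@ -188,6 +188,9 @@` hunk are mutable, yet they decide which environment variables are read for the access key and which one is blanked in `short-lived-token.ts`. Declaring them `static readonly DevelocityAccessKeyEnvVar = 'DEVELOCITY_ACCESS_KEY'` and `static readonly GradleEnterpriseAccessKeyEnvVar = 'GRADLE_ENTERPRISE_ACCESS_KEY'` prevents an accidental reassignment from silently changing which secret-bearing variable gets cleared. A short comment such as `// Legacy name, deprecated: kept for v3 only` on the second field would document why both exist. The class body continues outside the hunk.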
@@ -203,8 +206,8 @@ export class BuildScanConfig {
 getDevelocityAccessKey(): string {
 return (
 core.getInput('develocity-access-key') ||
- process.env['DEVELOCITY_ACCESS_KEY'] ||
- process.env['GRADLE_ENTERPRISE_ACCESS_KEY'] ||
+ process.env[BuildScanConfig.DevelocityAccessKeyEnvVar] ||
+ process.env[BuildScanConfig.GradleEnterpriseAccessKeyEnvVar] ||
 ''
 )
 }
diff --git a/sources/src/develocity/short-lived-token.ts b/sources/src/develocity/short-lived-token.ts
index 708d731..a0bfdb6 100644
--- a/sources/src/develocity/short-lived-token.ts
+++ b/sources/src/develocity/short-lived-token.ts
@@ -1,5 +1,7 @@
 import * as httpm from 'typed-rest-client/HttpClient'
 import * as core from '@actions/core'
+import {BuildScanConfig} from '../configuration'
+import {recordDeprecation} from '../deprecation-collector'

 export async function setupToken(
 develocityAccessKey: string,
@@ -18,17 +20,27 @@ export async function setupToken(
 exportAccessKeyEnvVars(token)
 } else {
 // In case of not being able to generate a token we set the env variable to empty to avoid leaks
- exportAccessKeyEnvVars('')
+ clearAccessKeyEnvVarsWithDeprecationWarning()
 }
 } catch (e) {
- exportAccessKeyEnvVars('')
+ clearAccessKeyEnvVarsWithDeprecationWarning()
 core.warning(`Failed to fetch short-lived token, reason: ${e}`)
 }
 }
 }

 function exportAccessKeyEnvVars(value: string): void {
- ;['DEVELOCITY_ACCESS_KEY', 'GRADLE_ENTERPRISE_ACCESS_KEY'].forEach(key => core.exportVariable(key, value))
+ ;[BuildScanConfig.DevelocityAccessKeyEnvVar, BuildScanConfig.GradleEnterpriseAccessKeyEnvVar].forEach(key =>
+ core.exportVariable(key, value)
+ )
+}
+
+function clearAccessKeyEnvVarsWithDeprecationWarning(): void {
+ if (process.env[BuildScanConfig.GradleEnterpriseAccessKeyEnvVar]) {
+ // We do not clear the GRADLE_ENTERPRISE_ACCESS_KEY env var in v3, to let the users upgrade to DV 2024.1
+ recordDeprecation(`The ${BuildScanConfig.GradleEnterpriseAccessKeyEnvVar} env var is deprecated`)
+ }
+ core.exportVariable(BuildScanConfig.DevelocityAccessKeyEnvVar, '')
 }

 export async function getToken(
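Review bot: The context comment above the first changed call still says the env variable is set to empty "to avoid leaks", but `clearAccessKeyEnvVarsWithDeprecationWarning()` now blanks only `DEVELOCITY_ACCESS_KEY`. Whenever token retrieval fails, a long-lived `GRADLE_ENTERPRISE_ACCESS_KEY` therefore stays in the job environment for every later step. That is the stated intent for v3, but the comment and the helper's name ("clear", plural "EnvVars") now misdescribe it; I would reword the comment to `// On failure blank DEVELOCITY_ACCESS_KEY; a pre-set GRADLE_ENTERPRISE_ACCESS_KEY is kept in v3 (deprecated)`. The text passed to `recordDeprecation` could also state the consequence, e.g. `... env var is deprecated; the long-lived key is still exported to later steps`, so users see the exposure and not only the rename. The helper would benefit from a one-line doc comment stating which variable it clears and which it leaves, and `setupToken` starts and `getToken` continues outside this hunk.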