From 4e98607a38008bfd78af6344ff4c01d25acb663c Mon Sep 17 00:00:00 2001 From: Alexis Tual Date: Thu, 16 May 2024 13:26:58 +0200 Subject: [PATCH] Set both DEVELOCITY_ACCESS_KEY and GRADLE_ENTERPRISE_ACCESS_KEY env vars --- .../integ-test-inject-develocity.yml | 36 +++++++++++++++---- sources/src/configuration.ts | 7 +++- sources/src/develocity/short-lived-token.ts | 13 ++++--- 3 files changed, 43 insertions(+), 13 deletions(-) diff --git a/.github/workflows/integ-test-inject-develocity.yml b/.github/workflows/integ-test-inject-develocity.yml index a41b141..0c1b909 100644 --- a/.github/workflows/integ-test-inject-develocity.yml +++ b/.github/workflows/integ-test-inject-develocity.yml @@ -67,21 +67,28 @@ jobs: with: script: | core.setFailed('No Build Scan detected') - - name: Check short lived token - if: ${{ matrix.plugin-version == '3.17.3' }} + - name: Check short lived token (DEVELOCITY_ACCESS_KEY) run: "[ ${#DEVELOCITY_ACCESS_KEY} -gt 500 ] || (echo 'DEVELOCITY_ACCESS_KEY does not look like a short lived token'; exit 1)" + - name: Check short lived token (GRADLE_ENTERPRISE_ACCESS_KEY) + run: "[ ${#GRADLE_ENTERPRISE_ACCESS_KEY} -gt 500 ] || (echo 'GRADLE_ENTERPRISE_ACCESS_KEY does not look like a short lived token'; exit 1)" inject-develocity-with-access-key: env: DEVELOCITY_INJECTION_ENABLED: true DEVELOCITY_URL: 'https://ge.solutions-team.gradle.com' - DEVELOCITY_PLUGIN_VERSION: 3.17.3 + DEVELOCITY_PLUGIN_VERSION: ${{ matrix.plugin-version }} DEVELOCITY_CCUD_PLUGIN_VERSION: '2.0' strategy: fail-fast: false matrix: gradle: [current, 7.6.2, 6.9.4, 5.6.4] os: ${{fromJSON(inputs.runner-os)}} + plugin-version: [3.16.2, 3.17.3] + include: + - plugin-version: 3.16.2 + accessKeyEnv: GRADLE_ENTERPRISE_ACCESS_KEY + - plugin-version: 3.17.3 + accessKeyEnv: DEVELOCITY_ACCESS_KEY runs-on: ${{ matrix.os }} steps: - name: Checkout sources 
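Review bot: The `include` entries added to the `inject-develocity-with-access-key` matrix define `accessKeyEnv`, but nothing in the visible part of that job reads `matrix.accessKeyEnv`. The job's steps lie outside the hunk, so confirm the value is consumed there, or drop the `include` block from this job so the matrix only carries what it uses. The two `Check short lived token` steps also rest on an unexplained length threshold, so a one-line comment would help, e.g. `# heuristic: a short-lived token is expected to be far longer than a plain access key`.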
@@ -105,8 +112,10 @@ jobs: id: gradle working-directory: .github/workflow-samples/no-ge run: gradle help - - name: Check short lived token + - name: Check short lived token (DEVELOCITY_ACCESS_KEY) run: "[ ${#DEVELOCITY_ACCESS_KEY} -gt 500 ] || (echo 'DEVELOCITY_ACCESS_KEY does not look like a short lived token'; exit 1)" + - name: Check short lived token (GRADLE_ENTERPRISE_ACCESS_KEY) + run: "[ ${#GRADLE_ENTERPRISE_ACCESS_KEY} -gt 500 ] || (echo 'GRADLE_ENTERPRISE_ACCESS_KEY does not look like a short lived token'; exit 1)" - name: Check Build Scan url if: ${{ !steps.gradle.outputs.build-scan-url }} uses: actions/github-script@v7 @@ -118,10 +127,21 @@ jobs: env: DEVELOCITY_INJECTION_ENABLED: true DEVELOCITY_URL: 'https://localhost:3333/' - DEVELOCITY_PLUGIN_VERSION: 3.17.3 + DEVELOCITY_PLUGIN_VERSION: ${{ matrix.plugin-version }} DEVELOCITY_CCUD_PLUGIN_VERSION: '2.0' # Access key also set as an env var, we want to check it does not leak - DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }} + ${{matrix.accessKeyEnv}}: ${{ secrets.DEVELOCITY_ACCESS_KEY }} + strategy: + fail-fast: false + matrix: + gradle: [ current, 7.6.2, 6.9.4, 5.6.4 ] + os: ${{fromJSON(inputs.runner-os)}} + plugin-version: [ 3.16.2, 3.17.3 ] + include: + - plugin-version: 3.16.2 + accessKeyEnv: GRADLE_ENTERPRISE_ACCESS_KEY + - plugin-version: 3.17.3 + accessKeyEnv: DEVELOCITY_ACCESS_KEY runs-on: ubuntu-latest steps: - name: Checkout sources @@ -144,5 +164,7 @@ jobs: id: gradle working-directory: .github/workflow-samples/no-ge run: gradle help - - name: Check access key is blank + - name: Check access key is blank (DEVELOCITY_ACCESS_KEY) run: "[ \"${DEVELOCITY_ACCESS_KEY}\" == \"\" ] || (echo 'DEVELOCITY_ACCESS_KEY has leaked!'; exit 1)" + - name: Check access key is blank (GRADLE_ENTERPRISE_ACCESS_KEY) + run: "[ \"${GRADLE_ENTERPRISE_ACCESS_KEY}\" == \"\" ] || (echo 'GRADLE_ENTERPRISE_ACCESS_KEY has leaked!'; exit 1)" 
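Review bot: In the hunk at `@@ -118,10 +127,21 @@`, the env entry `${{matrix.accessKeyEnv}}: ${{ secrets.DEVELOCITY_ACCESS_KEY }}` puts an expression in a mapping key. As far as I know, GitHub Actions evaluates expressions only in values, so the access key may never be set under either name. If so, the two `Check access key is blank` steps at `@@ -144,5 +164,7 @@` would pass without exercising the leak path. Setting both names explicitly keeps the test meaningful: `DEVELOCITY_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}` and `GRADLE_ENTERPRISE_ACCESS_KEY: ${{ secrets.DEVELOCITY_ACCESS_KEY }}`. The added `os` matrix dimension also looks unused in this job, which keeps `runs-on: ubuntu-latest`, so every combination would be repeated once per entry of `inputs.runner-os`.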
diff --git a/sources/src/configuration.ts b/sources/src/configuration.ts index fe83e0c..8cacb28 100644 --- a/sources/src/configuration.ts +++ b/sources/src/configuration.ts @@ -201,7 +201,12 @@ export class BuildScanConfig { } getDevelocityAccessKey(): string { - return core.getInput('develocity-access-key') || process.env['DEVELOCITY_ACCESS_KEY'] || '' + return ( + core.getInput('develocity-access-key') || + process.env['DEVELOCITY_ACCESS_KEY'] || + process.env['GRADLE_ENTERPRISE_ACCESS_KEY'] || + '' + ) } getDevelocityTokenExpiry(): string { diff --git a/sources/src/develocity/short-lived-token.ts b/sources/src/develocity/short-lived-token.ts index 148323e..708d731 100644 --- a/sources/src/develocity/short-lived-token.ts +++ b/sources/src/develocity/short-lived-token.ts 
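Review bot: `getDevelocityAccessKey()` now resolves the key from three sources, and that precedence is not documented in the hunk: the `develocity-access-key` input, then `DEVELOCITY_ACCESS_KEY`, then the legacy `GRADLE_ENTERPRISE_ACCESS_KEY`. Because the chain uses `||`, an empty input or empty variable falls through to the next source, and when both variables are set to different values the legacy one is silently ignored. A doc comment above the method would make this explicit, e.g. `/** Access key from the action input, else DEVELOCITY_ACCESS_KEY, else the legacy GRADLE_ENTERPRISE_ACCESS_KEY; '' when none is set. */`. The enclosing `BuildScanConfig` class starts and ends outside the hunk.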
@@ -7,27 +7,30 @@ export async function setupToken( enforceUrl: string | undefined, develocityUrl: string | undefined ): Promise { - const develocityAccesskeyEnvVar = 'DEVELOCITY_ACCESS_KEY' if (develocityAccessKey) { try { core.debug('Fetching short-lived token...') const tokens = await getToken(enforceUrl, develocityUrl, develocityAccessKey, develocityTokenExpiry) if (tokens != null && !tokens.isEmpty()) { - core.debug(`Got token(s), setting the ${develocityAccesskeyEnvVar} env var`) + core.debug(`Got token(s), setting the access key env vars`) const token = tokens.raw() core.setSecret(token) - core.exportVariable(develocityAccesskeyEnvVar, token) + exportAccessKeyEnvVars(token) } else { // In case of not being able to generate a token we set the env variable to empty to avoid leaks - core.exportVariable(develocityAccesskeyEnvVar, '') + exportAccessKeyEnvVars('') } } catch (e) { - core.exportVariable(develocityAccesskeyEnvVar, '') + exportAccessKeyEnvVars('') core.warning(`Failed to fetch short-lived token, reason: ${e}`) } } } +function exportAccessKeyEnvVars(value: string): void { + ;['DEVELOCITY_ACCESS_KEY', 'GRADLE_ENTERPRISE_ACCESS_KEY'].forEach(key => core.exportVariable(key, value)) +} + export async function getToken( enforceUrl: string | undefined, serverUrl: string | undefined,
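Review bot: `exportAccessKeyEnvVars` is written as a leading-semicolon array literal with `forEach`, where the `;` is only an ASI guard and makes the single statement harder to read. A loop over a named constant is clearer: `const ACCESS_KEY_ENV_VARS = ['DEVELOCITY_ACCESS_KEY', 'GRADLE_ENTERPRISE_ACCESS_KEY']` and `for (const name of ACCESS_KEY_ENV_VARS) core.exportVariable(name, value)`. The helper also deserves a comment on why both names are always written, since the failure paths depend on it to blank the long-lived key: `// Write both names so '' clears the long-lived key whichever variable carried it`. `setupToken` begins above the hunk and `getToken` continues below it.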