I'm creating an action that will run tests and lints. However, it's failing in expo setup step with "Error: Parameter 'commandLine' cannot be null or empty.". Token seems to have value, so I'm not sure what's causing this failure.
Run expo/expo-github-action#v7
with:
packager: npm
token: ***
expo-cache: true
eas-cache: true
patch-watchers: true
Skipped installing expo-cli: 'expo-version' not provided.
Skipped installing eas-cli: 'eas-version' not provided.
Validating authenticated account
**Error: Parameter 'commandLine' cannot be null or empty.**
Job
name: Testing
on: [pull_request, push]
jobs:
test:
name: Linting & Testing
runs-on: ubuntu-latest
steps:
- name: Setup reppos
uses: actions/checkout#v3
- name: Setup Node
uses: actions/setup-node#v3
with:
node-version: 16.15.1
- name: Setup Expo
uses: expo/expo-github-action#v7
with:
packager: npm
token: ${{ secrets.MY_TOKEN }}
expo-cache: true
.....
Related
I am working with Github OIDC to login to AWS and Deploy our terraform code, I am stuck on terraform init, most of the solutions on the internet point towards deleting the credentials file or providing the credentials explicitly, I can't do any of those since the credentials file does not exist with OIDC and I don't want to explicitly provide the Access_key and Secret_ID explicitly in the backend moduel either since that could lead to a security risk, Here's my GitHub Deployment file:
name: AWS Terraform Plan & Deploy
on:
push:
paths:
- "infrastructure/**"
# branches-ignore:
# - '**'
pull_request:
env:
tf_actions_working_dir: infrastructure/env/dev-slb-alpha/dev
tf_actions_working_dir_prod: infrastructure/env/prod-slb-prod/prod
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
TF_WORKSPACE: "default"
TF_ACTION_COMMENT: 1
plan: "plan.tfplan"
BUCKET_NAME : "slb-dev-terraform-state"
AWS_REGION : "us-east-1"
jobs:
build:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
steps:
- run: sleep 5 # there's still a race condition for now
- name: Clone Repository (Latest)
uses: actions/checkout#v2
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials#v1
with:
aws-region: us-east-1
role-to-assume: arn:aws:iam::262267462662:role/slb-dev-github-actions-role
role-session-name: GithubActionsSession
# - name: Configure AWS
# run: |
# export AWS_ROLE_ARN=arn:aws:iam::262267462662:role/slb-dev-github-actions-role
# # export AWS_WEB_IDENTITY_TOKEN_FILE=/tmp/awscreds
# export AWS_DEFAULT_REGION=us-east-1
# # echo AWS_WEB_IDENTITY_TOKEN_FILE=$AWS_WEB_IDENTITY_TOKEN_FILE >> $GITHUB_ENV
# echo AWS_ROLE_ARN=$AWS_ROLE_ARN >> $GITHUB_ENV
# echo AWS_DEFAULT_REGION=$AWS_DEFAULT_REGION >> $GITHUB_ENV
- run: aws sts get-caller-identity
setup:
runs-on: ubuntu-latest
environment:
name: Dev
url: https://dev.test.com
name: checkov-action-dev
steps:
- name: Checkout repo
uses: actions/checkout#master
with:
submodules: 'true'
# - name: Add Space to Dev
# run: |
# sysconfig -r proc exec_disable_arg_limit=1
# shell: bash
- name: Run Checkov action
run: |
pip3 install checkov
checkov --directory /infrastructure
id: checkov
# uses: bridgecrewio/checkov-action#master
# with:
# directory: infrastructure/
#skip_check: CKV_AWS_1
# quiet: true
# soft_fail: true
#framework: terraform
tfsec:
name: tfsec
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout#v2
# - name: Terraform security scan
# uses: aquasecurity/tfsec-pr-commenter-action#v0.1.10
# env:
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: tfsec
uses: tfsec/tfsec-sarif-action#master
with:
# sarif_file: tfsec.sarif
github_token: ${{ secrets.INPUT_GITHUB_TOKEN }}
# - name: Upload SARIF file
# uses: github/codeql-action/upload-sarif#v1
# with:
# sarif_file: tfsec.sarif
superlinter:
name: superlinter
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout#v2
- name: Scan Code Base
# uses: github/super-linter#v4
# env:
# VALIDATE_ALL_CODEBASE: false
# # DEFAULT_BRANCH: master
# GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# VALIDATE_TERRAFORM_TERRASCAN: false
uses: terraform-linters/setup-tflint#v1
with:
tflint_version: v0.29.0
terrascan:
name: terrascan
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout#v2
- name: Run Terrascan
id: terrascan
uses: accurics/terrascan-action#v1
with:
iac_type: "terraform"
iac_version: "v15"
policy_type: "aws"
only_warn: true
#iac_dir:
#policy_path:
#skip_rules:
#config_path:
terraform:
defaults:
run:
working-directory: ${{ env.tf_actions_working_dir}}
name: "Terraform"
runs-on: ubuntu-latest
needs: build
steps:
- name: Clone Repository (Latest)
uses: actions/checkout#v2
if: github.event.inputs.git-ref == ''
- name: Clone Repository (Custom Ref)
uses: actions/checkout#v2
if: github.event.inputs.git-ref != ''
with:
ref: ${{ github.event.inputs.git-ref }}
- name: Setup Terraform
uses: hashicorp/setup-terraform#v1
with:
terraform_version: 1.1.2
- name: Terraform Format
id: fmt
run: terraform fmt -check
- name: Terraform Init
id: init
run: |
# # cat ~/.aws/crendentials
# # export AWS_PROFILE=pki-aws-informatics
# aws configure list-profiles
#terraform init -backend-config="bucket=slb-dev-terraform-state"
terraform init -backend-config="access_key=${{ env.AWS_ACCESS_KEY_ID}}" -backend-config="secret_key=${{ env.AWS_SECRET_ACCESS_KEY}}"
terraform init --backend-config="access_key=${{ env.AWS_ACCESS_KEY_ID}}" --backend-config="secret_key=${{ env.AWS_SECRET_ACCESS_KEY}}"
- name: Terraform Validate
id: validate
run: terraform validate -no-color
- name: Terraform Plan
id: plan
run: terraform plan -var-file="terraform.tfvars" -out=${{ env.plan }}
- uses: actions/github-script#0.9.0
if: github.event_name == 'pull_request'
env:
PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
with:
github-token: ${{ secrets.INPUT_GITHUB_TOKEN }}
script: |
const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
#### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
#### Terraform Validation 🤖${{ steps.validate.outputs.stdout }}
#### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
<details><summary>Show Plan</summary>
\`\`\`${process.env.PLAN}\`\`\`
</details>
*Pusher: #${{ github.actor }}, Action: \`${{ github.event_name }}\`, Working Directory: \`${{ env.tf_actions_working_dir }}\`, Workflow: \`${{ github.workflow }}\`*`;
github.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: output
})
As you can see I have tried it a couple of ways and still end up with the same error, which is , I have made sure that the profile we using is correct,I also cannot proivde credentials in the init command itself,it is validating to the correct profile since it is fetching the correct arn for the profile I need it to work on, I also read somewhere that the credentials for aws profiles and S3 could be different and if that is the case how can I integrate OIDC in ythat project, not sure what or where I might be going wrong otherwise, appreciate any help or headers,
I can't give advice specific to Github (since I'm using Bitbucket), but if you're using OIDC for access to AWS from your SCM of choice the same principals apply. The S3 backend for Terraform itself doesn't allow specifying any of the normal configuration for OIDC, but you can set this with environment variables and have it work:
AWS_WEB_IDENTITY_TOKEN_FILE=<web-identity-token-file>
AWS_ROLE_ARN=arn:aws:iam::<account-id>:role/<role-name>
For Bitbucket Pipelines users:
Specify oidc: true in your pipelines config
Write the OIDC token file using e.g. echo $BITBUCKET_STEP_OIDC_TOKEN > $(pwd)/web-identity-token
Export the environment variables as above
I've split my S3 backend storage away from the account that has resources, so will need to look at configuring the actual AWS provider separately - it does have options for assume_role.web_identity_token_file and assume_role.role_arn
I am trying to build a docker image and pushing it to gcp artifactory. But it is failing in the github actions. Here is my workflow yaml file:
on:
push:
branches:
- main
- featurev1
name: Build and Deploy to Cloud Run
env:
REGION: 'europe-west1'
PROJECT_ID: 'myproject'
CLUSTER_NAME: 'myproject-cluster'
LOCATION: 'europe-west1'
ZONE: 'europe-west1'
ARTIFACT_REGISTRY: 'myproject-cust-seg'
TARGET_ENV: 'INT'
NAMESPACE: 'integration'
jobs:
deploy:
runs-on: [ self-hosted ]
# Add "id-token" with the intended permissions.
#permissions:
# contents: 'read'
# id-token: 'write'
steps:
- name: Checkout
uses: actions/checkout#v2
- name: Setup gcloud environment
uses: google-github-actions/setup-gcloud#v0
with:
service_account_key: ${{ secrets.INT_PLATFORM_SERVICE_ACCOUNT_KEY }}
project_id: ${{ env.PROJECT_ID }}
# Alternative option - authentication via credentials json
#- id: 'auth'
# uses: 'google-github-actions/auth#v0'
# with:
# credentials_json: ${{ secrets.INT_PLATFORM_SERVICE_ACCOUNT_KEY }}
- name: Authorize Docker push
run: gcloud auth configure-docker
- name: Build and Push Container
env:
GIT_TAG: ${{ github.run_id }}
run: |-
docker build -t $LOCATION-docker.pkg.dev/$PROJECT_ID/$ARTIFACT_REGISTRY/custapi:$TARGET_ENV-v$GIT_TAG .
docker push $LOCATION-docker.pkg.dev/$PROJECT_ID/$ARTIFACT_REGISTRY/custapi:$TARGET_ENV-v$GIT_TAG
But I have an error:
Run google-github-actions/setup-gcloud#v0
Error: google-github-actions/setup-gcloud failed with: failed to execute command gcloud --quiet config set project myproject: WARNING: Could not setup log file in /home/master/.config/gcloud/logs, (Could not create directory [/home/master/.config/gcloud/logs/2022.02.10]: Permission denied.
Please verify that you have permissions to write to the parent directory..
The configuration directory may not be writable. To learn more, see https://cloud.google.com/sdk/docs/configurations#creating_a_configuration
ERROR: (gcloud.config.set) Failed to create the default configuration. Ensure your have the correct permissions on: [/home/master/.config/gcloud/configurations].
Could not create directory [/home/master/.config/gcloud/configurations]: Permission denied.
Please verify that you have permission to write to the parent directory.
Right now I have used the service key json file as secret in GitHub actions as keyless authentication will be done in the near future, after the successful pilot of phase 1. So you could find the details above.
Here I have mentioned runs-on as "self-hosted" which is our onpremise github action runner.
I'm trying to pass in confidential info into a bash script that is part of our cloud build process
I've followed the CloudBuild docs to try set it all up.
After many many different tires copied the docker example as a test even that is not working.
Here is what I have at the moment
*gcloud secrets list*
NAME CREATED REPLICATION_POLICY LOCATIONS
SECRET1 2021-08-18T04:37:47 automatic -
SECRET2 2021-08-18T04:38:11 automatic -
*gcloud secrets versions access latest --secret="SECRET1"*
Secret2Value
*gcloud secrets versions access latest --secret="SECRET2"*
Secret2Value
**cloudbuild.yaml**
steps:
- name: 'gcr.io/cloud-builders/docker'
entrypoint: 'bash'
args: ['-c', 'docker login --username=$$USERNAME --password=$$PASSWORD']
secretEnv: ['USERNAME', 'PASSWORD']
availableSecrets:
secretManager:
- versionName: projects/$PROJECT_ID/secrets/SECRET1/versions/1
env: 'PASSWORD'
- versionName: projects/$PROJECT_ID/secrets/SECRET2/versions/latest
env: 'USERNAME'
My understanding was that it would substituite the value of SECRET1 and SECRET2 into the USERNAME and PASSWORD envs but I'm getting $USERNAME and $PASSWORD
Arguments
bash -c docker login --username=$USERNAME --password=$PASSWORD
Feels like I've missed something simple yet fundamental
== Update ==
Here is the full build log
FETCHSOURCE
hint: Using 'master' as the name for the initial branch. This default branch name
hint: is subject to change. To configure the initial branch name to use in all
hint: of your new repositories, which will suppress this warning, call:
hint:
hint: git config --global init.defaultBranch <name>
hint:
hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and
hint: 'development'. The just-created branch can be renamed via this command:
hint:
hint: git branch -m <name>
Initialized empty Git repository in /workspace/.git/
From https://source.developers.google.com/p/amiti-plex-can- dev/r/bitbucket_noldortech_amiti-payments
* branch a72363459d9ff5bed31411e960cc3e021febc322 -> FETCH_HEAD
HEAD is now at a723634 Secrets test 1
BUILD
Already have image (with digest): gcr.io/cloud-builders/docker
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get "https://registry-1.docker.io/v2/": unauthorized: incorrect username or password
ERROR
ERROR: build step 0 "gcr.io/cloud-builders/docker" failed: step exited with non-zero status: 1
== Update 2==
After testing the echo commands below, I switched over to using a script, which is what I actually need.
**Yaml File:**
steps:
- name: 'gcr.io/cloud-builders/docker'
entrypoint: 'bash'
args: ['-c', 'echo Username=$$USERNAME && echo Password=$$PASSWORD']
secretEnv: ['USERNAME', 'PASSWORD']
- name: 'gcr.io/cloud-builders/docker'
entrypoint: 'bash'
args: ['cloudbuilds/script.sh', '$$USERNAME', '$$PASSWORD']
secretEnv: ['USERNAME', 'PASSWORD']
availableSecrets:
secretManager:
- versionName: projects/$PROJECT_ID/secrets/SECRET1/versions/1
env: 'PASSWORD'
- versionName: projects/$PROJECT_ID/secrets/SECRET2/versions/latest
env: 'USERNAME'
**Script:**
#/bin/bash
secretVar1="$1"
secretVar2="$2"
printf "\n\nVARIABLES\nSecret1: $secretVar1\nSecret2: $secretVar2\n\n"
**Build Log:**
BUILD
Starting Step #0
Step #0: Already have image (with digest): gcr.io/cloud-builders/docker
Step #0: Username=Secret2Value
Step #0: Password=Secret1Value
Finished Step #0
Starting Step #1
Step #1: Already have image (with digest): gcr.io/cloud-builders/docker
Step #1:
Step #1:
Step #1: VARIABLES
Step #1: Secret1: $USERNAME
Step #1: Secret2: $PASSWORD
Step #1:
Finished Step #1
PUSH
DONE
Finally got the correct yaml syntax to execute my script as I need
steps:
- name: 'gcr.io/cloud-builders/docker'
entrypoint: 'bash'
args: ['-c', ". ./cloudbuilds/script.sh $$SOMEVAR1 $$SOMEVAR2"]
secretEnv: ['SOMEVAR1', 'SOMEVAR2']
availableSecrets:
secretManager:
- versionName: projects/$PROJECT_ID/secrets/SECRET1/versions/1
env: 'SOMEVAR2'
- versionName: projects/$PROJECT_ID/secrets/SECRET2/versions/latest
env: 'SOMEVAR1'
BUILD
Already have image (with digest): gcr.io/cloud-builders/docker
VARIABLES
Secret1: Secret2Value
Secret2: Secret1Value
PUSH
DONE
USERNAME & PASSWORD are environment variables, for them to be expanded on the command line, you need to run the command via the shell. (Note that doing so is considered bad practice from a security perspective.)
This is why only the first step works in your second update.
Github has two kind of pages:
User
Projects
I have a User page. So I want to publish from the master branch. I want to use NuxtJS. NuxtJS generates a CI file when you install it. Following https://nuxtjs.org/docs/2.x/deployment/github-pages I also set up a CD file whereas I went for npm instead of yarn.
So I have
ci.yml
name: ci
on:
push:
branches:
- main
- master
pull_request:
branches:
- main
- master
jobs:
ci:
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ubuntu-latest]
node: [14]
steps:
- name: Checkout 🛎
uses: actions/checkout#master
- name: Setup node env 🏗
uses: actions/setup-node#v2.1.2
with:
node-version: ${{ matrix.node }}
check-latest: true
- name: Cache node_modules 📦
uses: actions/cache#v2
with:
path: ~/.npm
key: ${{ runner.os }}-node-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-node-
- name: Install dependencies 👨🏻💻
run: npm ci
- name: Run linter 👀
run: npm run lint
cd.yml
name: cd
on: [push, pull_request]
jobs:
cd:
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ubuntu-latest]
node: [14]
steps:
- name: Checkout
uses: actions/checkout#master
- name: Setup node env
uses: actions/setup-node#v2.1.2
with:
node-version: ${{ matrix.node }}
- name: Install dependencies
run: npm ci
- name: Generate
run: npm run generate
- name: Deploy
uses: peaceiris/actions-gh-pages#v3
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
publish_dir: ./dist
Now if I understood it correctly: Those actions will generate and create the static sites i.e. the dist directory. In the cd.yml file we then set:
name: Deploy
uses: peaceiris/actions-gh-pages#v3
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
publish_dir: ./dist
So everything seems okay but we did use peaceiris/actions-gh-pages#v3 which seems to create a gh_pages branch, so it seems my cd.yml file might be wrong?
If I go to my user github page I just see the readme.md displayed. What do I do wrong?
Specify the publish_branch parameter for the actions-gh-pages action (see docs):
- name: Deploy
uses: peaceiris/actions-gh-pages#v3
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
publish_dir: ./dist
# new
publish_branch: master
The Problem
A GitHub trigger set up in Google Cloud Build doesn't actually substitute the configured values while running the Build (cloudbuild.yaml)
This is the Google Cloud Build config
cloudbuild.yaml
steps:
- name: 'gcr.io/cloud-builders/gcloud'
id: 'decrypt .npmrc'
args:
- kms
- decrypt
- --ciphertext-file=npmrc.enc
- --plaintext-file=/root/.npmrc
- --location=global
- --keyring=my-keyring
- --key=npm-key
- --project=${_CLOUD_KMS_PROJECT}
volumes:
- name: 'home'
path: /root/
- name: 'gcr.io/cloud-builders/npm'
id: 'install'
args: ['install']
env:
- HOME=/root/
volumes:
- name: 'home'
path: /root/
- name: 'gcr.io/cloud-builders/npm'
id: 'test'
args: ['run', 'test']
- name: gcr.io/$PROJECT_ID/skaffold:alpha
id: 'deploy'
args: ['run', '-f=${_SKAFFOLD_FILE}']
env:
- CLOUDSDK_COMPUTE_ZONE=${_CLOUDSDK_COMPUTE_ZONE}
- CLOUDSDK_CONTAINER_CLUSTER=${_CLOUDSDK_CONTAINER_CLUSTER}
substitutions:
_SKAFFOLD_FILE: dummy.yaml
_CLOUDSDK_COMPUTE_ZONE: us-west1-a
_CLOUDSDK_CONTAINER_CLUSTER: dummy
timeout: 1000s
Curiously, when triggering the build via a gcloud SDK call it works ✅ ex:
gcloud builds submit --config=cloudbuild.yaml --substitutions=_SKAFFOLD_FILE=skaffold.yaml,_CLOUDSDK_COMPUTE_ZONE=us-west1-a,_CLOUDSDK_CONTAINER_CLUSTER=skaffold .
Some more context
Cloud Build Trigger dashboard (img)
Trigger configuration with substitutions (img)
Missing substitutions in Build history from triggered build (img)
In contrast: Correctly substituted values when running gcloud builds submit (img)