action.yml
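# Composite action: exchanges the job's GitHub OIDC token for a JFrog access
# token, checks that the token is accepted, then exports Go and Python
# package-manager settings through GITHUB_ENV.
#
# Notes for callers:
#   - Everything written to GITHUB_ENV (JFROG_ACCESS_TOKEN, GOPROXY,
#     UV_INDEX_URL, PIP_INDEX_URL) is readable by every later step of the same
#     job, third-party actions included. Use this action in jobs whose
#     remaining steps are trusted with the credential.
#   - The secrets are registered with ::add-mask:: so the runner redacts them
#     from logs; masking does not prevent a step from reading them.
#   - NOTE(review): which repositories and refs can obtain a token is decided
#     by the identity mappings of the `github-actions` OIDC provider on the
#     JFrog side, not by this file. Confirm they are scoped as intended.
name: 'Setup JFrog'
description: >-
  Exchange a GitHub OIDC token for a JFrog access token and configure
  Go and Python package managers to use the JFrog Artifactory proxy.
  Requires the calling job to have "permissions: id-token: write".
runs:
  using: 'composite'
  steps:
    - name: Get JFrog OIDC token
      shell: bash
      run: |
        set -euo pipefail
        # Both variables are checked up front; the error text points at the
        # usual cause, a job without "permissions: id-token: write".
        if [ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ] || [ -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]; then
          echo "::error::OIDC token request URL/token not available. Does this job have 'permissions: id-token: write'?"
          exit 1
        fi
        # Ask the runner for an OIDC token whose audience is jfrog-github.
        # Presumably the JFrog provider accepts only this audience - confirm.
        ID_TOKEN=$(curl -sLS \
          -H "User-Agent: actions/oidc-client" \
          -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
          "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=jfrog-github" | jq -r .value)
        # Mask before anything else can print the value.
        echo "::add-mask::${ID_TOKEN}"
        # jq prints the string "null" when the field is missing.
        if [ -z "$ID_TOKEN" ] || [ "$ID_TOKEN" = "null" ]; then
          echo "::error::Failed to obtain GitHub OIDC token."
          exit 1
        fi
        # Let jq encode the request body so the token is always a well-formed
        # JSON string instead of being spliced into a hand-escaped literal.
        TOKEN_REQUEST=$(jq -n -c --arg subject_token "$ID_TOKEN" '{
          grant_type: "urn:ietf:params:oauth:grant-type:token-exchange",
          subject_token_type: "urn:ietf:params:oauth:token-type:id_token",
          subject_token: $subject_token,
          provider_name: "github-actions"
        }')
        # Exchange GitHub OIDC token for JFrog access token.
        # --proto '=https' keeps curl on HTTPS even when -L follows a redirect,
        # so the OIDC token is never sent over plaintext.
        ACCESS_TOKEN=$(curl -sLS --proto '=https' -XPOST -H "Content-Type: application/json" \
          "https://databricks.jfrog.io/access/api/v1/oidc/token" \
          -d "$TOKEN_REQUEST" | jq -r .access_token)
        echo "::add-mask::${ACCESS_TOKEN}"
        if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
          echo "::error::Failed to exchange GitHub OIDC token for JFrog access token."
          exit 1
        fi
        # GITHUB_ENV is line-oriented: a value containing a newline would
        # define extra variables, and the mask above covers a single line only.
        # Refuse anything that is not one whitespace-free token.
        if [[ "$ACCESS_TOKEN" =~ [[:space:]] ]]; then
          echo "::error::JFrog access token contains whitespace; refusing to export it."
          exit 1
        fi
        # Verify the token works.
        HTTP_STATUS=$(curl -sL --proto '=https' -o /dev/null -w "%{http_code}" \
          -H "Authorization: Bearer ${ACCESS_TOKEN}" \
          "https://databricks.jfrog.io/artifactory/api/system/version")
        if [ "$HTTP_STATUS" != "200" ]; then
          echo "::error::JFrog auth check failed (HTTP ${HTTP_STATUS})."
          exit 1
        fi
        # From here on the token is visible to every later step in the job.
        echo "JFROG_ACCESS_TOKEN=${ACCESS_TOKEN}" >> "$GITHUB_ENV"
    - name: Configure Go to use JFrog proxy
      shell: bash
      run: |-
        set -euo pipefail
        CREDS="gha-service-account:${JFROG_ACCESS_TOKEN}"
        # Mask the user:token pair as well; it is the form embedded in the
        # GOPROXY URL, which `go env` and some error messages print.
        echo "::add-mask::${CREDS}"
        # ",direct" lets Go fall back to the module's origin when the proxy
        # answers 404 or 410, so not every download passes through Artifactory.
        echo "GOPROXY=https://${CREDS}@databricks.jfrog.io/artifactory/api/go/db-golang,direct" >> "$GITHUB_ENV"
        # NOTE(review): GONOSUMDB=* skips the public checksum database for
        # every module. Hashes already in go.sum are still enforced, but a
        # newly added module is trusted on first download. Narrow the pattern
        # to private module prefixes if public modules should stay verified.
        echo "GONOSUMDB=*" >> "$GITHUB_ENV"
    - name: Configure Python (uv/pip) to use JFrog proxy
      shell: bash
      run: |-
        set -euo pipefail
        CREDS="gha-service-account:${JFROG_ACCESS_TOKEN}"
        # Mask the user:token pair, the form embedded in both index URLs.
        echo "::add-mask::${CREDS}"
        # uv and pip read their index from these variables, so both tools
        # resolve packages through the same Artifactory repository.
        echo "UV_INDEX_URL=https://${CREDS}@databricks.jfrog.io/artifactory/api/pypi/db-pypi/simple" >> "$GITHUB_ENV"
        echo "PIP_INDEX_URL=https://${CREDS}@databricks.jfrog.io/artifactory/api/pypi/db-pypi/simple" >> "$GITHUB_ENV"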