Add initial version of login to Octopus with OIDC or API keys #3
Merged
02604f2
Wip login to octopus
geofflamrock 5657a20
Add pr trigger to get workflow to show up
geofflamrock e9bd07f
Remove PR trigger
geofflamrock bca99fe
Merge remote-tracking branch 'origin/main' into geoffl/add-login
geofflamrock 55e4ebe
Change to info logging
geofflamrock 4c2b79f
Add id-token permissions
geofflamrock 59d4d71
Fix permissions
geofflamrock 797fa3d
Add content type header
geofflamrock 1c3fd78
Attempting to see the error
geofflamrock 3d4e189
Fix request body formatting
geofflamrock e919dbb
Add debug logging
geofflamrock 993cc60
Make debug messages info
geofflamrock 64f6039
Remove debugging message
geofflamrock a7e3c58
Add output variables and print env vars
geofflamrock d63ab39
Better error handling and refactoring to include test context
geofflamrock 63f3fbd
More testing of action
geofflamrock bf168b8
Fix missing space parameter
geofflamrock 78eec29
Use defaults from repo if not supplied to make testing easier
geofflamrock 525a8b8
Improves eslint configuration and cleanup
geofflamrock 4222799
wip adding tests
geofflamrock 9942b77
Merge remote-tracking branch 'origin/main' into geoffl/add-login
geofflamrock 9d0f8b0
Merge remote-tracking branch 'origin/main' into geoffl/add-login
geofflamrock 66027ba
Fix build
geofflamrock 230e394
Add changeset
geofflamrock 7112c7b
More tests
geofflamrock 363360b
Adds login details to readme
geofflamrock 000c850
Fixes examples
geofflamrock f55c0f3
Adds linting to ci
geofflamrock 80b4d08
Add test report
geofflamrock 1e1da5d
Fix up ci test reporting
geofflamrock 0b80bbb
Set correct permissions
geofflamrock e254244
Change to different test report action
geofflamrock 79d9af8
Merge remote-tracking branch 'origin/main' into geoffl/add-login
geofflamrock 5b57472
Update lockfile
geofflamrock d5dc109
Merge remote-tracking branch 'origin/main' into geoffl/add-login
geofflamrock 183debb
Merge from main
geofflamrock d049e90
Use openid configuration
geofflamrock 4b9c023
Merge remote-tracking branch 'origin/main' into geoffl/add-login
geofflamrock 2b4f2f0
Add user agent
geofflamrock c942b65
Merge branch 'geoffl/use-openid-configuration' into geoffl/add-login
geofflamrock 440bcd1
Add user agent to openid config request
geofflamrock ffa3b2a
Fix casing
geofflamrock b48e7f1
Merge remote-tracking branch 'origin/main' into geoffl/add-login
geofflamrock
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
--- | ||
"@octopusdeploy/login": minor | ||
--- | ||
|
||
Add initial version of login to Octopus with OpenID Connect or API Keys |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,8 +1,82 @@ | ||
# login | ||
|
||
GitHub action to login to your Octopus Server | ||
A GitHub action to login to your [Octopus Deploy](https://octopus.com/) server. | ||
|
||
## Changesets | ||
After successful login, the GitHub Actions environment will be configured so that credentials do not need to be supplied to later Octopus actions (e.g. [`create-release-action`](https://github.com/OctopusDeploy/create-release-action)) or the [Octopus CLI](https://github.com/OctopusDeploy/cli). | ||
|
||
This action supports two ways of logging in: | ||
|
||
## API Key | ||
|
||
To login using an API Key: | ||
|
||
- Provision an API key in Octopus. See [How to create an API key](https://octopus.com/docs/octopus-rest-api/how-to-create-an-api-key) for more information. It is recommended that a service account is used instead of a user account. | ||
- Add the `OctopusDeploy/login` action to your workflow, specifying the `server` and `api_key` inputs. | ||
|
||
### Inputs | ||
|
||
| Name | Description | | ||
| --------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | ||
| `server` | The URL of your Octopus server. This input is required. | | ||
| `api_key` | The API key you wish to login in with. It is **strongly recommended** to store this as a secret in GitHub Actions. This input is required if using API Key to login. | | ||
|
||
### Outputs | ||
|
||
| Name | Description | | ||
| --------- | ---------------------------------------------------------------------------------------------------------------------------------- | | ||
| `server` | The URL of your Octopus server that has been logged into. The environment variable `OCTOPUS_URL` will also be set with this value. | | ||
| `api_key` | The API key that was used to login in with. The environment variable `OCTOPUS_API_KEY` will also be set with this value. | | ||
|
||
### Example | ||
|
||
```yaml | ||
- name: Login to Octopus | ||
with: | ||
server: https://my.octopus.app | ||
api_key: ${{ secrets.OCTOPUS_API_KEY }} | ||
``` | ||
|
||
## OpenID Connect (OIDC) | ||
|
||
> Support for OpenID Connect is currently in development and may not be available in your Octopus version just yet. | ||
|
||
Using OpenID Connect (OIDC) is the recommended way to login from GitHub Actions to Octopus. It allows the granting of short-lived access tokens for a service account in Octopus that can be used during your GitHub Actions workflow run, without needing to provision or store an API key. | ||
|
||
See [About security hardening with OpenID Connect](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect) for more information. | ||
|
||
To login using OIDC: | ||
|
||
- Create a service account in Octopus with the permissions required. | ||
- Configure an OIDC identity that matches the GitHub Actions subject claim for your repository and workflow. See the [GitHub documentation](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#defining-trust-conditions-on-cloud-roles-using-oidc-claims) for examples of the subject claim. | ||
- Copy the `Service Account Id` value from the Octopus service account. This will be a guid. | ||
I had to push up a merge conflict fix anyway, so I've done this 😄
||
- Add the `OctopusDeploy/login` action to your workflow, specifying the `server` and `service_account_id` inputs. | ||
|
||
### Inputs | ||
|
||
| Name | Description | | ||
| -------------------- | -------------------------------------------------------------------------------------------------- | | ||
| `server` | The URL of your Octopus server. This input is required. | | ||
| `service_account_id` | The id of the service account you wish to login as. This input is required if using OIDC to login. | | ||
|
||
### Outputs | ||
|
||
| Name | Description | | ||
| -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | | ||
| `server` | The URL of your Octopus server that has been logged into. The environment variable `OCTOPUS_URL` will also be set with this value. | | ||
| `access_token` | An access token that can be use to authenticate when making API requests. The environment variable `OCTOPUS_ACCESS_TOKEN` will also be set with this value. | | ||
|
||
### Example | ||
|
||
```yaml | ||
- name: Login to Octopus | ||
with: | ||
server: https://my.octopus.app | ||
service_account_id: 5be4ac10-2679-4041-a8b0-7b05b445e19e | ||
``` | ||
|
||
## Development | ||
|
||
### Changesets | ||
|
||
This repository uses [changesets](https://github.com/changesets/changesets) to manage package versions. | ||
|
||
|
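Review bot: The "To login using OIDC" steps and the OIDC `### Example` never mention that the job must grant `permissions: id-token: write`; GitHub Actions does not issue an OIDC token to a job without it, so a workflow copied from this README cannot complete the OIDC login. Add it as a step in that list and show the `permissions:` block next to the example. Both `### Example` snippets, as shown, contain `name:` and `with:` but no `uses:` line, so they are not valid steps on their own. In the API Key outputs table, `OCTOPUS_API_KEY` is set as an environment variable, which makes the key readable by every later step in the job, third-party actions included; the README should say so and state whether the value is masked in logs. The same applies to `OCTOPUS_ACCESS_TOKEN`, although that token is short-lived. Wording: "login in with" in both `api_key` rows should read "log in with", and "can be use to" in the `access_token` row should read "can be used to".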
Have adjusted the eslint config to match up more closely to what we use elsewhere in the Octopus portal. It's not 100% the same, but much closer.