Pass secrets more securely for container action

Thomas Boop
2022-06-06 18:43:57 -04:00
parent 689a74e352
commit e928fa3252
6 changed files with 84 additions and 27 deletions


@@ -3,6 +3,7 @@ import * as core from '@actions/core'
import { PodPhase } from 'hooklib'
import {
createJob,
createSecretForEnvs,
getContainerJobPodName,
getPodLogs,
getPodStatus,
@@ -16,7 +17,13 @@ export async function runContainerStep(stepContainer): Promise<number> {
if (stepContainer.dockerfile) {
throw new Error('Building container actions is not currently supported')
}
const container = createPodSpec(stepContainer)
let secretName: string | undefined = undefined
if (stepContainer['environmentVariables']) {
secretName = await createSecretForEnvs(
stepContainer['environmentVariables']
)
}
const container = createPodSpec(stepContainer, secretName)
const job = await createJob(container)
if (!job.metadata?.name) {
throw new Error(
@@ -39,28 +46,28 @@ export async function runContainerStep(stepContainer): Promise<number> {
core.warning(`Can't determine container status`)
return 0
}
const exitCode =
status.containerStatuses[status.containerStatuses.length - 1].state
?.terminated?.exitCode
return Number(exitCode) || 0
}
function createPodSpec(container): k8s.V1Container {
function createPodSpec(container, secretName?: string): k8s.V1Container {
const podContainer = new k8s.V1Container()
podContainer.name = JOB_CONTAINER_NAME
podContainer.image = container.image
if (container.entryPoint) {
podContainer.command = [container.entryPoint, ...container.entryPointArgs]
}
podContainer.env = []
for (const [key, value] of Object.entries(
container['environmentVariables']
)) {
if (value && key !== 'HOME') {
podContainer.env.push({ name: key, value: value as string })
}
if (secretName) {
podContainer.envFrom = [
{
secretRef: {
name: secretName,
optional: false
}
}
]
}
podContainer.volumeMounts = containerVolumes()