Support single LOWER bundled secret
This commit is contained in:
parent
7102aa3232
commit
0ecf2aa879
1 changed files with 57 additions and 2 deletions
|
|
@ -12,7 +12,8 @@ jobs:
|
||||||
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
|
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
|
||||||
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
|
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
|
||||||
AWS_SESSION_TOKEN: ${{ secrets.AWS_SESSION_TOKEN }}
|
AWS_SESSION_TOKEN: ${{ secrets.AWS_SESSION_TOKEN }}
|
||||||
AWS_DEFAULT_REGION: ${{ secrets.LOWER }}
|
AWS_DEFAULT_REGION: ${{ secrets.AWS_REGION }}
|
||||||
|
LOWER: ${{ secrets.LOWER }}
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Prepare source
|
- name: Prepare source
|
||||||
|
|
@ -60,11 +61,65 @@ jobs:
|
||||||
echo "Unable to install aws CLI on this runner."
|
echo "Unable to install aws CLI on this runner."
|
||||||
exit 1
|
exit 1
|
||||||
|
|
||||||
|
- name: Parse LOWER bundled secret
|
||||||
|
run: |
|
||||||
|
set -e
|
||||||
|
if [ -z "$LOWER" ]; then
|
||||||
|
echo "LOWER secret is empty or not set; using individual secrets if present."
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
python3 - <<'PY'
|
||||||
|
import json
|
||||||
|
import os
|
||||||
|
|
||||||
|
keys = [
|
||||||
|
"AWS_ACCESS_KEY_ID",
|
||||||
|
"AWS_SECRET_ACCESS_KEY",
|
||||||
|
"AWS_SESSION_TOKEN",
|
||||||
|
"AWS_DEFAULT_REGION",
|
||||||
|
"AWS_REGION",
|
||||||
|
]
|
||||||
|
|
||||||
|
lower = os.environ.get("LOWER", "")
|
||||||
|
parsed = {}
|
||||||
|
|
||||||
|
# Format 1: JSON object
|
||||||
|
try:
|
||||||
|
obj = json.loads(lower)
|
||||||
|
if isinstance(obj, dict):
|
||||||
|
parsed = {str(k): str(v) for k, v in obj.items() if v is not None}
|
||||||
|
except Exception:
|
||||||
|
pass
|
||||||
|
|
||||||
|
# Format 2: dotenv style lines: KEY=VALUE
|
||||||
|
if not parsed:
|
||||||
|
for line in lower.splitlines():
|
||||||
|
s = line.strip()
|
||||||
|
if not s or s.startswith("#") or "=" not in s:
|
||||||
|
continue
|
||||||
|
k, v = s.split("=", 1)
|
||||||
|
parsed[k.strip()] = v.strip().strip('"').strip("'")
|
||||||
|
|
||||||
|
env_path = os.environ["GITHUB_ENV"]
|
||||||
|
with open(env_path, "a", encoding="utf-8") as f:
|
||||||
|
for k in keys:
|
||||||
|
if os.environ.get(k):
|
||||||
|
continue
|
||||||
|
v = parsed.get(k)
|
||||||
|
if v:
|
||||||
|
f.write(f"{k}={v}\n")
|
||||||
|
|
||||||
|
# Accept AWS_REGION in bundle as region source.
|
||||||
|
if not os.environ.get("AWS_DEFAULT_REGION") and parsed.get("AWS_REGION"):
|
||||||
|
f.write(f"AWS_DEFAULT_REGION={parsed['AWS_REGION']}\n")
|
||||||
|
PY
|
||||||
|
|
||||||
- name: Check required AWS secrets
|
- name: Check required AWS secrets
|
||||||
run: |
|
run: |
|
||||||
[ -n "$AWS_ACCESS_KEY_ID" ] || { echo "Missing required secret/env: AWS_ACCESS_KEY_ID"; exit 1; }
|
[ -n "$AWS_ACCESS_KEY_ID" ] || { echo "Missing required secret/env: AWS_ACCESS_KEY_ID"; exit 1; }
|
||||||
[ -n "$AWS_SECRET_ACCESS_KEY" ] || { echo "Missing required secret/env: AWS_SECRET_ACCESS_KEY"; exit 1; }
|
[ -n "$AWS_SECRET_ACCESS_KEY" ] || { echo "Missing required secret/env: AWS_SECRET_ACCESS_KEY"; exit 1; }
|
||||||
[ -n "$AWS_DEFAULT_REGION" ] || { echo "Missing required secret/env: AWS_DEFAULT_REGION (mapped from secret LOWER)"; exit 1; }
|
[ -n "$AWS_DEFAULT_REGION" ] || { echo "Missing required secret/env: AWS_DEFAULT_REGION"; exit 1; }
|
||||||
if [ -z "${AWS_SESSION_TOKEN}" ]; then
|
if [ -z "${AWS_SESSION_TOKEN}" ]; then
|
||||||
echo "AWS_SESSION_TOKEN is empty. Proceeding with long-lived access keys."
|
echo "AWS_SESSION_TOKEN is empty. Proceeding with long-lived access keys."
|
||||||
else
|
else
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue