Skip to content

Ci/authentication/use GitHub secrets instead of vault #5025

Ci/authentication/use GitHub secrets instead of vault

Ci/authentication/use GitHub secrets instead of vault #5025

# This is only workflow that requires cloud credentials and therefore will not run on PRs coming from forks.
name: "Test Nebari Provider"
on:
schedule:
- cron: "0 3 * * *"
pull_request:
paths:
- ".github/workflows/test-provider.yaml"
- ".github/failed-workflow-issue-templates/test-provider.md"
- ".github/actions/publish-from-template"
- "tests/**"
- "scripts/**"
- "src/**"
- "pyproject.toml"
push:
branches:
- main
- release/\d{4}.\d{1,2}.\d{1,2}
paths:
- ".github/workflows/test-provider.yaml"
- "tests/**"
- "scripts/**"
- "src/**"
- "pyproject.toml"
workflow_call:
inputs:
pr_number:
required: true
type: string
env:
PROJECT_ID: ${{ secrets.GCP_PROJECT_ID }}
jobs:
test-render-providers:
# Prevents the execution of this test under the following conditions:
# 1. When the 'NO_PROVIDER_CREDENTIALS' GitHub variable is set, indicating the absence of provider credentials.
# 2. For pull requests (PRs) originating from a fork, since GitHub does not provide the fork's credentials to the destination repository.
# ref. https://github.com/nebari-dev/nebari/issues/2379
if: |
vars.NO_PROVIDER_CREDENTIALS == '' &&
(github.event.pull_request.head.repo.full_name == github.repository || github.event_name != 'pull_request')
name: "Test Nebari Provider"
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
pull-requests: write
strategy:
matrix:
provider:
- aws
- azure
- gcp
- local
- existing
cicd:
- none
- github-actions
- gitlab-ci
fail-fast: false
steps:
- name: "Checkout Infrastructure"
uses: actions/checkout@v4
- name: Checkout the branch from the PR that triggered the job
if: ${{ github.event_name == 'issue_comment' }}
run: hub pr checkout ${{ inputs.pr_number }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Set up Python
uses: actions/setup-python@v5
with:
python-version: "3.11"
- name: 'Authenticate to GCP'
if: ${{ matrix.provider == 'gcp' }}
uses: 'google-github-actions/auth@v1'
with:
token_format: access_token
create_credentials_file: 'true'
workload_identity_provider: ${{ secrets.GCP_WORKFLOW_PROVIDER }}
service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
- name: Set required environment variables
if: ${{ matrix.provider == 'gcp' }}
run: |
echo "GOOGLE_CREDENTIALS=${{ env.GOOGLE_APPLICATION_CREDENTIALS }}" >> $GITHUB_ENV
- name: 'Authenticate to AWS'
if: ${{ matrix.provider == 'aws' }}
uses: aws-actions/configure-aws-credentials@v1
with:
role-to-assume: ${{ secrets.AWS_ROLE_ARN }}
role-session-name: github-action
aws-region: us-east-1
- name: 'Azure login'
if: ${{ matrix.provider == 'azure' }}
uses: azure/login@v1
with:
client-id: ${{ secrets.ARM_CLIENT_ID }}
tenant-id: ${{ secrets.ARM_TENANT_ID }}
subscription-id: ${{ secrets.ARM_SUBSCRIPTION_ID }}
- name: Install Nebari
run: |
pip install --upgrade pip
pip install .[dev]
- name: Nebari Initialize
run: |
nebari init "${{ matrix.provider }}" --project "TestProvider" --domain "${{ matrix.provider }}.nebari.dev" --auth-provider password --disable-prompt --ci-provider ${{ matrix.cicd }}
cat "nebari-config.yaml"
- name: Nebari Render
run: |
nebari render -c "nebari-config.yaml" -o "nebari-${{ matrix.provider }}-${{ matrix.cicd }}-deployment"
cp "nebari-config.yaml" "nebari-${{ matrix.provider }}-${{ matrix.cicd }}-deployment/nebari-config.yaml"
- name: Nebari Render Artifact
uses: actions/upload-artifact@master
with:
name: "nebari-${{ matrix.provider }}-${{ matrix.cicd }}-artifact"
path: "nebari-${{ matrix.provider }}-${{ matrix.cicd }}-deployment"
- if: failure() || github.event_name == 'pull_request'
name: Publish information from template
uses: ./.github/actions/publish-from-template
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PROVIDER: ${{ matrix.provider }}
CICD: ${{ matrix.cicd }}
with:
filename: .github/failed-workflow-issue-templates/test-provider.md