From 100d53e00545084a6fd2db1f1af7451cb89f3e59 Mon Sep 17 00:00:00 2001 From: Tom Stovall Date: Fri, 9 Jun 2023 14:27:06 -0700 Subject: [PATCH 01/13] Cache the terminus directory and only add token if not already logged in --- action.yml | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/action.yml b/action.yml index 19290d3..5f32f1f 100644 --- a/action.yml +++ b/action.yml @@ -34,11 +34,26 @@ runs: curl -L https://github.com/pantheon-systems/terminus/releases/download/$TERMINUS_RELEASE/terminus.phar --output terminus chmod +x terminus sudo ln -s ~/terminus/terminus /usr/local/bin/terminus + mkdir -p ~/.terminus/{cache,plugins} env: TERMINUS_RELEASE: ${{ inputs.terminus-version || env.TERMINUS_RELEASE }} + - uses: actions/cache@v3 + id: terminus-cache + ## description: "Cache Terminus cache directory to eliminate auth API limits." + with: + path: $HOME/.terminus/ + key: ${{ runner.os }}-terminus + restore-keys: | + ${{ runner.os }}-terminus- + - name: Login to Pantheon if: ${{ inputs.pantheon-machine-token }} shell: bash + ## description: "Authenticate with Pantheon using a machine token only if a session has not already been established" run: | - terminus auth:login --machine-token="${{ inputs.pantheon-machine-token }}" + if [ -f ~/.terminus/cache/session ]; then + terminus auth:login + else + terminus auth:login --machine-token="${{ inputs.pantheon-machine-token }}" + fi From 7dbc4e0364650e5b16b1b9d515e785b74b676f38 Mon Sep 17 00:00:00 2001 From: Tom Stovall Date: Mon, 12 Jun 2023 10:29:31 -0700 Subject: [PATCH 02/13] Implement as single line rather than multiline bash --- action.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/action.yml b/action.yml index 5f32f1f..72e0af9 100644 --- a/action.yml +++ b/action.yml 
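Review bot: The new `actions/cache@v3` step stores `$HOME/.terminus/`, which includes `cache/session`, in the repository's Actions cache unencrypted, so any workflow run that can read that cache scope can restore a live Pantheon session. The key `${{ runner.os }}-terminus` is also static, and an existing cache key cannot be overwritten, so the first saved session is restored on every later run even after it has expired. I would limit this step to the plugins directory, `path: ~/.terminus/plugins`, and keep the session file out of the cache unless it is encrypted first. `~` is used there because `with:` values are not shell-expanded, so `$HOME` is likely taken literally.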
@@ -52,8 +52,4 @@ runs: shell: bash ## description: "Authenticate with Pantheon using a machine token only if a session has not already been established" run: | - if [ -f ~/.terminus/cache/session ]; then - terminus auth:login - else - terminus auth:login --machine-token="${{ inputs.pantheon-machine-token }}" - fi + terminus auth:login || terminus auth:login --machine-token="${{ inputs.pantheon-machine-token }}" From f54f4f6ebce22ec2126fdfa6ce54d441052eaea6 Mon Sep 17 00:00:00 2001 From: Kyle Taylor Date: Thu, 7 Mar 2024 15:24:41 -0600 Subject: [PATCH 03/13] Add encryption when caching Terminus sessions - Update actions/cache to v4 - Add steps for encrypting/decrypting cached session - Separate step just for caching Terminus plugins --- action.yml | 117 +++++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 104 insertions(+), 13 deletions(-) diff --git a/action.yml b/action.yml index 72e0af9..ef526da 100644 --- a/action.yml +++ b/action.yml @@ -11,10 +11,15 @@ inputs: description: | The full version of Terminus to install. If omitted, the latest version is used. required: false + disable-cache: + description: Disable session cache and force a new session to be initiated. + required: false + default: false + runs: using: composite steps: - - name: Determine version + - name: Set Terminus version shell: bash if: ${{ ! inputs.terminus-version }} run: | 
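Review bot: `${{ inputs.pantheon-machine-token }}` is substituted into the script text before bash parses it, so a token value containing `"`, `$` or a backtick changes the command that actually runs. Pass the value through the step environment instead: add `env:` with `PANTHEON_MACHINE_TOKEN: ${{ inputs.pantheon-machine-token }}` and call `terminus auth:login --machine-token="$PANTHEON_MACHINE_TOKEN"`. The same inline expansion is in the login hunk of PATCH 01 and in the hash, gpg2 and openssl lines added by PATCH 03 and PATCH 09, where the unquoted `echo ${{ ... }}` form is also subject to word splitting and globbing. The `run:` block starts above this hunk.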
@@ -29,27 +34,113 @@ runs: - name: Install Terminus shell: bash run: | - mkdir ~/terminus && cd ~/terminus + mkdir $HOME/terminus && cd $HOME/terminus echo "Installing Terminus v$TERMINUS_RELEASE" curl -L https://github.com/pantheon-systems/terminus/releases/download/$TERMINUS_RELEASE/terminus.phar --output terminus chmod +x terminus - sudo ln -s ~/terminus/terminus /usr/local/bin/terminus - mkdir -p ~/.terminus/{cache,plugins} + sudo ln -s $HOME/terminus/terminus /usr/local/bin/terminus + mkdir -p $HOME/.terminus/{cache,plugins} env: TERMINUS_RELEASE: ${{ inputs.terminus-version || env.TERMINUS_RELEASE }} - - uses: actions/cache@v3 - id: terminus-cache - ## description: "Cache Terminus cache directory to eliminate auth API limits." + - name: Cache Terminus plugin directory + uses: actions/cache@v4 + id: terminus-plugin-cache with: - path: $HOME/.terminus/ - key: ${{ runner.os }}-terminus + path: $HOME/.terminus/plugins + key: ${{ runner.os }}-terminus-plugins restore-keys: | - ${{ runner.os }}-terminus- + ${{ runner.os }}-terminus-plugins- + + - name: Set a cache path, key, and restore-key + id: cache + shell: bash + run: | + + # Set cache path, key, and restore-key. + echo "path=${{ runner.temp }}/terminus-session.gpg" >> $GITHUB_OUTPUT - - name: Login to Pantheon - if: ${{ inputs.pantheon-machine-token }} + machine_token_hash=`echo ${{ inputs.pantheon-machine-token }} | sha256sum | head -c 40` + restore_key="terminus-session-$machine_token_hash" + echo "restore-key=$restore_key-" >> $GITHUB_OUTPUT + + # Use the GitHub Actions "run id" to uniqify the cache key so that we + # can force initiating a new session when requested via action input + # (GitHub Actions caches are immutable and can't be updated for a given + # key). 
+ # @see https://github.com/actions/cache/blob/main/tips-and-workarounds.md#update-a-cache + echo "key=$restore_key-${{ github.run_id }}" >> $GITHUB_OUTPUT + + - name: Restore cached encrypted Terminus session + id: restore-cache + if: inputs.disable-cache != 'true' + uses: actions/cache/restore@v4 + with: + path: ${{ steps.cache.outputs.path }} + key: ${{ steps.cache.outputs.key }} + restore-keys: ${{ steps.cache.outputs.restore-key }} + enableCrossOsArchive: true + + - name: Decrypt and set cached session file + id: decrypt + if: steps.restore-cache.outcome == 'success' + continue-on-error: true shell: bash - ## description: "Authenticate with Pantheon using a machine token only if a session has not already been established" run: | + + # Verify that the encrypted session file was restored from cache. + test -s ${{ steps.cache.outputs.path }} + + # Decrypt the session file using the "file descriptor" passphrase option + # (--passphrase-fd) instead of regular --passphrase because it's more + # secure to pipe the secret than to pass it as a command argument. + echo ${{ inputs.pantheon-machine-token }} | \ + gpg2 --passphrase-fd \ + --batch \ + --yes \ + --pinentry loopback \ + --output terminus-session-temp \ + --decrypt ${{ steps.cache.outputs.path }} + + # Move the session file into the Terminus cache directory. + mv terminus-session-temp $TERMINUS_CACHE_DIR/session + + # Check if restored session is still valid + terminus auth:whoami | grep -v "You are not logged in" + + - name: Create new Terminus session (if needed) + id: encrypt + if: steps.decrypt.outcome != 'success' + run: | + + # Initiate a new Terminus session because the old one was missing or + # expired, and encrypt new session file into GitHub Actions cache path. 
terminus auth:login || terminus auth:login --machine-token="${{ inputs.pantheon-machine-token }}" + + # Copy the session file to a mounted folder + $TERMINUS_CACHE_DIR/session terminus-session-temp + + # Encrypt the session file using the "file descriptor" passphrase option + # (--passphrase-fd) instead of regular --passphrase because it's more + # secure to pipe the secret than pass it as a command argument. + + echo ${{ inputs.pantheon-machine-token }} | \ + gpg2 --passphrase-fd \ + --batch \ + --yes \ + --pinentry-mode loopback \ + --output ${{ steps.cache.outputs.path }} \ + --symmetric terminus-session-temp + + # Remove the temporary session file we copied. + rm terminus-session-temp + shell: bash + + - name: Cache encrypted Terminus session + id: encrypt-cache + if: steps.encrypt.outcome == 'success' + uses: actions/cache/save@v4 + with: + path: ${{ steps.cache.outputs.path }} + key: ${{ steps.cache.outputs.key }} + enableCrossOsArchive: true From 23bf422ad779047eeb5068064145cac0ff586a6d Mon Sep 17 00:00:00 2001 From: Kyle Taylor Date: Thu, 7 Mar 2024 16:20:59 -0600 Subject: [PATCH 04/13] Fix missing cp, update README --- README.md | 15 +++++++++++++-- action.yml | 6 +++--- 2 files changed, 16 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index b6df3ab..cb76aa3 100644 --- a/README.md +++ b/README.md @@ -16,7 +16,7 @@ steps: - name: Setup PHP uses: shivammathur/setup-php@v2 with: - php-version: '7.4' + php-version: "7.4" - name: Install Terminus uses: pantheon-systems/terminus-github-actions@main @@ -36,7 +36,7 @@ steps: - name: Setup PHP uses: shivammathur/setup-php@v2 with: - php-version: '7.4' + php-version: "7.4" - name: Install Terminus uses: pantheon-systems/terminus-github-actions@main 
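Review bot: Both gpg2 invocations give `--passphrase-fd` no descriptor number, so the following `--batch` is consumed as its value; whether gpg then rejects the call or reads from some descriptor is not something the script should depend on. The lines should read `gpg2 --passphrase-fd 0 \` so the piped token is read from stdin and `--batch` stays in effect. Because the decrypt step sets `continue-on-error: true`, a failure here is silent and every run falls through to a fresh login, which defeats the cache without any visible error. The decrypt step also writes `--pinentry loopback` where the encrypt step writes `--pinentry-mode loopback`; use the full option name in both.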
@@ -48,6 +48,17 @@ steps: run: terminus site:list ``` +This action will encrypt and cache the Terminus session by default to be re-used across jobs in a workflow to reduce the number of authorizations. If you need to disable this for some reason, you can set the `disable-cache` option to `true`. + +```yaml +steps: + - name: Install Terminus + uses: pantheon-systems/terminus-github-actions@main + with: + pantheon-machine-token: ${{ secrets.PANTHEON_MACHINE_TOKEN }} + disable-cache: true +``` + Please note that in order to run commands that require SSH (e.g. drush or wp-cli), you will need to setup a SSH key. There are plenty of options available in the [Github Actions Marketplace](https://github.com/marketplace?type=actions&query=ssh+key+). We recommend you to choose one of them and use them in your pipeline. ## Credits diff --git a/action.yml b/action.yml index ef526da..7516fe1 100644 --- a/action.yml +++ b/action.yml @@ -20,8 +20,8 @@ runs: using: composite steps: - name: Set Terminus version - shell: bash if: ${{ ! inputs.terminus-version }} + shell: bash run: | TERMINUS_RELEASE=$( curl --silent \ @@ -111,6 +111,7 @@ runs: - name: Create new Terminus session (if needed) id: encrypt if: steps.decrypt.outcome != 'success' + shell: bash run: | # Initiate a new Terminus session because the old one was missing or @@ -118,7 +119,7 @@ runs: terminus auth:login || terminus auth:login --machine-token="${{ inputs.pantheon-machine-token }}" # Copy the session file to a mounted folder - $TERMINUS_CACHE_DIR/session terminus-session-temp + cp $TERMINUS_CACHE_DIR/session terminus-session-temp # Encrypt the session file using the "file descriptor" passphrase option # (--passphrase-fd) instead of regular --passphrase because it's more @@ -134,7 +135,6 @@ runs: # Remove the temporary session file we copied. rm terminus-session-temp - shell: bash - name: Cache encrypted Terminus session id: encrypt-cache From 97a340f3831da41fc6eb28f96c7475c813bc56c5 Mon Sep 17 00:00:00 2001 
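Review bot: The added `cp $TERMINUS_CACHE_DIR/session terminus-session-temp` puts a plaintext copy of the session in the step's current working directory, and the `rm terminus-session-temp` at the end of the block runs only if every command before it succeeded. A failed gpg2 call therefore leaves the session file behind, where a later step that archives or uploads the directory would pick it up. Create the copy under the runner temp directory and remove it on exit: `tmp="$(mktemp "$RUNNER_TEMP/terminus-session.XXXXXX")"; trap 'rm -f "$tmp"' EXIT`. `TERMINUS_CACHE_DIR` is not set in any step visible here, so confirm it is defined and quote the expansion. The `run:` block extends beyond this hunk.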
From: Kyle Taylor Date: Thu, 7 Mar 2024 16:55:10 -0600 Subject: [PATCH 05/13] Move some steps around --- action.yml | 30 +++++++++++++++++------------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/action.yml b/action.yml index 7516fe1..f22c10b 100644 --- a/action.yml +++ b/action.yml @@ -53,7 +53,7 @@ runs: ${{ runner.os }}-terminus-plugins- - name: Set a cache path, key, and restore-key - id: cache + id: configure-cache shell: bash run: | @@ -73,7 +73,7 @@ runs: - name: Restore cached encrypted Terminus session id: restore-cache - if: inputs.disable-cache != 'true' + if: ${{ inputs.disable-cache != 'true' }} uses: actions/cache/restore@v4 with: path: ${{ steps.cache.outputs.path }} @@ -81,9 +81,9 @@ runs: restore-keys: ${{ steps.cache.outputs.restore-key }} enableCrossOsArchive: true - - name: Decrypt and set cached session file + - name: Decrypt cached session file id: decrypt - if: steps.restore-cache.outcome == 'success' + if: ${{ steps.restore-cache.outcome == 'success' }} continue-on-error: true shell: bash run: | 
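Review bot: Renaming the step id to `configure-cache` leaves the later steps reading `steps.cache.outputs.path`, `.key` and `.restore-key`, as the context lines of the restore hunk below show; a step id that does not exist evaluates to an empty value, so the restore step would receive an empty path and key. The `encrypt` to `encrypt-cache` rename in this patch has the same effect on the save step: `if: ${{ steps.encrypt.outcome == 'success' }}` can no longer be true, so the encrypted session is never saved. Update the references in the same commit as the ids, e.g. `path: ${{ steps.configure-cache.outputs.path }}` and `if: ${{ steps.encrypt-cache.outcome == 'success' }}`.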
@@ -106,18 +106,22 @@ runs: mv terminus-session-temp $TERMINUS_CACHE_DIR/session # Check if restored session is still valid - terminus auth:whoami | grep -v "You are not logged in" + terminus auth:whoami - - name: Create new Terminus session (if needed) - id: encrypt - if: steps.decrypt.outcome != 'success' + - name: Authenticate Terminus + id: authenticate + if: ${{ inputs.pantheon-machine-token }} + continue-on-error: true shell: bash run: | - - # Initiate a new Terminus session because the old one was missing or - # expired, and encrypt new session file into GitHub Actions cache path. terminus auth:login || terminus auth:login --machine-token="${{ inputs.pantheon-machine-token }}" + - name: Encrypt new Terminus session (if needed) + id: encrypt-cache + if: ${{ steps.decrypt.outcome != 'success' && steps.authenticate.outcome == 'success'}} + shell: bash + run: | + # Copy the session file to a mounted folder cp $TERMINUS_CACHE_DIR/session terminus-session-temp @@ -137,8 +141,8 @@ runs: rm terminus-session-temp - name: Cache encrypted Terminus session - id: encrypt-cache - if: steps.encrypt.outcome == 'success' + id: save-cache + if: ${{ steps.encrypt.outcome == 'success' }} uses: actions/cache/save@v4 with: path: ${{ steps.cache.outputs.path }} From f76d089f125c6e0326fe6b8e561706b4f4de8db4 Mon Sep 17 00:00:00 2001 From: Kyle Taylor Date: Thu, 7 Mar 2024 16:58:04 -0600 Subject: [PATCH 06/13] Fix cache directory path --- action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/action.yml b/action.yml index f22c10b..e64def9 100644 --- a/action.yml +++ b/action.yml @@ -103,7 +103,7 @@ runs: --decrypt ${{ steps.cache.outputs.path }} # Move the session file into the Terminus cache directory. - mv terminus-session-temp $TERMINUS_CACHE_DIR/session + mv terminus-session-temp $HOME/.terminus/cache/session # Check if restored session is still valid terminus auth:whoami 
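Review bot: `continue-on-error: true` on the new `Authenticate Terminus` step means a rejected or expired machine token no longer fails the action; the job carries on and later `terminus` commands run without a session. Unless that is intended, drop the line from this step so a login failure stops the workflow. The validity check in the decrypt step is also reduced to a bare `terminus auth:whoami`, which detects an invalid session only if the command exits non-zero when logged out. That is worth confirming, since the removed `grep -v "You are not logged in"` suggests it may print a message and still exit 0.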
@@ -123,7 +123,7 @@ runs: run: | # Copy the session file to a mounted folder - cp $TERMINUS_CACHE_DIR/session terminus-session-temp + cp $HOME/.terminus/cache/session terminus-session-temp # Encrypt the session file using the "file descriptor" passphrase option # (--passphrase-fd) instead of regular --passphrase because it's more From 56163368fab4bf25c9bf8ef8b6b163fe0fdab125 Mon Sep 17 00:00:00 2001 From: Kyle Taylor Date: Thu, 7 Mar 2024 17:07:31 -0600 Subject: [PATCH 07/13] Update steps ids --- action.yml | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/action.yml b/action.yml index e64def9..3695290 100644 --- a/action.yml +++ b/action.yml @@ -76,9 +76,9 @@ runs: if: ${{ inputs.disable-cache != 'true' }} uses: actions/cache/restore@v4 with: - path: ${{ steps.cache.outputs.path }} - key: ${{ steps.cache.outputs.key }} - restore-keys: ${{ steps.cache.outputs.restore-key }} + path: ${{ steps.configure-cache.outputs.path }} + key: ${{ steps.configure-cache.outputs.key }} + restore-keys: ${{ steps.configure-cache.outputs.restore-key }} enableCrossOsArchive: true - name: Decrypt cached session file @@ -89,7 +89,7 @@ runs: run: | # Verify that the encrypted session file was restored from cache. - test -s ${{ steps.cache.outputs.path }} + test -s ${{ steps.configure-cache.outputs.path }} # Decrypt the session file using the "file descriptor" passphrase option # (--passphrase-fd) instead of regular --passphrase because it's more @@ -100,7 +100,7 @@ runs: --yes \ --pinentry loopback \ --output terminus-session-temp \ - --decrypt ${{ steps.cache.outputs.path }} + --decrypt ${{ steps.configure-cache.outputs.path }} # Move the session file into the Terminus cache directory. mv terminus-session-temp $HOME/.terminus/cache/session 
@@ -128,13 +128,12 @@ runs: # Encrypt the session file using the "file descriptor" passphrase option # (--passphrase-fd) instead of regular --passphrase because it's more # secure to pipe the secret than pass it as a command argument. - echo ${{ inputs.pantheon-machine-token }} | \ gpg2 --passphrase-fd \ --batch \ --yes \ --pinentry-mode loopback \ - --output ${{ steps.cache.outputs.path }} \ + --output ${{ steps.configure-cache.outputs.path }} \ --symmetric terminus-session-temp # Remove the temporary session file we copied. @@ -145,6 +144,6 @@ runs: if: ${{ steps.encrypt.outcome == 'success' }} uses: actions/cache/save@v4 with: - path: ${{ steps.cache.outputs.path }} - key: ${{ steps.cache.outputs.key }} + path: ${{ steps.configure-cache.outputs.path }} + key: ${{ steps.configure-cache.outputs.key }} enableCrossOsArchive: true From e26db6ccbc17a03e677b1860536fa8b190eecad5 Mon Sep 17 00:00:00 2001 From: Kyle Taylor Date: Fri, 8 Mar 2024 09:27:31 -0600 Subject: [PATCH 08/13] Update actions/checkout version for tests --- .github/workflows/test-terminus-version.yml | 6 ++---- .github/workflows/test-terminus.yml | 8 +++----- 2 files changed, 5 insertions(+), 9 deletions(-) diff --git a/.github/workflows/test-terminus-version.yml b/.github/workflows/test-terminus-version.yml index 4f214fa..a0c1f0d 100644 --- a/.github/workflows/test-terminus-version.yml +++ b/.github/workflows/test-terminus-version.yml @@ -1,4 +1,4 @@ -name: 'Tests: Version' +name: "Tests: Version" on: workflow_call: @@ -17,9 +17,8 @@ jobs: runs-on: ubuntu-latest name: ${{ inputs.terminus-version }} steps: - - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Setup PHP uses: shivammathur/setup-php@v2 @@ -35,4 +34,3 @@ jobs: run: | terminus -V --no-ansi if [[ $(terminus -V --no-ansi) != *"${{ inputs.terminus-version }}" ]]; then exit 1; fi - diff --git a/.github/workflows/test-terminus.yml b/.github/workflows/test-terminus.yml index 26b5134..8c6fda3 100644 
--- a/.github/workflows/test-terminus.yml +++ b/.github/workflows/test-terminus.yml @@ -3,16 +3,15 @@ name: Terminus Github Action Tests on: pull_request: branches: - - main + - main jobs: test_terminus: runs-on: ubuntu-latest name: Terminus Setup steps: - - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Setup Terminus uses: ./ @@ -27,9 +26,8 @@ jobs: runs-on: ubuntu-latest name: Terminus Login steps: - - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 - name: Setup Terminus uses: ./ From 5eb81fc7b50b4118203bbe95a0d88feac1183863 Mon Sep 17 00:00:00 2001 From: Kyle Taylor Date: Fri, 8 Mar 2024 09:49:02 -0600 Subject: [PATCH 09/13] Use openssl vs gpg2 for platform compatibilities - gpg2 is not installed on MacOS by default, openssl is available - clean up some comments --- action.yml | 39 ++++++++++----------------------------- 1 file changed, 10 insertions(+), 29 deletions(-) diff --git a/action.yml b/action.yml index 3695290..552d076 100644 --- a/action.yml +++ b/action.yml 
@@ -57,18 +57,13 @@ runs: shell: bash run: | - # Set cache path, key, and restore-key. - echo "path=${{ runner.temp }}/terminus-session.gpg" >> $GITHUB_OUTPUT - + # Generate a hash of the machine token to use as a restore-key. machine_token_hash=`echo ${{ inputs.pantheon-machine-token }} | sha256sum | head -c 40` restore_key="terminus-session-$machine_token_hash" - echo "restore-key=$restore_key-" >> $GITHUB_OUTPUT - # Use the GitHub Actions "run id" to uniqify the cache key so that we - # can force initiating a new session when requested via action input - # (GitHub Actions caches are immutable and can't be updated for a given - # key). - # @see https://github.com/actions/cache/blob/main/tips-and-workarounds.md#update-a-cache + # Set path, cache key, and restore-key for later steps. + echo "path=${{ runner.temp }}/terminus-session.gpg" >> $GITHUB_OUTPUT + echo "restore-key=$restore_key-" >> $GITHUB_OUTPUT echo "key=$restore_key-${{ github.run_id }}" >> $GITHUB_OUTPUT - name: Restore cached encrypted Terminus session @@ -91,16 +86,9 @@ runs: # Verify that the encrypted session file was restored from cache. test -s ${{ steps.configure-cache.outputs.path }} - # Decrypt the session file using the "file descriptor" passphrase option - # (--passphrase-fd) instead of regular --passphrase because it's more - # secure to pipe the secret than to pass it as a command argument. - echo ${{ inputs.pantheon-machine-token }} | \ - gpg2 --passphrase-fd \ - --batch \ - --yes \ - --pinentry loopback \ - --output terminus-session-temp \ - --decrypt ${{ steps.configure-cache.outputs.path }} + # Decrypt the session file. + echo "${{ inputs.pantheon-machine-token }}" | \ + openssl enc -d -aes-256-cbc -pass stdin -in ${{ steps.configure-cache.outputs.path }} -out terminus-session-temp # Move the session file into the Terminus cache directory. mv terminus-session-temp $HOME/.terminus/cache/session 
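Review bot: The cache key is built from the first 40 hex characters of an unsalted SHA-256 of the machine token, and cache keys appear in the step log and in the repository's cache listing. Anyone with read access to Actions therefore gets a value that can confirm a candidate token offline and show whether two repositories share a token; log masking covers the secret itself, not a digest of it. Prefer a key that is not derived from the secret, or at least record the trade-off next to the new `# Generate a hash of the machine token` comment. This hunk also removes the explanation of why `${{ github.run_id }}` is appended; a one-line replacement such as `# run_id keeps the key unique because an existing cache key cannot be overwritten` would preserve that reasoning.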
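Review bot: `openssl enc -aes-256-cbc` provides confidentiality only; there is no MAC, so a modified or truncated cache entry is caught only when the CBC padding happens to be invalid, and the output is then moved into `$HOME/.terminus/cache/session`. The `terminus auth:whoami` call after the move is the only validation of the restored bytes, so it needs to fail the step reliably on an invalid session. Without `-pbkdf2`, `enc` also falls back to its legacy key derivation; add `-pbkdf2` to this command and to the encrypt command in the `@@ -125,16 +113,9 @@` hunk.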
@@ -125,16 +113,9 @@ runs: # Copy the session file to a mounted folder cp $HOME/.terminus/cache/session terminus-session-temp - # Encrypt the session file using the "file descriptor" passphrase option - # (--passphrase-fd) instead of regular --passphrase because it's more - # secure to pipe the secret than pass it as a command argument. - echo ${{ inputs.pantheon-machine-token }} | \ - gpg2 --passphrase-fd \ - --batch \ - --yes \ - --pinentry-mode loopback \ - --output ${{ steps.configure-cache.outputs.path }} \ - --symmetric terminus-session-temp + # Encrypt the session file. + echo "${{ inputs.pantheon-machine-token }}" | \ + openssl enc -aes-256-cbc -salt -pass stdin -in terminus-session-temp -out ${{ steps.configure-cache.outputs.path }} # Remove the temporary session file we copied. rm terminus-session-temp From 9722a2d1d4461c2c4c6ec5a149fd0208823a4254 Mon Sep 17 00:00:00 2001 From: Kyle Taylor Date: Fri, 8 Mar 2024 10:38:12 -0600 Subject: [PATCH 10/13] Add pbkdf2 and iter for improved strength Address "deprecated key derivation used" output --- action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/action.yml b/action.yml index 552d076..7273960 100644 --- a/action.yml +++ b/action.yml @@ -88,7 +88,7 @@ runs: # Decrypt the session file. echo "${{ inputs.pantheon-machine-token }}" | \ - openssl enc -d -aes-256-cbc -pass stdin -in ${{ steps.configure-cache.outputs.path }} -out terminus-session-temp + openssl enc -d -aes-256-cbc -pbkdf2 -iter 10000 -pass stdin -in ${{ steps.configure-cache.outputs.path }} -out terminus-session-temp # Move the session file into the Terminus cache directory. mv terminus-session-temp $HOME/.terminus/cache/session 
@@ -115,7 +115,7 @@ runs: # Encrypt the session file. echo "${{ inputs.pantheon-machine-token }}" | \ - openssl enc -aes-256-cbc -salt -pass stdin -in terminus-session-temp -out ${{ steps.configure-cache.outputs.path }} + openssl enc -aes-256-cbc -salt -pbkdf2 -iter 10000 -pass stdin -in terminus-session-temp -out ${{ steps.configure-cache.outputs.path }} # Remove the temporary session file we copied. rm terminus-session-temp From a11cb4e9c962de877e4a57cb19becbdb05025154 Mon Sep 17 00:00:00 2001 From: Kyle Taylor Date: Fri, 8 Mar 2024 11:42:59 -0600 Subject: [PATCH 11/13] Fix encrypt step name reference --- action.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/action.yml b/action.yml index 7273960..4d1db66 100644 --- a/action.yml +++ b/action.yml @@ -62,7 +62,7 @@ runs: restore_key="terminus-session-$machine_token_hash" # Set path, cache key, and restore-key for later steps. - echo "path=${{ runner.temp }}/terminus-session.gpg" >> $GITHUB_OUTPUT + echo "path=${{ runner.temp }}/terminus-session.enc" >> $GITHUB_OUTPUT echo "restore-key=$restore_key-" >> $GITHUB_OUTPUT echo "key=$restore_key-${{ github.run_id }}" >> $GITHUB_OUTPUT @@ -122,7 +122,7 @@ runs: - name: Cache encrypted Terminus session id: save-cache - if: ${{ steps.encrypt.outcome == 'success' }} + if: ${{ steps.encrypt-cache.outcome == 'success' }} uses: actions/cache/save@v4 with: path: ${{ steps.configure-cache.outputs.path }} From fcb98ed43d7045a15b2c5632223100f281588b7b Mon Sep 17 00:00:00 2001 From: Kyle Taylor Date: Fri, 8 Mar 2024 15:20:51 -0600 Subject: [PATCH 12/13] Update authentication pattern - Remove redundant auth step - Use whoami to validate session - Remove redundant file copying steps - Remove Terminus plugins cache (can add back later if we support installing plugins) --- action.yml | 47 +++++++++++++++++------------------------------ 1 file changed, 17 insertions(+), 30 deletions(-) diff --git a/action.yml b/action.yml index 4d1db66..76b36ea 100644 
--- a/action.yml +++ b/action.yml @@ -43,16 +43,7 @@ runs: env: TERMINUS_RELEASE: ${{ inputs.terminus-version || env.TERMINUS_RELEASE }} - - name: Cache Terminus plugin directory - uses: actions/cache@v4 - id: terminus-plugin-cache - with: - path: $HOME/.terminus/plugins - key: ${{ runner.os }}-terminus-plugins - restore-keys: | - ${{ runner.os }}-terminus-plugins- - - - name: Set a cache path, key, and restore-key + - name: Set cache path, key, and restore-key id: configure-cache shell: bash run: | 
@@ -88,41 +79,37 @@ runs: # Decrypt the session file. echo "${{ inputs.pantheon-machine-token }}" | \ - openssl enc -d -aes-256-cbc -pbkdf2 -iter 10000 -pass stdin -in ${{ steps.configure-cache.outputs.path }} -out terminus-session-temp - - # Move the session file into the Terminus cache directory. - mv terminus-session-temp $HOME/.terminus/cache/session + openssl enc -d -aes-256-cbc -pbkdf2 -iter 10000 -pass stdin -in ${{ steps.configure-cache.outputs.path }} -out $HOME/.terminus/cache/session # Check if restored session is still valid - terminus auth:whoami + TERMINUS_USER=$(terminus auth:whoami) + + if [ -z "$TERMINUS_USER" ]; then + echo "No valid session found. " + exit 1 + fi + + echo "Valid session found: $TERMINUS_USER" - name: Authenticate Terminus id: authenticate - if: ${{ inputs.pantheon-machine-token }} - continue-on-error: true + if: ${{ inputs.pantheon-machine-token && steps.decrypt.outcome != 'success' }} shell: bash run: | - terminus auth:login || terminus auth:login --machine-token="${{ inputs.pantheon-machine-token }}" - - name: Encrypt new Terminus session (if needed) - id: encrypt-cache - if: ${{ steps.decrypt.outcome != 'success' && steps.authenticate.outcome == 'success'}} - shell: bash - run: | + # Running this step means the session was not restored from cache + # and needs to be re-authenticated. - # Copy the session file to a mounted folder - cp $HOME/.terminus/cache/session terminus-session-temp + # Authenticate with Pantheon using the machine token. + terminus auth:login --machine-token="${{ inputs.pantheon-machine-token }}" # Encrypt the session file. echo "${{ inputs.pantheon-machine-token }}" | \ - openssl enc -aes-256-cbc -salt -pbkdf2 -iter 10000 -pass stdin -in terminus-session-temp -out ${{ steps.configure-cache.outputs.path }} - - # Remove the temporary session file we copied. 
- rm terminus-session-temp + openssl enc -aes-256-cbc -salt -pbkdf2 -iter 10000 -pass stdin -in $HOME/.terminus/cache/session -out ${{ steps.configure-cache.outputs.path }} - name: Cache encrypted Terminus session id: save-cache - if: ${{ steps.encrypt-cache.outcome == 'success' }} + if: ${{ steps.authenticate.outcome == 'success' }} uses: actions/cache/save@v4 with: path: ${{ steps.configure-cache.outputs.path }} From 98b72b4662f83d5a44eeadb13648427ea560ca21 Mon Sep 17 00:00:00 2001 From: Kyle Taylor Date: Fri, 8 Mar 2024 16:03:10 -0600 Subject: [PATCH 13/13] Remove restore key --- action.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/action.yml b/action.yml index 76b36ea..3b3835f 100644 --- a/action.yml +++ b/action.yml @@ -64,7 +64,6 @@ runs: with: path: ${{ steps.configure-cache.outputs.path }} key: ${{ steps.configure-cache.outputs.key }} - restore-keys: ${{ steps.configure-cache.outputs.restore-key }} enableCrossOsArchive: true - name: Decrypt cached session file
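Review bot: The decrypt command now writes straight to `$HOME/.terminus/cache/session`, so the file is created by openssl under the shell's default umask rather than by Terminus; on a shared or self-hosted runner that can leave the session readable by other local users. Set `umask 077` at the top of this `run:` block, and in the authenticate block before the encrypt command. `echo "Valid session found: $TERMINUS_USER"` also prints the `auth:whoami` output, presumably the account identity, into the job log; `echo "Valid session found."` carries the same signal. `$HOME` is unquoted in both openssl lines.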