feat: add Cloudsmith auth

This adds in the orb to authenticate with Cloudsmith via OIDC. Our Cloudsmith orb requires two environment variables to work: * CLOUDSMITH_ORGANISATION * CLOUDSMITH_SERVICE_ACCOUNT To allow us to specify these in Tool Kit config instead (which is a lot cleaner, the config lives in the code etc) we need to define a schema for a nonexistent `cloudsmith` plugin and then pass params through into the CircleCI config. Co-Authored-By: Alex Muller <alexmuller@users.noreply.github.com> Co-Authored-By: Ivo Murrell <ivomurrell@users.noreply.github.com>
Financial-Times · Nov 25, 2024 · d3606b8 · d3606b8
1 parent e1314d7
commit d3606b8
Show file tree

Hide file tree

Showing 7 changed files with 76 additions and 0 deletions.
diff --git a/lib/schemas/src/plugins.ts b/lib/schemas/src/plugins.ts
@@ -1,6 +1,7 @@
 import { z } from 'zod'
 
 import { CircleCISchema } from './plugins/circleci'
+import { CloudsmithSchema } from './plugins/cloudsmith'
 import { DopplerSchema } from './plugins/doppler'
 import { RootSchema } from './plugins/dotcom-tool-kit'
 import { HerokuSchema } from './plugins/heroku'
@@ -28,6 +29,7 @@ export const legacyPluginOptions: Record<string, string> = {
 export const PluginSchemas = {
   'app root': RootSchema,
   '@dotcom-tool-kit/circleci': CircleCISchema,
+  '@dotcom-tool-kit/cloudsmith': CloudsmithSchema,
   '@dotcom-tool-kit/doppler': DopplerSchema,
   '@dotcom-tool-kit/heroku': HerokuSchema,
   '@dotcom-tool-kit/lint-staged-npm': LintStagedNpmSchema,

diff --git a/lib/schemas/src/plugins/cloudsmith.ts b/lib/schemas/src/plugins/cloudsmith.ts
@@ -0,0 +1,6 @@
+import { z } from 'zod'
+
+export const CloudsmithSchema = z.object({
+  organisation: z.string().optional(),
+  serviceAccount: z.string().optional()
+})
diff --git a/orb/src/@orb.yml b/orb/src/@orb.yml
@@ -13,5 +13,6 @@ display:
 orbs:
   node: circleci/node@5.0.2
   change-api: financial-times/change-api@1.0.9
+  cloudsmith-oidc: ft-circleci-orbs/cloudsmith-oidc@1.0.0
   aws-cli: circleci/aws-cli@3.1.4
   serverless-framework: circleci/serverless-framework@2.0.2
diff --git a/orb/src/jobs/deploy-production.yml b/orb/src/jobs/deploy-production.yml
@@ -11,13 +11,30 @@ parameters:
       The system-code of the system being changed. Defaults to the repository
       name.
     type: string
+  cloudsmith-org:
+    default: 'financial-times'
+    type: string
+  cloudsmith-service-account:
+    default: ''
+    type: string
 
 executor: << parameters.executor >>
 
+environment:
+  CLOUDSMITH_ORGANISATION: << parameters.cloudsmith-org >>
+  CLOUDSMITH_SERVICE_ACCOUNT: << parameters.cloudsmith-service-account >>
+
 steps:
   - attach-workspace
   - setup_remote_docker:
       docker_layer_caching: true
+  - when:
+      condition:
+        and:
+          - << parameters.cloudsmith-org >>
+          - << parameters.cloudsmith-service-account >>
+      steps:
+        - cloudsmith-oidc/authenticate_with_oidc
   - when:
       condition:
         and:

diff --git a/orb/src/jobs/deploy-review.yml b/orb/src/jobs/deploy-review.yml
@@ -8,13 +8,30 @@ parameters:
   system-code:
     default: ''
     type: string
+  cloudsmith-org:
+    default: 'financial-times'
+    type: string
+  cloudsmith-service-account:
+    default: ''
+    type: string
 
 executor: << parameters.executor >>
 
+environment:
+  CLOUDSMITH_ORGANISATION: << parameters.cloudsmith-org >>
+  CLOUDSMITH_SERVICE_ACCOUNT: << parameters.cloudsmith-service-account >>
+
 steps:
   - attach-workspace
   - setup_remote_docker:
       docker_layer_caching: true
+  - when:
+      condition:
+        and:
+          - << parameters.cloudsmith-org >>
+          - << parameters.cloudsmith-service-account >>
+      steps:
+        - cloudsmith-oidc/authenticate_with_oidc
   - when:
       condition:
         and:

diff --git a/orb/src/jobs/deploy-staging.yml b/orb/src/jobs/deploy-staging.yml
@@ -2,13 +2,30 @@ parameters:
   executor:
     default: default
     type: executor
+  cloudsmith-org:
+    default: 'financial-times'
+    type: string
+  cloudsmith-service-account:
+    default: ''
+    type: string
 
 executor: << parameters.executor >>
 
+environment:
+  CLOUDSMITH_ORGANISATION: << parameters.cloudsmith-org >>
+  CLOUDSMITH_SERVICE_ACCOUNT: << parameters.cloudsmith-service-account >>
+
 steps:
   - attach-workspace
   - setup_remote_docker:
       docker_layer_caching: true
+  - when:
+      condition:
+        and:
+          - << parameters.cloudsmith-org >>
+          - << parameters.cloudsmith-service-account >>
+      steps:
+        - cloudsmith-oidc/authenticate_with_oidc
   - run:
       name: Deploy to staging
       command: npx dotcom-tool-kit deploy:staging

diff --git a/plugins/circleci-deploy/.toolkitrc.yml b/plugins/circleci-deploy/.toolkitrc.yml
@@ -30,6 +30,10 @@ options:
                   !toolkit/if-defined '@dotcom-tool-kit/serverless.awsAccountId':
                     aws-account-id: !toolkit/option '@dotcom-tool-kit/serverless.awsAccountId'
                     system-code: !toolkit/option '@dotcom-tool-kit/serverless.systemCode'
+                  !toolkit/if-defined '@dotcom-tool-kit/cloudsmith.organisation':
+                    cloudsmith-org: !toolkit/option '@dotcom-tool-kit/cloudsmith.organisation'
+                  !toolkit/if-defined '@dotcom-tool-kit/cloudsmith.serviceAccount':
+                    cloudsmith-service-account: !toolkit/option '@dotcom-tool-kit/cloudsmith.serviceAccount'
               - name: 'deploy-staging'
                 requires:
                   - 'setup'
@@ -39,6 +43,10 @@ options:
                   filters:
                     branches:
                       only: main
+                  !toolkit/if-defined '@dotcom-tool-kit/cloudsmith.organisation':
+                    cloudsmith-org: !toolkit/option '@dotcom-tool-kit/cloudsmith.organisation'
+                  !toolkit/if-defined '@dotcom-tool-kit/cloudsmith.serviceAccount':
+                    cloudsmith-service-account: !toolkit/option '@dotcom-tool-kit/cloudsmith.serviceAccount'
               - name: 'e2e-test-review'
                 requires:
                   - 'deploy-review'
@@ -71,6 +79,10 @@ options:
                   !toolkit/if-defined '@dotcom-tool-kit/serverless.awsAccountId':
                     aws-account-id: !toolkit/option '@dotcom-tool-kit/serverless.awsAccountId'
                     system-code: !toolkit/option '@dotcom-tool-kit/serverless.systemCode'
+                  !toolkit/if-defined '@dotcom-tool-kit/cloudsmith.organisation':
+                    cloudsmith-org: !toolkit/option '@dotcom-tool-kit/cloudsmith.organisation'
+                  !toolkit/if-defined '@dotcom-tool-kit/cloudsmith.serviceAccount':
+                    cloudsmith-service-account: !toolkit/option '@dotcom-tool-kit/cloudsmith.serviceAccount'
           - name: 'nightly'
             jobs:
               - name: 'deploy-review'
@@ -85,6 +97,10 @@ options:
                   !toolkit/if-defined '@dotcom-tool-kit/serverless.awsAccountId':
                     aws-account-id: !toolkit/option '@dotcom-tool-kit/serverless.awsAccountId'
                     system-code: !toolkit/option '@dotcom-tool-kit/serverless.systemCode'
+                  !toolkit/if-defined '@dotcom-tool-kit/cloudsmith.organisation':
+                    cloudsmith-org: !toolkit/option '@dotcom-tool-kit/cloudsmith.organisation'
+                  !toolkit/if-defined '@dotcom-tool-kit/cloudsmith.serviceAccount':
+                    cloudsmith-service-account: !toolkit/option '@dotcom-tool-kit/cloudsmith.serviceAccount'
       !toolkit/if-defined '@dotcom-tool-kit/circleci.cypressImage':
         executors:
           - name: cypress