Refactor: Switching to Service Account JSON Credentials #16540

Open. Wants to merge 5 commits into base: master. Changes from 3 commits.
41 changes: 35 additions & 6 deletions .github/workflows/migration-automation.yml
Expand Up @@ -54,6 +54,8 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Save service account JSON credentials to a file
run: echo '${{ secrets.MIGRATION_JSON }}' > ${{ github.workspace }}/.github/migration-tester/migration-automation/creds.json
Contributor

can writing the credentials to a file like this pose any security issues?

Contributor Author

@JayanaGunaweera01 JayanaGunaweera01 Sep 14, 2023
@chamathns ,

Thank you for raising this valid concern. In the context of GitHub Actions workflows, files created within the runner environment – be it a temporary VM or container – are ephemeral. Once the workflow concludes, these files are purged, especially since our current procedure does not involve generating artifacts or saving logs from this step.
So it doesn't pose security issues.

Having said that, taking into account best practices and suggestions such as yours, I have transitioned our methodology from file-based storage to leveraging environment variables for credential management. This strategic shift not only streamlines the process but also amplifies security, effectively circumventing the risks associated with file-based credential storage.

For a detailed overview of the changes implemented, I would direct your attention to commits 1b056c8 and 3db1330.
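The step the thread above is discussing can be hardened without giving up the file. The block below is an added example, not code from this PR or from the project: it is the body a `run:` step could use if the workflow passes the secret through the step's `env:` block (`MIGRATION_JSON: ${{ secrets.MIGRATION_JSON }}`) rather than expanding it inside the script text. The path argument, the `"type": "service_account"` check and the `stat` fallback for macOS are assumptions made for the example; it runs stand-alone with a constructed fake key in the environment.

```shell
#!/bin/sh
# Added example, not code from this PR: a hardened body for the
# "Save service account JSON credentials to a file" step. It assumes the
# workflow passes the secret through the step's `env:` block
# (MIGRATION_JSON: ${{ secrets.MIGRATION_JSON }}) instead of expanding
# it inside the `run:` text, so the value is read from the environment
# and never becomes part of the shell command line.

# Write $MIGRATION_JSON to the path in $1 with mode 0600 and verify it
# looks like a service-account key. Returns non-zero, leaving no file
# behind, if the variable is unset or the content is not a key file.
write_creds_file() {
    creds_path="$1"
    if [ -z "${MIGRATION_JSON:-}" ]; then
        echo "MIGRATION_JSON is not set" >&2
        return 1
    fi
    # printf '%s' copies the value byte-for-byte; a single quote or
    # backslash inside the JSON cannot break out of the command the way
    # it can with echo '${{ secrets.X }}'. umask 077 creates the file as
    # 0600 on both Ubuntu and macOS runners instead of the default 0644.
    ( umask 077 && printf '%s\n' "$MIGRATION_JSON" > "$creds_path" ) || return 1
    # Redirection keeps an existing file's mode, so enforce it explicitly.
    chmod 600 "$creds_path" || return 1
    # Cheap structural check: a Google service-account key file carries
    # "type": "service_account". Reject (and remove) anything else so a
    # wrong secret fails here rather than deep inside the migration script.
    if ! grep -q '"type"[[:space:]]*:[[:space:]]*"service_account"' "$creds_path"; then
        echo "$creds_path does not contain a service-account key" >&2
        rm -f "$creds_path"
        return 1
    fi
}

# Delete the key file; meant for a cleanup step declared with
# `if: always()` so it also runs when an earlier step failed.
remove_creds_file() {
    rm -f "$1"
    [ ! -e "$1" ]
}

# Permission bits of a file as octal text: GNU stat on Ubuntu, with a
# fallback to BSD stat on macOS (assumed portable form for both runners).
creds_file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}
```

In the workflow this would be the body of the save step, with the secret declared under that step's `env:`, and `remove_creds_file` the body of a final step carrying `if: always()`; the migration script then receives the same absolute path that `write_creds_file` was given.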

- name: Setup Docker environment
run: |
# Get the ID of the workflow from the GitHub API using curl and jq
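Review bot: the `echo '${{ secrets.MIGRATION_JSON }}' > ...creds.json` line in the new "Save service account JSON credentials to a file" step pastes the secret into the script text before the shell parses it, so a single quote anywhere in the JSON (key descriptions and display names commonly contain one) terminates the quoted string and the remainder of the value is interpreted as shell. Supply the secret through the step's `env:` (`MIGRATION_JSON: ${{ secrets.MIGRATION_JSON }}`) and write it with `printf '%s' "$MIGRATION_JSON" > creds.json`, under `umask 077` so the file is not created world-readable. The step also sits before "Setup Docker environment", so the key is on disk for the entire job rather than only around the step that consumes it; move it directly ahead of the execute step.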
Expand Down Expand Up @@ -114,8 +116,11 @@ jobs:
- name: Execute Migration Automation Script Ubuntu
run: |
chmod +x ${{ github.workspace }}/.github/migration-tester/migration-automation/ubuntu-os/migration-script-ubuntu.sh
sh ${{ github.workspace }}/.github/migration-tester/migration-automation/ubuntu-os/migration-script-ubuntu.sh "${{ github.event.inputs.urlOld }}" "${{ github.event.inputs.urlNew }}" "${{ github.event.inputs.currentVersion }}" "${{ github.event.inputs.migratingVersion }}" "${{ github.event.inputs.database }}" "${{ github.event.inputs.os }}" "${{ secrets.MIGRATION_EMAIL }}" "${{ secrets.MIGRATION_PASSWORD }}" "${{ secrets.MIGRATION_PAT }}" "${{ secrets.GCP_CLIENT_ID }}" "${{ secrets.GCP_CLIENT_SECRET }}" "${{ secrets.GCP_REFRESH_TOKEN }}" | tee "${{ github.workspace }}/.github/migration-tester/migration-automation/logs.txt"
sh ${{ github.workspace }}/.github/migration-tester/migration-automation/ubuntu-os/migration-script-ubuntu.sh "${{ github.event.inputs.urlOld }}" "${{ github.event.inputs.urlNew }}" "${{ github.event.inputs.currentVersion }}" "${{ github.event.inputs.migratingVersion }}" "${{ github.event.inputs.database }}" "${{ github.event.inputs.os }}" "${{ secrets.MIGRATION_EMAIL }}" "${{ secrets.MIGRATION_PASSWORD }}" "${{ secrets.MIGRATION_PAT }}" creds.json | tee "${{ github.workspace }}/.github/migration-tester/migration-automation/logs.txt"
continue-on-error: true
- name: Remove creds.json file
run: rm -f ${{ github.workspace }}/.github/migration-tester/migration-automation/creds.json


- name: Persist Logs
run: |
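Review bot: the replacement invocation passes the bare relative path `creds.json` to migration-script-ubuntu.sh, but the file was written to `${{ github.workspace }}/.github/migration-tester/migration-automation/creds.json`; unless the script changes into that directory before opening it, the path resolves against the workspace root and the key is not found. Pass the same absolute path used in the save step. Separately, "Remove creds.json file" only runs when every preceding step succeeded, since `continue-on-error: true` covers the script step alone; give the removal step `if: always()` so a failure elsewhere in the job does not leave the key behind.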
Expand All @@ -137,11 +142,16 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Save service account JSON credentials to a file
run: echo '${{ secrets.MIGRATION_JSON }}' > ${{ github.workspace }}/.github/migration-tester/migration-automation/creds.json
- name: Execute Migration Automation Script Ubuntu
run: |
chmod +x ${{ github.workspace }}/.github/migration-tester/migration-automation/ubuntu-os/migration-script-ubuntu.sh
sh ${{ github.workspace }}/.github/migration-tester/migration-automation/ubuntu-os/migration-script-ubuntu.sh "${{ github.event.inputs.urlOld }}" "${{ github.event.inputs.urlNew }}" "${{ github.event.inputs.currentVersion }}" "${{ github.event.inputs.migratingVersion }}" "${{ github.event.inputs.database }}" "${{ github.event.inputs.os }}" "${{ secrets.MIGRATION_EMAIL }}" "${{ secrets.MIGRATION_PASSWORD }}" "${{ secrets.MIGRATION_PAT }}" "${{ secrets.GCP_CLIENT_ID }}" "${{ secrets.GCP_CLIENT_SECRET }}" "${{ secrets.GCP_REFRESH_TOKEN }}" | tee "${{ github.workspace }}/.github/migration-tester/migration-automation/logs.txt"
sh ${{ github.workspace }}/.github/migration-tester/migration-automation/ubuntu-os/migration-script-ubuntu.sh "${{ github.event.inputs.urlOld }}" "${{ github.event.inputs.urlNew }}" "${{ github.event.inputs.currentVersion }}" "${{ github.event.inputs.migratingVersion }}" "${{ github.event.inputs.database }}" "${{ github.event.inputs.os }}" "${{ secrets.MIGRATION_EMAIL }}" "${{ secrets.MIGRATION_PASSWORD }}" "${{ secrets.MIGRATION_PAT }}" creds.json | tee "${{ github.workspace }}/.github/migration-tester/migration-automation/logs.txt"
continue-on-error: true
- name: Remove creds.json file
run: rm -f ${{ github.workspace }}/.github/migration-tester/migration-automation/creds.json


- name: Persist Logs
run: |
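Review bot: because the execute step carries `continue-on-error: true`, a script that exits non-zero on a missing or unreadable `creds.json` still leaves the job green, so the relative-path argument introduced on the replaced line would not be caught by CI. Either drop `continue-on-error` or have the following step check the script's exit status before "Persist Logs" uploads anything. The removal step is correctly placed ahead of "Persist Logs", but it needs `if: always()` to hold that guarantee when an earlier step fails.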
Expand Down Expand Up @@ -173,6 +183,8 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Save service account JSON credentials to a file
run: echo '${{ secrets.JSON }}' > ${{ github.workspace }}/.github/migration-tester/migration-automation/creds.json

- name: Create MS SQL Database
run: |
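Review bot: this job reads `secrets.JSON` while every other job in the file reads `secrets.MIGRATION_JSON`. If no secret named `JSON` exists, the expression expands to an empty string and the step silently writes an empty creds.json that only fails much later inside the migration script. Use the same secret name as the other jobs (and the same `actions/checkout` version; this job is on `@v3`, the rest on `@v2`).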
Expand All @@ -194,8 +206,10 @@ jobs:
- name: Execute Migration Automation Script Ubuntu
run: |
chmod +x ${{ github.workspace }}/.github/migration-tester/migration-automation/ubuntu-os/migration-script-ubuntu.sh
sh ${{ github.workspace }}/.github/migration-tester/migration-automation/ubuntu-os/migration-script-ubuntu.sh "${{ github.event.inputs.urlOld }}" "${{ github.event.inputs.urlNew }}" "${{ github.event.inputs.currentVersion }}" "${{ github.event.inputs.migratingVersion }}" "${{ github.event.inputs.database }}" "${{ github.event.inputs.os }}" "${{ secrets.MIGRATION_EMAIL }}" "${{ secrets.MIGRATION_PASSWORD }}" "${{ secrets.MIGRATION_PAT }}" "${{ secrets.GCP_CLIENT_ID }}" "${{ secrets.GCP_CLIENT_SECRET }}" "${{ secrets.GCP_REFRESH_TOKEN }}" | tee ${{ github.workspace }}/.github/migration-tester/migration-automation/logs.txt
sh ${{ github.workspace }}/.github/migration-tester/migration-automation/ubuntu-os/migration-script-ubuntu.sh "${{ github.event.inputs.urlOld }}" "${{ github.event.inputs.urlNew }}" "${{ github.event.inputs.currentVersion }}" "${{ github.event.inputs.migratingVersion }}" "${{ github.event.inputs.database }}" "${{ github.event.inputs.os }}" "${{ secrets.MIGRATION_EMAIL }}" "${{ secrets.MIGRATION_PASSWORD }}" "${{ secrets.MIGRATION_PAT }}" creds.json | tee "${{ github.workspace }}/.github/migration-tester/migration-automation/logs.txt"
continue-on-error: true
- name: Remove creds.json file
run: rm -f ${{ github.workspace }}/.github/migration-tester/migration-automation/creds.json

- name: Persist Logs
run: |
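Review bot: the key file is written before "Create MS SQL Database" and the database setup that follows, so it is readable throughout that setup even though only the execute step needs it. Write the file immediately before "Execute Migration Automation Script Ubuntu" and mark "Remove creds.json file" with `if: always()`; as written, a failure in the database step skips the removal and the key stays on the runner's disk until the job is torn down.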
Expand All @@ -216,12 +230,17 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Save service account JSON credentials to a file
run: echo '${{ secrets.MIGRATION_JSON }}' > ${{ github.workspace }}/.github/migration-tester/migration-automation/creds.json

- name: Execute Migration Automation Script Mac
run: |
chmod +x ${{ github.workspace }}/.github/migration-tester/migration-automation/mac-os/migration-script-mac.sh
sh ${{ github.workspace }}/.github/migration-tester/migration-automation/mac-os/migration-script-mac.sh "${{ github.event.inputs.urlOld }}" "${{ github.event.inputs.urlNew }}" "${{ github.event.inputs.currentVersion }}" "${{ github.event.inputs.migratingVersion }}" "${{ github.event.inputs.database }}" "${{ github.event.inputs.os }}" "${{ secrets.MIGRATION_EMAIL }}" "${{ secrets.MIGRATION_PASSWORD }}" "${{ secrets.MIGRATION_PAT }}" "${{ secrets.GCP_CLIENT_ID }}" "${{ secrets.GCP_CLIENT_SECRET }}" "${{ secrets.GCP_REFRESH_TOKEN }}" | tee "${{ github.workspace }}/.github/migration-tester/migration-automation/logs.txt"
sh ${{ github.workspace }}/.github/migration-tester/migration-automation/mac-os/migration-script-mac.sh "${{ github.event.inputs.urlOld }}" "${{ github.event.inputs.urlNew }}" "${{ github.event.inputs.currentVersion }}" "${{ github.event.inputs.migratingVersion }}" "${{ github.event.inputs.database }}" "${{ github.event.inputs.os }}" "${{ secrets.MIGRATION_EMAIL }}" "${{ secrets.MIGRATION_PASSWORD }}" "${{ secrets.MIGRATION_PAT }}" creds.json | tee "${{ github.workspace }}/.github/migration-tester/migration-automation/logs.txt"
continue-on-error: true
- name: Remove creds.json file
run: rm -f ${{ github.workspace }}/.github/migration-tester/migration-automation/creds.json

- name: Persist Logs
run: |
mkdir -p ${{ github.workspace }}/.github/migration-tester/migration-automation/artifacts
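Review bot: "Persist Logs" creates `.../migration-automation/artifacts` inside the same directory that holds `creds.json`, so the only thing keeping the key out of the uploaded artifact is the ordering of the preceding `rm -f` step. Make that explicit: run the removal with `if: always()` and copy only `logs.txt` into the artifacts directory rather than anything that could glob the parent. On macOS the default umask leaves the file at 0644, so write it under `umask 077` as well.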
Expand All @@ -241,6 +260,8 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Save service account JSON credentials to a file
run: echo '${{ secrets.MIGRATION_JSON }}' > ${{ github.workspace }}/.github/migration-tester/migration-automation/creds.json
- name: Set up PostgreSQL
env:
PGDATA: /usr/local/var/postgres
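Review bot: same ordering issue as the other jobs: the key is written before "Set up PostgreSQL" and sits on disk for the whole job. Move the save step to just before the execute step so the window in which a readable key exists is as short as possible, and apply the same `env:` plus `printf` pattern instead of `echo '${{ secrets.MIGRATION_JSON }}'`.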
Expand All @@ -267,8 +288,11 @@ jobs:
- name: Execute Migration Automation Script Mac
run: |
chmod +x ${{ github.workspace }}/.github/migration-tester/migration-automation/mac-os/migration-script-mac.sh
sh ${{ github.workspace }}/.github/migration-tester/migration-automation/mac-os/migration-script-mac.sh "${{ github.event.inputs.urlOld }}" "${{ github.event.inputs.urlNew }}" "${{ github.event.inputs.currentVersion }}" "${{ github.event.inputs.migratingVersion }}" "${{ github.event.inputs.database }}" "${{ github.event.inputs.os }}" "${{ secrets.MIGRATION_EMAIL }}" "${{ secrets.MIGRATION_PASSWORD }}" "${{ secrets.MIGRATION_PAT }}" "${{ secrets.GCP_CLIENT_ID }}" "${{ secrets.GCP_CLIENT_SECRET }}" "${{ secrets.GCP_REFRESH_TOKEN }}" | tee "${{ github.workspace }}/.github/migration-tester/migration-automation/logs.txt"
sh ${{ github.workspace }}/.github/migration-tester/migration-automation/mac-os/migration-script-mac.sh "${{ github.event.inputs.urlOld }}" "${{ github.event.inputs.urlNew }}" "${{ github.event.inputs.currentVersion }}" "${{ github.event.inputs.migratingVersion }}" "${{ github.event.inputs.database }}" "${{ github.event.inputs.os }}" "${{ secrets.MIGRATION_EMAIL }}" "${{ secrets.MIGRATION_PASSWORD }}" "${{ secrets.MIGRATION_PAT }}" creds.json | tee "${{ github.workspace }}/.github/migration-tester/migration-automation/logs.txt"
continue-on-error: true
- name: Remove creds.json file
run: rm -f ${{ github.workspace }}/.github/migration-tester/migration-automation/creds.json

- name: Persist Logs
run: |
mkdir -p ${{ github.workspace }}/.github/migration-tester/migration-automation/artifacts
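Review bot: the replaced line still hands `MIGRATION_EMAIL`, `MIGRATION_PASSWORD` and `MIGRATION_PAT` to the script as positional arguments, and now adds the key-file path alongside them; command-line arguments are visible to any other process on the runner via `ps`, whereas the file at least has a mode. Since the script is being changed anyway, read these from environment variables set in the step's `env:` block instead of `$7`..`$9`, and pass only the absolute path of `creds.json`.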
Expand All @@ -288,6 +312,8 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v2
- name: Save service account JSON credentials to a file
run: echo '${{ secrets.MIGRATION_JSON }}' > ${{ github.workspace }}/.github/migration-tester/migration-automation/creds.json

- uses: potatoqualitee/mssqlsuite@v1.7
with:
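Review bot: the key is written to the workspace before the third-party `potatoqualitee/mssqlsuite@v1.7` action runs, so that action's code executes with the service-account key readable on disk. Write the key only after any third-party actions have finished, and pin those actions to a full commit SHA rather than a mutable tag.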
Expand Down Expand Up @@ -315,8 +341,11 @@ jobs:
- name: Execute Migration Automation Script Mac
run: |
chmod +x ${{ github.workspace }}/.github/migration-tester/migration-automation/mac-os/migration-script-mac.sh
sh ${{ github.workspace }}/.github/migration-tester/migration-automation/mac-os/migration-script-mac.sh "${{ github.event.inputs.urlOld }}" "${{ github.event.inputs.urlNew }}" "${{ github.event.inputs.currentVersion }}" "${{ github.event.inputs.migratingVersion }}" "${{ github.event.inputs.database }}" "${{ github.event.inputs.os }}" "${{ secrets.MIGRATION_EMAIL }}" "${{ secrets.MIGRATION_PASSWORD }}" "${{ secrets.MIGRATION_PAT }}" "${{ secrets.GCP_CLIENT_ID }}" "${{ secrets.GCP_CLIENT_SECRET }}" "${{ secrets.GCP_REFRESH_TOKEN }}" | tee "${{ github.workspace }}/.github/migration-tester/migration-automation/logs.txt"
sh ${{ github.workspace }}/.github/migration-tester/migration-automation/mac-os/migration-script-mac.sh "${{ github.event.inputs.urlOld }}" "${{ github.event.inputs.urlNew }}" "${{ github.event.inputs.currentVersion }}" "${{ github.event.inputs.migratingVersion }}" "${{ github.event.inputs.database }}" "${{ github.event.inputs.os }}" "${{ secrets.MIGRATION_EMAIL }}" "${{ secrets.MIGRATION_PASSWORD }}" "${{ secrets.MIGRATION_PAT }}" creds.json | tee "${{ github.workspace }}/.github/migration-tester/migration-automation/logs.txt"
continue-on-error: true
- name: Remove creds.json file
run: rm -f ${{ github.workspace }}/.github/migration-tester/migration-automation/creds.json

- name: Persist Logs
run: |
mkdir -p ${{ github.workspace }}/.github/migration-tester/migration-automation/artifacts
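Review bot: the save/execute/remove trio is now duplicated across every job in the file with identical paths, which is how the `secrets.JSON` mismatch in the MS SQL job slipped in. Factor the three steps into a composite action or a reusable workflow so there is one place to apply `env:`-based secret passing, `umask 077` and `if: always()` cleanup. Longer term, note that this PR replaces a refresh token with a long-lived service-account key stored as a repository secret; GitHub's OIDC token with Workload Identity Federation would avoid storing any long-lived key at all.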