From 2ef70f4dba412cb3fb44e5092b5648a529c765b1 Mon Sep 17 00:00:00 2001 From: Sai Kumar Battinoju Date: Wed, 11 Dec 2024 18:13:58 +0530 Subject: [PATCH 01/17] chore: add workflow for cache policy update --- .github/workflows/unit-tests-and-lint.yml | 5 +++ .github/workflows/update-cache-policy.yml | 49 +++++++++++++++++++++++ 2 files changed, 54 insertions(+) create mode 100644 .github/workflows/update-cache-policy.yml diff --git a/.github/workflows/unit-tests-and-lint.yml b/.github/workflows/unit-tests-and-lint.yml index b95731b7b..03c3b3bd3 100644 --- a/.github/workflows/unit-tests-and-lint.yml +++ b/.github/workflows/unit-tests-and-lint.yml @@ -67,3 +67,8 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} + + temp: + uses: ./.github/workflows/update-cache-policy.yml + with: + policy_type: 'no-store' diff --git a/.github/workflows/update-cache-policy.yml b/.github/workflows/update-cache-policy.yml new file mode 100644 index 000000000..36e2f93b6 --- /dev/null +++ b/.github/workflows/update-cache-policy.yml 
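Review bot: The `temp` job makes the unit-test workflow invoke `update-cache-policy.yml`, so whatever triggers unit-tests-and-lint (its `on:` block is outside this hunk) would also run the S3 metadata rewrite on the self-hosted runner. If that workflow runs on pull requests, an unreviewed branch change would reach the role assumed in the called workflow. If the job exists only to exercise the new workflow, I would drop it before merge or guard it, for example `if: github.event_name == 'workflow_dispatch'`, and trigger the new workflow directly instead.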
@@ -0,0 +1,49 @@
+name: Update cache control policy
+
+on:
+ workflow_dispatch:
+ inputs:
+ policy_type:
+ type: choice
+ description: Select the cache control policy type
+ required: true
+ options:
+ - no-store
+ - max-age=3600
+ workflow_call:
+ inputs:
+ policy_type:
+ type: string
+ required: true
+
+jobs:
+ update-cache-policy:
+ name: Update cache control policy for SDK artifacts
+ runs-on: [self-hosted, Linux, X64]
+
+ steps:
+ - name: Install AWS CLI
+ uses: unfor19/install-aws-cli-action@master
+
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_S3_SYNC_ROLE }}
+ aws-region: us-east-1
+
+ - name: Determine the cache control policy
+ id: determine_policy
+ run: |
+ echo "cache_control_policy=${{ github.event.inputs.policy_type || inputs.policy_type }}" >> $GITHUB_ENV
+
+ - name: Update cache control policy
+ run: |
+ aws s3api list-objects --bucket ${{ secrets.AWS_S3_BUCKET_NAME }} --prefix adobe-analytics-js --query "Contents[].Key" --output text | while read key; do
+ aws s3api copy-object \
+ --bucket ${{ secrets.AWS_S3_BUCKET_NAME }} \
+ --copy-source ${{ secrets.AWS_S3_BUCKET_NAME }}/$key \
+ --key $key \
+ --metadata-directive REPLACE \
+ --cache-control "${{ env.cache_control_policy }}"
+ done
+
From 70ea7b20bcb22a830458b296dd4587e59373c61f Mon Sep 17 00:00:00 2001
From: Sai Kumar Battinoju
Date: Wed, 11 Dec 2024 18:16:33 +0530
Subject: [PATCH 02/17] chore: add permissions secton
---
.github/workflows/update-cache-policy.yml | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/.github/workflows/update-cache-policy.yml b/.github/workflows/update-cache-policy.yml
index 36e2f93b6..5197fd4f3 100644
--- a/.github/workflows/update-cache-policy.yml
+++ b/.github/workflows/update-cache-policy.yml
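Review bot: In the `Determine the cache control policy` step, `${{ github.event.inputs.policy_type || inputs.policy_type }}` is pasted into the `run:` script before the shell parses it, and the `workflow_call` input is a free-form `string`, so a caller-supplied value containing quotes or a newline becomes shell syntax or an extra `$GITHUB_ENV` entry. Pass the value through `env:` and check it against the two supported policies before writing it, as sketched below. The copy step should then read `"$cache_control_policy"` rather than `${{ env.cache_control_policy }}`, and the same applies to the `parallel` command string in PATCH 08 and 09. Separately, `unfor19/install-aws-cli-action@master` tracks a mutable branch in a job that goes on to assume an AWS role; pinning it to a full commit SHA (`@<full-commit-sha>`) keeps upstream changes from running unreviewed.

```yaml
      - name: Determine the cache control policy
        id: determine_policy
        env:
          POLICY_TYPE: ${{ github.event.inputs.policy_type || inputs.policy_type }}
        run: |
          case "$POLICY_TYPE" in
            no-store|max-age=3600) ;;
            *) echo "Unsupported policy_type" >&2; exit 1 ;;
          esac
          echo "cache_control_policy=$POLICY_TYPE" >> "$GITHUB_ENV"
```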
@@ -16,6 +16,10 @@ on: type: string required: true +permissions: + id-token: write # allows the JWT to be requested from GitHub's OIDC provider + contents: read # This is required for actions/checkout + jobs: update-cache-policy: name: Update cache control policy for SDK artifacts From 93cbfa6ef230d4cd9f5e5cb8e6f7782ffc45fdc4 Mon Sep 17 00:00:00 2001 From: Sai Kumar Battinoju Date: Wed, 11 Dec 2024 18:19:20 +0530 Subject: [PATCH 03/17] chore: pass secrets --- .github/workflows/unit-tests-and-lint.yml | 4 ++++ .github/workflows/update-cache-policy.yml | 10 ++++++++++ 2 files changed, 14 insertions(+) diff --git a/.github/workflows/unit-tests-and-lint.yml b/.github/workflows/unit-tests-and-lint.yml index 03c3b3bd3..aba037c24 100644 --- a/.github/workflows/unit-tests-and-lint.yml +++ b/.github/workflows/unit-tests-and-lint.yml @@ -72,3 +72,7 @@ jobs: uses: ./.github/workflows/update-cache-policy.yml with: policy_type: 'no-store' + secrets: + AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }} + AWS_S3_BUCKET_NAME: ${{ secrets.AWS_S3_BUCKET_NAME }} + AWS_S3_SYNC_ROLE: ${{ secrets.AWS_S3_SYNC_ROLE }} diff --git a/.github/workflows/update-cache-policy.yml b/.github/workflows/update-cache-policy.yml index 5197fd4f3..5862d7f21 100644 --- a/.github/workflows/update-cache-policy.yml +++ b/.github/workflows/update-cache-policy.yml @@ -15,6 +15,16 @@ on: policy_type: type: string required: true + secrets: + AWS_ACCOUNT_ID: + description: AWS Account ID + required: true + AWS_S3_BUCKET_NAME: + description: AWS S3 Bucket Name + required: true + AWS_S3_SYNC_ROLE: + description: AWS S3 Sync Role + required: true permissions: id-token: write # allows the JWT to be requested from GitHub's OIDC provider From 1f1bdb5cb3c9378223c09fc17d12f971dc6c1060 Mon Sep 17 00:00:00 2001 
From: Sai Kumar Battinoju Date: Wed, 11 Dec 2024 18:30:21 +0530 Subject: [PATCH 04/17] chore: fix secrets --- .github/workflows/unit-tests-and-lint.yml | 6 +++--- .github/workflows/update-cache-policy.yml | 17 +++++++---------- 2 files changed, 10 insertions(+), 13 deletions(-) diff --git a/.github/workflows/unit-tests-and-lint.yml b/.github/workflows/unit-tests-and-lint.yml index aba037c24..1cd1503b6 100644 --- a/.github/workflows/unit-tests-and-lint.yml +++ b/.github/workflows/unit-tests-and-lint.yml @@ -73,6 +73,6 @@ jobs: with: policy_type: 'no-store' secrets: - AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }} - AWS_S3_BUCKET_NAME: ${{ secrets.AWS_S3_BUCKET_NAME }} - AWS_S3_SYNC_ROLE: ${{ secrets.AWS_S3_SYNC_ROLE }} + AWS_PROD_ACCOUNT_ID: ${{ secrets.AWS_PROD_ACCOUNT_ID }} + AWS_PROD_S3_BUCKET_NAME: ${{ secrets.AWS_PROD_S3_BUCKET_NAME }} + AWS_PROD_S3_SYNC_ROLE: ${{ secrets.AWS_PROD_S3_SYNC_ROLE }} diff --git a/.github/workflows/update-cache-policy.yml b/.github/workflows/update-cache-policy.yml index 5862d7f21..ceac1a78e 100644 --- a/.github/workflows/update-cache-policy.yml +++ b/.github/workflows/update-cache-policy.yml @@ -16,14 +16,11 @@ on: type: string required: true secrets: - AWS_ACCOUNT_ID: - description: AWS Account ID + AWS_PROD_ACCOUNT_ID: required: true - AWS_S3_BUCKET_NAME: - description: AWS S3 Bucket Name + AWS_PROD_S3_BUCKET_NAME: required: true - AWS_S3_SYNC_ROLE: - description: AWS S3 Sync Role + AWS_PROD_S3_SYNC_ROLE: required: true permissions: @@ -42,7 +39,7 @@ jobs: - name: Configure AWS credentials uses: aws-actions/configure-aws-credentials@v4 with: - role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ secrets.AWS_S3_SYNC_ROLE }} + role-to-assume: arn:aws:iam::${{ secrets.AWS_PROD_ACCOUNT_ID }}:role/${{ secrets.AWS_PROD_S3_SYNC_ROLE }} aws-region: us-east-1 - name: Determine the cache control policy 
@@ -52,10 +49,10 @@ jobs: - name: Update cache control policy run: | - aws s3api list-objects --bucket ${{ secrets.AWS_S3_BUCKET_NAME }} --prefix adobe-analytics-js --query "Contents[].Key" --output text | while read key; do + aws s3api list-objects --bucket ${{ secrets.AWS_PROD_S3_BUCKET_NAME }} --prefix adobe-analytics-js --query "Contents[].Key" --output text | while read key; do aws s3api copy-object \ - --bucket ${{ secrets.AWS_S3_BUCKET_NAME }} \ - --copy-source ${{ secrets.AWS_S3_BUCKET_NAME }}/$key \ + --bucket ${{ secrets.AWS_PROD_S3_BUCKET_NAME }} \ + --copy-source ${{ secrets.AWS_PROD_S3_BUCKET_NAME }}/$key \ --key $key \ --metadata-directive REPLACE \ --cache-control "${{ env.cache_control_policy }}" From 161291031253a0f1196fdd5d6cad367b6cec6025 Mon Sep 17 00:00:00 2001 From: Sai Kumar Battinoju Date: Wed, 11 Dec 2024 18:35:41 +0530 Subject: [PATCH 05/17] chore: fix object listing output --- .github/workflows/update-cache-policy.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/update-cache-policy.yml b/.github/workflows/update-cache-policy.yml index ceac1a78e..8cfec55c4 100644 --- a/.github/workflows/update-cache-policy.yml +++ b/.github/workflows/update-cache-policy.yml @@ -49,12 +49,13 @@ jobs: - name: Update cache control policy run: | - aws s3api list-objects --bucket ${{ secrets.AWS_PROD_S3_BUCKET_NAME }} --prefix adobe-analytics-js --query "Contents[].Key" --output text | while read key; do + aws s3api list-objects --bucket ${{ secrets.AWS_PROD_S3_BUCKET_NAME }} --prefix adobe-analytics-js --query "Contents[].Key" --output text | tr '\t' '\n' | while read key; do aws s3api copy-object \ --bucket ${{ secrets.AWS_PROD_S3_BUCKET_NAME }} \ - --copy-source ${{ secrets.AWS_PROD_S3_BUCKET_NAME }}/$key \ - --key $key \ + --copy-source "${{ secrets.AWS_PROD_S3_BUCKET_NAME }}/$key" \ + --key "$key" \ --metadata-directive REPLACE \ --cache-control "${{ env.cache_control_policy }}" done + 
From 8b9334ebb48643b178b2aa85b5de2edf959aa118 Mon Sep 17 00:00:00 2001 From: Sai Kumar Battinoju Date: Wed, 11 Dec 2024 18:37:09 +0530 Subject: [PATCH 06/17] chore: update cache policy --- .github/workflows/unit-tests-and-lint.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/unit-tests-and-lint.yml b/.github/workflows/unit-tests-and-lint.yml index 1cd1503b6..86d5e47ce 100644 --- a/.github/workflows/unit-tests-and-lint.yml +++ b/.github/workflows/unit-tests-and-lint.yml @@ -71,7 +71,7 @@ jobs: temp: uses: ./.github/workflows/update-cache-policy.yml with: - policy_type: 'no-store' + policy_type: 'max-age=3600' secrets: AWS_PROD_ACCOUNT_ID: ${{ secrets.AWS_PROD_ACCOUNT_ID }} AWS_PROD_S3_BUCKET_NAME: ${{ secrets.AWS_PROD_S3_BUCKET_NAME }} From f247b17795d43af3ac100360f82787670a42eba1 Mon Sep 17 00:00:00 2001 From: Sai Kumar Battinoju Date: Wed, 11 Dec 2024 18:56:46 +0530 Subject: [PATCH 07/17] chore: update multiple prefixes --- .github/workflows/update-cache-policy.yml | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/.github/workflows/update-cache-policy.yml b/.github/workflows/update-cache-policy.yml index 8cfec55c4..3faf2e24f 100644 --- a/.github/workflows/update-cache-policy.yml +++ b/.github/workflows/update-cache-policy.yml 
@@ -49,13 +49,19 @@ jobs: - name: Update cache control policy run: | - aws s3api list-objects --bucket ${{ secrets.AWS_PROD_S3_BUCKET_NAME }} --prefix adobe-analytics-js --query "Contents[].Key" --output text | tr '\t' '\n' | while read key; do - aws s3api copy-object \ - --bucket ${{ secrets.AWS_PROD_S3_BUCKET_NAME }} \ - --copy-source "${{ secrets.AWS_PROD_S3_BUCKET_NAME }}/$key" \ - --key "$key" \ - --metadata-directive REPLACE \ - --cache-control "${{ env.cache_control_policy }}" + prefixes=("adobe-analytics-js" "latest") + + for prefix in "${prefixes[@]}"; do + echo "Processing prefix: $prefix" + + aws s3api list-objects --bucket ${{ secrets.AWS_PROD_S3_BUCKET_NAME }} --prefix "$prefix" --query "Contents[].Key" --output text | tr '\t' '\n' | while read key; do + aws s3api copy-object \ + --bucket ${{ secrets.AWS_PROD_S3_BUCKET_NAME }} \ + --copy-source "${{ secrets.AWS_PROD_S3_BUCKET_NAME }}/$key" \ + --key "$key" \ + --metadata-directive REPLACE \ + --cache-control "${{ env.cache_control_policy }}" + done done From 787201e3183632f5363b504141f2e8423145418b Mon Sep 17 00:00:00 2001 From: Sai Kumar Battinoju Date: Wed, 11 Dec 2024 19:20:35 +0530 Subject: [PATCH 08/17] chore: add parallelism --- .github/workflows/update-cache-policy.yml | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) diff --git a/.github/workflows/update-cache-policy.yml b/.github/workflows/update-cache-policy.yml index 3faf2e24f..0d1e881d9 100644 --- a/.github/workflows/update-cache-policy.yml +++ b/.github/workflows/update-cache-policy.yml 
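Review bot: `--metadata-directive REPLACE` with only `--cache-control` supplied replaces the object's whole metadata set, so as far as I know the copies lose their stored `Content-Type` (and any `Content-Encoding` or user metadata) and fall back to the S3 default. For SDK files served to browsers, that can stop scripts from loading where MIME checking is strict. Since this loop now also covers the `latest` prefix, I would read each object's current values with `aws s3api head-object` and pass them back via `--content-type` / `--content-encoding`, then verify one object's headers after a run. The same `copy-object` call appears in the earlier hunks of this series.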
@@ -49,19 +49,24 @@ jobs: - name: Update cache control policy run: | + # Get the number of CPU cores in the runner and leave one core free + num_cores=$(nproc --ignore=1 || echo 1) # Default to 1 if nproc is unavailable + # Use a factor to set the parallel jobs (e.g., number of cores or slightly lower) + parallel_jobs=$((num_cores * 2)) + echo "Detected $num_cores cores. Using $parallel_jobs parallel jobs." + prefixes=("adobe-analytics-js" "latest") for prefix in "${prefixes[@]}"; do echo "Processing prefix: $prefix" - aws s3api list-objects --bucket ${{ secrets.AWS_PROD_S3_BUCKET_NAME }} --prefix "$prefix" --query "Contents[].Key" --output text | tr '\t' '\n' | while read key; do - aws s3api copy-object \ - --bucket ${{ secrets.AWS_PROD_S3_BUCKET_NAME }} \ - --copy-source "${{ secrets.AWS_PROD_S3_BUCKET_NAME }}/$key" \ - --key "$key" \ - --metadata-directive REPLACE \ - --cache-control "${{ env.cache_control_policy }}" - done + aws s3api list-objects --bucket ${{ secrets.AWS_PROD_S3_BUCKET_NAME }} --prefix "$prefix" --query "Contents[].Key" --output text | tr '\t' '\n' | \ + --retries 3 parallel -j "$parallel_jobs" "aws s3api copy-object \ + --bucket ${{ secrets.AWS_PROD_S3_BUCKET_NAME }} \ + --copy-source ${{ secrets.AWS_PROD_S3_BUCKET_NAME }}/{} \ + --key {} \ + --metadata-directive REPLACE \ + --cache-control '${{ env.cache_control_policy }}'" done From f5943e762cdb9d87fef01116ae83d6eeb858e2e3 Mon Sep 17 00:00:00 2001 From: Sai Kumar Battinoju Date: Wed, 11 Dec 2024 19:23:21 +0530 Subject: [PATCH 09/17] chore: fix the command options --- .github/workflows/update-cache-policy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/update-cache-policy.yml b/.github/workflows/update-cache-policy.yml index 0d1e881d9..b28e5e84a 100644 --- a/.github/workflows/update-cache-policy.yml +++ b/.github/workflows/update-cache-policy.yml 
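Review bot: A failed or empty `list-objects` call is not caught in this pipeline. The default `run:` shell, as far as I know, does not enable `pipefail`, so only the exit status of `parallel` counts. With `--output text` an empty result is typically printed as `None`, which would then be handed to `copy-object` as a key. Adding `set -o pipefail` as the first line of the `run:` block and skipping a prefix whose listing is `None` makes a partial run visible instead of reporting success. `parallel` is also not installed by any step shown, so it presumably has to exist on the self-hosted runner already.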
@@ -61,7 +61,7 @@ jobs: echo "Processing prefix: $prefix" aws s3api list-objects --bucket ${{ secrets.AWS_PROD_S3_BUCKET_NAME }} --prefix "$prefix" --query "Contents[].Key" --output text | tr '\t' '\n' | \ - --retries 3 parallel -j "$parallel_jobs" "aws s3api copy-object \ + parallel --retries 10 -j "$parallel_jobs" "aws s3api copy-object \ --bucket ${{ secrets.AWS_PROD_S3_BUCKET_NAME }} \ --copy-source ${{ secrets.AWS_PROD_S3_BUCKET_NAME }}/{} \ --key {} \ From f3ec70358f6b1b35b9720ba3f6e6874a5845e38a Mon Sep 17 00:00:00 2001 From: Sai Kumar Battinoju Date: Wed, 11 Dec 2024 19:53:53 +0530 Subject: [PATCH 10/17] chore: add check for actor --- .github/workflows/unit-tests-and-lint.yml | 1 + .github/workflows/update-cache-policy.yml | 24 ++++++++++++++++++++++- 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/.github/workflows/unit-tests-and-lint.yml b/.github/workflows/unit-tests-and-lint.yml index 86d5e47ce..deac21cae 100644 --- a/.github/workflows/unit-tests-and-lint.yml +++ b/.github/workflows/unit-tests-and-lint.yml @@ -76,3 +76,4 @@ jobs: AWS_PROD_ACCOUNT_ID: ${{ secrets.AWS_PROD_ACCOUNT_ID }} AWS_PROD_S3_BUCKET_NAME: ${{ secrets.AWS_PROD_S3_BUCKET_NAME }} AWS_PROD_S3_SYNC_ROLE: ${{ secrets.AWS_PROD_S3_SYNC_ROLE }} + PAT: ${{ secrets.PAT }} diff --git a/.github/workflows/update-cache-policy.yml b/.github/workflows/update-cache-policy.yml index b28e5e84a..5a586d775 100644 --- a/.github/workflows/update-cache-policy.yml +++ b/.github/workflows/update-cache-policy.yml 
@@ -22,13 +22,35 @@ on: required: true AWS_PROD_S3_SYNC_ROLE: required: true + PAT: + required: true permissions: id-token: write # allows the JWT to be requested from GitHub's OIDC provider contents: read # This is required for actions/checkout jobs: + check-actor: + runs-on: ubuntu-latest + steps: + - name: Check if valid actor + env: + ORG_NAME: rudderlabs + TEAM_NAME: js-sdk + run: | + actor=${{ github.actor || github.triggering_actor }} + response=$(curl -s -H "Authorization: Bearer ${{ secrets.PAT }}" \ + "https://api.github.com/orgs/$ORG_NAME/teams/$TEAM_NAME/members/$actor") + + if echo "$response" | grep -q '"state": "active"'; then + echo "$actor is a member of $TEAM_NAME" + else + echo "$actor is NOT a member of $TEAM_NAME" + exit 1 + fi + update-cache-policy: + needs: check-actor name: Update cache control policy for SDK artifacts runs-on: [self-hosted, Linux, X64] @@ -55,7 +77,7 @@ jobs: parallel_jobs=$((num_cores * 2)) echo "Detected $num_cores cores. Using $parallel_jobs parallel jobs." - prefixes=("adobe-analytics-js" "latest") + prefixes=("adobe-analytics-js") for prefix in "${prefixes[@]}"; do echo "Processing prefix: $prefix" From 8b0aca7c9cb0a01c8f5f9ec9a1be2472fe95a4b9 Mon Sep 17 00:00:00 2001 From: Sai Kumar Battinoju Date: Wed, 11 Dec 2024 20:02:42 +0530 Subject: [PATCH 11/17] chore: use new api --- .github/workflows/update-cache-policy.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/update-cache-policy.yml b/.github/workflows/update-cache-policy.yml index 5a586d775..a77396ab1 100644 --- a/.github/workflows/update-cache-policy.yml +++ b/.github/workflows/update-cache-policy.yml 
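Review bot: The membership check in `check-actor` reads `github.actor || github.triggering_actor`, and `github.actor` is always set, so the fallback is never used. On a re-run `github.actor` stays the user who started the original run, so a re-run started by someone with repository write access but outside the team would still pass. Checking `github.triggering_actor` closes that gap, and passing both values through the step's `env:` (`ACTOR: ${{ github.triggering_actor }}`, `PAT: ${{ secrets.PAT }}`) keeps the token and the name out of the generated script text. The job also inherits the workflow-level `id-token: write` although it only calls the GitHub API; a job-level `permissions: {}` would drop it.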
@@ -39,8 +39,11 @@ jobs: TEAM_NAME: js-sdk run: | actor=${{ github.actor || github.triggering_actor }} - response=$(curl -s -H "Authorization: Bearer ${{ secrets.PAT }}" \ - "https://api.github.com/orgs/$ORG_NAME/teams/$TEAM_NAME/members/$actor") + response=$(curl -L \ + -H "Accept: application/vnd.github+json" \ + -H "Authorization: Bearer ${{ secrets.PAT }}" \ + -H "X-GitHub-Api-Version: 2022-11-28" \ + https://api.github.com/orgs/${{ env.ORG_NAME }}/teams/${{ env.TEAM_NAME }}/memberships/$actor) if echo "$response" | grep -q '"state": "active"'; then echo "$actor is a member of $TEAM_NAME" From bb89de06a57ecb2a07b3deebfc00e4a2d5c79144 Mon Sep 17 00:00:00 2001 From: Sai Kumar Battinoju Date: Wed, 11 Dec 2024 20:09:55 +0530 Subject: [PATCH 12/17] chore: log response --- .github/workflows/update-cache-policy.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/update-cache-policy.yml b/.github/workflows/update-cache-policy.yml index a77396ab1..1e719ff3e 100644 --- a/.github/workflows/update-cache-policy.yml +++ b/.github/workflows/update-cache-policy.yml @@ -45,6 +45,8 @@ jobs: -H "X-GitHub-Api-Version: 2022-11-28" \ https://api.github.com/orgs/${{ env.ORG_NAME }}/teams/${{ env.TEAM_NAME }}/memberships/$actor) + echo "Response: $response" + if echo "$response" | grep -q '"state": "active"'; then echo "$actor is a member of $TEAM_NAME" else From 161ab3a6b7fd4a1b2a68933ab6bcd2d07aab3d48 Mon Sep 17 00:00:00 2001 From: Sai Kumar Battinoju Date: Wed, 11 Dec 2024 20:21:38 +0530 Subject: [PATCH 13/17] chore: use github token --- .github/workflows/unit-tests-and-lint.yml | 2 +- .github/workflows/update-cache-policy.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/unit-tests-and-lint.yml b/.github/workflows/unit-tests-and-lint.yml index deac21cae..28a208b20 100644 --- a/.github/workflows/unit-tests-and-lint.yml +++ b/.github/workflows/unit-tests-and-lint.yml 
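Review bot: The new `curl -L` call ignores the HTTP status, and the allow/deny decision rests on finding the exact text `"state": "active"` in whatever body comes back. It fails closed today, but it is tied to the API's pretty-printed spacing and cannot tell "not a member" apart from "token lacks access to the team". I would use `curl -fsSL` so API errors stop the step, and test the field with `jq -e '.state == "active"'`. The `grep` line itself is context here; the step's body starts outside this hunk.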
@@ -76,4 +76,4 @@ jobs: AWS_PROD_ACCOUNT_ID: ${{ secrets.AWS_PROD_ACCOUNT_ID }} AWS_PROD_S3_BUCKET_NAME: ${{ secrets.AWS_PROD_S3_BUCKET_NAME }} AWS_PROD_S3_SYNC_ROLE: ${{ secrets.AWS_PROD_S3_SYNC_ROLE }} - PAT: ${{ secrets.PAT }} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/update-cache-policy.yml b/.github/workflows/update-cache-policy.yml index 1e719ff3e..7921fc1f0 100644 --- a/.github/workflows/update-cache-policy.yml +++ b/.github/workflows/update-cache-policy.yml @@ -22,7 +22,7 @@ on: required: true AWS_PROD_S3_SYNC_ROLE: required: true - PAT: + GITHUB_TOKEN: required: true permissions: @@ -41,7 +41,7 @@ jobs: actor=${{ github.actor || github.triggering_actor }} response=$(curl -L \ -H "Accept: application/vnd.github+json" \ - -H "Authorization: Bearer ${{ secrets.PAT }}" \ + -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \ -H "X-GitHub-Api-Version: 2022-11-28" \ https://api.github.com/orgs/${{ env.ORG_NAME }}/teams/${{ env.TEAM_NAME }}/memberships/$actor) From eaf280158ce11dc6d5e23a3fecff885a60b3e2c2 Mon Sep 17 00:00:00 2001 From: Sai Kumar Battinoju Date: Wed, 11 Dec 2024 20:22:47 +0530 Subject: [PATCH 14/17] chore: do not send github token --- .github/workflows/unit-tests-and-lint.yml | 1 - .github/workflows/update-cache-policy.yml | 2 -- 2 files changed, 3 deletions(-) diff --git a/.github/workflows/unit-tests-and-lint.yml b/.github/workflows/unit-tests-and-lint.yml index 28a208b20..86d5e47ce 100644 --- a/.github/workflows/unit-tests-and-lint.yml +++ b/.github/workflows/unit-tests-and-lint.yml @@ -76,4 +76,3 @@ jobs: AWS_PROD_ACCOUNT_ID: ${{ secrets.AWS_PROD_ACCOUNT_ID }} AWS_PROD_S3_BUCKET_NAME: ${{ secrets.AWS_PROD_S3_BUCKET_NAME }} AWS_PROD_S3_SYNC_ROLE: ${{ secrets.AWS_PROD_S3_SYNC_ROLE }} - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/update-cache-policy.yml b/.github/workflows/update-cache-policy.yml index 7921fc1f0..8aea81f83 100644 --- a/.github/workflows/update-cache-policy.yml 
+++ b/.github/workflows/update-cache-policy.yml @@ -22,8 +22,6 @@ on: required: true AWS_PROD_S3_SYNC_ROLE: required: true - GITHUB_TOKEN: - required: true permissions: id-token: write # allows the JWT to be requested from GitHub's OIDC provider From ef0982005a42327c21f3216689d5b683658fd06b Mon Sep 17 00:00:00 2001 From: Sai Kumar Battinoju Date: Wed, 11 Dec 2024 20:26:41 +0530 Subject: [PATCH 15/17] chore: pass github token under a different name --- .github/workflows/unit-tests-and-lint.yml | 1 + .github/workflows/update-cache-policy.yml | 4 +++- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/.github/workflows/unit-tests-and-lint.yml b/.github/workflows/unit-tests-and-lint.yml index 86d5e47ce..6bb799ba3 100644 --- a/.github/workflows/unit-tests-and-lint.yml +++ b/.github/workflows/unit-tests-and-lint.yml @@ -76,3 +76,4 @@ jobs: AWS_PROD_ACCOUNT_ID: ${{ secrets.AWS_PROD_ACCOUNT_ID }} AWS_PROD_S3_BUCKET_NAME: ${{ secrets.AWS_PROD_S3_BUCKET_NAME }} AWS_PROD_S3_SYNC_ROLE: ${{ secrets.AWS_PROD_S3_SYNC_ROLE }} + TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/update-cache-policy.yml b/.github/workflows/update-cache-policy.yml index 8aea81f83..b8765431c 100644 --- a/.github/workflows/update-cache-policy.yml +++ b/.github/workflows/update-cache-policy.yml @@ -22,6 +22,8 @@ on: required: true AWS_PROD_S3_SYNC_ROLE: required: true + TOKEN: + required: true permissions: id-token: write # allows the JWT to be requested from GitHub's OIDC provider @@ -39,7 +41,7 @@ jobs: actor=${{ github.actor || github.triggering_actor }} response=$(curl -L \ -H "Accept: application/vnd.github+json" \ - -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \ + -H "Authorization: Bearer ${{ secrets.TOKEN }}" \ -H "X-GitHub-Api-Version: 2022-11-28" \ https://api.github.com/orgs/${{ env.ORG_NAME }}/teams/${{ env.TEAM_NAME }}/memberships/$actor) From c24f1b9e486ebfe4fa231cba154e88db1ffea2f1 Mon Sep 17 00:00:00 2001 
From: Sai Kumar Battinoju Date: Wed, 11 Dec 2024 21:08:00 +0530 Subject: [PATCH 16/17] chore: use pat again --- .github/workflows/unit-tests-and-lint.yml | 2 +- .github/workflows/update-cache-policy.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/unit-tests-and-lint.yml b/.github/workflows/unit-tests-and-lint.yml index 6bb799ba3..deac21cae 100644 --- a/.github/workflows/unit-tests-and-lint.yml +++ b/.github/workflows/unit-tests-and-lint.yml @@ -76,4 +76,4 @@ jobs: AWS_PROD_ACCOUNT_ID: ${{ secrets.AWS_PROD_ACCOUNT_ID }} AWS_PROD_S3_BUCKET_NAME: ${{ secrets.AWS_PROD_S3_BUCKET_NAME }} AWS_PROD_S3_SYNC_ROLE: ${{ secrets.AWS_PROD_S3_SYNC_ROLE }} - TOKEN: ${{ secrets.GITHUB_TOKEN }} + PAT: ${{ secrets.PAT }} diff --git a/.github/workflows/update-cache-policy.yml b/.github/workflows/update-cache-policy.yml index b8765431c..1e719ff3e 100644 --- a/.github/workflows/update-cache-policy.yml +++ b/.github/workflows/update-cache-policy.yml @@ -22,7 +22,7 @@ on: required: true AWS_PROD_S3_SYNC_ROLE: required: true - TOKEN: + PAT: required: true permissions: @@ -41,7 +41,7 @@ jobs: actor=${{ github.actor || github.triggering_actor }} response=$(curl -L \ -H "Accept: application/vnd.github+json" \ - -H "Authorization: Bearer ${{ secrets.TOKEN }}" \ + -H "Authorization: Bearer ${{ secrets.PAT }}" \ -H "X-GitHub-Api-Version: 2022-11-28" \ https://api.github.com/orgs/${{ env.ORG_NAME }}/teams/${{ env.TEAM_NAME }}/memberships/$actor) From a0e491fd143c5889ae9b6881909d69f3681901b5 Mon Sep 17 00:00:00 2001 From: Sai Kumar Battinoju Date: Wed, 11 Dec 2024 22:00:03 +0530 Subject: [PATCH 17/17] chore: clean up the workflow --- .github/workflows/unit-tests-and-lint.yml | 10 -------- .github/workflows/update-cache-policy.yml | 28 +++++------------------ 2 files changed, 6 insertions(+), 32 deletions(-) diff --git a/.github/workflows/unit-tests-and-lint.yml b/.github/workflows/unit-tests-and-lint.yml index deac21cae..b95731b7b 100644 
--- a/.github/workflows/unit-tests-and-lint.yml +++ b/.github/workflows/unit-tests-and-lint.yml @@ -67,13 +67,3 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }} - - temp: - uses: ./.github/workflows/update-cache-policy.yml - with: - policy_type: 'max-age=3600' - secrets: - AWS_PROD_ACCOUNT_ID: ${{ secrets.AWS_PROD_ACCOUNT_ID }} - AWS_PROD_S3_BUCKET_NAME: ${{ secrets.AWS_PROD_S3_BUCKET_NAME }} - AWS_PROD_S3_SYNC_ROLE: ${{ secrets.AWS_PROD_S3_SYNC_ROLE }} - PAT: ${{ secrets.PAT }} diff --git a/.github/workflows/update-cache-policy.yml b/.github/workflows/update-cache-policy.yml index 1e719ff3e..8cca3587c 100644 --- a/.github/workflows/update-cache-policy.yml +++ b/.github/workflows/update-cache-policy.yml @@ -10,30 +10,16 @@ on: options: - no-store - max-age=3600 - workflow_call: - inputs: - policy_type: - type: string - required: true - secrets: - AWS_PROD_ACCOUNT_ID: - required: true - AWS_PROD_S3_BUCKET_NAME: - required: true - AWS_PROD_S3_SYNC_ROLE: - required: true - PAT: - required: true permissions: id-token: write # allows the JWT to be requested from GitHub's OIDC provider contents: read # This is required for actions/checkout jobs: - check-actor: + validate-actor: runs-on: ubuntu-latest steps: - - name: Check if valid actor + - name: Validate if actor is allowed to trigger the workflow env: ORG_NAME: rudderlabs TEAM_NAME: js-sdk 
@@ -45,17 +31,15 @@ jobs: -H "X-GitHub-Api-Version: 2022-11-28" \ https://api.github.com/orgs/${{ env.ORG_NAME }}/teams/${{ env.TEAM_NAME }}/memberships/$actor) - echo "Response: $response" - if echo "$response" | grep -q '"state": "active"'; then - echo "$actor is a member of $TEAM_NAME" + echo "$actor is a member of $TEAM_NAME team" else - echo "$actor is NOT a member of $TEAM_NAME" + echo "$actor is NOT a member of $TEAM_NAME team" exit 1 fi update-cache-policy: - needs: check-actor + needs: validate-actor name: Update cache control policy for SDK artifacts runs-on: [self-hosted, Linux, X64] @@ -82,7 +66,7 @@ jobs: parallel_jobs=$((num_cores * 2)) echo "Detected $num_cores cores. Using $parallel_jobs parallel jobs." - prefixes=("adobe-analytics-js") + prefixes=("adobe-analytics-js" "v3" "v1.1") for prefix in "${prefixes[@]}"; do echo "Processing prefix: $prefix"
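Review bot: `--prefix` is a plain string match on the key, so the new entries `"v3"` and `"v1.1"` in the last hunk also select any key that merely starts with those characters, for example a sibling directory such as `v1.10/` or `v3.1/` if one exists in the bucket. Because every matched object is rewritten in place, I would end each prefix with the delimiter, `prefixes=("adobe-analytics-js/" "v3/" "v1.1/")`, assuming the artifacts live under those directories. The bucket layout is not visible here, so confirm it before changing the list.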