134 changes: 134 additions & 0 deletions .github/workflows/wg-onboard.yml
@@ -0,0 +1,134 @@
name: WireGuard onboard environment

# Self-service WireGuard onboarding for a new environment.
# Allocates free WireGuard peers from the jumpserver and publishes them as
# GitHub *environment* secrets (TF_WG_CONFIG, CLUSTER_WIREGUARD_WG0/WG1) so a
# QA/dev team can run the Terraform + Helmsman workflows without DevOps.
#
# Requires .github/scripts/wg-onboard.sh (mosip/infra PR #253).

on:
workflow_dispatch:
inputs:
ENV_NAME:
description: 'Environment / branch name to onboard (becomes the GitHub environment name)'
required: true
type: string
JUMPSERVER_HOST:
description: 'Jumpserver / WireGuard VM public IP or DNS (SSH reachable)'
required: true
type: string
TICKET:
description: 'Optional ticket id to record in assigned.txt (e.g. DSD-10264)'
required: false
type: string
WG_DIR:
description: 'WireGuard env dir on the VM'
required: false
type: string
default: /home/ubuntu/wireguard_env_2026
ALLOWED_IPS:
description: 'AllowedIPs to set in each conf'
required: false
type: string
default: 172.31.0.0/16
DRY_RUN:
description: 'Resolve and print actions without creating env/secrets'
required: false
type: boolean
default: true

permissions:
contents: read

concurrency:
group: wg-onboard-${{ inputs.ENV_NAME }}
cancel-in-progress: false

jobs:
onboard:
runs-on: self-hosted
timeout-minutes: 20
steps:
- name: Validate required secrets
run: |
missing=()
[[ -z "${{ secrets.ACTION_PAT }}" ]] && missing+=(ACTION_PAT)
[[ -z "${{ secrets.MOSIP_AWS_PEM }}" ]] && missing+=(MOSIP_AWS_PEM)
if ((${#missing[@]})); then
echo "ERROR: Missing repository secrets: ${missing[*]}"
echo "Add them under Settings → Secrets and variables → Actions for ${GITHUB_REPOSITORY}"
exit 1
fi

- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false

- name: Write SSH private key
env:
SSH_KEY: ${{ secrets.MOSIP_AWS_PEM }}
SSH_KEY_NAME: MOSIP_AWS_PEM
run: |
SSH_KEY_PATH="${RUNNER_TEMP}/jumpserver_key"
printf '%s\n' "$SSH_KEY" | tr -d '\r' > "$SSH_KEY_PATH"
chmod 600 "$SSH_KEY_PATH"
if ! ssh-keygen -l -f "$SSH_KEY_PATH" >/dev/null 2>&1; then
echo "ERROR: secret '$SSH_KEY_NAME' is not a valid private key (check format/newlines/CRLF)"
exit 1
fi
echo "SSH_KEY_PATH=$SSH_KEY_PATH" >> "$GITHUB_ENV"

- name: Run WireGuard onboarding
env:
GH_TOKEN: ${{ secrets.ACTION_PAT }}
GITHUB_TOKEN: ${{ secrets.ACTION_PAT }}
INPUT_ENV_NAME: ${{ inputs.ENV_NAME }}
INPUT_JUMPSERVER_HOST: ${{ inputs.JUMPSERVER_HOST }}
INPUT_WG_DIR: ${{ inputs.WG_DIR }}
INPUT_ALLOWED_IPS: ${{ inputs.ALLOWED_IPS }}
INPUT_TICKET: ${{ inputs.TICKET }}
INPUT_DRY_RUN: ${{ inputs.DRY_RUN }}
GITHUB_REPOSITORY: ${{ github.repository }}
run: |
chmod +x .github/scripts/wg-onboard.sh
args=(
--env "$INPUT_ENV_NAME"
--host "$INPUT_JUMPSERVER_HOST"
--ssh-key "$SSH_KEY_PATH"
--repo "$GITHUB_REPOSITORY"
--wg-dir "$INPUT_WG_DIR"
--allowed-ips "$INPUT_ALLOWED_IPS"
)
[[ -n "$INPUT_TICKET" ]] && args+=(--ticket "$INPUT_TICKET")
[[ "$INPUT_DRY_RUN" == "true" ]] && args+=(--dry-run)
.github/scripts/wg-onboard.sh "${args[@]}"

- name: Cleanup SSH private key
if: always()
run: rm -f "${SSH_KEY_PATH:-}"

- name: Commit updated peer allocation
if: ${{ inputs.DRY_RUN == false }}
env:
GH_TOKEN: ${{ secrets.ACTION_PAT }}
INPUT_ENV_NAME: ${{ inputs.ENV_NAME }}
GIT_AUTHOR_NAME: ${{ github.actor }}
GIT_AUTHOR_EMAIL: ${{ github.actor }}@users.noreply.github.com
GIT_COMMITTER_NAME: ${{ github.actor }}
GIT_COMMITTER_EMAIL: ${{ github.actor }}@users.noreply.github.com
run: |
tracker=".github/scripts/wg-peer-allocation.tsv"
if git diff --quiet -- "$tracker"; then
echo "No allocation change to commit"
else
remote_url="https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
if ! git pull --rebase --autostash "$remote_url" "${GITHUB_REF_NAME}"; then
echo "ERROR: Rebase failed (concurrent tracker update?). Resolve on ${GITHUB_REF_NAME} and re-run."
exit 1
fi
git add "$tracker"
git commit -s -m "wg: allocate peers for environment $INPUT_ENV_NAME"
git push "$remote_url" "HEAD:${GITHUB_REF_NAME}"
fi
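Review bot: The "Validate required secrets" step splices `${{ secrets.ACTION_PAT }}` and `${{ secrets.MOSIP_AWS_PEM }}` directly into the shell script text, so the secret bytes become part of the script bash parses rather than a value it reads; a PEM is multi-line and a token could in principle contain quote or `$` characters, and this is the same expression-in-`run` pattern that GitHub's hardening guidance warns against, even though the later steps in this file already do it the right way via `env:`. Moving both to a step-level `env:` block and testing `"$ACTION_PAT"` / `"$MOSIP_AWS_PEM"` keeps the check identical while the values only ever reach the shell as environment variables. Separately, the `https://x-access-token:${GH_TOKEN}@github.com/...` remote on the commit step puts the PAT in a URL that git echoes in its own error messages (`fatal: unable to access '...'`); the runner's log masking should redact it, but `gh auth setup-git` or `git -c http.https://github.com/.extraheader=...` would avoid relying on that.

```yaml
- name: Validate required secrets
  env:
    ACTION_PAT: ${{ secrets.ACTION_PAT }}
    MOSIP_AWS_PEM: ${{ secrets.MOSIP_AWS_PEM }}
  run: |
    missing=()
    [[ -z "$ACTION_PAT" ]] && missing+=(ACTION_PAT)
    [[ -z "$MOSIP_AWS_PEM" ]] && missing+=(MOSIP_AWS_PEM)
    # … unchanged: report missing secrets and exit 1 …
```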