actions/deploy: auto-renew github token instead of using single-use token

Author: tronghn

actions/deploy/entrypoint.sh

@@ -7,6 +7,9 @@ fi
 if [ -n "$ACTIONS_ID_TOKEN_REQUEST_TOKEN" ]; then
     echo "::add-mask::$ACTIONS_ID_TOKEN_REQUEST_TOKEN"
 fi
+if [ -n "$ACTIONS_ID_TOKEN_REQUEST_URL" ]; then
+    echo "::add-mask::$ACTIONS_ID_TOKEN_REQUEST_URL"
+fi
 
 if [ -z "$OWNER" ]; then
     OWNER=$(echo "$GITHUB_REPOSITORY" | cut -f1 -d/)
@@ -65,12 +68,8 @@ if [ -z "$APIKEY" ]; then
         exit 1
     fi
 
-    payload=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=hookd")
-    jwt=$(echo "$payload" | jq -r '.value')
-    export GITHUB_TOKEN="$jwt"
-
-    #export GITHUB_TOKEN_REQUEST_TOKEN="$ACTIONS_ID_TOKEN_REQUEST_TOKEN"
-    #export GITHUB_TOKEN_REQUEST_URL="$ACTIONS_ID_TOKEN_REQUEST_URL"
+    export GITHUB_TOKEN_URL="$ACTIONS_ID_TOKEN_REQUEST_TOKEN"
+    export GITHUB_BEARER_TOKEN="$ACTIONS_ID_TOKEN_REQUEST_URL"
 else
     echo "::notice ::APIKEY IS DEPRECATED, PLEASE USE WORKLOAD IDENTITY, For more info see https://doc.nais.io/build/how-to/build-and-deploy and/or https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs"
 fi

pkg/deployclient/config.go

@@ -19,7 +19,6 @@ type Config struct {
 	DeployServerURL           string
 	DryRun                    bool
 	Environment               string
-	GitHubToken               string
 	GitHubTokenURL            string
 	GitHubBearerToken         string
 	GrpcAuthentication        bool
@@ -54,7 +53,6 @@ func InitConfig(cfg *Config) {
 	flag.StringVar(&cfg.DeployServerURL, "deploy-server", getEnv("DEPLOY_SERVER", DefaultDeployServer), "URL to API server. (env DEPLOY_SERVER)")
 	flag.BoolVar(&cfg.DryRun, "dry-run", getEnvBool("DRY_RUN", false), "Run templating, but don't actually make any requests. (env DRY_RUN)")
 	flag.StringVar(&cfg.Environment, "environment", os.Getenv("ENVIRONMENT"), "Environment for GitHub deployment. Autodetected from nais.yaml if not specified. (env ENVIRONMENT)")
-	flag.StringVar(&cfg.GitHubToken, "github-token", os.Getenv("GITHUB_TOKEN"), "Deprecated. Use 'github-token-url' and 'github-bearer-token' instead. Github JWT. (env GITHUB_TOKEN)")
 	flag.StringVar(&cfg.GitHubTokenURL, "github-token-url", os.Getenv("GITHUB_TOKEN_URL"), "URL for requesting GitHub id_token. (env GITHUB_TOKEN_URL)")
 	flag.StringVar(&cfg.GitHubBearerToken, "github-bearer-token", os.Getenv("GITHUB_BEARER_TOKEN"), "Bearer token for use when requesting GitHub id_token. (env GITHUB_BEARER_TOKEN)")
 	flag.BoolVar(&cfg.GrpcAuthentication, "grpc-authentication", getEnvBool("GRPC_AUTHENTICATION", true), "Use team API key to authenticate requests. (env GRPC_AUTHENTICATION)")
@@ -143,7 +141,7 @@ func (cfg *Config) Validate() error {
 		return ErrClusterRequired
 	}
 
-	githubAuth := len(cfg.GitHubToken) > 0 || (len(cfg.GitHubTokenURL) > 0 && len(cfg.GitHubBearerToken) > 0)
+	githubAuth := len(cfg.GitHubTokenURL) > 0 && len(cfg.GitHubBearerToken) > 0
 	if len(cfg.APIKey) == 0 && !githubAuth {
 		return ErrAuthRequired
 	}

pkg/deployclient/grpc.go

@@ -30,12 +30,6 @@ func NewGrpcConnection(cfg Config) (*grpc.ClientConn, error) {
 				TokenURL:    cfg.GitHubTokenURL,
 				Team:        cfg.Team,
 			}
-		} else if cfg.GitHubToken != "" {
-			interceptor = &auth_interceptor.JWTInterceptor{
-				JWT:        cfg.GitHubToken,
-				RequireTLS: cfg.GrpcUseTLS,
-				Team:       cfg.Team,
-			}
 		} else {
 			decoded, err := hex.DecodeString(cfg.APIKey)
 			if err != nil {