Revert "actions/deploy: auto-renew github token instead of using single-use token"

tronghn · tronghn · commit 50752be7706e · 2025-03-21T10:13:45.000+01:00
This reverts commit 1ecf404.
diff --git a/actions/deploy/entrypoint.sh b/actions/deploy/entrypoint.sh
@@ -7,9 +7,6 @@ fi
 if [ -n "$ACTIONS_ID_TOKEN_REQUEST_TOKEN" ]; then
     echo "::add-mask::$ACTIONS_ID_TOKEN_REQUEST_TOKEN"
 fi
-if [ -n "$ACTIONS_ID_TOKEN_REQUEST_URL" ]; then
-    echo "::add-mask::$ACTIONS_ID_TOKEN_REQUEST_URL"
-fi
 
 if [ -z "$OWNER" ]; then
     OWNER=$(echo "$GITHUB_REPOSITORY" | cut -f1 -d/)
@@ -68,8 +65,12 @@ if [ -z "$APIKEY" ]; then
         exit 1
     fi
 
-    export GITHUB_TOKEN_URL="$ACTIONS_ID_TOKEN_REQUEST_TOKEN"
-    export GITHUB_BEARER_TOKEN="$ACTIONS_ID_TOKEN_REQUEST_URL"
+    payload=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=hookd")
+    jwt=$(echo "$payload" | jq -r '.value')
+    export GITHUB_TOKEN="$jwt"
+
+    #export GITHUB_TOKEN_REQUEST_TOKEN="$ACTIONS_ID_TOKEN_REQUEST_TOKEN"
+    #export GITHUB_TOKEN_REQUEST_URL="$ACTIONS_ID_TOKEN_REQUEST_URL"
 else
     echo "::notice ::APIKEY IS DEPRECATED, PLEASE USE WORKLOAD IDENTITY, For more info see https://doc.nais.io/build/how-to/build-and-deploy and/or https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs"
 fi
diff --git a/pkg/deployclient/config.go b/pkg/deployclient/config.go
@@ -19,6 +19,7 @@ type Config struct {
 	DeployServerURL           string
 	DryRun                    bool
 	Environment               string
+	GitHubToken               string
 	GitHubTokenURL            string
 	GitHubBearerToken         string
 	GrpcAuthentication        bool
@@ -53,6 +54,7 @@ func InitConfig(cfg *Config) {
 	flag.StringVar(&cfg.DeployServerURL, "deploy-server", getEnv("DEPLOY_SERVER", DefaultDeployServer), "URL to API server. (env DEPLOY_SERVER)")
 	flag.BoolVar(&cfg.DryRun, "dry-run", getEnvBool("DRY_RUN", false), "Run templating, but don't actually make any requests. (env DRY_RUN)")
 	flag.StringVar(&cfg.Environment, "environment", os.Getenv("ENVIRONMENT"), "Environment for GitHub deployment. Autodetected from nais.yaml if not specified. (env ENVIRONMENT)")
+	flag.StringVar(&cfg.GitHubToken, "github-token", os.Getenv("GITHUB_TOKEN"), "Deprecated. Use 'github-token-url' and 'github-bearer-token' instead. Github JWT. (env GITHUB_TOKEN)")
 	flag.StringVar(&cfg.GitHubTokenURL, "github-token-url", os.Getenv("GITHUB_TOKEN_URL"), "URL for requesting GitHub id_token. (env GITHUB_TOKEN_URL)")
 	flag.StringVar(&cfg.GitHubBearerToken, "github-bearer-token", os.Getenv("GITHUB_BEARER_TOKEN"), "Bearer token for use when requesting GitHub id_token. (env GITHUB_BEARER_TOKEN)")
 	flag.BoolVar(&cfg.GrpcAuthentication, "grpc-authentication", getEnvBool("GRPC_AUTHENTICATION", true), "Use team API key to authenticate requests. (env GRPC_AUTHENTICATION)")
@@ -141,7 +143,7 @@ func (cfg *Config) Validate() error {
 		return ErrClusterRequired
 	}
 
-	githubAuth := len(cfg.GitHubTokenURL) > 0 && len(cfg.GitHubBearerToken) > 0
+	githubAuth := len(cfg.GitHubToken) > 0 || (len(cfg.GitHubTokenURL) > 0 && len(cfg.GitHubBearerToken) > 0)
 	if len(cfg.APIKey) == 0 && !githubAuth {
 		return ErrAuthRequired
 	}
diff --git a/pkg/deployclient/grpc.go b/pkg/deployclient/grpc.go
@@ -30,6 +30,12 @@ func NewGrpcConnection(cfg Config) (*grpc.ClientConn, error) {
 				TokenURL:    cfg.GitHubTokenURL,
 				Team:        cfg.Team,
 			}
+		} else if cfg.GitHubToken != "" {
+			interceptor = &auth_interceptor.JWTInterceptor{
+				JWT:        cfg.GitHubToken,
+				RequireTLS: cfg.GrpcUseTLS,
+				Team:       cfg.Team,
+			}
 		} else {
 			decoded, err := hex.DecodeString(cfg.APIKey)
 			if err != nil {
