actions/deploy: auto-renew github token instead of using single-use token

tronghn · tronghn · commit a6758e64144f · 2025-03-21T10:46:55.000+01:00
Take two, now with correct masks and variables.
diff --git a/actions/deploy/entrypoint.sh b/actions/deploy/entrypoint.sh
@@ -4,6 +4,11 @@
 if [ -n "$APIKEY" ]; then
     echo "::add-mask::$APIKEY"
 fi
+
+if [ -n "$ACTIONS_ID_TOKEN_REQUEST_URL" ]; then
+    echo "::add-mask::$ACTIONS_ID_TOKEN_REQUEST_URL"
+fi
+
 if [ -n "$ACTIONS_ID_TOKEN_REQUEST_TOKEN" ]; then
     echo "::add-mask::$ACTIONS_ID_TOKEN_REQUEST_TOKEN"
 fi
@@ -65,12 +70,10 @@ if [ -z "$APIKEY" ]; then
         exit 1
     fi
 
-    payload=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=hookd")
-    jwt=$(echo "$payload" | jq -r '.value')
-    export GITHUB_TOKEN="$jwt"
-
-    #export GITHUB_TOKEN_REQUEST_TOKEN="$ACTIONS_ID_TOKEN_REQUEST_TOKEN"
-    #export GITHUB_TOKEN_REQUEST_URL="$ACTIONS_ID_TOKEN_REQUEST_URL"
+    export GITHUB_TOKEN_URL="$ACTIONS_ID_TOKEN_REQUEST_URL"
+    echo "::add-mask::$GITHUB_TOKEN_URL"
+    export GITHUB_BEARER_TOKEN="$ACTIONS_ID_TOKEN_REQUEST_TOKEN"
+    echo "::add-mask::$GITHUB_BEARER_TOKEN"
 else
     echo "::notice ::APIKEY IS DEPRECATED, PLEASE USE WORKLOAD IDENTITY, For more info see https://doc.nais.io/build/how-to/build-and-deploy and/or https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs"
 fi
diff --git a/pkg/deployclient/config.go b/pkg/deployclient/config.go
@@ -19,7 +19,6 @@ type Config struct {
 	DeployServerURL           string
 	DryRun                    bool
 	Environment               string
-	GitHubToken               string
 	GitHubTokenURL            string
 	GitHubBearerToken         string
 	GrpcAuthentication        bool
@@ -54,7 +53,6 @@ func InitConfig(cfg *Config) {
 	flag.StringVar(&cfg.DeployServerURL, "deploy-server", getEnv("DEPLOY_SERVER", DefaultDeployServer), "URL to API server. (env DEPLOY_SERVER)")
 	flag.BoolVar(&cfg.DryRun, "dry-run", getEnvBool("DRY_RUN", false), "Run templating, but don't actually make any requests. (env DRY_RUN)")
 	flag.StringVar(&cfg.Environment, "environment", os.Getenv("ENVIRONMENT"), "Environment for GitHub deployment. Autodetected from nais.yaml if not specified. (env ENVIRONMENT)")
-	flag.StringVar(&cfg.GitHubToken, "github-token", os.Getenv("GITHUB_TOKEN"), "Deprecated. Use 'github-token-url' and 'github-bearer-token' instead. Github JWT. (env GITHUB_TOKEN)")
 	flag.StringVar(&cfg.GitHubTokenURL, "github-token-url", os.Getenv("GITHUB_TOKEN_URL"), "URL for requesting GitHub id_token. (env GITHUB_TOKEN_URL)")
 	flag.StringVar(&cfg.GitHubBearerToken, "github-bearer-token", os.Getenv("GITHUB_BEARER_TOKEN"), "Bearer token for use when requesting GitHub id_token. (env GITHUB_BEARER_TOKEN)")
 	flag.BoolVar(&cfg.GrpcAuthentication, "grpc-authentication", getEnvBool("GRPC_AUTHENTICATION", true), "Use team API key to authenticate requests. (env GRPC_AUTHENTICATION)")
@@ -143,7 +141,7 @@ func (cfg *Config) Validate() error {
 		return ErrClusterRequired
 	}
 
-	githubAuth := len(cfg.GitHubToken) > 0 || (len(cfg.GitHubTokenURL) > 0 && len(cfg.GitHubBearerToken) > 0)
+	githubAuth := len(cfg.GitHubTokenURL) > 0 && len(cfg.GitHubBearerToken) > 0
 	if len(cfg.APIKey) == 0 && !githubAuth {
 		return ErrAuthRequired
 	}
diff --git a/pkg/deployclient/grpc.go b/pkg/deployclient/grpc.go
@@ -30,12 +30,6 @@ func NewGrpcConnection(cfg Config) (*grpc.ClientConn, error) {
 				TokenURL:    cfg.GitHubTokenURL,
 				Team:        cfg.Team,
 			}
-		} else if cfg.GitHubToken != "" {
-			interceptor = &auth_interceptor.JWTInterceptor{
-				JWT:        cfg.GitHubToken,
-				RequireTLS: cfg.GrpcUseTLS,
-				Team:       cfg.Team,
-			}
 		} else {
 			decoded, err := hex.DecodeString(cfg.APIKey)
 			if err != nil {
