mvdan.cc / cue
this repo has no description
0
fork

Configure Feed

Select the types of activity you want to include in your feed.

internal/ci: use OIDC with the Central Registry for the e2e tests

This way we no longer need to maintain a static token as a CI secret
via E2E_PORCUEPINE_CUE_TOKEN. Two changes were needed for this to work:

First, the OIDC setup sets up logins.json rather than setting up
any env var or other state with a token string,
so we need to teach internal/_e2e how to inherit the registry logins
from the host rather than taking an access token string.

Note that we still allow setting CUE_TEST_TOKEN to an access token,
because this is still useful for developers whose machines are logged
into the central registry as themselves and not porcuepine.

Second, the OIDC setup is tweaked to add new rules for the
protected branches "master" and "ci/test",
with the same other settings we had except that the account
is swapped from "notcueckoo" to "porcuepine",
which has the necessary access to make the end-to-end tests succeed.

This works because these new rules are narrower by adding a branch
filter on top of all the other filters,
so the Central Registry applies this new rule when both match
given that it is more specific.

This was tested via ci/test in:
https://github.com/cue-lang/cue/actions/runs/22581435336/job/65414331280

Once this patch is merged, I'll go ahead and remove
the E2E_PORCUEPINE_CUE_TOKEN secret on GitHub Actions.

Signed-off-by: Daniel Martí <mvdan@mvdan.cc>
Change-Id: I76cf0e02ccf50bfd4619e8083a1379a336f3d08c
Reviewed-on: https://review.gerrithub.io/c/cue-lang/cue/+/1232501
Unity-Result: CUE porcuepine <cue.porcuepine@gmail.com>
TryBot-Result: CUEcueckoo <cueckoo@cuelang.org>
Reviewed-by: Paul Jolly <paul@myitcv.io>

Daniel Martí c38e4546 8da91149

+28 -6
+1 -1
.github/workflows/trybot.yaml
··· 136 136 Dispatch-Trailer: {"type":"')))) || (github.ref == 'refs/heads/ci/test')) && (matrix.go-version == '1.26.x' && matrix.runner == 'namespace-profile-linux-amd64-large') 137 137 name: End-to-end test 138 138 env: 139 - CUE_TEST_TOKEN: ${{ secrets.E2E_PORCUEPINE_CUE_TOKEN }} 139 + CUE_TEST_TOKEN: inherit 140 140 run: |- 141 141 cd internal/_e2e 142 142 go test -race
+23 -2
internal/_e2e/script_test.go
··· 27 27 "testing" 28 28 "time" 29 29 30 + "cuelang.org/go/internal/cueconfig" 30 31 "github.com/rogpeppe/go-internal/testscript" 31 32 ) 32 33 ··· 101 102 env.Setenv("CUE_CONFIG_DIR", configDir) 102 103 103 104 // CUE_TEST_TOKEN is a secret used by the scripts publishing to registry.cue.works. 104 - // When unset, those tests would fail with an auth error. 105 - if token := os.Getenv("CUE_TEST_TOKEN"); token != "" { 105 + switch token := os.Getenv("CUE_TEST_TOKEN"); token { 106 + case "": 107 + // When unset, those tests will fail with an auth error; 108 + // refuse to continue and ask the user to make a choice. 109 + return fmt.Errorf("Missing $CUE_TEST_TOKEN for porcuepine; set it to a valid app token or to 'inherit'") 110 + case "inherit": 111 + // TODO(mvdan): if/when we have a `cue login --get-access-token`, use that instead. 112 + loginsPath, err := cueconfig.LoginConfigPath(os.Getenv) 113 + if err != nil { 114 + return fmt.Errorf("locating ${CUE_CONFIG_DIR}/logins.json: %v", err) 115 + } 116 + loginsJSON, err := os.ReadFile(loginsPath) 117 + if err != nil { 118 + return fmt.Errorf("reading ${CUE_CONFIG_DIR}/logins.json: %v", err) 119 + } 120 + if err := os.MkdirAll(configDir, 0o777); err != nil { 121 + return fmt.Errorf("creating new ${CUE_CONFIG_DIR}: %v", err) 122 + } 123 + if err := os.WriteFile(filepath.Join(configDir, "logins.json"), loginsJSON, 0o666); err != nil { 124 + return fmt.Errorf("writing new ${CUE_CONFIG_DIR}/logins.json: %v", err) 125 + } 126 + default: 106 127 cmd := exec.Command("cue", "login", "--token", token) 107 128 cmd.Env = env.Vars // store the token in the CUE_CONFIG_DIR we just set 108 129 if out, err := cmd.CombinedOutput(); err != nil {
+4 -3
internal/ci/github/trybot.cue
··· 122 122 { 123 123 name: "End-to-end test" 124 124 env: { 125 - // E2E_PORCUEPINE_CUE_TOKEN is a token generated on registry.cue.works 126 - // as the GitHub porcuepine user, with description "e2e cue repo". 127 - CUE_TEST_TOKEN: "${{ secrets.E2E_PORCUEPINE_CUE_TOKEN }}" 125 + // The Central Registry login via OIDC is set up to use the "porcuepine" bot account 126 + // for pushes to the protected branches master and ci/test. 127 + // Inherit those credentials from ${CUE_CONFIG_DIR} in the testscript environment. 128 + CUE_TEST_TOKEN: "inherit" 128 129 } 129 130 // Our regular tests run with both `go test ./...` and `go test -race ./...`. 130 131 // The end-to-end tests should only be run once, given the slowness and API rate limits.