Create a simple action for installing chainctl. (#33)

This sets up a little action for installing and authenticating the Chainguard CLI: `chainctl` in Github actions.
chainguard-dev · Mar 28, 2022 · a30653f · a30653f
1 parent 1cd1d67
commit a30653f
Show file tree

Hide file tree

Showing 2 changed files with 84 additions and 0 deletions.
diff --git a/setup-chainctl/README.md b/setup-chainctl/README.md
@@ -0,0 +1,33 @@
+# Setup `chainctl`
+
+This action installs the latest `chainctl` binary for a particular environment
+and authenticates with it using identity tokens.
+
+## Usage
+
+```yaml
+- uses: chainguard-dev/actions/setup-chainctl@main
+  with:
+    # environment determines the environment from which to download the chainctl
+    # binary from, it is required and has no default (for now).
+    # Required.
+    environment: cookie-monster
+    # audience is the identity token audience to use when creating an identity
+    # token to authenticate with Chainguard, it is rquired and has no default
+    # (for now).
+    # Required.
+    audience: oscar-the-grouch
+```
+
+## Scenarios
+
+```yaml
+permissions:
+  id-token: write
+
+steps:
+- uses: chainguard-dev/actions/setup-chainctl@main
+  with:
+    environment: big-bird
+    audience: elmo
+```
diff --git a/setup-chainctl/action.yaml b/setup-chainctl/action.yaml
@@ -0,0 +1,51 @@
+# Copyright 2022 Chainguard, Inc.
+# SPDX-License-Identifier: Apache-2.0
+
+name: 'Setup chainctl'
+description: |
+  This action sets up the Chainguard chainctl CLI and authenticates
+  it against the target environment.
+
+inputs:
+  environment:
+    description: |
+      Determines the environment from which to download the chainctl
+      binary from, it is required and has no default (for now).
+    required: true
+
+  audience:
+    description: |
+      Specifies the identity token audience to use when creating an
+      identity token to authenticate with Chainguard, it is rquired
+      and has no default (for now).
+    required: true
+
+runs:
+  using: "composite"
+
+  steps:
+    - name: Install chainctl
+      shell: bash
+      run: |
+        wget -O chainctl "https://storage.googleapis.com/us.artifacts.${{ inputs.environment }}.appspot.com/chainctl_$(uname -s)_$(uname -m)"
+        chmod +x chainctl
+        sudo mv chainctl /usr/local/bin
+
+    - name: Authenticate with Chainguard
+      shell: bash
+      env:
+        CHAINGUARD_INVITE_CODE: ${{ secrets.CHAINGUARD_INVITE_CODE }}
+      run: |
+        AUDIENCE="${{ inputs.audience }}"
+        IDTOKEN=$(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=${AUDIENCE}" | jq -r '.value')
+
+        if chainctl auth login --identity-token "${IDTOKEN}"; then
+          echo Logged in!
+        elif [[ -z "${CHAINGUARD_INVITE_CODE}" ]]; then
+          echo No invite code is present!  Failing since registration will not do any good.
+          echo Configure a secret named CHAINGUARD_INVITE_CODE to have this workload register itself.
+          exit 1
+        else
+          # This will start failing once the invite code expires, which is why we have the login guard.
+          chainctl auth register --identity-token "${IDTOKEN}" --invite-code="${CHAINGUARD_INVITE_CODE}"
+        fi