|
| 1 | +# How to inject puppetcore authentication into the shared workflows |
| 2 | + |
| 3 | +## Description |
| 4 | + |
| 5 | +This guide explains how to configure your repository to consume the following shared workflows and ensure that puppetcore dependencies are successfully bundle installed: |
| 6 | + |
| 7 | +- `module_ci.yml` |
| 8 | +- `gem_ci.yml` |
| 9 | +- `tooling_mend_ruby.yml` |
| 10 | + |
| 11 | +The above workflows are backward compatible and designed to work with both puppetcore and non-puppetcore repositories. |
| 12 | + |
| 13 | +## Prerequisites |
| 14 | + |
| 15 | +- A puppetcore repository that needs to use a shared workflow. |
| 16 | +- Access to repository settings to configure secrets |
| 17 | +- A valid `PUPPET_FORGE_TOKEN` with access to the private puppetcore gem source |
| 18 | + |
| 19 | +## Configuration Requirements |
| 20 | + |
| 21 | +### Required Settings |
| 22 | + |
| 23 | +To use PuppetCore Gems with the above shared workflows, your repository must meet these requirements: |
| 24 | + |
| 25 | +1. **Set up the PUPPET_FORGE_TOKEN secret**: |
| 26 | + - Navigate to your repository on GitHub |
| 27 | + - Go to Settings > Secrets and variables > Actions |
| 28 | + - Add a new repository secret named `PUPPET_FORGE_TOKEN` with your valid token value |
| 29 | + |
| 30 | +2. **Configure Ruby Version to be >= 3.1**: |
| 31 | + - Ruby version >= 3.1 is required for PuppetCore Gems. |
| 32 | + - Some shared worklows, like `module_ci.yml`, have an old default Ruby version that must be overridden |
| 33 | + |
| 34 | +## Usage |
| 35 | + |
| 36 | +Create or update your workflow file (typically `.github/workflows/ci.yml`) to look something like: |
| 37 | + |
| 38 | +```yaml |
| 39 | +name: "ci" |
| 40 | + |
| 41 | +on: |
| 42 | + pull_request: |
| 43 | + branches: |
| 44 | + - "main" |
| 45 | + workflow_dispatch: |
| 46 | + |
| 47 | +jobs: |
| 48 | + Spec: |
| 49 | + uses: "puppetlabs/cat-github-actions/.github/workflows/module_ci.yml@main" |
| 50 | + with: |
| 51 | + run_shellcheck: true |
| 52 | + ruby_version: '3.1' # Required for PuppetCore Gems |
| 53 | + secrets: "inherit" # Required to pass PUPPET_FORGE_TOKEN |
| 54 | +``` |
| 55 | +
|
| 56 | +For 2 example consumers, see: |
| 57 | +
|
| 58 | +* [puppet-upgrade ci.yml](https://github.com/puppetlabs/puppet-upgrade/blob/main/.github/workflows/ci.yml) |
| 59 | +* [provision ci.yml](https://github.com/puppetlabs/provision/blob/main/.github/workflows/ci.yml) |
| 60 | +
|
| 61 | +## How It Works |
| 62 | +
|
| 63 | +The above shared workflows are designed to install gems from <https://rubygems-puppetcore.puppet.com>. They |
| 64 | +
|
| 65 | +- **Inherit** the `PUPPET_FORGE_TOKEN` secret from the consumer repository and then **set** an environment variable of the same name. This environment variable is required by some repositories to "switch" between either the public or puppetcore gems. |
| 66 | +- **Set** the `BUNDLE_RUBYGEMS___PUPPETCORE__PUPPET__COM` environment variable ensuring authentication against the <https://rubygems-puppetcore.puppet.com> gemsource. For example, |
| 67 | + |
| 68 | +```bash |
| 69 | +BUNDLE_RUBYGEMS___PUPPETCORE__PUPPET__COM: "forge-key:${{ secrets.PUPPET_FORGE_TOKEN }}" |
| 70 | +``` |
| 71 | + |
| 72 | +## Troubleshooting |
| 73 | + |
| 74 | +Common issues and their solutions: |
| 75 | + |
| 76 | +- **Bundle install fails**: Ensure Ruby version is set to at least 3.1 |
| 77 | +- **Authentication errors**: Verify the PUPPET_FORGE_TOKEN is correctly set and has appropriate permissions |
| 78 | + |
| 79 | +## Appendix |
| 80 | + |
| 81 | +### Security Considerations |
| 82 | + |
| 83 | +- Use the `secrets: "inherit"` pattern to securely pass tokens from your consumer to shared workflow. |
| 84 | +- Push secrets into environment variables for use by code. This is another github pattern that maintains redaction of secrets in logs |
0 commit comments