feat: add support for GitHub and gitlab in helper #1442
Conversation
daniel-cit
changed the title
daniel-cit
requested review from
a team,
eeaton,
rjerrems and
sleighton2022
as code owners
|
@apeabody Could you PTAL? |
|
/gemini review |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces support for GitHub Actions and GitLab CI/CD as alternatives to Google Cloud Build for the deployment helper. The changes are extensive, involving significant refactoring to modularize CI/CD-specific configurations, the introduction of an Executor interface to abstract CI/CD system interactions, and updates to documentation and helper scripts. The overall design is solid. However, I've identified a few critical issues: a potential modification of the source code directory, a security risk of leaking secrets in logs, and a bug in the build-type selection script that could lead to an inconsistent state. Addressing these points will greatly improve the robustness and security of the new functionality.
| # Rename *_cb.tf files to *_cb.tf.example if BUILD_TYPE is not "cb" | ||
| if [ "$TARGET_BUILD" != "cb" ]; then | ||
| find "$BASE_PATH" -name "*_cb.tf" -print0 | while IFS= read -r -d $'\0' file; do | ||
| new_name="${file}.example" | ||
| echo "Renaming \"$file\" to \"$new_name\"" | ||
| mv "$file" "$new_name" | ||
| done | ||
| fi | ||
|
|
||
| # Rename *_BUILD_TYPE.tf.example to *_BUILD_TYPE.tf if they exist | ||
| find "$BASE_PATH" -name "*_$TARGET_BUILD.tf.example" -print0 | while IFS= read -r -d $'\0' file; do | ||
| # Extract the base name without the .example extension | ||
| base_name="${file%.tf.example}" | ||
| new_name="$base_name.tf" | ||
|
|
||
| echo "Renaming \"$file\" to \"$new_name\"" | ||
| mv "$file" "$new_name" | ||
| done | ||
|
|
||
| echo "File renaming complete." |
There was a problem hiding this comment.
The current logic for switching between build types is not robust. If the script is run multiple times with different build types (e.g., first github, then gitlab), it can leave multiple build configurations active simultaneously (e.g., both *_github.tf and *_gitlab.tf would exist), which will cause Terraform to fail due to duplicate resource definitions. The script should ensure that only the target build type is active by deactivating all others.
A more robust approach would be to first deactivate any currently active build type configuration, and then activate the configuration for the selected target build type. This ensures a clean and predictable state regardless of how many times the script is run with different parameters.
# Deactivate all other build types to ensure a clean state
for type in "${build_types[@]}"; do
if [[ "$type" != "$TARGET_BUILD" ]]; then
find "$BASE_PATH" -name "*_$type.tf" -print0 | while IFS= read -r -d $'\0' file; do
if [ -f "$file" ]; then
new_name="${file}.example"
echo "Deactivating: renaming \"$file\" to \"$new_name\""
mv "$file" "$new_name"
fi
done
fi
done
# Activate the target build type
find "$BASE_PATH" -name "*_$TARGET_BUILD.tf.example" -print0 | while IFS= read -r -d $'\0' file; do
base_name="${file%.tf.example}"
new_name="$base_name.tf"
echo "Activating: renaming \"$file\" to \"$new_name\""
mv "$file" "$new_name"
done
echo "File renaming complete."| err = utils.RenameBuildFiles(filepath.Join(c.FoundationPath, BootstrapStep), tfvars.BuildType) | ||
| if err != nil { | ||
| return err | ||
| } |
There was a problem hiding this comment.
The RenameBuildFiles function is called on c.FoundationPath, which points to the source directory of the foundation code. This modifies the source repository, which is a significant side effect. The helper tool should not alter the source code it's deploying from, as this can lead to an inconsistent state for the user and future deployments. The file renaming logic should be applied to the code after it has been copied to the target repository's checkout directory.
| output, err := cmd.CombinedOutput() | ||
| if err != nil { | ||
| t.Fatalf("Error executing git command: %v", err) | ||
| } | ||
| fmt.Printf("git clone output:\n%s\n", string(output)) |
There was a problem hiding this comment.
The output of the git clone command, which may contain the full repository URL with an embedded access token, is printed directly to stdout. If the command fails (e.g., repository not found), this will leak the secret token into the logs. The token should be redacted from any output before being printed or logged to prevent accidental exposure.
| // version 4.31.0 removed because of issue https://github.com/hashicorp/terraform-provider-google/issues/12226 | ||
| // version 6.26.0 and 6.27.0 removed because of the bug https://github.com/hashicorp/terraform-provider-google/issues/21950 | ||
| source = "hashicorp/google" | ||
| version = ">= 3.50, != 4.31.0, != 6.26.0, != 6.27.0, < 7.0" |
There was a problem hiding this comment.
Can we bump to < 8? TPG v7 has been out for a while.
| */ | ||
|
|
||
| terraform { | ||
| required_version = ">= 0.13" |
There was a problem hiding this comment.
As practice we are recommend >= 1.3 given the frequent dependency on optional().
| # } | ||
| github = { | ||
| source = "integrations/github" | ||
| version = "5.34.0" |
There was a problem hiding this comment.
I recommend switching to a pessimistic operator rather than a static version. For example ~> 5.34, or more likely ~> 6.0 which has been out for a while.
2 participants
This PR adds support for GitHub Action and GitLab workflows deploy in deploy helper