Freddydk/avoidallsecrets

Actions/DetermineSecrets/DetermineSecrets.ps1

@@ -0,0 +1,107 @@
+Param(
+    [Parameter(HelpMessage = "Comma-separated list of Secrets to get.", Mandatory = $true)]
+    [string] $getSecrets = "",
+    [Parameter(HelpMessage = "Determines whether you want to use the GhTokenWorkflow secret for TokenForPush", Mandatory = $false)]
+    [string] $useGhTokenWorkflowForPush = 'false'
+)
+
+. (Join-Path -Path $PSScriptRoot -ChildPath "..\AL-Go-Helper.ps1" -Resolve)
+
+$settings = $env:Settings | ConvertFrom-Json | ConvertTo-HashTable
+
+# Build an array of secrets to get (and the names of the secrets)
+$script:secretsCollection = [System.Collections.ArrayList]::new()
+$script:secretNames = @{}
+
+function AddSecret {
+    Param(
+        [string] $secret,
+        [switch] $useMapping
+    )
+
+    if ($secret) {
+        $secretName = $secret
+        $secretNameProperty = "$($secretName)SecretName"
+        if ($useMapping.IsPresent -and $settings.Keys -contains $secretNameProperty) {
+            $secretName = $settings."$secretNameProperty"
+        }
+        # Secret is the AL-Go name of the secret
+        # SecretName is the actual name of the secret to get from the KeyVault or GitHub environment
+        if ($secretName -and ($script:secretsCollection -notcontains $secret)) {
+            # Add secret to the collection of secrets to get
+            $script:secretsCollection += $secret
+            $script:secretNames += @{
+                "$secret" = "$secretName"
+            }
+        }
+    }
+}
+
+AddSecret -secret 'AZURE_CREDENTIALS' -useMapping
+foreach($secret in ($getSecrets.Split(',') | Select-Object -Unique)) {
+    switch ($secret) {
+        'TokenForPush' {
+            AddSecret -secret 'TokenForPush'
+            if ($useGhTokenWorkflowForPush -eq 'true') {
+                # If we are using the ghTokenWorkflow for commits, we need to get ghTokenWorkflow secret
+                AddSecret -secret 'ghTokenWorkflow' -useMapping
+            }
+            else {
+                AddSecret -secret 'github_token'
+            }
+        }
+        'GitSubmodulesToken' {
+            # If we are getting the gitSubModules token, we might need to get the github token as well
+            AddSecret -secret $secret -useMapping
+            AddSecret -secret 'github_token'
+        }
+        'AppDependencySecrets' {
+            # Loop through appDependencyProbingPaths and trustedNuGetFeeds and add secrets to the collection of secrets to get
+            $settingsCollection = @()
+            if ($settings.Keys -contains 'appDependencyProbingPaths') {
+                $settingsCollection += $settings.appDependencyProbingPaths
+            }
+            if ($settings.Keys -contains 'trustedNuGetFeeds') {
+                $settingsCollection += $settings.trustedNuGetFeeds
+            }
+            foreach($settingsItem in $settingsCollection) {
+                if ($settingsItem.PsObject.Properties.name -eq "AuthTokenSecret") {
+                    AddSecret -secret $settingsItem.authTokenSecret
+                }
+            }
+            # Look through installApps and installTestApps for secrets and add them to the collection of secrets to get
+            foreach($installSettingsKey in @('installApps','installTestApps')) {
+                if ($settings.Keys -contains $installSettingsKey) {
+                    $settings."$installSettingsKey" | ForEach-Object {
+                        # If any of the installApps URLs contains '${{SECRETNAME}}' we need to get the secret
+                        $pattern = '.*(\$\{\{\s*([^}]+?)\s*\}\}).*'
+                        if ($_ -match $pattern) {
+                            AddSecret -secret $matches[2]
+                        }
+                    }
+                }
+            }
+        }
+        default {
+            AddSecret -secret $secret -useMapping
+        }
+    }
+}
+
+# Calculate output for secrets
+# one output called FORMATSTR with the content: {{"secret1":{0},"secret2":{1},"secret3":{2}}}
+# and one environment variable per secret called S0, S1, S2 with the name of the GitHub Secret (or Azure DevOps secret) to look for
+if ($script:secretsCollection.Count -gt 32) {
+    throw "Maximum number of secrets exceeded."
+}
+
+$cnt = 0
+$formatArr = @()
+foreach($secret in $script:secretsCollection) {
+    $formatArr += @("""$Secret"":{$cnt}")
+    Add-Content -Encoding UTF8 -Path $ENV:GITHUB_ENV -Value "S$cnt=$($script:secretNames[$secret])"
+    Write-Host "S$cnt=$($script:secretNames[$secret])"
+    $cnt++
+}
+Add-Content -Encoding UTF8 -Path $ENV:GITHUB_OUTPUT -Value "FORMATSTR={{$($formatArr -join ',')}}"
+Write-Host "FORMATSTR={{$($formatArr -join ',')}}"

Actions/DetermineSecrets/README.md

@@ -0,0 +1,32 @@
+# Determine secrets
+
+Determine the secrets needed for the workflow
+
+## INPUT
+
+### ENV variables
+
+| Name | Description |
+| :-- | :-- |
+| Settings | env.Settings must be set by a prior call to the ReadSettings Action |
+
+### Parameters
+
+| Name | Required | Description | Default value |
+| :-- | :-: | :-- | :-- |
+| shell | | The shell (powershell or pwsh) in which the PowerShell script in this action should run | powershell |
+| getSecrets | Yes | Comma-separated list of secrets to get (add appDependencySecrets to request secrets needed for resolving dependencies in AppDependencyProbingPaths and TrustedNuGetFeeds, add TokenForPush in order to request a token to use for pull requests and commits). Secrets preceded by an asterisk are returned encrypted | |
+| useGhTokenWorkflowForPush | false | Determines whether you want to use the GhTokenWorkflow secret for TokenForPush | false |
+
+## OUTPUT
+
+### ENV variables
+
+none
+
+### OUTPUT variables
+
+| Name | Description |
+| :-- | :-- |
+| FORMATSTR | A format string to be used when transferring the secrets to ReadSecrets |
+| S0,S1,S2,...,S31 | The actual names of the GitHub secrets to look for |

Actions/DetermineSecrets/action.yaml

@@ -0,0 +1,34 @@
+name: Determine Secrets
+author: Microsoft Corporation
+inputs:
+  shell:
+    description: Shell in which you want to run the action (powershell or pwsh)
+    required: false
+    default: powershell
+  getSecrets:
+    description: Comma-separated list of Secrets to get. Secrets preceded by an asterisk are returned encrypted
+    required: true
+  useGhTokenWorkflowForPush:
+    description: Determines whether you want to use the GhTokenWorkflow secret for TokenForPush
+    required: false
+    default: 'false'
+outputs:
+  FORMATSTR:
+    description: A format string to be used when transferring the secrets to ReadSecrets
+    value: ${{ steps.DetermineSecrets.outputs.FORMATSTR }}
+runs:
+  using: composite
+  steps:
+    - name: run
+      shell: ${{ inputs.shell }}
+      id: DetermineSecrets
+      env:
+        _getSecrets: ${{ inputs.getSecrets }}
+        _useGhTokenWorkflowForPush: ${{ inputs.useGhTokenWorkflowForPush }}
+      run: |
+        ${{ github.action_path }}/../Invoke-AlGoAction.ps1 -ActionName "DetermineSecrets" -Action {
+          ${{ github.action_path }}/DetermineSecrets.ps1 -getSecrets $ENV:_getSecrets -useGhTokenWorkflowForPush $ENV:_useGhTokenWorkflowForPush
+        }
+branding:
+  icon: terminal
+  color: blue

Actions/ReadSecrets/README.md

@@ -4,7 +4,6 @@ Read secrets from GitHub secrets or Azure Keyvault for AL-Go workflows
 The secrets read and added to the output are the secrets specified in the getSecrets parameter
 Additionally, the secrets specified by the authTokenSecret in AppDependencyProbingPaths and TrustedNuGetFeeds are read if appDependencySecrets is specified in getSecrets
 All secrets included in the Secrets output are Base64 encoded to avoid issues with national characters
-Secrets, which name is preceded by an asterisk (\*) are encrypted and Base64 encoded
 
 ## INPUT
 
@@ -19,8 +18,7 @@ Secrets, which name is preceded by an asterisk (\*) are encrypted and Base64 enc
 | Name | Required | Description | Default value |
 | :-- | :-: | :-- | :-- |
 | shell | | The shell (powershell or pwsh) in which the PowerShell script in this action should run | powershell |
-| gitHubSecrets | Yes | GitHub secrets in a json structure | |
-| getSecrets | Yes | Comma-separated list of secrets to get (add appDependencySecrets to request secrets needed for resolving dependencies in AppDependencyProbingPaths and TrustedNuGetFeeds, add TokenForPush in order to request a token to use for pull requests and commits). Secrets preceded by an asterisk are returned encrypted | |
+| gitHubSecrets | Yes | A JSON structure with all secrets needed. The structure already contains the existing GitHub secrets | |
 | useGhTokenWorkflowForPush | false | Determines whether you want to use the GhTokenWorkflow secret for TokenForPush | false |
 
 ## OUTPUT
@@ -33,5 +31,5 @@ none
 
 | Name | Description |
 | :-- | :-- |
-| Secrets | A compressed json construct with all requested secrets base64 encoded. Secrets preceded by an asterisk (\*) are encrypted before base64 encoding. The secret value + the base64 value of the secret value are masked in the log |
+| Secrets | A compressed json construct with all requested secrets base64 encoded. The secret value + the base64 value of the secret value are masked in the log |
 | TokenForPush | The token to use when workflows are pushing changes (either directly, or via pull requests). This is either the GITHUB_TOKEN or the GhTokenWorkflow secret (based on the env variable useGhTokenWorkflowForPush) |