63 changes: 63 additions & 0 deletions .github/workflows/test-release-secrets-ssm.yml
@@ -0,0 +1,63 @@
name: Test release-secrets SSM

# Builds, type-checks, and unit-tests the release-secrets SSM helper, and
# verifies the committed dist/ bundle matches a fresh build (GitHub runs the
# committed JS as-is; it never builds the action).

on:
pull_request:
paths:
- 'actions/release-secrets/ssm/**'
- '.github/workflows/test-release-secrets-ssm.yml'
push:
branches:
- main
paths:
- 'actions/release-secrets/ssm/**'
- '.github/workflows/test-release-secrets-ssm.yml'

permissions:
contents: read

defaults:
run:
working-directory: actions/release-secrets/ssm

jobs:
test:
name: typecheck, test, and verify dist
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
# Pinned to match the Node major used to build the committed dist/, so
# the check-dist step below is a stable comparison, not version-flaky.
node-version-file: actions/release-secrets/ssm/.nvmrc
# Yarn version is pinned via the package.json "packageManager" field;
# corepack provisions exactly that version.
- run: corepack enable
# --immutable fails the build if yarn.lock would change, so CI can't drift
# from the committed lockfile. The 7-day cooldown (npmMinimalAgeGate) is
# already baked into the lockfile, so it is not re-evaluated here.
- run: yarn install --immutable
- run: yarn typecheck
- run: yarn test
- name: Verify dist/ is up to date
run: |
yarn build
if [ -n "$(git status --porcelain dist/)" ]; then
echo "::error::dist/ is out of date — run 'yarn build' in actions/release-secrets/ssm and commit the result."
git diff --stat -- dist/
exit 1
fi
- name: Smoke-test the bundled entrypoint
# Guards against a no-op bundle: the unit tests import run() from source,
# so they pass even if the ncc entrypoint never actually invokes run()
# (e.g. a `require.main === module` guard that is always false in the ESM
# bundle). Malformed input must make the real artifact fail loudly.
run: |
if SSM_PARAMETER_PAIRS='smoke_test_no_equals' node dist/index.js; then
echo "::error::dist/index.js exited 0 on malformed input — the entrypoint is a no-op (run() was not invoked)."
exit 1
fi
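Review bot: The smoke-test step only asserts a non-zero exit, so a bundle that crashes before it ever parses input (a module-resolution error, an unhandled rejection on missing AWS credentials) passes the guard for the wrong reason. Capture stderr and check for the expected validation message, e.g. `if out=$(SSM_PARAMETER_PAIRS='smoke_test_no_equals' node dist/index.js 2>&1); then ... fi` followed by a `grep` on `$out` for the parser's error text, so the step proves that run() rejected the malformed pair rather than that something failed. Minor, in the check-dist step: `git diff --stat -- dist/` prints nothing for a newly created untracked file even though `git status --porcelain dist/` reports it; `git status --short dist/` shows both cases in the failure output.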
7 changes: 7 additions & 0 deletions actions/release-secrets/README.md
Expand Up @@ -8,6 +8,13 @@ It can also be used to download files from s3.

The repository must be configured with OIDC, allowing access to an AWS account.

The SSM step runs a bundled Node script, so the runner must have `node` on its
`PATH` (GitHub-hosted runners do; self-hosted runners need Node installed).

`ssm_parameter_pairs` paths must be plain SSM parameter names. Version or label
selectors (`/path:2`, `/path:label`) are not supported — the value is looked up
by its bare name and a selector will fail the lookup.

# Example

This example uses the release-secrets action to get an NPM token.
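Review bot: The new paragraphs say what `ssm_parameter_pairs` does not accept but not what it does: the shape of a pair (the workflow's smoke test treats a value without `=` as malformed), whether SecureString parameters are decrypted, and whether resolved values are masked in job logs. The step this replaces passed `withDecryption: 'true'` to the old action, so readers migrating will look for that guarantee here; a one-line pair example and a sentence on decryption and masking would close the gap.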
10 changes: 5 additions & 5 deletions actions/release-secrets/action.yml
Expand Up @@ -18,17 +18,17 @@ runs:
using: composite
steps:
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4
uses: aws-actions/configure-aws-credentials@e7f100cf4c008499ea8adda475de1042d6975c7b # v6
with:
audience: https://github.com/launchdarkly
role-to-assume: ${{ inputs.aws_assume_role }}
aws-region: us-east-1
- name: Load environment variables
uses: dkershner6/aws-ssm-getparameters-action@4fcb4872421f387a6c43058473acc1b22443fe13 # 4fcb4872421f387a6c43058473acc1b22443fe13
shell: bash
if: ${{ inputs.ssm_parameter_pairs != '' }}
with:
parameterPairs: ${{ inputs.ssm_parameter_pairs }}
withDecryption: 'true'
env:
SSM_PARAMETER_PAIRS: ${{ inputs.ssm_parameter_pairs }}
run: node "$GITHUB_ACTION_PATH/ssm/dist/index.js"
- name: Download S3 files
shell: bash
if: ${{ inputs.s3_path_pairs != '' }}
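Review bot: The removed step explicitly set `withDecryption: 'true'`, and the new `run: node "$GITHUB_ACTION_PATH/ssm/dist/index.js"` step carries no equivalent, so please confirm that the bundled script requests decryption (SecureString values otherwise come back as ciphertext) and masks each resolved value before exporting it, and note both in action.yml so the contract is visible without reading dist/. Passing the input through `env:` instead of interpolating `${{ inputs.ssm_parameter_pairs }}` into the shell command is the right choice and keeps the value out of expression injection. Separately, the configure-aws-credentials bump from v4 to v6 is an unrelated major-version change that deserves its own commit or at least a line in the PR description.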
11 changes: 11 additions & 0 deletions actions/release-secrets/ssm/.gitignore
@@ -0,0 +1,11 @@
node_modules/
*.tsbuildinfo

# Yarn Berry: commit yarn.lock + .yarnrc.yml; ignore install state / local cache.
.yarn/*
!.yarn/patches
!.yarn/plugins
!.yarn/releases
!.yarn/sdks
!.yarn/versions
.pnp.*
1 change: 1 addition & 0 deletions actions/release-secrets/ssm/.nvmrc
@@ -0,0 +1 @@
22
11 changes: 11 additions & 0 deletions actions/release-secrets/ssm/.yarnrc.yml
@@ -0,0 +1,11 @@
# ncc bundles from a real node_modules tree, so use the node-modules linker
# rather than Yarn's default Plug'n'Play.
nodeLinker: node-modules

# Supply-chain cooldown: refuse to install any package version published less
# than 7 days ago, matching the org Renovate policy (minimumReleaseAge: 7 days).
# A freshly published (possibly compromised or to-be-unpublished) version is not
# considered for resolution until it has aged past this gate.
npmMinimalAgeGate: "7d"

enableTelemetry: false
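Review bot: `npmMinimalAgeGate` is honoured only by recent Yarn 4 releases, and the Yarn version actually used comes from the `packageManager` field that this diff does not show, so the 7-day cooldown the comment promises cannot be verified from this file alone. Consider asserting it in the workflow (`yarn config get npmMinimalAgeGate` should print the configured value) so the gate cannot silently lapse on a Yarn downgrade. It would also help to state in the comment that the gate applies at resolution time only: with `yarn install --immutable` in CI, versions already in yarn.lock are installed regardless of age, which is exactly what the workflow's "not re-evaluated here" comment relies on.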