use secrets in ci

Signed-off-by: Kyle Penfound <kyle@dagger.io>
kpenfound · Nov 4, 2023 · bb2716a · bb2716a
1 parent add213b
commit bb2716a
Show file tree

Hide file tree

Showing 5 changed files with 56 additions and 49 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -11,6 +11,6 @@ jobs:
       - name: Dagger
         uses: kpenfound/dagger-action@main
         with:
-          args: ci-remote --commit $GITHUB_REF_NAME --release --tag $GITHUB_REF_NAME --fly-token ${{ secrets.FLY_TOKEN }} --netlify-token ${{ secrets.NETLIFY_TOKEN }} --gh-token ${{ secrets.GH_RELEASE_TOKEN }}
+          args: ci-remote --commit $GITHUB_REF_NAME --release --tag $GITHUB_REF_NAME --infisical-token ${{ secrets.INFISICAL_TOKEN }}
           module: github.com/kpenfound/greetings-api/ci
           cloud-token: ${{ secrets.DAGGER_CLOUD_TOKEN }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -10,7 +10,7 @@ jobs:
     steps:
       - name: Dagger
         uses: kpenfound/dagger-action@main
-        with:
+        with, registryUser, registryPass:
           args: ci-remote --commit $GITHUB_SHA
           module: github.com/kpenfound/greetings-api/ci
           cloud-token: ${{ secrets.DAGGER_CLOUD_TOKEN }}
diff --git a/DEMO.md b/DEMO.md
@@ -93,6 +93,8 @@ Netlify at https://dagger-demo.netlify.app/
     - secrets!
     - services
 - Local runs
+    - `dagger functions -m ./ci`
+    - `dagger serve ./ci serve --help`
     - `dagger serve -m ./ci -p 8080,8081 serve --dir "."`
     - navigate to [localhost:8081](http://localhost:8081/) in browser
     - notice "Hello Kubecon!" greeting coming from backend API

diff --git a/ci/dagger.json b/ci/dagger.json
@@ -5,6 +5,7 @@
   "dependencies": [
     "backend",
     "frontend",
+    "github.com/jpadams/daggerverse/infisical@7f64507480159500910b48f161ba8e256fa0f8ff",
     "github.com/jpadams/github-release@688e608ce3d7a68565b855708af7de4cddab8e47",
     "github.com/kpenfound/dagger-modules/fly@f41cc6fa3a1af415b6d32087f88249aec41ae20d",
     "github.com/kpenfound/dagger-modules/netlify@9e98d4b6c88a7ce63109ff21a51786b4bf3dc26f",

diff --git a/ci/main.go b/ci/main.go
@@ -7,11 +7,11 @@ import (
 
 const (
 	REPO = "github.com/kpenfound/greetings-api"
+	IMAGE = "kylepenfound/greetings-api:latest"
 )
 
 type Greetings struct{}
 
-
 func (g *Greetings) UnitTest(ctx context.Context, dir *Directory) (string, error) {
 	backendResult, err := dag.Backend().UnitTest(ctx, dir)
 	if err != nil {
@@ -32,55 +32,60 @@ func (g *Greetings) Lint(ctx context.Context, dir *Directory) (string, error) {
 func (g *Greetings) Build(dir *Directory, env string) *Directory {
 	return dag.Directory().
 		WithFile("/build/greetings-api", dag.Backend().Binary(dir)).
-		WithDirectory("build/website/", dag.Frontend().Build(dir.Directory("website"), FrontendBuildOpts{ Env: env }))
+		WithDirectory("build/website/", dag.Frontend().Build(dir.Directory("website"), FrontendBuildOpts{Env: env}))
 }
 
 func (g *Greetings) Serve(dir *Directory) *Service {
 	backendService := dag.Backend().Serve(dir)
 	frontendService := dag.Frontend().Serve(dir.Directory("website"))
 
 	return dag.Proxy().
-	WithService(backendService, "backend", 8080, 8080).
-	WithService(frontendService, "frontend", 8081, 80).
-	Service()
+		WithService(backendService, "backend", 8080, 8080).
+		WithService(frontendService, "frontend", 8081, 80).
+		Service()
 }
 
 func (g *Greetings) Release(ctx context.Context, dir *Directory, tag string, ghToken *Secret) (string, error) {
 	// Get build
 	build := g.Build(dir, "netlify")
 	// Compress frontend build
 	assets := dag.Container().From("alpine:3.18").
-	WithDirectory("/assets", build).
-	WithWorkdir("/assets/build").
-	WithExec([]string{"tar", "czf", "website.tar.gz", "website/"}).
-	WithExec([]string{"rm", "-r", "website"}).
-	Directory("/assets/build")
+		WithDirectory("/assets", build).
+		WithWorkdir("/assets/build").
+		WithExec([]string{"tar", "czf", "website.tar.gz", "website/"}).
+		WithExec([]string{"rm", "-r", "website"}).
+		Directory("/assets/build")
 
 	title := fmt.Sprintf("Release %s", tag)
 
-	return dag.GithubRelease().Create(ctx, REPO, tag, title, ghToken, GithubReleaseCreateOpts{ Assets: assets })
+	return dag.GithubRelease().Create(ctx, REPO, tag, title, ghToken, GithubReleaseCreateOpts{Assets: assets})
 }
 
-func (g *Greetings) Deploy(ctx context.Context, dir *Directory, flyToken *Secret, netlifyToken *Secret) (string, error) {
+func (g *Greetings) Deploy(ctx context.Context, dir *Directory, flyToken *Secret, netlifyToken *Secret, registryUser string, registryPass *Secret) (string, error) {
 	// Backend
-	imageTag := "kylepenfound/greetings-api:latest"
-	backendAmd64 := dag.Backend().Container(dir, BackendContainerOpts{ Arch: "amd64"})
-	backendArm64 := dag.Backend().Container(dir, BackendContainerOpts{ Arch: "arm64"})
-	_, err := dag.Container().Publish(ctx, imageTag, ContainerPublishOpts{
-		PlatformVariants: []*Container{
-			backendAmd64,
-			backendArm64,
-		},
+	backendAmd64 := dag.Backend().Container(dir, BackendContainerOpts{Arch: "amd64"})
+	backendArm64 := dag.Backend().Container(dir, BackendContainerOpts{Arch: "arm64"})
+	_, err := dag.Container().
+		WithRegistryAuth(
+			"index.docker.io",
+			registryUser,
+			registryPass,
+		).
+		Publish(ctx, IMAGE, ContainerPublishOpts{
+			PlatformVariants: []*Container{
+				backendAmd64,
+				backendArm64,
+			},
 	})
 	if err != nil {
 		return "", err
 	}
-	backendResult, err := fly_deploy(ctx, imageTag, flyToken) // Pass tag. Fly isn't happy with full shas
+	backendResult, err := fly_deploy(ctx, IMAGE, flyToken) // Pass tag. Fly isn't happy with full shas
 	if err != nil {
 		return "", err
 	}
 	// Frontend
-	frontend := dag.Frontend().Build(dir.Directory("website"), FrontendBuildOpts{ Env: "netlify" })
+	frontend := dag.Frontend().Build(dir.Directory("website"), FrontendBuildOpts{Env: "netlify"})
 	frontendResult, err := netlify_deploy(ctx, frontend, netlifyToken)
 	if err != nil {
 		return "", err
@@ -93,9 +98,7 @@ func (g *Greetings) Ci(
 	dir *Directory,
 	release Optional[bool],
 	tag Optional[string],
-	flyToken Optional[*Secret],
-	netlifyToken Optional[*Secret],
-	ghToken Optional[*Secret],
+	infisicalToken Optional[*Secret],
 ) (string, error) {
 	out, err := g.Lint(ctx, dir)
 	if err != nil {
@@ -107,27 +110,33 @@ func (g *Greetings) Ci(
 	}
 	out = out + "\n" + testOut
 
-	if release.GetOr(false) {
+	infisical, isset := infisicalToken.Get()
+
+	if release.GetOr(false) && isset {
 		tag_, tagSet := tag.Get()
-		ghToken_, ghSet := ghToken.Get()
+		ghToken := dag.Infisical().GetSecret("GITHUB_TOKEN", infisical, "dev", "/")
 
-		if tagSet && ghSet {
-			releaseOut, err := g.Release(ctx, dir, tag_, ghToken_)
+		if tagSet {
+			releaseOut, err := g.Release(ctx, dir, tag_, ghToken)
 			if err != nil {
 				return "", err
 			}
 			out = out + "\n" + releaseOut
 		}
-		fly, flySet := flyToken.Get()
-		netlify, netlifySet := netlifyToken.Get()
 
-		if flySet && netlifySet {
-			deployOut, err := g.Deploy(ctx, dir, fly, netlify)
-			if err != nil {
-				return "", err
-			}
-			out = out + "\n" + deployOut
+		flyToken := dag.Infisical().GetSecret("FLY_TOKEN", infisical, "dev", "/")
+		netlifyToken := dag.Infisical().GetSecret("NETLIFY_TOKEN", infisical, "dev", "/")
+		registryUser, err := dag.Infisical().GetSecret("DOCKERHUB_USER", infisical, "dev", "/").Plaintext(ctx)
+		if err != nil {
+			return "", err
 		}
+		registryPass := dag.Infisical().GetSecret("DOCKERHUB_PASS", infisical, "dev", "/")
+
+		deployOut, err := g.Deploy(ctx, dir, flyToken, netlifyToken, registryUser, registryPass)
+		if err != nil {
+			return "", err
+		}
+		out = out + "\n" + deployOut
 	}
 
 	return out, nil
@@ -138,22 +147,18 @@ func (g *Greetings) CiRemote(
 	commit string,
 	release Optional[bool],
 	tag Optional[string],
-	flyToken Optional[*Secret],
-	netlifyToken Optional[*Secret],
-	ghToken Optional[*Secret],
-)	 (string, error) {
+	infisicalToken Optional[*Secret],
+) (string, error) {
 	dir := dag.Git(fmt.Sprintf("https://%s", REPO)).
-	Commit(commit).
-	Tree()
+		Commit(commit).
+		Tree()
 
 	return g.Ci(
 		ctx,
 		dir,
 		release,
 		tag,
-		flyToken,
-		netlifyToken,
-		ghToken,
+		infisicalToken,
 	)
 }
 func fly_deploy(ctx context.Context, imageRef string, token *Secret) (string, error) {
@@ -167,4 +172,3 @@ func netlify_deploy(ctx context.Context, dir *Directory, token *Secret) (string,
 	out, err := dag.Netlify().Deploy(ctx, dir, token, site)
 	return out, err
 }
-