Inspiration

While working on containerizing docker-phasik.tv, I had the idea to try to validate the DigitalOcean App Schema YAML file as a CI/CD or local linter step. As part of the GitHub Actions workflow, I found that doctl needed to be installed and set up on the GitHub Runner. That's when I pulled in action-doctl as a quick solution.

However, I quickly realized that the API token parameter was required. I did not want to expose any such DigitalOcean API tokens in the GitHub Actions CI/CD environment. That's what started me down the rabbit hole towards making changes to this and other projects to implement this new offline mode App Spec validation feature.

Another user had posted an issue about this on GitHub: digitalocean/action-doctl#67. I decided to work on this.

What it does

action-doctl is a new GitHub Actions workflow used to install and set up DigitalOcean's doctl command line utility. It allows for using doctl inside GitHub Actions CI/CD workflows.

The upstream doctl did not provide a way to avoid passing an API token. So, I implemented a way to pass a new parameter: no_auth: true.

When passing this parameter to the patched GitHub Actions workflow here, it skips running the doctl auth init command. Instead, it simply installs doctl into the GitHub Actions Runner environment and finishes without requiring an API token.

This allows for using doctl with commands that do not require an API token.

  • doctl app spec validate-offline: I submitted this brand new command to doctl in digitalocean/doctl#1450
    • Does NOT require an API token 🎉
    • Does NOT require internet access to validate an App Schema either! 🎉
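A workflow that puts the two pieces together, added here as an example and not taken from the page or the action-doctl project. The action ref ORG/action-doctl@PATCHED-REF is a placeholder for wherever the patched action lives, and the spec path .do/app.yaml and the positional spec-file argument are assumptions (mirroring the existing doctl app spec validate command).

```yaml
# Added example: validate the App Spec in CI with no DigitalOcean API token.
# The action ref below is a placeholder for the patched action-doctl that
# accepts `no_auth: true`; the spec path is an assumed location.
name: validate-app-spec

on:
  pull_request:
    paths:
      - ".do/app.yaml"
      - ".github/workflows/validate-app-spec.yml"

# The job only reads the repository; it needs no write access and no secrets.
permissions:
  contents: read

jobs:
  validate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Install doctl only. With no_auth: true the action skips
      # `doctl auth init`, so no API token secret is handed to the runner
      # and there is nothing to leak into logs, artifacts or forks.
      - name: Install doctl (no API token)
        uses: ORG/action-doctl@PATCHED-REF   # placeholder for the patched action
        with:
          no_auth: true

      # Offline validation: no API call and no network access required.
      - name: Validate App Spec offline
        run: doctl app spec validate-offline .do/app.yaml
```

Because the job needs no secret, it also runs on pull requests from forks, where GitHub withholds repository secrets and a token-based validate step would simply fail.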

The new offline mode was used in the following dependent pull-requests:

How we built it

I first started down the rabbit hole of what it might take to implement simple App Spec validation. This led me to first build a proof-of-concept hook using the usual doctl app spec validate. I then realized that this would require passing API tokens and potentially exposing those secrets in the CI/CD environment. After that realization, I ended up making changes to this action-doctl project in order to make passing the token and running doctl auth optional.

After those parts were implemented, I realized that the underlying doctl command always required an API token to have been set up, even for the presumably offline --schema-only validate command. Once that issue was found, I worked on implementing a secondary validate-offline command inside doctl.

Putting all the pieces together produced a wonderful result! A new CI/CD workflow that could validate the DigitalOcean app.yaml file schema without an internet connection or API token required.

Challenges we ran into

This prototype hook required changes in 3 or 4 different languages (if counting GitHub actions YAML). doctl is written in Go, action-doctl is written in TypeScript/JavaScript, and the pre-commit-digitalocean hooks are written in POSIX shell.

Accomplishments that we're proud of

Everything works together nicely! This should also close a few issues across these projects once all the pull requests are merged.

What we learned

Underlying the first problem to solve are sometimes 3 or 4 other problems (and projects) that need changes for a fully working solution to be put together. Lots of moving parts means lots of testing each piece.

What's next for action-doctl

  • Code reviews from DigitalOcean
  • Merging PRs
  • Switching docker-phasik.tv back off of pre-release PoC branches to use those merged PRs once they make it to the main branches
