diff --git a/_releaser/Dockerfile b/_releaser/Dockerfile
index ec6ee2a4e6..54be23c84f 100644
--- a/_releaser/Dockerfile
+++ b/_releaser/Dockerfile
@@ -24,7 +24,6 @@ FROM base AS netlify-remove
 ARG NETLIFY_SITE_NAME
 RUN --mount=type=bind,from=releaser,source=/out/releaser,target=/usr/bin/releaser \
 --mount=type=secret,id=NETLIFY_AUTH_TOKEN \
- NETLIFY_AUTH_TOKEN=$(cat /run/secrets/NETLIFY_AUTH_TOKEN) \
 releaser netlify remove
 FROM base AS netlify-deploy
@@ -33,10 +32,7 @@ RUN --mount=type=bind,from=sitedir,target=/site \
 --mount=type=bind,from=releaser,source=/out/releaser,target=/usr/bin/releaser \
 --mount=type=secret,id=NETLIFY_AUTH_TOKEN \
 --mount=type=secret,id=NETLIFY_ACCOUNT_SLUG \
- NETLIFY_AUTH_TOKEN=$(cat /run/secrets/NETLIFY_AUTH_TOKEN) \
- NETLIFY_ACCOUNT_SLUG=$(cat /run/secrets/NETLIFY_ACCOUNT_SLUG) \
- NETLIFY_DIR=/site \
- releaser netlify deploy
+ NETLIFY_DIR=/site releaser netlify deploy
 FROM base AS aws-s3-update-config
 ARG AWS_REGION
@@ -46,8 +42,6 @@ RUN --mount=type=bind,target=. \
 --mount=type=bind,from=releaser,source=/out/releaser,target=/usr/bin/releaser \
 --mount=type=secret,id=AWS_ACCESS_KEY_ID \
 --mount=type=secret,id=AWS_SECRET_ACCESS_KEY \
- AWS_ACCESS_KEY_ID=$(cat /run/secrets/AWS_ACCESS_KEY_ID) \
- AWS_SECRET_ACCESS_KEY=$(cat /run/secrets/AWS_SECRET_ACCESS_KEY) \
 releaser aws s3-update-config
 FROM base AS aws-lambda-invoke
@@ -56,6 +50,4 @@ ARG AWS_LAMBDA_FUNCTION
 RUN --mount=type=bind,from=releaser,source=/out/releaser,target=/usr/bin/releaser \
 --mount=type=secret,id=AWS_ACCESS_KEY_ID \
 --mount=type=secret,id=AWS_SECRET_ACCESS_KEY \
- AWS_ACCESS_KEY_ID=$(cat /run/secrets/AWS_ACCESS_KEY_ID) \
- AWS_SECRET_ACCESS_KEY=$(cat /run/secrets/AWS_SECRET_ACCESS_KEY) \
 releaser aws lambda-invoke
diff --git a/_releaser/aws.go b/_releaser/aws.go
index 315c3b4086..7469b26c5b 100644
--- a/_releaser/aws.go
+++ b/_releaser/aws.go
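Review bot: The `aws-s3-update-config` and `aws-lambda-invoke` stages still mount only `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`, while the `awsCredentials()` helper added in this commit also looks up `AWS_SESSION_TOKEN`. As written, short-lived STS credentials cannot be passed in as a build secret, only a long-lived key pair. I would add `--mount=type=secret,id=AWS_SESSION_TOKEN \` to both RUN instructions; a secret mount is optional unless `required` is set, so builds that supply no session token should be unaffected. The RUN instruction of the `aws-s3-update-config` stage begins above its hunk.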
@@ -7,6 +7,7 @@ import (
 "log"
 "github.com/aws/aws-sdk-go/aws"
+ "github.com/aws/aws-sdk-go/aws/credentials"
 "github.com/aws/aws-sdk-go/aws/session"
 "github.com/aws/aws-sdk-go/service/lambda"
 "github.com/aws/aws-sdk-go/service/s3"
@@ -36,8 +37,9 @@ func (s *AwsS3UpdateConfigCmd) Run() error {
 }
 sess, err := session.NewSession(&aws.Config{
- Region: aws.String(s.Region)},
- )
+ Credentials: awsCredentials(),
+ Region: aws.String(s.Region),
+ })
 svc := s3.New(sess)
@@ -67,7 +69,8 @@ func (s *AwsLambdaInvokeCmd) Run() error {
 svc := lambda.New(session.Must(session.NewSessionWithOptions(session.Options{
 SharedConfigState: session.SharedConfigEnable,
 })), &aws.Config{
- Region: aws.String(s.Region),
+ Credentials: awsCredentials(),
+ Region: aws.String(s.Region),
 })
 _, err := svc.Invoke(&lambda.InvokeInput{
@@ -80,3 +83,17 @@ func (s *AwsLambdaInvokeCmd) Run() error {
 log.Printf("INFO: lambda function %q invoked successfully\n", s.LambdaFunction)
 return nil
 }
+
+func awsCredentials() *credentials.Credentials {
+ return credentials.NewChainCredentials(
+ []credentials.Provider{
+ &credentials.StaticProvider{
+ Value: credentials.Value{
+ AccessKeyID: getEnvOrSecret("AWS_ACCESS_KEY_ID"),
+ SecretAccessKey: getEnvOrSecret("AWS_SECRET_ACCESS_KEY"),
+ SessionToken: getEnvOrSecret("AWS_SESSION_TOKEN"),
+ },
+ },
+ },
+ )
+}
diff --git a/_releaser/main.go b/_releaser/main.go
index cd1d03d3e3..abe59d6a30 100644
--- a/_releaser/main.go
+++ b/_releaser/main.go
@@ -2,6 +2,8 @@ package main
 import (
 "log"
+ "os"
+ "path/filepath"
 "github.com/alecthomas/kong"
 )
@@ -29,3 +31,15 @@ func main() {
 }))
 ctx.FatalIfErrorf(ctx.Run())
 }
+
+// getEnvOrSecret retrieves secret's value from secret file or env
+func getEnvOrSecret(name string) string {
+ if v, ok := os.LookupEnv(name); ok {
+ return v
+ }
+ b, err := os.ReadFile(filepath.Join("/run/secrets", name))
+ if err != nil {
+ return ""
+ }
+ return string(b)
+}
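Review bot: `awsCredentials()` wraps a single `StaticProvider` in `NewChainCredentials`, so the chain has no fallback: when `getEnvOrSecret` returns empty strings the static provider fails. Because `Credentials` is now set explicitly in both `AwsS3UpdateConfigCmd.Run` and `AwsLambdaInvokeCmd.Run`, the SDK's default provider chain, including the shared config that `SharedConfigEnable` requests in the Lambda path, is presumably no longer consulted. Returning nil when no key pair is found would keep role-based or profile-based credentials working, and `NewStaticCredentials` covers the explicit case without a one-element chain. The function also has no doc comment; the rewrite below adds one. Both Run bodies extend outside their hunks.

```go
// awsCredentials returns static credentials built from the environment or
// the mounted secret files, or nil so the SDK's default chain applies.
func awsCredentials() *credentials.Credentials {
	id := getEnvOrSecret("AWS_ACCESS_KEY_ID")
	secret := getEnvOrSecret("AWS_SECRET_ACCESS_KEY")
	if id == "" || secret == "" {
		return nil
	}
	return credentials.NewStaticCredentials(id, secret, getEnvOrSecret("AWS_SESSION_TOKEN"))
}
```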
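Review bot: `getEnvOrSecret` returns the secret file's bytes unmodified, so a trailing newline in `/run/secrets/<name>` becomes part of the token or key; the removed Dockerfile lines used `$(cat …)`, which strips trailing newlines, so this is a behaviour change for secrets written with a final newline. I would end the function with `return strings.TrimRight(string(b), "\r\n")` and add `"strings"` to the imports. The helper also maps every read error to `""`, so a permission problem is indistinguishable from a missing secret; logging the error when it is not `os.IsNotExist` would make that diagnosable without printing the value. The doc comment could state the lookup order, e.g. `// getEnvOrSecret returns the value of env var name, else the contents of /run/secrets/<name>, else "".`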
diff --git a/_releaser/netlify.go b/_releaser/netlify.go
index 4fa740e71c..81de13a6e5 100644
--- a/_releaser/netlify.go
+++ b/_releaser/netlify.go
@@ -23,8 +23,7 @@ type NetlifyCmd struct {
 }
 type netlifyGlobalFlags struct {
- SiteName string `kong:"name='site-name',env='NETLIFY_SITE_NAME'"`
- AuthToken string `kong:"name='auth-token',env='NETLIFY_AUTH_TOKEN'"`
+ SiteName string `kong:"name='site-name',env='NETLIFY_SITE_NAME'"`
 }
 type NetlifyRemoveCmd struct {
@@ -33,7 +32,7 @@ type NetlifyRemoveCmd struct {
 func (s *NetlifyRemoveCmd) Run() error {
 siteName := cleanSiteName(s.SiteName)
- c := newNetlifyClient(s.AuthToken)
+ c := newNetlifyClient(getEnvOrSecret("NETLIFY_AUTH_TOKEN"))
 site, err := c.getSite(siteName)
 if err != nil {
 return fmt.Errorf("failed to get site %q: %w", siteName, err)
@@ -47,8 +46,7 @@ func (s *NetlifyRemoveCmd) Run() error {
 type NetlifyDeployCmd struct {
 netlifyGlobalFlags
- AccountSlug string `kong:"name='account-slug',env='NETLIFY_ACCOUNT_SLUG'"`
- PublishDir string `kong:"name='publish-dir',env='NETLIFY_PUBLISH_DIR'"`
+ PublishDir string `kong:"name='publish-dir',env='NETLIFY_PUBLISH_DIR'"`
 }
 func (s *NetlifyDeployCmd) Run() error {
@@ -59,11 +57,11 @@ func (s *NetlifyDeployCmd) Run() error {
 }
 siteName := cleanSiteName(s.SiteName)
- c := newNetlifyClient(s.AuthToken)
+ c := newNetlifyClient(getEnvOrSecret("NETLIFY_AUTH_TOKEN"))
 site, err := c.CreateSite(c.ctx, &netlify.SiteSetup{
 Site: netlify.Site{
- AccountSlug: s.AccountSlug,
+ AccountSlug: getEnvOrSecret("NETLIFY_ACCOUNT_SLUG"),
 Name: siteName,
 },
 }, false)
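Review bot: Both `NetlifyRemoveCmd.Run` and `NetlifyDeployCmd.Run` pass the result of `getEnvOrSecret("NETLIFY_AUTH_TOKEN")` straight to `newNetlifyClient`, and that helper returns `""` when neither the variable nor the secret file exists, so a missing token presumably surfaces only later as an API error. A guard at the top of each Run would fail early with a clear cause: `token := getEnvOrSecret("NETLIFY_AUTH_TOKEN")` followed by `if token == "" { return fmt.Errorf("NETLIFY_AUTH_TOKEN not set and no secret file found") }`. The same check may be worth applying to `NETLIFY_ACCOUNT_SLUG` in the deploy path if the API requires it. With the kong fields removed, `--help` no longer lists these inputs, so a comment on `netlifyGlobalFlags` naming the two secrets and where they are read from would help. Both Run bodies continue outside their hunks.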