digitalocean / action-doctl
GitHub Actions for DigitalOcean - doctl
Home Page: https://www.digitalocean.com/
License: MIT License
Hey DigitalOcean folks!
I use this action in both my continuous integration (PR) and continuous deployment (merged) workflows. For merge, I use it to trigger deployment of my App Platform app after running tests. For my pre-PR CI run, I use it to validate the app spec before merge.
This has been working really well for my own private use, but I've recently opened my repository for other contributors. Contributors are forking the repository and submitting PRs, which attempt to validate the app spec. But since actions from forks don't have access to secrets, the login is failing and I can't validate the spec.
I've played with the doctl CLI on my own machine and it appears spec validation `doctl apps spec validate` does not require authentication to run.
So what I'm wondering is if it'd be possible to modify this action (I'd be happy to submit a PR for it, if appropriate) to make the token optional. This would allow offline behaviors, such as app spec validation, to be run without exposing secrets to open source collaborators.
In my use case, this would look something like the following:
- name: Install doctl
  uses: digitalocean/action-doctl@v2
- name: Validate app spec
  run: doctl apps spec validate .do/app.yaml
Docker Login1s
Run digitalocean/action-doctl@master
  with:
    args: registry login
  env:
    DIGITALOCEAN_ACCESS_TOKEN: ***
/usr/bin/docker run --name e87b521e1dc3a91a0e4500a87494a4728063e9_4ca6ab --label e87b52 --workdir /github/workspace --rm -e DIGITALOCEAN_ACCESS_TOKEN -e INPUT_ARGS -e HOME -e GITHUB_REF -e GITHUB_SHA -e GITHUB_REPOSITORY -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_ACTOR -e GITHUB_WORKFLOW -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GITHUB_EVENT_NAME -e GITHUB_WORKSPACE -e GITHUB_ACTION -e GITHUB_EVENT_PATH -e RUNNER_OS -e RUNNER_TOOL_CACHE -e RUNNER_TEMP -e RUNNER_WORKSPACE -e ACTIONS_RUNTIME_URL -e ACTIONS_RUNTIME_TOKEN -e GITHUB_ACTIONS=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/betteraskbot/betteraskbot":"/github/workspace" e87b52:1e1dc3a91a0e4500a87494a4728063e9 registry login
Recently GitHub actions deprecated the usage of set-env and add-path commands due to security vulnerabilities.
You can find more about that here: https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/
So currently I can't use the Doctl GitHub action. While there is a short-term solution to allow insecure commands, since I can't do that on an action-specific basis I don't really think that's a viable route.
Here's a screen capture of the error message:
How difficult would it be to fix this for the doctl github action?
I want to apply my manifest files via actions yml.
name: deploy-manifests
on:
  push:
    branches: master
    paths:
      - 'infra/**'
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: digitalocean/action-doctl@v2
        with:
          token: ${{ secrets.DIGITAL_OCEAN_ACCESS_TOKEN }}
      - run: kubectl apply -f infra/k8s && kubectl apply -f infra/k8s-production
I can't seem to pass this error. Am I missing something? I'm logged in without issue:
Validating token... OK
>>> Successfully logged into doctl
How can I ignore some files?
Thanks
I'm hoping to get some feedback from users of this GitHub Action.
When this was first authored, GitHub Actions was still in its beta phase. There have been many important changes to both how they are created and their user experience since that time. I am proposing breaking changes to the doctl action in order to bring its experience more in line with how GitHub Actions now works.
The current doctl action is based on a Docker image that wraps the `digitalocean/doctl` Docker image with a few conveniences using an entrypoint script. Though it is not fundamentally different than using `docker://digitalocean/doctl` directly. When it was first authored DigitalOcean did not publish official Docker images for doctl while they are now available.
The current Docker-based approach has a number of drawbacks. The syntax is different than the more native approach, using:
with:
  args:
over the more straightforward:
run:
More importantly, working with doctl commands that need access to the shared filesystem and environment accessible by other Actions in the same workflow step is difficult. This can be seen in the example right in our README:
- name: Save DigitalOcean kubeconfig
  uses: digitalocean/action-doctl@master
  env:
    DIGITALOCEAN_ACCESS_TOKEN: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
  with:
    args: kubernetes cluster kubeconfig show k8s-cluster-name > $GITHUB_WORKSPACE/.kubeconfig
Rather than using doctl's `kubeconfig save` subcommand, we recommend redirecting the output of `kubeconfig show`. This is because `save` would save the kubeconfig file in the container's `~/.kube/config` rather than the shared runner.
This affects other doctl subcommands as well. Both `compute ssh` and `registry login` are difficult to use in any sane fashion under this approach. See for example #14 and #24.
I am proposing to re-write this action in JavaScript using the native GitHub Actions Toolkit. Rather than running doctl subcommands, v2 would install doctl in the shared runner's PATH allowing it to be used directly. This would provide a much improved user experience.
Using this approach, the example from our README would now look like:
- name: Install doctl
  uses: digitalocean/action-doctl@v2
  with:
    token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
- name: Save DigitalOcean kubeconfig
  run: doctl kubernetes cluster kubeconfig save testing-cluster
This can simplify subsequent commands as the kubeconfig file is now available to them at their expected location removing workarounds specific to the current approach. For example, this:
- name: Deploy to DigitalOcean Kubernetes
  run: kubectl --kubeconfig=$GITHUB_WORKSPACE/.kubeconfig apply -f $GITHUB_WORKSPACE/config/deployment.yml
becomes:
- name: Deploy to DigitalOcean Kubernetes
  run: kubectl apply -f $GITHUB_WORKSPACE/config/deployment.yml
Similarly, the workflow for pushing a container to a private DigitalOcean registry is now possible as the doctl command can write to `~/.docker/config.json`. E.g.
- name: Login to Docker
  run: doctl registry login
- name: Push image to registry
  run: docker push registry.digitalocean.com/user/example
Current users may be referencing the action by specifying `digitalocean/action-doctl@master`. In order to not break existing users, I am proposing that a `v2` branch is created and made the default for the repository. Users will need to explicitly opt in by using `digitalocean/action-doctl@v2` to pick up these changes.
A proof of concept is currently available in the `v2-experiment` branch and can be used right now on Linux, MacOS, and Windows workflows with:
- name: Install doctl
  uses: digitalocean/action-doctl@v2-experiment
See here for a diff between the current code base and the proposal: v2...v2-experiment
Using the snippet provided here: https://github.com/digitalocean/action-doctl#usage
- name: Install doctl
  uses: digitalocean/action-doctl@v2
  with:
    token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
Installation of doctl succeeds but an incorrect version is installed.
Expecting version 2.1.0 (latest)
Version 1.64.0 is installed instead.
Run digitalocean/action-doctl@v2
  with:
    token: ***
    version: latest
/usr/bin/tar xz --warning=no-unknown-keyword -C /home/runner/work/_temp/c2ae0e11-6ec8-4463-8038-7d9677ae74dd -f /home/runner/work/_temp/532dec3b-d30c-4230-bb01-fff68e70f25b
doctl version v1.64.0 installed to /opt/hostedtoolcache/doctl/1.64.0/x64
/opt/hostedtoolcache/doctl/1.64.0/x64/doctl auth init -t ***
Action file:
name: Deploy function to DO
on:
  push:
    branches:
      - master
jobs:
  deploy:
    runs-on: ubuntu
    steps:
      - name: Check out code
        uses: actions/checkout@v3
      - name: Install doctl
        uses: digitalocean/action-doctl@v2
        with:
          token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
      - name: Setup serverless
        run: doctl serverless install
      - name: Connect to serverless
        run: doctl serverless connect
      - name: Deploy function
        run: doctl serverless deploy . --remote-build
Great! But what if I want to deploy into a droplet app with docker?
I'm not quite sure if this is due to this action, or more of an issue with `doctl` itself. I have the following GitHub steps defined:
build:
  runs-on: ubuntu-latest
  steps:
    - name: Check Out Repo
      uses: actions/checkout@v2
    - name: Install DigitalOcean Controller
      uses: digitalocean/action-doctl@v2
      with:
        token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
    - name: Set up Docker Builder
      uses: docker/setup-buildx-action@v1
    - name: Authenticate with DigitalOcean Container Registry
      run: doctl registry login
    - name: Build and Push to DigitalOcean Container Registry
      uses: docker/build-push-action@v2
      with:
        context: .
        push: true
        tags: registry.digitalocean.com/$FOO/$BAR:latest
    - name: Logout from DigitalOcean Container Registry
      run: doctl registry logout
Each time this GitHub action runs, a new entry is added to the Tokens/Keys list with the name `container-registry-$FOO-$TIMESTAMP`. By now I seem to have hundreds of tokens in there. Is there a way to modify the use of this action to either not create so many tokens, or clean up the tokens once they're no longer needed?
I use this sentence:
- name: Install doctl
  uses: digitalocean/[email protected]
  with:
    token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
- name: Log in to DigitalOcean Container Registry
  run: doctl registry login --expiry-seconds 240
- name: Build and push stack
  run: TAG=stag FRONTEND_ENV=staging sh ./scripts/build-push.sh
This script logs in to DO, then builds and pushes images with docker-compose.yml. All is OK: I successfully log in with doctl and build images... But when I push to the registry, I see this error inside the workflow:
...
Successfully built 476bb87c7501
Successfully tagged registry.digitalocean.com/***/frontend:stag
The following deploy sub-keys are not supported and have been ignored: labels
The following deploy sub-keys are not supported and have been ignored: labels
The following deploy sub-keys are not supported and have been ignored: labels
The following deploy sub-keys are not supported and have been ignored: labels
The following deploy sub-keys are not supported and have been ignored: labels
Pushing backend (registry.digitalocean.com/***/backend:stag)...
The push refers to repository [registry.digitalocean.com/***/backend]
unauthorized: authentication required
Error: Process completed with exit code 1.
and I receive a new access token in the DigitalOcean admin panel that looks like: container-registry-{name}-{ts}
Hi. To be able to run this action on an `arm64` platform, we may need to change the `downloadDoctl` function to download the corresponding `doctl` version. Currently it downloads the `amd64` version on all Linux systems, even if they are `arm64`-based.
I am using this action to retrieve k8s credentials as in the example. It used to work, but since yesterday I am getting `##[error]Docker run failed with exit code 1`, without having changed anything to my action. I am not sure how I can debug this. I have tried creating a new `DIGITALOCEAN_ACCESS_TOKEN`, but still I am getting exit code 1.
I'm trying to use a dedicated context for my CI, but the fact that the action uses an env variable for the token seems incompatible with context switch 🤔
2020-04-27T19:43:22.8735609Z ##[group]Run digitalocean/action-doctl@v2
2020-04-27T19:43:22.8735783Z with:
2020-04-27T19:43:22.8736271Z token: ***
2020-04-27T19:43:22.8736401Z version: latest
2020-04-27T19:43:22.8736540Z ##[endgroup]
2020-04-27T19:43:23.6680564Z [command]/bin/tar xz --warning=no-unknown-keyword -C /home/runner/work/_temp/9b34c612-fd03-4d56-8e1d-a3b434918500 -f /home/runner/work/_temp/d648c3a2-bc1d-4358-8c34-7b3f9016a740
2020-04-27T19:43:23.8930213Z >>> doctl version v1.42.0 installed to /opt/hostedtoolcache/doctl/1.42.0/x64
2020-04-27T19:43:23.8935719Z [command]/opt/hostedtoolcache/doctl/1.42.0/x64/doctl auth init -t ***
2020-04-27T19:43:23.9013680Z Using token [***]
2020-04-27T19:43:23.9013850Z
2020-04-27T19:43:24.1624971Z Validating token... OK
2020-04-27T19:43:24.1625536Z
2020-04-27T19:43:24.5845339Z >>> Successfully logged into doctl
2020-04-27T19:43:24.5925324Z ##[group]Run doctl auth switch --context=openvpn-gh
2020-04-27T19:43:24.5925584Z doctl auth switch --context=openvpn-gh
2020-04-27T19:43:24.5962447Z shell: /bin/bash -e {0}
2020-04-27T19:43:24.5962612Z ##[endgroup]
2020-04-27T19:43:24.6101226Z Now using context [openvpn-gh] by default
2020-04-27T19:43:25.0168775Z ##[group]Run doctl compute droplet create openvpn-action-$GITHUB_RUN_ID-$GITHUB_RUN_NUMBER-debian-9-x64 --size s-1vcpu-1gb --image debian-9-x64 --region lon1 --enable-ipv6 --ssh-keys be:66:76:61:a8:71:93:aa:e3:19:ba:d8:0d:d2:2d:d4
2020-04-27T19:43:25.0169188Z doctl compute droplet create openvpn-action-$GITHUB_RUN_ID-$GITHUB_RUN_NUMBER-debian-9-x64 --size s-1vcpu-1gb --image debian-9-x64 --region lon1 --enable-ipv6 --ssh-keys be:66:76:61:a8:71:93:aa:e3:19:ba:d8:0d:d2:2d:d4
2020-04-27T19:43:25.0199829Z shell: /bin/bash -e {0}
2020-04-27T19:43:25.0199965Z ##[endgroup]
2020-04-27T19:43:25.0362570Z Error: Unable to initialize DigitalOcean API client: access token is required. (hint: run 'doctl auth init')
Hi DO!
I have the following GitHub Actions Job:
steps:
  - name: Save DigitalOcean kubeconfig
    uses: digitalocean/action-doctl@v2
    with:
      token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
  - name: Deploy to DigitalOcean Kubernetes
    run: |
      doctl kubernetes cluster kubeconfig save cluster-name
      cat ./k8s.yaml | gomplate | kubectl apply -f -
    env:
      TAG: ${{ github.sha }}
      NAMESPACE: development
It's working great so far, my gripe with it however though is that every build I do a new personal access token gets created. And if I go into the Tokens page (https://cloud.digitalocean.com/account/api/tokens) I have an endless list of tokens that I need to remove one-by-one.
Am I missing something or is this intended?
Can not install the action-doctl@v2
Error Info:
Run digitalocean/action-doctl@v2
/bin/tar xz --warning=no-unknown-keyword -C /home/runner/work/_temp/002cd389-8411-4c9c-b235-abbe9c712409 -f /home/runner/work/_temp/831228ce-c6ed-43ca-8ff8-9671aeb570c8
>>> doctl version v1.48.1 installed to /opt/hostedtoolcache/doctl/1.48.1/x64
Error: Input required and not supplied: token
with actions step:
- name: Install doctl
  uses: digitalocean/action-doctl@v2
  with:
    token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
append:
I create a secret with DIGITALOCEAN_ACCESS_TOKEN in organizations, not the repo's secrets
Run doctl registry garbage-collection start
doctl registry garbage-collection start
shell: /usr/bin/bash -e {0}
Warning: Are you sure you want to run garbage collection -- this will put your registry in read-only mode until it finishes (y/N) ? Error: Operation aborted.
Error: Process completed with exit code 1.
Node 12 runtime is being deprecated in favor of Node 16 (source). Using v2.1.1 currently logs a warning but in the future it won't work.
Error: The `add-path` command is deprecated and will be disabled on November 16th. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/
>>> doctl version v1.51.0 installed to /home/runner/runner/_work/_tool/doctl/1.51.0/x64
Probably should update the octokit dependency
Followed this guide: https://docs.digitalocean.com/products/kubernetes/how-to/deploy-using-github-actions/
Access token with read/write always fails authentication.
The examples in the README reference the HCL syntax. This makes it hard to know what to do with the YAML syntax of GitHub actions. I tried to do the following and it didn't work:
- name: Configure Kubernetes
  uses: digitalocean/[email protected]
  with:
    entrypoint: /usr/local/bin/doctl
    args: kubernetes cluster kubeconfig show kubermemes > $HOME/.kubeconfig
Hi, I am trying to use digitalocean/action-doctl@v2.
It's giving me this error:
Error: Unable to process command '::add-path::/opt/hostedtoolcache/doctl/1.100.0/x64' successfully.
Error: The `add-path` command is disabled. Please upgrade to using Environment Files or opt into unsecure command execution by setting the `ACTIONS_ALLOW_UNSECURE_COMMANDS` environment variable to `true`. For more information see: https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/
doctl version v1.100.0 installed to /opt/hostedtoolcache/doctl/1.100.0/x64
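The post above hits the runner's rejection of the `::add-path::` stdout command, which the linked changelog replaced with Environment Files. The following added example (not code from this action or from the GitHub Actions Toolkit) scans log text for the retired commands and appends the PATH entry to the file named by `GITHUB_PATH` instead; the function names and the `::set-env` sample line are constructed for illustration.

```javascript
// Added example; function names are hypothetical, not from action-doctl.
const fs = require('fs');
const os = require('os');
const path = require('path');

// Stdout workflow commands retired in favour of Environment Files.
// Matches "::add-path::<dir>" and "::set-env name=<NAME>::<value>".
const RETIRED = /::(add-path|set-env)(?: [^:]*)?::([^'\s]*)/;

// Return every retired command found in a log or script, with its line number.
function findRetiredCommands(text) {
  const hits = [];
  text.split(/\r?\n/).forEach((line, i) => {
    const m = RETIRED.exec(line);
    if (m) hits.push({ line: i + 1, command: m[1], value: m[2] });
  });
  return hits;
}

// Environment-file replacement for ::add-path::. The runner reads the file
// named by GITHUB_PATH after the step and prepends each line to PATH for
// later steps. There is deliberately no fallback to the stdout command.
function addPath(dir, env = process.env) {
  const file = env.GITHUB_PATH;
  if (!file) {
    throw new Error('GITHUB_PATH is not set; not falling back to ::add-path::');
  }
  if (/[\r\n]/.test(dir)) {
    throw new Error('PATH entry must be a single line');
  }
  fs.appendFileSync(file, dir + os.EOL, { encoding: 'utf8' });
  // Make the directory visible to the rest of the current step as well.
  env.PATH = dir + path.delimiter + (env.PATH || '');
  return file;
}

// First two lines are taken from the log above; the third is constructed.
const SAMPLE_LOG = [
  "Error: Unable to process command '::add-path::/opt/hostedtoolcache/doctl/1.100.0/x64' successfully.",
  'doctl version v1.100.0 installed to /opt/hostedtoolcache/doctl/1.100.0/x64',
  '::set-env name=EXAMPLE::constructed',
].join('\n');

// Scan the sample, then re-issue each add-path hit through a scratch file
// standing in for the runner's GITHUB_PATH.
function demo() {
  const scratch = fs.mkdtempSync(path.join(os.tmpdir(), 'gh-path-'));
  const env = { GITHUB_PATH: path.join(scratch, 'path'), PATH: '/usr/bin' };
  const hits = findRetiredCommands(SAMPLE_LOG);
  hits.filter((h) => h.command === 'add-path').forEach((h) => addPath(h.value, env));
  const written = fs.readFileSync(env.GITHUB_PATH, 'utf8');
  fs.rmSync(scratch, { recursive: true, force: true });
  return { hits, written, path: env.PATH };
}

console.log(demo());
```

The same scan can be pointed at an action's bundled source or a workflow's shell scripts to find remaining uses before the runner rejects them.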
May be worth providing a reminder in the Usage section or a pre-requisite section directing users to set up a DigitalOcean API token and add it as a GitHub repo or organization secret prior to usage steps.
Details on doing so are certainly out of scope but a friendly reminder could save newer users some setup time.
Hello, I got this warning message when running in a GitHub Action:
Node.js 16 actions are deprecated. Please update the following actions to use Node.js 20: digitalocean/action-doctl@v2. For more information see: https://github.blog/changelog/2023-09-22-github-actions-transitioning-from-node-16-to-node-20/.
`doctl compute ssh` is throwing the following error:
$ doctl compute ssh $DROPLET_ID --ssh-command pwd
Warning: Identity file /root/.ssh/id_rsa not accessible: No such file or directory.
Host key verification failed.
I'm currently using digitalocean/[email protected]
I've tried a few workarounds like generating the key, but I can't get it going. At first I thought I was running into this issue: digitalocean/doctl#263 but I don't think they're related as snap is not involved in this action as far as I'm aware, not to mention it was fixed a while ago.