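---
name: Integration Tests

on:
  push:
    branches:
      - master
      - main
    paths:
      # NOTE(review): a negation-only `paths` filter has no positive pattern to
      # match against; `paths-ignore` is the documented form for "skip on
      # README-only changes" — confirm this triggers as intended.
      - "!**/README.md"
  pull_request:

# Least privilege: the OIDC token is only needed to assume the AWS role in
# the `tests` job; everything else is read-only.
permissions:
  id-token: write
  contents: read

# Cancel previous runs for PRs but not pushes to main: push runs are keyed by
# commit SHA, so every push gets its own group and is never cancelled.
concurrency:
  group: ${{ github.workflow }}-${{ github.event_name == 'pull_request' && github.head_ref || github.sha }}
  cancel-in-progress: true

jobs:
  # Builds the compiled CLIs (Go and Rust) and publishes them as artifacts
  # named after the language, consumed by the `tests` job below.
  # Supply-chain note: all third-party actions are referenced by mutable tag;
  # pinning them to a full commit SHA would make the build reproducible.
  build:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        lang: [go, rust]
    defaults:
      run:
        working-directory: ${{ matrix.lang }}
    steps:
      - uses: actions/checkout@v4
      - uses: dtolnay/rust-toolchain@stable
        if: ${{ matrix.lang == 'rust' }}
      # NOTE(review): this action ref appears garbled in this copy of the file
      # (`[email protected]`); confirm the intended Swatinem/rust-cache ref.
      - uses: Swatinem/[email protected]
        if: ${{ matrix.lang == 'rust' }}
        with:
          # The build script creates a `release` build so use separate cache
          key: "release"
      - uses: actions/setup-go@v5
        if: ${{ matrix.lang == 'go' }}
        with:
          go-version: ">=1.21.0"
          cache-dependency-path: go/go.sum
      - name: Run build script for compiled languages
        run: "./build.sh"
      - name: Upload built binaries
        uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.lang }}
          path: ${{ matrix.lang }}/vault

  # End-to-end test against a real AWS stack: every CLI / library variant
  # stores, looks up and deletes keys, and the results are cross-checked
  # between implementations.
  tests:
    needs: build
    runs-on: ubuntu-latest
    # A hung run would otherwise hold the `integration-test` concurrency group
    # (and the assumed AWS session) for the 6-hour default. The cap is a
    # constructed value; tune it to the observed run time.
    timeout-minutes: 30
    env:
      # VAULT_STACK overwrites default 'vault' for vaults
      VAULT_STACK: nitor-vault-integration-testing
    # At the moment values are stored to fixed keys, so only one run of this
    # job may touch the stack at a time (queued, not cancelled).
    concurrency: "integration-test"
    steps:
      # On `pull_request` runs from forks neither `secrets.*` nor an OIDC
      # token is available, so this step — and everything after it — fails there.
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: ${{ secrets.AWS_CI_ROLE }}
          role-session-name: GitHubVaultIntegrationTests
          aws-region: eu-west-1
      - uses: actions/checkout@v4
      - name: Download artifacts
        # Artifacts are named `go` / `rust`, so the binaries land at
        # bin/go/vault and bin/rust/vault.
        uses: actions/download-artifact@v4
        with:
          path: bin
      - uses: pnpm/action-setup@v4
        with:
          version: 9
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: "pnpm"
          cache-dependency-path: nodejs/pnpm-lock.yaml
      - uses: actions/setup-python@v5
        with:
          python-version: 3.x
          cache: pip
      - name: Install zip
        # `-y`: the runner has no tty, so an interactive apt prompt would abort.
        run: sudo apt-get install -y zip unzip
      - name: Build node vault
        run: pnpm install --frozen-lockfile && pnpm build
        working-directory: nodejs
      - name: Install Python vault
        run: python -m pip install .
        working-directory: python
      - name: Add execute rights and run --version for all versions
        run: |
          chmod +x bin/go/vault bin/rust/vault nodejs/dist/cli/vault.js
          vault --version
          bin/go/vault --version
          bin/rust/vault --version
          nodejs/dist/cli/vault.js --version
      - name: Check help output
        run: |
          echo "============================== Python Vault CLI =============================="
          vault --help
          echo "------------------------------------------------------------------------------"
          echo "================================= Go Vault CLI ==============================="
          bin/go/vault --help
          echo "------------------------------------------------------------------------------"
          echo "================================ Rust Vault CLI =============================="
          bin/rust/vault -h
          echo "------------------------------------------------------------------------------"
          echo "=============================== Node.js Vault CLI ============================"
          nodejs/dist/cli/vault.js --help
      # Each implementation stores its own key; the diffs below then check that
      # every implementation reads back the same value from every key.
      - name: Store secret with Python
        run: vault -s 'secret-python' -v 'sha-${{github.sha}}' -w
      - name: Store secret with Go
        run: bin/go/vault -s 'secret-go' -v 'sha-${{github.sha}}' -w
      - name: Store secret with Rust
        run: bin/rust/vault -s 'secret-rust' -v 'sha-${{github.sha}}' -w
      - name: Store secret with Nodejs
        run: nodejs/dist/cli/vault.js s 'secret-nodejs' 'sha-${{github.sha}}' -w
      - name: Validate storing worked Python
        run: diff <(vault -l secret-python) <(echo -n sha-${{github.sha}})
      - name: Validate Go and Rust secret equality with Python
        run: diff <(vault -l secret-go) <(vault -l secret-rust)
      - name: Validate Python secret equality with Rust and Go
        run: diff <(bin/rust/vault -l secret-python) <(bin/go/vault -l secret-python)
      - name: Validate Rust and Python secret equality with Go and Nodejs
        run: diff <(bin/go/vault -l secret-rust) <(nodejs/dist/cli/vault.js lookup secret-python)
      - name: Validate Go and Python secret equality with Rust and Go
        run: diff <(bin/rust/vault -l secret-go) <(bin/go/vault -l secret-python)
      - name: Validate Python and Nodejs secret equality with Rust
        run: diff <(bin/rust/vault -l secret-python) <(bin/rust/vault -l secret-nodejs)
      - name: Validate Rust and Go secret equality with Nodejs and Go
        run: diff <(bin/rust/vault -l secret-rust) <(nodejs/dist/cli/vault.js lookup secret-nodejs)
      - name: Delete secret with Python
        run: vault -d 'secret-python'
      - name: Delete secret with Go
        run: bin/go/vault -d 'secret-go'
      - name: Delete secret with Rust
        run: bin/rust/vault -d 'secret-rust'
      - name: Delete secret with Nodejs
        run: nodejs/dist/cli/vault.js d 'secret-nodejs'
      - name: Verify that keys have been deleted using Rust
        run: |
          bin/rust/vault exists secret-python | grep -q "key 'secret-python' does not exist"
          bin/rust/vault exists secret-go | grep -q "key 'secret-go' does not exist"
          bin/rust/vault exists secret-rust | grep -q "key 'secret-rust' does not exist"
          bin/rust/vault exists secret-nodejs | grep -q "key 'secret-nodejs' does not exist"
      - name: Create dummy text file
        # Read the ref name from the runner-provided env var instead of
        # interpolating `${{ }}` into the shell line, so a ref name can never
        # be parsed as shell syntax. Same values, no expression injection surface.
        run: echo "Vault test $GITHUB_SHA $GITHUB_REF_NAME" > test.txt
      - name: Zip the text file
        run: zip "secret-${{github.sha}}.zip" test.txt
      - name: Store zip file using Python
        run: vault --store --file "secret-${{github.sha}}.zip"
      - name: Lookup the stored zip file and write to output
        run: vault -l "secret-${{github.sha}}.zip" > output-python.zip
      - name: Extract the retrieved zip file
        run: unzip output-python.zip -d extracted-python
      - name: Verify the extracted file content
        run: diff extracted-python/test.txt test.txt
      - name: Delete zip secret with Python
        run: vault -d "secret-${{github.sha}}.zip"
      - name: Verify that key has been deleted with Rust
        run: bin/rust/vault exists secret-${{github.sha}}.zip | grep -q "does not exist"
      - name: Store zip file using Rust vault
        run: bin/rust/vault --store --file "secret-${{github.sha}}.zip"
      - name: Lookup the stored zip file and write to output
        run: bin/rust/vault -l "secret-${{github.sha}}.zip" > output-rust.zip
      - name: Extract the retrieved zip file
        run: unzip output-rust.zip -d extracted-rust
      - name: Verify the extracted file content
        run: diff extracted-rust/test.txt test.txt
      - name: Delete zip secret with Rust
        run: bin/rust/vault -d "secret-${{github.sha}}.zip"
      - name: Verify that keys have been deleted using Rust
        run: |
          bin/rust/vault exists secret-python | grep -q "key 'secret-python' does not exist"
          bin/rust/vault exists secret-python-pyo3 | grep -q "key 'secret-python-pyo3' does not exist"
          bin/rust/vault exists secret-go | grep -q "key 'secret-go' does not exist"
          bin/rust/vault exists secret-rust | grep -q "key 'secret-rust' does not exist"
          bin/rust/vault exists secret-nodejs | grep -q "key 'secret-nodejs' does not exist"
      - name: Check Python vault package
        run: python -m pip show nitor-vault
      - name: Store secret using Python library
        run: |
          python -c "from n_vault import Vault; Vault().store('secret-python-library', 'sha-${{github.sha}}')"
      - name: Verify secret using Python library
        run: |
          python -c "from n_vault import Vault; print('true') if Vault().exists('secret-python-library') else print('false')" | grep -q "true"
      - name: Validate storing worked with Rust
        run: diff <(bin/rust/vault -l secret-python-library) <(echo -n sha-${{github.sha}})
      - name: Lookup with Python library
        run: |
          diff <(python -c "from n_vault import Vault; print(Vault().lookup('secret-python-library').decode('utf-8'), end='', flush=True)") <(echo -n sha-${{github.sha}})
      - name: List with Python library
        run: python -c "from n_vault import Vault; print('\n'.join(Vault().list_all()))"
      - name: Delete with Python library
        run: python -c "from n_vault import Vault; Vault().delete('secret-python-library')"
      - name: Verify that key has been deleted with Rust
        run: bin/rust/vault exists secret-python-library | grep -q "key 'secret-python-library' does not exist"
      # From here on `vault` on PATH is the PyO3-backed package, which replaces
      # the pure-Python one installed above.
      - name: Install Python PyO3 vault
        run: python -m pip install --force-reinstall .
        working-directory: python-pyo3
      - name: Check version
        run: vault --version
      - name: Check help output
        run: |
          echo "============================ Python-pyo3 Vault CLI ==========================="
          vault -h
          echo "------------------------------------------------------------------------------"
          echo "================================ Rust Vault CLI =============================="
          bin/rust/vault -h
          echo "------------------------------------------------------------------------------"
      - name: Store secret with Python-pyo3
        run: vault -s 'secret-python-pyo3' -v 'sha-${{github.sha}}' -w
      - name: Validate storing worked Python-pyo3
        run: diff <(vault -l secret-python-pyo3) <(echo -n sha-${{github.sha}})
      - name: Store secret with Go
        run: bin/go/vault -s 'secret-go' -v 'sha-${{github.sha}}' -w
      - name: Store secret with Rust
        run: bin/rust/vault -s 'secret-rust' -v 'sha-${{github.sha}}' -w
      - name: Store secret with Nodejs
        run: nodejs/dist/cli/vault.js s 'secret-nodejs' 'sha-${{github.sha}}' -w
      - name: Validate Go and Rust secret equality with Python-pyo3
        run: diff <(vault -l secret-go) <(vault -l secret-rust)
      - name: Validate Python-pyo3 secret equality with Rust and Go
        run: diff <(bin/rust/vault -l secret-python-pyo3) <(bin/go/vault -l secret-python-pyo3)
      - name: Validate Nodejs and Python-pyo3 secret equality with Nodejs
        run: diff <(nodejs/dist/cli/vault.js l secret-nodejs) <(vault -l secret-python-pyo3)
      - name: Delete secret with Python-pyo3
        run: vault -d 'secret-python-pyo3'
      - name: Delete Rust secret with Python-pyo3
        run: vault -d 'secret-rust'
      - name: Delete Go secret with Python-pyo3
        run: vault -d 'secret-go'
      - name: Delete Nodejs secret with Python-pyo3
        run: vault -d 'secret-nodejs'
      - name: Verify that keys have been deleted using Python-pyo3
        run: |
          vault exists secret-python | grep -q "key 'secret-python' does not exist"
          vault exists secret-python-pyo3 | grep -q "key 'secret-python-pyo3' does not exist"
          vault exists secret-go | grep -q "key 'secret-go' does not exist"
          vault exists secret-rust | grep -q "key 'secret-rust' does not exist"
          vault exists secret-nodejs | grep -q "key 'secret-nodejs' does not exist"
      - name: Store zip file using Python-pyo3
        run: vault store --file "secret-${{github.sha}}.zip"
      - name: Lookup the stored zip file and write to output
        run: vault lookup "secret-${{github.sha}}.zip" > output-python-pyo3.zip
      - name: Extract the retrieved zip file
        run: unzip output-python-pyo3.zip -d extracted-python-pyo3
      - name: Verify the extracted file content
        run: diff extracted-python-pyo3/test.txt test.txt
      - name: Delete zip secret with Python-pyo3
        run: vault delete "secret-${{github.sha}}.zip"
      - name: Verify that key has been deleted with Rust
        run: bin/rust/vault exists secret-${{github.sha}}.zip | grep -q "does not exist"
      - name: Verify that key has been deleted with Python-pyo3
        run: vault exists secret-${{github.sha}}.zip | grep -q "does not exist"
      - name: Check Python vault package
        run: python -m pip show nitor-vault
      - name: Check stack status with Python library
        run: python -c "from n_vault import Vault; print(Vault().stack_status())"
      - name: Check stack status with Rust CLI
        run: bin/rust/vault stack
      - name: Delete all keys with Python library
        run: python -c "from n_vault import Vault; Vault().delete_many(Vault().list_all())"
      - name: List with Python library
        # `-x` matches the whole line: a plain `grep -q "0"` would also accept
        # counts such as 10 or 20 and let a non-empty listing pass.
        run: python -c "from n_vault import Vault; print('\n'.join(Vault().list_all()))" | grep -ve '^\s*$' | wc -l | grep -qx "0"
      - name: Store secret using Python library
        run: |
          python -c "from n_vault import Vault; Vault().store('secret-python-library', 'sha-${{github.sha}}')"
      - name: Verify secret using Python library
        run: |
          python -c "from n_vault import Vault; print('true') if Vault().exists('secret-python-library') else print('false')" | grep -q "true"
      - name: Validate storing worked with Rust
        run: diff <(bin/rust/vault -l secret-python-library) <(echo -n sha-${{github.sha}})
      - name: Lookup with Python library
        run: |
          diff <(python -c "from n_vault import Vault; print(Vault().lookup('secret-python-library').decode('utf-8'), end='', flush=True)") <(echo -n sha-${{github.sha}})
      - name: List with Python library
        # Whole-line match, so exactly one key is required (see the note above).
        run: python -c "from n_vault import Vault; print('\n'.join(Vault().list_all()))" | wc -l | grep -qx "1"
      - name: Delete with Python library
        run: python -c "from n_vault import Vault; Vault().delete('secret-python-library')"
      - name: Verify that key has been deleted with Rust
        run: bin/rust/vault exists secret-python-library | grep -q "key 'secret-python-library' does not exist"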