action.yml

name: Pipelines Credentials
description: Fetch Pipelines Credentials
inputs:
  PIPELINES_TOKEN_PATH:
    required: true
  FALLBACK_TOKEN:
    required: true
  api_base_url:
    default: "https://api.prod.app.gruntwork.io/api/v1"
outputs:
  PIPELINES_TOKEN:
    value: ${{ steps.get_token.outputs.PIPELINES_TOKEN }}

runs:
  using: composite
  steps:
    - name: Fetch Pipelines Token
      id: get_token
      uses: actions/github-script@v7
      env:
        FALLBACK_TOKEN: ${{ inputs.FALLBACK_TOKEN }}
        PIPELINES_TOKEN_PATH: ${{ inputs.PIPELINES_TOKEN_PATH }}
        API_BASE_URL: ${{ inputs.api_base_url }}
      with:
        script: |
          try {
            const aud = "https://api.prod.app.gruntwork.io"
            const apiBaseURL = process.env.API_BASE_URL

            const idToken = await core.getIDToken(aud)

            const isRetryableError = (response) => {
              return response.status >= 500 || response.status === 429
            }

            const loginWithRetries = async (tries) => {
              const providerTokenResponse = await fetch(`${apiBaseURL}/tokens/auth/login`, {
                method: "POST",
                headers: {
                  "Authorization": `Bearer ${idToken}`
                }
              })

              if (providerTokenResponse.ok) {
                return providerTokenResponse
              } else {
                if (tries > 0 && isRetryableError(providerTokenResponse)) {
                  console.log(`Failed to get provider token: ${providerTokenResponse.status} ${providerTokenResponse.statusText}. Retrying...`)

                  // Random backoff between 0 and 3 seconds
                  await new Promise(resolve => setTimeout(resolve, Math.floor(Math.random() * 3000)))

                  return loginWithRetries(tries - 1)
                } else {
                  return providerTokenResponse
                }
              }
            }

            const providerTokenResponse = await loginWithRetries(3)

            if (providerTokenResponse.ok) {
              const providerTokenJson = await providerTokenResponse.json()
              const pipelinesTokenResponse = await fetch(`${apiBaseURL}/tokens/pat/${process.env.PIPELINES_TOKEN_PATH}`, {
                method: "GET",
                headers: {
                  "Authorization": `Bearer ${providerTokenJson.token}`
                }
              })

              if (pipelinesTokenResponse.ok) {
                const pipelinesTokenJson = await pipelinesTokenResponse.json()
                console.log("Setting PIPELINES_TOKEN to GitHubApp token")
                core.setOutput('PIPELINES_TOKEN', pipelinesTokenJson.token)

                return
              } else {
                console.log(`Failed to get pipelines token: ${pipelinesTokenResponse.status} ${pipelinesTokenResponse.statusText}`)
              }

            } else {
              console.log(`Failed to get provider token: ${providerTokenResponse.status} ${providerTokenResponse.statusText}`)
            }

          } catch (error) {
            console.log(`Failed to get pipelines token: ${error}`)
          }

          console.log("Setting PIPELINES_TOKEN to fallback token")

          if (! process.env.FALLBACK_TOKEN) {
            const errMsg = "The pipelines-credentials GitHub Action was unable to dynamically fetch credentials using the Gruntwork.io GitHub App, and no FALLBACK_TOKEN was provided. Ensure that the Gruntwork.io app is installed, or that a FALLBACK_TOKEN is provided."

            core.setFailed(errMsg)

            throw new Error(errMsg)
          }

          core.setOutput('PIPELINES_TOKEN', process.env.FALLBACK_TOKEN.trim())