Revert "Revert "token-based auth for azure container registry"" (#52652)

2024-10-15 20:13:46 +00:00 · 2024-10-15 20:13:46 +00:00 · 4bc9d945a6
--- a/.github/workflows/azure-prod-build-deploy.yml
+++ b/.github/workflows/azure-prod-build-deploy.yml
@ -34,6 +34,7 @@ jobs:
      RESOURCE_GROUP_NAME: docs-prod
      APP_SERVICE_NAME: ghdocs-prod
      SLOT_NAME: canary
+      ACR_TOKEN_NAME: acrToken

    steps:
      - name: 'Az CLI login'
@ -41,16 +42,6 @@ jobs:
        with:
          creds: ${{ secrets.PROD_AZURE_CREDENTIALS }}

-      - name: 'Docker login'
-        uses: azure/docker-login@15c4aadf093404726ab2ff205b2cdd33fa6d054c
-        with:
-          login-server: ${{ secrets.PROD_REGISTRY_SERVER }}
-          username: ${{ secrets.PROD_REGISTRY_USERNAME }}
-          password: ${{ secrets.PROD_REGISTRY_PASSWORD }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db
-
      - name: Check out repo
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
@ -64,11 +55,30 @@ jobs:
          node-version-file: 'package.json'
          cache: npm

-      # Currently we only need this to run dependencies in
-      # src/workflows/check-canary-slots.js
+      # We need this to run a few scripts that were easier to write in JS/TS
      - name: Install dependencies
        run: npm install

+      # Create a temporary token for the Azure Container Registry
+      # and set it as a GitHub Actions environment variable
+      # Then clean up by deleting the temp token.
+      # Created token are viewable in the ACR resource UI
+      # under Repository permissions > Tokens
+      - name: 'Create Azure Container Registry Token'
+        env:
+          PROD_REGISTRY_SERVER: ${{ secrets.PROD_REGISTRY_SERVER }}
+        run: npm run create-acr-token
+
+      - name: 'Docker login'
+        uses: azure/docker-login@15c4aadf093404726ab2ff205b2cdd33fa6d054c
+        with:
+          login-server: ${{ secrets.PROD_REGISTRY_SERVER }}
+          username: ${{ env.ACR_TOKEN_NAME }}
+          password: ${{ env.ACR_TOKEN_VALUE }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db
+
      - name: Clone docs-early-access
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
--- a/package.json
+++ b/package.json
@ -28,6 +28,7 @@
    "content-changes-table-comment": "tsx src/workflows/content-changes-table-comment.ts",
    "copy-fixture-data": "node src/tests/scripts/copy-fixture-data.js",
    "count-translation-corruptions": "tsx src/languages/scripts/count-translation-corruptions.ts",
+    "create-acr-token": "tsx src/workflows/acr-create-token.js",
    "debug": "cross-env NODE_ENV=development ENABLED_LANGUAGES=en nodemon --inspect src/frame/server.ts",
    "delete-orphan-translation-files": "tsx src/workflows/delete-orphan-translation-files.ts",
    "deleted-features-pr-comment": "tsx src/data-directory/scripts/deleted-features-pr-comment.ts",
--- a/src/workflows/acr-create-token.ts
+++ b/src/workflows/acr-create-token.ts
@ -0,0 +1,54 @@
+#!/usr/bin/env node
+import { execSync } from 'child_process'
+import * as core from '@actions/core'
+import dotenv from 'dotenv'
+
+type IsoDateString = string
+
+// For local testing set environment variables in the .env file
+dotenv.config()
+
+const acrTokenName = process.env.ACR_TOKEN_NAME
+const acrProdRegistryServer = process.env.PROD_REGISTRY_SERVER
+const repo = process.env.GITHUB_REPOSITORY
+
+function main() {
+  // Get the current time and add 30 minutes to it
+  // Convert Date format from YYYY-MM-DDTHH:mm:ss.sssZ to
+  // YYYY-MM-DDTHH:mm:ssZ (remove .sss)
+  const expirationDate: IsoDateString =
+    new Date(Date.now() + 30 * 60 * 1000).toISOString().split('.')[0] + 'Z'
+
+  let resp
+  try {
+    const cmd = `az acr token create \
+      --name ${acrTokenName} \
+      --registry ${acrProdRegistryServer} \
+      --repository ${repo} \
+      content/write \
+      content/read \
+      --expiration ${expirationDate} \
+      --output json`
+
+    console.log('Executing az acr token create command.')
+    resp = JSON.parse(execSync(cmd, { encoding: 'utf8' }))
+  } catch (error) {
+    console.error('An error occurred while creating ACR token with the Azure CLI')
+    throw error
+  }
+
+  const acrTokenValue = resp?.credentials?.passwords[0]?.value
+  if (!acrTokenValue) {
+    throw new Error(
+      'The response from the Azure CLI was not in the expected format: \n' +
+        JSON.stringify(resp, null, 2),
+    )
+  }
+
+  // Set the ACR_TOKEN_VALUE environment variable so
+  // that it can be used in the subsequent steps
+  core.exportVariable('ACR_TOKEN_VALUE', acrTokenValue)
+  execSync(`echo $ACR_TOKEN_VALUE`)
+}
+
+main()