WIP

plietar · plietar · commit c78800b0f712 · 2025-02-14T15:39:44.000Z
diff --git a/.github/workflows/runner.yaml b/.github/workflows/runner.yaml
@@ -23,7 +23,7 @@ jobs:
 
       - uses: ./
         with:
-          # packit-url: https://packit.dide.ic.ac.uk/reside
+          packit-url: https://packit.dide.ic.ac.uk/reside
           reports: |
             - name: "incoming_data"
             - name: "explicit"
diff --git a/action.yaml b/action.yaml
@@ -1,13 +1,19 @@
 name: 'orderly'
 description: 'Action to run an orderly workflow on Packit.'
 inputs:
+  packit-url:
+    description: "URL of a packit instance to be configured as a remote location"
+    required: false
   reports:
     type: 'string'
     description: 'List of reports to run'
+    default: "[]"
 
 runs:
   using: "composite"
   steps:
     - shell: bash
       run:
-        echo ${{ inputs.reports }}
+        data=$(mktemp)
+        echo '${{ inputs.reports }}' > $data
+        Rscript --verbose '${{ github.action_path }}/run.R' '${{ inputs.packit-url }}' "$run"
diff --git a/run.R b/run.R
@@ -1,13 +1,34 @@
-PACKIT_URL <- "https://packit.dide.ic.ac.uk/reside"
-
-get_packit_audience <- function(base_url) {
-  response <- httr2::request(base_url) |>
+get_packit_audience <- function(url) {
+  response <- httr2::request(url) |>
     httr2::req_url_path_append("packit/api/auth/login/service/audience") |>
     httr2::req_perform() |>
     httr2::resp_body_json()
   response$audience
 }
 
+check_audience <- function(url) {
+  # The server will match its configured audience against the one found in the
+  # token exactly. A mismatch could occur if, for example, the user provided a
+  # non-canonical URL that routes to the same place but isn't strictly equal
+  # (eg. using `https://hostname:443` instead of just `https://hostname`).
+  #
+  # It is tempting to just use the audience provided by the server instead of
+  # PACKIT_URL and not have to worry about it ever failing to match. If we did
+  # that though, a malicious server could present an arbitrary audience and use
+  # the token we give it to login to a completely different service on behalf on
+  # this action, and we do not want to allow that.
+  #
+  # This warning provides an easy diagnostic and resolution path for the benign
+  # case of a non-canonical URL, while avoiding the aforementioned pitfall.
+  expected_audience <- get_packit_audience(url)
+  if (expected_audience != url) {
+    cli::cli_warn(
+      paste("The Packit URL is {.url {url}}, but the server is expecting",
+            "the audience to be {.url {expected_audience}}. Authentication is",
+            "likely to fail."))
+  }
+}
+
 get_oidc_token <- function(audience) {
   url <- Sys.getenv("ACTIONS_ID_TOKEN_REQUEST_URL", NA)
   token <- Sys.getenv("ACTIONS_ID_TOKEN_REQUEST_TOKEN", NA)
@@ -26,19 +47,28 @@ get_oidc_token <- function(audience) {
   response$value
 }
 
-get_packit_token <- function(base_url, token) {
-  response <- httr2::request(base_url) |>
+get_packit_token_service <- function(url, token) {
+  response <- httr2::request(url) |>
     httr2::req_url_path_append("packit/api/auth/login/service") |>
     httr2::req_body_json(list(token = token)) |>
     httr2::req_perform() |>
     httr2::resp_body_json()
   response$token
 }
 
-task_run <- function(branch, hash, name) {
-  req <- httr2::request(PACKIT_URL) |>
+get_packit_token_api <- function(url, token) {
+  response <- httr2::request(url) |>
+    httr2::req_url_path_append("packit/api/auth/login/api") |>
+    httr2::req_body_json(list(token = token)) |>
+    httr2::req_perform() |>
+    httr2::resp_body_json()
+  response$token
+}
+
+task_run <- function(url, token, branch, hash, name) {
+  req <- httr2::request(url) |>
     httr2::req_url_path_append("packit/api/runner/run") |>
-    httr2::req_auth_bearer_token(packit_token) |>
+    httr2::req_auth_bearer_token(token) |>
     httr2::req_body_json(list(name = name, branch = branch, hash = hash))
 
   task <- httr2::req_perform(req) |>
@@ -47,59 +77,62 @@ task_run <- function(branch, hash, name) {
   task$taskId
 }
 
-task_status <- function(task_id, include_logs = FALSE) {
-  req <- httr2::request(PACKIT_URL) |>
-    httr2::req_auth_bearer_token(packit_token) |>
+task_status <- function(url, token, task_id, include_logs = FALSE) {
+  req <- httr2::request(url) |>
+    httr2::req_auth_bearer_token(token) |>
     httr2::req_url_path_append("packit/api/runner/status", task_id) |>
     httr2::req_url_query(includeLogs = include_logs)
 
   httr2::req_perform(req) |>
     httr2::resp_body_json()
 }
 
-task_wait <- function(task_id) {
+task_wait <- function(url, token, task_id) {
   while (TRUE) {
-    status <- task_status(task_id)
+    status <- task_status(url, token, task_id)
     if (status$status != "RUNNING") {
       return (invisible(status))
     }
     Sys.sleep(1)
   }
 }
 
-# The server will match its configured audience against the one found in the
-# token exactly. A mismatch could occur if, for example, the user provided a
-# non-canonical URL that routes to the same place but isn't strictly equal
-# (eg. using `https://hostname:443` instead of just `https://hostname`).
-#
-# It is tempting to just use the audience provided by the server instead of
-# PACKIT_URL and not have to worry about it ever failing to match. If we did
-# that though, a malicious server could present an arbitrary audience and use
-# the token we give it to login to a completely different service on behalf on
-# this action, and we do not want to allow that.
-#
-# This warning provides an easy diagnostic and resolution path for the benign
-# case of a non-canonical URL, while avoiding the aforementioned pitfall.
-expected_audience <- get_packit_audience(PACKIT_URL)
-if (expected_audience != PACKIT_URL) {
-  cli::cli_warn(
-    paste("The Packit URL is {.url {PACKIT_URL}}, but the server is expecting",
-          "the audience to be {.url {expected_audience}}. Authentication is",
-          "likely to fail."))
+authenticate <- function(url) {
+  packit_token <- Sys.getenv("PACKIT_TOKEN", NA)
+  if (!is.na(packit_token)) {
+    return (packit_token)
+  }
+
+  github_token <- Sys.getenv("GITHUB_TOKEN", NA)
+  if (!is.na(github_token)) {
+    return(get_packit_token_api(url, github_token))
+  }
+
+  check_audience(url)
+  github_token <- get_oidc_token(url)
+  get_packit_token_service(url, github_token)
 }
 
-github_token <- get_oidc_token(PACKIT_URL)
-packit_token <- get_packit_token(PACKIT_URL, github_token)
+main <- function(args = commandArgs(trailingOnly = TRUE)) {
+  url <- args[[1]]
+  input <- args[[2]]
+
+  ref_name <- Sys.getenv("GITHUB_REF_NAME", "main")
+  sha <- Sys.getenv("GITHUB_SHA", "HEAD")
 
-ref_name <- Sys.getenv("GITHUB_REF_NAME", "main")
-sha <- Sys.getenv("GITHUB_SHA", "HEAD")
-name <- "incoming_data"
+  token <- authenticate(url)
+  data <- yaml::read_yaml(file = input)
 
-task_id <- task_run(ref_name, sha, name)
-task_wait(task_id)
-status <- task_status(task_id)
-writeLines(unlist(status$logs))
+  for (entry in data) {
+    task_id <- task_run(url, token, ref_name, sha, entry$name)
+    task_wait(url, token, task_id)
+    status <- task_status(url, token, task_id, include_logs = TRUE)
+    writeLines(unlist(status$logs))
 
-if (status$status != "COMPLETE") {
-  cli::cli_abort("Task failed")
+    if (status$status != "COMPLETE") {
+      cli::cli_abort("Task failed")
+    }
+  }
 }
+
+main()
