Error when using secrets, ^,^ being added #552

Open
vaisov-gemba opened this issue Nov 12, 2024 · 6 comments
Labels
bug Something isn't working

Comments

@vaisov-gemba

TL;DR

When using multiple secrets in the secrets input for google-github-actions/deploy-cloudrun, additional ^,^ characters appear unexpectedly, preventing successful deployment.

Expected behavior

I expected the gcloud run deploy command to execute without unexpected characters and to deploy successfully, with each secret correctly assigned to its respective environment variable or volume path.

Observed behavior

The gcloud run deploy command failed to run correctly. Unexpected ^,^ characters were added in front of the first secret and between secrets, resulting in a failed deployment.

Action YAML

name: Deploy ExampleApp to Cloud Run

on:
  workflow_dispatch:
  push:
    branches:
      - development-pipeline

jobs:
  build:
    permissions:
      contents: 'read'
      id-token: 'write'

    runs-on: ubuntu-latest
    environment: ${{ github.ref == 'refs/heads/development' && 'development' || github.ref == 'refs/heads/testing' && 'testing' || github.ref == 'refs/heads/staging' && 'staging' || github.ref == 'refs/heads/main' && 'production' }}
        
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      
      - name: Authenticate to GCP
        uses: google-github-actions/auth@v2
        with:
          project_id: 'example-project-id'
          workload_identity_provider: 'projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/example-pool/providers/github'

      - name: Set up Cloud SDK
        uses: google-github-actions/setup-gcloud@v2
        with:
          project_id: 'example-project-id'

      - name: Configure Docker for Google Artifact Registry 
        run: gcloud auth configure-docker region-docker.pkg.dev

      - name: Build and Push Container
        run: |
          docker build -t "region-docker.pkg.dev/example-project-id/api-services/example-app:${{ github.run_id }}" -f Dockerfile_exampleapp .
          docker push "region-docker.pkg.dev/example-project-id/api-services/example-app:${{ github.run_id }}"

      - id: 'deploy'
        uses: 'google-github-actions/deploy-cloudrun@v2'
        with:          
          service: 'example-app'
          region: 'example-region'
          image: 'region-docker.pkg.dev/example-project-id/api-services/example-app:${{ github.run_id }}'
          secrets: |-
            EXAMPLE_SECRET_ONE=example_secret_one:latest
            EXAMPLE_SECRET_TWO=example_secret_two:latest
            EXAMPLE_SECRET_THREE=example_secret_three:latest
            EXAMPLE_SECRET_FOUR=example_secret_four:latest
            /path/to/certificates/example-cert-path=example_cert_secret:latest
            /path/to/creds/example-cred-path=example_cred_secret:latest
          flags: '--ingress=internal --min-instances=1 --max-instances=1 --service-account=example-sa@example-project-id.iam.gserviceaccount.com --vpc-connector=example-connector --vpc-egress=private-ranges-only'

      - name: 'Use output'
        run: 'curl "${{ steps.deploy.outputs.url }}"'

Log output

Run google-github-actions/deploy-cloudrun@v2
  
Successfully authenticated
Running: gcloud run deploy example-app --image example-region-docker.pkg.dev/example-project-id/api-services/example-app:1234567890 --update-secrets ^,^EXAMPLE_SECRET_ONE=dev_example_secret_one:latest EXAMPLE_SECRET_TWO=dev_example_secret_two:latest EXAMPLE_SECRET_THREE=dev_example_secret_three:latest EXAMPLE_SECRET_FOUR=dev_example_secret_four:latest /path/to/certificates/example-cert-path=dev_example_cert:latest /path/to/creds/example-cred-path=dev_example_cred:latest --update-labels ^,^managed-by=github-actions,commit-sha=abcdef1234567890 --format json --region example-region --ingress internal --min-instances 1 --max-instances 1 --service-account [email protected] --vpc-connector example-connector --vpc-egress private-ranges-only
Error: google-github-actions/deploy-cloudrun failed with: failed to execute gcloud command `gcloud run deploy example-app --image example-region-docker.pkg.dev/example-project-id/api-services/example-app:1234567890 --update-secrets ^,^EXAMPLE_SECRET_ONE=dev_example_secret_one:latest EXAMPLE_SECRET_TWO=dev_example_secret_two:latest EXAMPLE_SECRET_THREE=dev_example_secret_three:latest EXAMPLE_SECRET_FOUR=dev_example_secret_four:latest /path/to/certificates/example-cert-path=dev_example_cert:latest /path/to/creds/example-cred-path=dev_example_cred:latest --update-labels ^,^managed-by=github-actions,commit-sha=abcdef1234567890 --format json --region example-region --ingress internal --min-instances 1 --max-instances 1 --service-account [email protected] --vpc-connector example-connector --vpc-egress private-ranges-only

Additional information

Same happens also if I provide secrets in one line (space separated)

@vaisov-gemba vaisov-gemba added the bug Something isn't working label Nov 12, 2024
@sethvargo
Member

Hi there - could you please provide the debug output for the complete GitHub Actions workflow run?

The separator is working as intended, it's a gcloud feature for using a custom separator. What is the full error message? The current message is truncated, so I cannot see the full error.

@Wazbat

Wazbat commented Nov 20, 2024

I myself use | rather than |- and it seems to work fine

- id: 'deploy'
  uses: 'google-github-actions/deploy-cloudrun@v2'
  with:
    service: ${{ vars.SERVICE_NAME }}
    image: europe-docker.pkg.dev/project/repo/image@${{ needs.build.outputs.digest }}
    env_vars: |
      PROJECT_ID=${{ vars.PROJECT_ID }}
      NAMESPACE=${{ vars.NAMESPACE }}
      GCP_STORAGE_BUCKET_NAME=${{ vars.GCP_STORAGE_BUCKET_NAME }}
    secrets: |
      MONGO_URI=${{ vars.MONGO_SECRET_NAME }}
      SOME_SERVICE_API_KEY=${{ vars.SOME_SERVICE_API_KEY_SECRET_NAME }}

Those environment vars are just secretname:latest

@sethvargo
Member

| vs |- just trims whitespace (which we do anyway).

@vaisov-gemba
Author

Debug output:

##[debug]Evaluating condition for step: 'Run google-github-actions/deploy-cloudrun@v2'
##[debug]Evaluating: success()
##[debug]Evaluating success:
##[debug]=> true
##[debug]Result: true
##[debug]Starting: Run google-github-actions/deploy-cloudrun@v2
##[debug]Loading inputs
##[debug]Evaluating: format('europe-west2-docker.pkg.dev/example-project-123456/api-services-test/sample-service-test:{0}', github.run_id)
##[debug]Evaluating format:
##[debug]..Evaluating String:
##[debug]..=> 'europe-west2-docker.pkg.dev/example-project-123456/api-services-test/sample-service-test:{0}'
##[debug]..Evaluating Index:
##[debug]....Evaluating github:
##[debug]....=> Object
##[debug]....Evaluating String:
##[debug]....=> 'run_id'
##[debug]..=> '1234567890'
##[debug]=> 'europe-west2-docker.pkg.dev/example-project-123456/api-services-test/sample-service-test:1234567890'
##[debug]Result: 'europe-west2-docker.pkg.dev/example-project-123456/api-services-test/sample-service-test:1234567890'
##[debug]Loading env
Run google-github-actions/deploy-cloudrun@v2
  with:
    service: sample-service-test
    region: europe-west2
    image: europe-west2-docker.pkg.dev/example-project-123456/api-services-test/sample-service-test:1234567890
    secrets: CONNECTIONSTRINGS__DEFAULT=dev_connectionstrings_default:latest
  CLIENT=dev_alphabet_client:latest
  MASTER=dev_alphabet_master:latest
  REFMASTER=dev_alphabet_refmaster:latest
  /Container/Certificates/sample-service-tls=dev_tls_certificate:latest
  /Container/PubSubCreds=dev_pubsub_creds:latest
    flags: --ingress=internal --min-instances=1 --max-instances=1 --service-account [email protected] --vpc-connector=serverless-connector --vpc-egress=private-ranges-only
    env_vars_update_strategy: merge
    secrets_update_strategy: merge
    skip_default_labels: false
    no_traffic: false
  env:
    CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE: /path/to/credentials.json
    GOOGLE_APPLICATION_CREDENTIALS: /path/to/credentials.json
    GOOGLE_GHA_CREDS_PATH: /path/to/credentials.json
    CLOUDSDK_CORE_PROJECT: example-project-123456
    CLOUDSDK_PROJECT: example-project-123456
    GCLOUD_PROJECT: example-project-123456
    GCP_PROJECT: example-project-123456
    GOOGLE_CLOUD_PROJECT: example-project-123456
    CLOUDSDK_METRICS_ENVIRONMENT: github-actions-setup-gcloud
    CLOUDSDK_METRICS_ENVIRONMENT_VERSION: 2.1.2
  
##[debug]isExplicit: 502.0.0
##[debug]explicit? true
##[debug]checking cache: /opt/hostedtoolcache/gcloud/502.0.0/x64
##[debug]Found tool in cache gcloud 502.0.0 x64
##[debug]isExplicit: 502.0.0
##[debug]explicit? true
##[debug]checking cache: /opt/hostedtoolcache/gcloud/502.0.0/x64
##[debug]Found tool in cache gcloud 502.0.0 x64
##[debug]Running command: gcloud --quiet auth login --force --cred-file /path/to/credentials.json
Successfully authenticated
Running: gcloud run deploy sample-service-test --image europe-west2-docker.pkg.dev/example-project-123456/api-services-test/sample-service-test:1234567890 --update-secrets ^,^CONNECTIONSTRINGS__DEFAULT=dev_connectionstrings_default:latest,CLIENT=dev_alphabet_client:latest,MASTER=dev_alphabet_master:latest,REFMASTER=dev_alphabet_refmaster:latest,/Container/Certificates/sample-service-tls=dev_tls_certificate:latest,/Container/PubSubCreds=dev_pubsub_creds:latest --update-labels ^,^managed-by=github-actions,commit-sha=xxx --format json --region europe-west2 --ingress internal --min-instances 1 --max-instances 1 --service-account [email protected] --vpc-connector serverless-connector --vpc-egress private-ranges-only
##[debug]{
##[debug]  "toolCommand": "gcloud",
##[debug]  "args": [
##[debug]    "run",
##[debug]    "deploy",
##[debug]    "sample-service-test",
##[debug]    "--image",
##[debug]    "europe-west2-docker.pkg.dev/example-project-123456/api-services-test/sample-service-test:1234567890",
##[debug]    "--update-secrets",
##[debug]    "^,^CONNECTIONSTRINGS__DEFAULT=dev_connectionstrings_default:latest,CLIENT=dev_alphabet_client:latest,MASTER=dev_alphabet_master:latest,REFMASTER=dev_alphabet_refmaster:latest,/Container/Certificates/sample-service-tls=dev_tls_certificate:latest,/Container/PubSubCreds=dev_pubsub_creds:latest",
##[debug]    "--update-labels",
##[debug]    "^,^managed-by=github-actions,commit-sha=xxx",
##[debug]    "--format",
##[debug]    "json",
##[debug]    "--region",
##[debug]    "europe-west2",
##[debug]    "--ingress",
##[debug]    "internal",
##[debug]    "--min-instances",
##[debug]    "1",
##[debug]    "--max-instances",
##[debug]    "1",
##[debug]    "--service-account",
##[debug]    "[email protected]",
##[debug]    "--vpc-connector",
##[debug]    "serverless-connector",
##[debug]    "--vpc-egress",
##[debug]    "private-ranges-only"
##[debug]  ],
##[debug]  "options": {
##[debug]    "silent": true,
##[debug]    "ignoreReturnCode": true
##[debug]  }
##[debug]}
Error: google-github-actions/deploy-cloudrun failed with: failed to execute gcloud command `gcloud run deploy sample-service-test --image europe-west2-docker.pkg.dev/example-project-123456/api-services-test/sample-service-test:1234567890 --update-secrets ^,^CONNECTIONSTRINGS__DEFAULT=dev_connectionstrings_default:latest,CLIENT=dev_alphabet_client:latest,MASTER=dev_alphabet_master:latest,REFMASTER=dev_alphabet_refmaster:latest,/Container/Certificates/sample-service-tls=dev_tls_certificate:latest,/Container/PubSubCreds=dev_pubsub_creds:latest --update-labels ^,^managed-by=github-actions,commit-sha=xxx --format json --region europe-west2 --ingress internal --min-instances 1 --max-instances 1 --service-account [email protected] --vpc-conn
##[debug]Node Action run completed with exit code 1
##[debug]Finishing: Run google-github-actions/deploy-cloudrun@v2

@sethvargo
Member

I'm still not seeing the full error message - it's truncated:

screenshot-20241121203650@2x

I think GitHub Actions might truncate the line. Can you temporarily remove a few of the flags and secrets so we can see the full error message?

@bdashrad

^,^ is likely intentional, although a comma could cause you problems if your values contain commas.

https://cloud.google.com/sdk/gcloud/reference/topic/escaping
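
The `^,^` prefix discussed in this thread, as an added example (not part of the issue, and not code from gcloud or deploy-cloudrun): a simplified Python model of the alternate-delimiter syntax described in `gcloud topic escaping`, showing why a comma inside a value breaks a `^,^` list and how choosing another delimiter avoids it. The function names, the candidate delimiters and the sample values are assumptions made for illustration.

```python
# Simplified model of the "^DELIM^" list syntax from `gcloud topic escaping`.
# Added illustration; this is not gcloud's parser nor the action's code.


def parse_kv_flag(arg):
    """Split a KEY=VALUE list flag value, honouring a leading ^DELIM^ prefix."""
    delim = ","  # default list separator when no prefix is given
    if arg.startswith("^") and "^" in arg[1:]:
        # "^;^a=1;b=2" -> delimiter ";" and payload "a=1;b=2"
        delim, arg = arg[1:].split("^", 1)
        if not delim:
            raise ValueError("empty delimiter")
    result = {}
    for item in arg.split(delim):
        if not item:
            continue
        key, sep, value = item.partition("=")
        if not sep:
            # A stray fragment such as "b.example" means a value was split.
            raise ValueError(f"not KEY=VALUE: {item!r}")
        result[key] = value
    return result


def encode_kv_flag(pairs, candidates=(",", ";", "|", "@@", "#!#")):
    """Join pairs with the first candidate absent from every key and value."""
    for delim in candidates:
        if all(delim not in k and delim not in v for k, v in pairs.items()):
            body = delim.join(f"{k}={v}" for k, v in pairs.items())
            return f"^{delim}^{body}"
    raise ValueError("no safe delimiter among candidates")


# Constructed sample values, modelled on the names used in the issue.
SECRETS = {
    "CLIENT": "dev_alphabet_client:latest",
    "MASTER": "dev_alphabet_master:latest",
}
# Constructed pair whose value contains the default separator.
WITH_COMMA = {"ALLOWED_HOSTS": "a.example,b.example", "MODE": "test"}

if __name__ == "__main__":
    print(encode_kv_flag(SECRETS))
    print(encode_kv_flag(WITH_COMMA))
    print(parse_kv_flag(encode_kv_flag(WITH_COMMA)))
```
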

4 participants