Merge pull request #1398 from philips-labs/develop

release

Author: npalm

.github/workflows/release.yml

@@ -91,7 +91,7 @@ jobs:
 
     steps:
       - name: Generate provenance for release
-        uses: philips-labs/[email protected].0
+        uses: philips-labs/[email protected].2
         with:
           artifact_path: release-assets
           output_path: 'build.provenance'

README.md

@@ -24,8 +24,6 @@ This [Terraform](https://www.terraform.io/) module creates the required infrastr
 - [Providers](#providers)
 - [Modules](#modules)
 - [Resources](#resources)
-- [Modules](#modules-1)
-- [Resources](#resources-1)
 - [Inputs](#inputs)
 - [Outputs](#outputs)
 - [Contribution](#contribution)
@@ -159,7 +157,7 @@ resource "aws_iam_service_linked_role" "spot" {
 
 Next create a second terraform workspace and initiate the module, or adapt one of the [examples](./examples).
 
-Note that `github_app.key_base64` needs to be the base64-encoded `.pem` file, i.e., the output of `base64 app.private-key.pem` (not directly the content of `app.private-key.pem`).
+Note that `github_app.key_base64` needs to be a base64-encoded string of the `.pem` file i.e. the output of `base64 app.private-key.pem`. The decoded string can either be a multiline value or a single line value with new lines represented with literal `\n` characters.
 
 ```terraform
 module "github-runner" {

modules/runner-binaries-syncer/lambdas/runner-binaries-syncer/package.json

@@ -22,7 +22,7 @@
     "@typescript-eslint/eslint-plugin": "^4.33.0",
     "@typescript-eslint/parser": "^4.33.0",
     "@vercel/ncc": "^0.31.1",
-    "aws-sdk": "^2.1019.0",
+    "aws-sdk": "^2.1023.0",
     "eslint": "^7.32.0",
     "eslint-plugin-prettier": "4.0.0",
     "jest": "^27.3.1",

modules/runner-binaries-syncer/lambdas/runner-binaries-syncer/yarn.lock

@@ -1027,10 +1027,10 @@ asynckit@^0.4.0:
   resolved "https://registry.yarnpkg.com/asynckit/-/asynckit-0.4.0.tgz#c79ed97f7f34cb8f2ba1bc9790bcc366474b4b79"
   integrity sha1-x57Zf380y48robyXkLzDZkdLS3k=
 
-aws-sdk@^2.1019.0:
-  version "2.1019.0"
-  resolved "https://registry.yarnpkg.com/aws-sdk/-/aws-sdk-2.1019.0.tgz#3859bcadcabc02aa7c663ee3aca42eb1345c8251"
-  integrity sha512-mnL9CROb3JHdAIbwjy0yr7Lj76KVA8+LyDFexIq/J/YtjbqdfEsb/KdeQIGEBCdlOqUrcJmeD0GcklZ4ve6fnQ==
+aws-sdk@^2.1023.0:
+  version "2.1023.0"
+  resolved "https://registry.yarnpkg.com/aws-sdk/-/aws-sdk-2.1023.0.tgz#0de16e4e8878ccec4fcd0146322dcf94fdbe09ba"
+  integrity sha512-RAI8sUfK+00yL9i3xz5kbM3+t/0mjjnKhKyauXAlJN4seDYtIX5+BqMghpkZwvLBdi6idXIuz+FHWETHZccyuA==
   dependencies:
     buffer "4.9.2"
     events "1.1.1"

modules/runners/lambdas/runners/package.json

@@ -27,21 +27,21 @@
     "jest": "27.3.1",
     "jest-mock-extended": "^2.0.1",
     "moment-timezone": "^0.5.33",
-    "nock": "^13.1.4",
+    "nock": "^13.2.0",
     "prettier": "2.4.1",
     "ts-jest": "^27.0.7",
     "ts-node": "^10.4.0",
     "ts-node-dev": "^1.1.6"
   },
   "dependencies": {
-    "@aws-sdk/client-ssm": "^3.39.0",
+    "@aws-sdk/client-ssm": "^3.40.0",
     "@octokit/auth-app": "3.6.0",
     "@octokit/rest": "^18.12.0",
     "@octokit/types": "^6.34.0",
     "@types/aws-lambda": "^8.10.85",
     "@types/express": "^4.17.11",
     "@types/node": "^16.11.6",
-    "aws-sdk": "^2.1019.0",
+    "aws-sdk": "^2.1024.0",
     "cron-parser": "^4.1.0",
     "tslog": "^3.2.2",
     "typescript": "^4.4.4"

modules/runners/lambdas/runners/src/scale-runners/gh-auth.test.ts

@@ -71,6 +71,34 @@ describe('Test createGithubAppAuth', () => {
     process.env.ENVIRONMENT = ENVIRONMENT;
   });
 
+  test('Creates auth object with line breaks in SSH key.', async () => {
+    // Arrange
+    const authOptions = {
+      appId: parseInt(GITHUB_APP_ID),
+      privateKey: `${decryptedValue}
+${decryptedValue}`,
+      installationId,
+    };
+
+    const b64PrivateKeyWithLineBreaks = Buffer.from(decryptedValue + '\n' + decryptedValue, 'binary').toString(
+      'base64',
+    );
+    mockedGet.mockResolvedValueOnce(GITHUB_APP_ID).mockResolvedValueOnce(b64PrivateKeyWithLineBreaks);
+
+    const mockedAuth = jest.fn();
+    mockedAuth.mockResolvedValue({ token });
+    mockedCreatAppAuth.mockImplementation(() => {
+      return mockedAuth;
+    });
+
+    // Act
+    await createGithubAppAuth(installationId);
+
+    // Assert
+    expect(mockedCreatAppAuth).toBeCalledTimes(1);
+    expect(mockedCreatAppAuth).toBeCalledWith(authOptions);
+  });
+
   test('Creates auth object for public GitHub', async () => {
     // Arrange
     const authOptions = {

modules/runners/lambdas/runners/src/scale-runners/gh-auth.ts

@@ -51,7 +51,12 @@ async function createAuth(installationId: number | undefined, ghesApiUrl: string
     privateKey: Buffer.from(
       await getParameterValue(process.env.PARAMETER_GITHUB_APP_KEY_BASE64_NAME),
       'base64',
-    ).toString(),
+      // replace literal \n characters with new lines to allow the key to be stored as a
+      // single line variable. This logic should match how the GitHub Terraform provider
+      // processes private keys to retain compatibility between the projects
+    )
+      .toString()
+      .replace('/[\\n]/g', String.fromCharCode(10)),
   };
   if (installationId) authOptions = { ...authOptions, installationId };