|
1 | | -# setup-plural |
2 | | -github action to install and configure plural in github actions |
| 1 | +# setup-plural Github Action |
| 2 | + |
| 3 | +Github action to install and configure the plural CLI and local authentication. Can be used to use the CLI in github actions workflows, or to provide the auth information for subsequent plural-related github actions like `pluralsh/trigger-pull-request` or `pluralsh/trigger-pipeline`. |
| 4 | + |
| 5 | +## Inputs |
| 6 | + |
| 7 | +```yaml |
| 8 | +email: |
| 9 | + description: The user email to log in with via OIDC federated credential. This is the preferred and most secure method of authentication |
| 10 | + required: false |
| 11 | +consoleToken: |
| 12 | + description: 'Plural Console authentication token' |
| 13 | + required: false |
| 14 | +consoleUrl: |
| 15 | + description: 'Plural Console endpoint' |
| 16 | + required: false |
| 17 | +config: # this is going to be deprecated, and only relevant for authenticating to app.plural.sh, not an individual Plural Console instance. |
| 18 | + description: Plural CLI Config File (you should prefer using OIDC federated credentials for authentication) |
| 19 | + required: false |
| 20 | +vsn: |
| 21 | + description: the plural cli version to use |
| 22 | + required: false |
| 23 | + default: '0.12.14' |
| 24 | +plat: |
| 25 | + description: the cli platform to specify |
| 26 | + required: false |
| 27 | + default: 'amd64' |
| 28 | +``` |
| 29 | +
|
| 30 | +## Example Usage |
| 31 | +
|
| 32 | +```yaml |
| 33 | +- name: Authenticate |
| 34 | + id: plural |
| 35 | + uses: pluralsh/setup-plural@v2 |
| 36 | + with: |
| 37 | + consoleUrl: https://my.console.cloud.plural.sh |
| 38 | + email: [email protected] # the email bound to your OIDC federated credentials |
| 39 | +``` |
| 40 | +
|
| 41 | +## Federated Credentials |
| 42 | +
|
| 43 | +If you want to authenticate to a Plural Console instance from Github Actions, we strongly recommend you utilize federated credentials. These have the following benefits: |
| 44 | +
|
| 45 | +1. Don't require you to configure any secrets which contain auth tokens |
| 46 | +2. Guaranteed short-lifespan tokens |
| 47 | +3. Can configured additional scopes for what the action can actually do. If you use the `pullRequest` scope it can only trigger plural pr automations for instance. |
| 48 | + |
| 49 | +This not only makes the integration much more secure, it's also frankly easier to manage, especially at scale since you don't need to worry about burdens like secret management and rotation. |
| 50 | + |
| 51 | +Here's a basic example: |
| 52 | + |
| 53 | +```yaml |
| 54 | +apiVersion: deployments.plural.sh/v1alpha1 |
| 55 | +kind: FederatedCredential |
| 56 | +metadata: |
| 57 | + name: gh-actions |
| 58 | +spec: |
| 59 | + issuer: https://token.actions.githubusercontent.com |
| 60 | + user: [email protected] # the user you want the federated credential to bind to. |
| 61 | + scopes: |
| 62 | + - createPullRequest |
| 63 | + claimsLike: |
| 64 | + # repo:pluralsh/console:ref:refs/heads/genstage-stack-gs-reconciler |
| 65 | + sub: "repo:pluralsh/console:ref:refs/heads/main |
| 66 | +``` |
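Review bot: The `sub` value on new line 65 opens a double quote that is never closed (`sub: "repo:pluralsh/console:ref:refs/heads/main`), so the FederatedCredential example is not valid YAML as written and will fail to parse when copied; close the quote. The prose on line 47 names the scope `pullRequest` while the example on line 62 uses `createPullRequest`. Scopes are the least-privilege control this section advertises, so both places should use the same, real scope name. The commented-out subject on line 64 points at a different branch (`genstage-stack-gs-reconciler`) and reads like a leftover. Drop it or say what it illustrates, and state how `claimsLike` matches a claim (exact string or pattern), because that decides which refs can obtain a token. The usage example on lines 32-39 should also show the job-level `permissions: id-token: write` setting that GitHub requires before a workflow can request an OIDC token from the issuer on line 59. Minor: "Can configured" on line 47 should read "Can be configured".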