kevin/baron-sso
1
0
Fork 0
forked from baron/baron-sso
Code Pull Requests Activity

Split WORKS Drive archive variables

Browse Source
This commit is contained in:
admin-bot
2026-06-22 13:58:35 +09:00
parent 6ea5920c85
commit 12d8d0e832
8 changed files with 42 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
.gitea/workflows/image_publish.yml
View File

@@ -175,7 +175,7 @@ jobs:
WORKS_DRIVE_OAUTH_CLIENT_ID: ${{ secrets.WORKS_DRIVE_OAUTH_CLIENT_ID }} WORKS_DRIVE_OAUTH_CLIENT_ID: ${{ secrets.WORKS_DRIVE_OAUTH_CLIENT_ID }}
WORKS_DRIVE_OAUTH_CLIENT_SECRET: ${{ secrets.WORKS_OAUTH_CLIENT_SECRET }} WORKS_DRIVE_OAUTH_CLIENT_SECRET: ${{ secrets.WORKS_OAUTH_CLIENT_SECRET }}
WORKS_DRIVE_OAUTH_REFRESH_TOKEN: ${{ secrets.WORKS_DRIVE_REFRESH_TOKEN }} WORKS_DRIVE_OAUTH_REFRESH_TOKEN: ${{ secrets.WORKS_DRIVE_REFRESH_TOKEN }}
WORKS_ADMIN_OAUTH_TOKEN_URL: ${{ vars.WORKS_ADMIN_OAUTH_TOKEN_URL }} WORKS_DRIVE_OAUTH_TOKEN_URL: ${{ vars.WORKS_DRIVE_OAUTH_TOKEN_URL }}
run: | run: |
set -euo pipefail set -euo pipefail
@@ -189,7 +189,7 @@ jobs:
elif [ -n "${WORKS_DRIVE_ACCESS_TOKEN_CMD:-}" ]; then elif [ -n "${WORKS_DRIVE_ACCESS_TOKEN_CMD:-}" ]; then
access_token="$(sh -c "${WORKS_DRIVE_ACCESS_TOKEN_CMD}")" access_token="$(sh -c "${WORKS_DRIVE_ACCESS_TOKEN_CMD}")"
else else
token_url="${WORKS_ADMIN_OAUTH_TOKEN_URL:-https://auth.worksmobile.com/oauth2/v2.0/token}" token_url="${WORKS_DRIVE_OAUTH_TOKEN_URL:-https://auth.worksmobile.com/oauth2/v2.0/token}"
response="$(curl -sS -w $'\n%{http_code}' -X POST \ response="$(curl -sS -w $'\n%{http_code}' -X POST \
-H "Content-Type: application/x-www-form-urlencoded" \ -H "Content-Type: application/x-www-form-urlencoded" \
--data-urlencode "grant_type=refresh_token" \ --data-urlencode "grant_type=refresh_token" \
@@ -230,7 +230,7 @@ jobs:
WORKS_DRIVE_TARGET: sharedrive WORKS_DRIVE_TARGET: sharedrive
WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID: ${{ vars.WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID }} WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID: ${{ vars.WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID }}
WORKS_DRIVE_DOCKER_IMAGE_PARENT_FILE_ID: ${{ vars.WORKS_DRIVE_DOCKER_IMAGE_PARENT_FILE_ID }} WORKS_DRIVE_DOCKER_IMAGE_PARENT_FILE_ID: ${{ vars.WORKS_DRIVE_DOCKER_IMAGE_PARENT_FILE_ID }}
WORKS_ADMIN_API_BASE_URL: ${{ vars.WORKS_ADMIN_API_BASE_URL }} WORKS_DRIVE_API_BASE_URL: ${{ vars.WORKS_DRIVE_API_BASE_URL }}
run: | run: |
set -euo pipefail set -euo pipefail

4
.gitea/workflows/production_image_deploy.yml
View File

@@ -109,8 +109,8 @@ jobs:
WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID: ${{ vars.WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID }} WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID: ${{ vars.WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID }}
WORKS_DRIVE_DOCKER_IMAGE_PARENT_FILE_ID: ${{ vars.WORKS_DRIVE_DOCKER_IMAGE_PARENT_FILE_ID }} WORKS_DRIVE_DOCKER_IMAGE_PARENT_FILE_ID: ${{ vars.WORKS_DRIVE_DOCKER_IMAGE_PARENT_FILE_ID }}
WORKS_DRIVE_DOCKER_IMAGE_DIR: ${{ vars.WORKS_DRIVE_DOCKER_IMAGE_DIR || 'baron-sso' }} WORKS_DRIVE_DOCKER_IMAGE_DIR: ${{ vars.WORKS_DRIVE_DOCKER_IMAGE_DIR || 'baron-sso' }}
WORKS_ADMIN_API_BASE_URL: ${{ vars.WORKS_ADMIN_API_BASE_URL }} WORKS_DRIVE_API_BASE_URL: ${{ vars.WORKS_DRIVE_API_BASE_URL }}
WORKS_ADMIN_OAUTH_TOKEN_URL: ${{ vars.WORKS_ADMIN_OAUTH_TOKEN_URL }} WORKS_DRIVE_OAUTH_TOKEN_URL: ${{ vars.WORKS_DRIVE_OAUTH_TOKEN_URL }}
WORKS_DRIVE_ACCESS_TOKEN_INPUT: ${{ secrets.WORKS_DRIVE_ACCESS_TOKEN }} WORKS_DRIVE_ACCESS_TOKEN_INPUT: ${{ secrets.WORKS_DRIVE_ACCESS_TOKEN }}
WORKS_DRIVE_ACCESS_TOKEN_FILE: ${{ vars.WORKS_DRIVE_ACCESS_TOKEN_FILE }} WORKS_DRIVE_ACCESS_TOKEN_FILE: ${{ vars.WORKS_DRIVE_ACCESS_TOKEN_FILE }}
WORKS_DRIVE_ACCESS_TOKEN_CMD: ${{ vars.WORKS_DRIVE_ACCESS_TOKEN_CMD }} WORKS_DRIVE_ACCESS_TOKEN_CMD: ${{ vars.WORKS_DRIVE_ACCESS_TOKEN_CMD }}

4
.gitea/workflows/staging_image_deploy.yml
View File

@@ -107,8 +107,8 @@ jobs:
WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID: ${{ vars.WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID }} WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID: ${{ vars.WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID }}
WORKS_DRIVE_DOCKER_IMAGE_PARENT_FILE_ID: ${{ vars.WORKS_DRIVE_DOCKER_IMAGE_PARENT_FILE_ID }} WORKS_DRIVE_DOCKER_IMAGE_PARENT_FILE_ID: ${{ vars.WORKS_DRIVE_DOCKER_IMAGE_PARENT_FILE_ID }}
WORKS_DRIVE_DOCKER_IMAGE_DIR: ${{ vars.WORKS_DRIVE_DOCKER_IMAGE_DIR || 'baron-sso' }} WORKS_DRIVE_DOCKER_IMAGE_DIR: ${{ vars.WORKS_DRIVE_DOCKER_IMAGE_DIR || 'baron-sso' }}
WORKS_ADMIN_API_BASE_URL: ${{ vars.WORKS_ADMIN_API_BASE_URL }} WORKS_DRIVE_API_BASE_URL: ${{ vars.WORKS_DRIVE_API_BASE_URL }}
WORKS_ADMIN_OAUTH_TOKEN_URL: ${{ vars.WORKS_ADMIN_OAUTH_TOKEN_URL }} WORKS_DRIVE_OAUTH_TOKEN_URL: ${{ vars.WORKS_DRIVE_OAUTH_TOKEN_URL }}
WORKS_DRIVE_ACCESS_TOKEN_INPUT: ${{ secrets.WORKS_DRIVE_ACCESS_TOKEN }} WORKS_DRIVE_ACCESS_TOKEN_INPUT: ${{ secrets.WORKS_DRIVE_ACCESS_TOKEN }}
WORKS_DRIVE_ACCESS_TOKEN_FILE: ${{ vars.WORKS_DRIVE_ACCESS_TOKEN_FILE }} WORKS_DRIVE_ACCESS_TOKEN_FILE: ${{ vars.WORKS_DRIVE_ACCESS_TOKEN_FILE }}
WORKS_DRIVE_ACCESS_TOKEN_CMD: ${{ vars.WORKS_DRIVE_ACCESS_TOKEN_CMD }} WORKS_DRIVE_ACCESS_TOKEN_CMD: ${{ vars.WORKS_DRIVE_ACCESS_TOKEN_CMD }}

13
docs/works-drive-docker-image-archive.md
View File

@@ -21,6 +21,8 @@ Gitea Actions의 shared image publish workflow는 `baron_sso/<service>:<image_ta
- 선택 variable `WORKS_DRIVE_DOCKER_IMAGE_DIR=baron-sso` - 선택 variable `WORKS_DRIVE_DOCKER_IMAGE_DIR=baron-sso`
- variable `WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID` - variable `WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID`
- 선택 variable `WORKS_DRIVE_DOCKER_IMAGE_PARENT_FILE_ID` - 선택 variable `WORKS_DRIVE_DOCKER_IMAGE_PARENT_FILE_ID`
- 선택 variable `WORKS_DRIVE_API_BASE_URL`
- 선택 variable `WORKS_DRIVE_OAUTH_TOKEN_URL`
- secret `WORKS_DRIVE_ACCESS_TOKEN`, 또는 variable `WORKS_DRIVE_ACCESS_TOKEN_FILE`, 또는 variable `WORKS_DRIVE_ACCESS_TOKEN_CMD`, 또는 refresh-token 방식의 secret `WORKS_DRIVE_REFRESH_TOKEN` - secret `WORKS_DRIVE_ACCESS_TOKEN`, 또는 variable `WORKS_DRIVE_ACCESS_TOKEN_FILE`, 또는 variable `WORKS_DRIVE_ACCESS_TOKEN_CMD`, 또는 refresh-token 방식의 secret `WORKS_DRIVE_REFRESH_TOKEN`
- refresh-token 방식을 쓸 경우 secret `WORKS_DRIVE_OAUTH_CLIENT_ID`, secret `WORKS_OAUTH_CLIENT_SECRET` - refresh-token 방식을 쓸 경우 secret `WORKS_DRIVE_OAUTH_CLIENT_ID`, secret `WORKS_OAUTH_CLIENT_SECRET`
@@ -44,6 +46,15 @@ Refresh Token Rotation이 켜져 있으면 WORKS가 refresh 응답에 새 Refres
- Rotation을 켠 경우 publish run에서 rotated refresh token 경고가 나오면 `WORKS_DRIVE_REFRESH_TOKEN` secret을 수동 갱신한다. - Rotation을 켠 경우 publish run에서 rotated refresh token 경고가 나오면 `WORKS_DRIVE_REFRESH_TOKEN` secret을 수동 갱신한다.
- secret 자동 갱신이 필요하면 Gitea secret write 전용 token을 별도 설계로 추가한다. - secret 자동 갱신이 필요하면 Gitea secret write 전용 token을 별도 설계로 추가한다.
## 변수 분리 원칙
WORKS Drive archive 접근용 변수와 서비스 런타임용 WORKS Admin 변수는 분리한다.
- archive 업로드/다운로드: `WORKS_DRIVE_API_BASE_URL`, `WORKS_DRIVE_OAUTH_TOKEN_URL`
- backend 런타임 설정: `STG_WORKS_ADMIN_API_BASE_URL`, `STG_WORKS_ADMIN_OAUTH_TOKEN_URL`, `PROD_WORKS_ADMIN_API_BASE_URL`, `PROD_WORKS_ADMIN_OAUTH_TOKEN_URL`
archive script는 호환성을 위해 기존 `WORKS_ADMIN_API_BASE_URL`, `WORKS_ADMIN_OAUTH_TOKEN_URL`도 fallback으로 읽지만, Gitea image publish/deploy workflow에서는 `WORKS_DRIVE_*` 변수를 사용한다.
## 저장 구조 ## 저장 구조
기본 최상위 디렉터리는 다음 환경 변수로 지정한다. 기본 최상위 디렉터리는 다음 환경 변수로 지정한다.
@@ -117,6 +128,8 @@ scripts/docker-image/upload_works_drive.sh
- `WORKS_DRIVE_TARGET=sharedrive` - `WORKS_DRIVE_TARGET=sharedrive`
- `WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID` - `WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID`
- 선택: `WORKS_DRIVE_DOCKER_IMAGE_PARENT_FILE_ID` - 선택: `WORKS_DRIVE_DOCKER_IMAGE_PARENT_FILE_ID`
- 선택: `WORKS_DRIVE_API_BASE_URL`
- 선택: `WORKS_DRIVE_OAUTH_TOKEN_URL`
- `WORKS_DRIVE_ACCESS_TOKEN`, `WORKS_DRIVE_ACCESS_TOKEN_FILE`, `WORKS_DRIVE_ACCESS_TOKEN_CMD`, `WORKS_DRIVE_OAUTH_REFRESH_TOKEN`, 또는 서비스 계정 OAuth 변수 - `WORKS_DRIVE_ACCESS_TOKEN`, `WORKS_DRIVE_ACCESS_TOKEN_FILE`, `WORKS_DRIVE_ACCESS_TOKEN_CMD`, `WORKS_DRIVE_OAUTH_REFRESH_TOKEN`, 또는 서비스 계정 OAuth 변수
업로드 전 packaging만 확인하려면 다음을 사용한다. 업로드 전 packaging만 확인하려면 다음을 사용한다.

4
scripts/deploy/upload_and_run_image_deploy.sh
View File

@@ -28,7 +28,7 @@ refresh_works_drive_access_token() {
[[ -n "${WORKS_DRIVE_OAUTH_CLIENT_SECRET:-}" ]] || die "WORKS_DRIVE_OAUTH_CLIENT_SECRET is required when using WORKS_DRIVE_OAUTH_REFRESH_TOKEN." [[ -n "${WORKS_DRIVE_OAUTH_CLIENT_SECRET:-}" ]] || die "WORKS_DRIVE_OAUTH_CLIENT_SECRET is required when using WORKS_DRIVE_OAUTH_REFRESH_TOKEN."
[[ -n "${WORKS_DRIVE_OAUTH_REFRESH_TOKEN:-}" ]] || die "WORKS_DRIVE_OAUTH_REFRESH_TOKEN is required for refresh-token mode." [[ -n "${WORKS_DRIVE_OAUTH_REFRESH_TOKEN:-}" ]] || die "WORKS_DRIVE_OAUTH_REFRESH_TOKEN is required for refresh-token mode."
local token_url="${WORKS_ADMIN_OAUTH_TOKEN_URL:-${WORKS_DRIVE_OAUTH_TOKEN_URL:-https://auth.worksmobile.com/oauth2/v2.0/token}}" local token_url="${WORKS_DRIVE_OAUTH_TOKEN_URL:-${WORKS_ADMIN_OAUTH_TOKEN_URL:-https://auth.worksmobile.com/oauth2/v2.0/token}}"
local response local response
local access_token local access_token
local rotated_refresh_token local rotated_refresh_token
@@ -96,7 +96,7 @@ printf '%s\n' "$works_drive_access_token" | ssh "${DEPLOY_USER}@${DEPLOY_HOST}"
export WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID='${WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID}'; \ export WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID='${WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID}'; \
export WORKS_DRIVE_DOCKER_IMAGE_PARENT_FILE_ID='${WORKS_DRIVE_DOCKER_IMAGE_PARENT_FILE_ID:-}'; \ export WORKS_DRIVE_DOCKER_IMAGE_PARENT_FILE_ID='${WORKS_DRIVE_DOCKER_IMAGE_PARENT_FILE_ID:-}'; \
export WORKS_DRIVE_DOCKER_IMAGE_DIR='${WORKS_DRIVE_DOCKER_IMAGE_DIR:-baron-sso}'; \ export WORKS_DRIVE_DOCKER_IMAGE_DIR='${WORKS_DRIVE_DOCKER_IMAGE_DIR:-baron-sso}'; \
export WORKS_ADMIN_API_BASE_URL='${WORKS_ADMIN_API_BASE_URL:-https://www.worksapis.com}'; \ export WORKS_DRIVE_API_BASE_URL='${WORKS_DRIVE_API_BASE_URL:-${WORKS_ADMIN_API_BASE_URL:-https://www.worksapis.com}}'; \
echo '==> Validating image deploy compose config'; \ echo '==> Validating image deploy compose config'; \
docker compose --env-file .env -f docker-compose.yml config >/dev/null; \ docker compose --env-file .env -f docker-compose.yml config >/dev/null; \
echo '==> Downloading and loading WORKS Drive application images'; \ echo '==> Downloading and loading WORKS Drive application images'; \

2
scripts/docker-image/download_works_drive.sh
View File

@@ -136,7 +136,7 @@ load_image_archive() {
image_tag="${IMAGE_TAG:-$(dotenv_value IMAGE_TAG)}" image_tag="${IMAGE_TAG:-$(dotenv_value IMAGE_TAG)}"
drive_id="${WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID:-${WORKS_DRIVE_SHARED_DRIVE_ID:-}}" drive_id="${WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID:-${WORKS_DRIVE_SHARED_DRIVE_ID:-}}"
access_token="${WORKS_DRIVE_ACCESS_TOKEN:-}" access_token="${WORKS_DRIVE_ACCESS_TOKEN:-}"
api_base_url="${WORKS_ADMIN_API_BASE_URL:-https://www.worksapis.com}" api_base_url="${WORKS_DRIVE_API_BASE_URL:-${WORKS_ADMIN_API_BASE_URL:-https://www.worksapis.com}}"
curl_bin="${WORKS_DRIVE_CURL_BIN:-curl}" curl_bin="${WORKS_DRIVE_CURL_BIN:-curl}"
image_root_dir="${WORKS_DRIVE_DOCKER_IMAGE_DIR:-${WORKS_SHAREDRIVE_DOCKER_IMAGE_DIR:-baron-sso}}" image_root_dir="${WORKS_DRIVE_DOCKER_IMAGE_DIR:-${WORKS_SHAREDRIVE_DOCKER_IMAGE_DIR:-baron-sso}}"
download_root="${WORKS_DOCKER_IMAGE_DOWNLOAD_DIR:-/tmp/baron-sso-docker-image-download}" download_root="${WORKS_DOCKER_IMAGE_DOWNLOAD_DIR:-/tmp/baron-sso-docker-image-download}"

8
scripts/docker-image/upload_works_drive.sh
View File

@@ -23,6 +23,8 @@ if [[ -f "$repo_root/.env" ]]; then
WORKS_DRIVE_ACCESS_TOKEN_FILE WORKS_DRIVE_ACCESS_TOKEN_FILE
WORKS_DRIVE_ACCESS_TOKEN_CMD WORKS_DRIVE_ACCESS_TOKEN_CMD
WORKS_DRIVE_OAUTH_SCOPE WORKS_DRIVE_OAUTH_SCOPE
WORKS_DRIVE_API_BASE_URL
WORKS_DRIVE_OAUTH_TOKEN_URL
WORKS_DRIVE_OVERWRITE WORKS_DRIVE_OVERWRITE
WORKS_DRIVE_DRY_RUN WORKS_DRIVE_DRY_RUN
WORKS_DRIVE_CURL_BIN WORKS_DRIVE_CURL_BIN
@@ -72,7 +74,7 @@ folder_cache_file="${WORKS_DOCKER_IMAGE_FOLDER_CACHE_FILE:-${archive_root}/.work
image_root_dir="${WORKS_DRIVE_DOCKER_IMAGE_DIR:-${WORKS_SHAREDRIVE_DOCKER_IMAGE_DIR:-baron-sso}}" image_root_dir="${WORKS_DRIVE_DOCKER_IMAGE_DIR:-${WORKS_SHAREDRIVE_DOCKER_IMAGE_DIR:-baron-sso}}"
dry_run="${WORKS_DRIVE_DRY_RUN:-false}" dry_run="${WORKS_DRIVE_DRY_RUN:-false}"
target="${WORKS_DRIVE_TARGET:-sharedrive}" target="${WORKS_DRIVE_TARGET:-sharedrive}"
api_base_url="${WORKS_ADMIN_API_BASE_URL:-https://www.worksapis.com}" api_base_url="${WORKS_DRIVE_API_BASE_URL:-${WORKS_ADMIN_API_BASE_URL:-https://www.worksapis.com}}"
curl_bin="${WORKS_DRIVE_CURL_BIN:-curl}" curl_bin="${WORKS_DRIVE_CURL_BIN:-curl}"
overwrite="${WORKS_DRIVE_OVERWRITE:-true}" overwrite="${WORKS_DRIVE_OVERWRITE:-true}"
upload_scope="${WORKS_DRIVE_OAUTH_SCOPE:-file}" upload_scope="${WORKS_DRIVE_OAUTH_SCOPE:-file}"
@@ -266,7 +268,7 @@ build_jwt_assertion() {
request_service_account_token() { request_service_account_token() {
local client_id="${WORKS_DRIVE_OAUTH_CLIENT_ID:-}" local client_id="${WORKS_DRIVE_OAUTH_CLIENT_ID:-}"
local client_secret="${WORKS_DRIVE_OAUTH_CLIENT_SECRET:-}" local client_secret="${WORKS_DRIVE_OAUTH_CLIENT_SECRET:-}"
local token_url="${WORKS_ADMIN_OAUTH_TOKEN_URL:-https://auth.worksmobile.com/oauth2/v2.0/token}" local token_url="${WORKS_DRIVE_OAUTH_TOKEN_URL:-${WORKS_ADMIN_OAUTH_TOKEN_URL:-https://auth.worksmobile.com/oauth2/v2.0/token}}"
local assertion local assertion
local response local response
local response_body local response_body
@@ -296,7 +298,7 @@ request_refresh_access_token() {
local client_id="${WORKS_DRIVE_OAUTH_CLIENT_ID:-}" local client_id="${WORKS_DRIVE_OAUTH_CLIENT_ID:-}"
local client_secret="${WORKS_DRIVE_OAUTH_CLIENT_SECRET:-}" local client_secret="${WORKS_DRIVE_OAUTH_CLIENT_SECRET:-}"
local refresh_token="${WORKS_DRIVE_OAUTH_REFRESH_TOKEN:-}" local refresh_token="${WORKS_DRIVE_OAUTH_REFRESH_TOKEN:-}"
local token_url="${WORKS_ADMIN_OAUTH_TOKEN_URL:-https://auth.worksmobile.com/oauth2/v2.0/token}" local token_url="${WORKS_DRIVE_OAUTH_TOKEN_URL:-${WORKS_ADMIN_OAUTH_TOKEN_URL:-https://auth.worksmobile.com/oauth2/v2.0/token}}"
local response local response
local response_body local response_body
local http_status local http_status

20
test/production_image_workflows_policy_test.sh
View File

@@ -68,8 +68,12 @@ grep -Fq "WORKS_DRIVE_OAUTH_CLIENT_SECRET: \${{ secrets.WORKS_OAUTH_CLIENT_SECRE
|| fail "publish workflow must use the Gitea-compatible WORKS OAuth client secret name." || fail "publish workflow must use the Gitea-compatible WORKS OAuth client secret name."
grep -Fq "WORKS_DRIVE_OAUTH_REFRESH_TOKEN: \${{ secrets.WORKS_DRIVE_REFRESH_TOKEN }}" "$publish_workflow" \ grep -Fq "WORKS_DRIVE_OAUTH_REFRESH_TOKEN: \${{ secrets.WORKS_DRIVE_REFRESH_TOKEN }}" "$publish_workflow" \
|| fail "publish workflow must support WORKS Drive refresh-token auth." || fail "publish workflow must support WORKS Drive refresh-token auth."
grep -Fq "WORKS_DRIVE_OAUTH_TOKEN_URL: \${{ vars.WORKS_DRIVE_OAUTH_TOKEN_URL }}" "$publish_workflow" \
|| fail "publish workflow must use the WORKS Drive OAuth token URL variable for archive access."
grep -Fq "WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID: \${{ vars.WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID }}" "$publish_workflow" \ grep -Fq "WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID: \${{ vars.WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID }}" "$publish_workflow" \
|| fail "publish workflow must use the Docker-image-specific WORKS Drive ID variable." || fail "publish workflow must use the Docker-image-specific WORKS Drive ID variable."
grep -Fq "WORKS_DRIVE_API_BASE_URL: \${{ vars.WORKS_DRIVE_API_BASE_URL }}" "$publish_workflow" \
|| fail "publish workflow must use the WORKS Drive API base URL variable for archive access."
grep -Fq 'WORKS_DRIVE_SHARED_DRIVE_ID="${WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID}"' "$publish_workflow" \ grep -Fq 'WORKS_DRIVE_SHARED_DRIVE_ID="${WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID}"' "$publish_workflow" \
|| fail "publish workflow must map WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID into the shared upload script." || fail "publish workflow must map WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID into the shared upload script."
grep -Fq "Resolve WORKS Drive access token" "$publish_workflow" \ grep -Fq "Resolve WORKS Drive access token" "$publish_workflow" \
@@ -104,8 +108,10 @@ grep -Fq "scripts/deploy/upload_and_run_image_deploy.sh" "$staging_deploy_workfl
|| fail "staging deploy workflow must use the shared remote deploy script." || fail "staging deploy workflow must use the shared remote deploy script."
grep -Fq "WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID: \${{ vars.WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID }}" "$staging_deploy_workflow" \ grep -Fq "WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID: \${{ vars.WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID }}" "$staging_deploy_workflow" \
|| fail "staging deploy workflow must pass the Docker-image-specific WORKS Drive ID variable." || fail "staging deploy workflow must pass the Docker-image-specific WORKS Drive ID variable."
grep -Fq "WORKS_ADMIN_OAUTH_TOKEN_URL: \${{ vars.WORKS_ADMIN_OAUTH_TOKEN_URL }}" "$staging_deploy_workflow" \ grep -Fq "WORKS_DRIVE_API_BASE_URL: \${{ vars.WORKS_DRIVE_API_BASE_URL }}" "$staging_deploy_workflow" \
|| fail "staging deploy workflow must pass the WORKS OAuth token URL into the remote image deploy step." || fail "staging deploy workflow must pass the WORKS Drive API base URL into the remote image deploy step."
grep -Fq "WORKS_DRIVE_OAUTH_TOKEN_URL: \${{ vars.WORKS_DRIVE_OAUTH_TOKEN_URL }}" "$staging_deploy_workflow" \
|| fail "staging deploy workflow must pass the WORKS Drive OAuth token URL into the remote image deploy step."
grep -Fq "name: Deploy Baron SSO Production Images" "$deploy_workflow" \ grep -Fq "name: Deploy Baron SSO Production Images" "$deploy_workflow" \
|| fail "deploy workflow must have the expected name." || fail "deploy workflow must have the expected name."
@@ -127,8 +133,10 @@ grep -Fq "scripts/deploy/upload_and_run_image_deploy.sh" "$deploy_workflow" \
|| fail "production deploy workflow must use the shared remote deploy script." || fail "production deploy workflow must use the shared remote deploy script."
grep -Fq "WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID: \${{ vars.WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID }}" "$deploy_workflow" \ grep -Fq "WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID: \${{ vars.WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID }}" "$deploy_workflow" \
|| fail "production deploy workflow must pass the Docker-image-specific WORKS Drive ID variable." || fail "production deploy workflow must pass the Docker-image-specific WORKS Drive ID variable."
grep -Fq "WORKS_ADMIN_OAUTH_TOKEN_URL: \${{ vars.WORKS_ADMIN_OAUTH_TOKEN_URL }}" "$deploy_workflow" \ grep -Fq "WORKS_DRIVE_API_BASE_URL: \${{ vars.WORKS_DRIVE_API_BASE_URL }}" "$deploy_workflow" \
|| fail "production deploy workflow must pass the WORKS OAuth token URL into the remote image deploy step." || fail "production deploy workflow must pass the WORKS Drive API base URL into the remote image deploy step."
grep -Fq "WORKS_DRIVE_OAUTH_TOKEN_URL: \${{ vars.WORKS_DRIVE_OAUTH_TOKEN_URL }}" "$deploy_workflow" \
|| fail "production deploy workflow must pass the WORKS Drive OAuth token URL into the remote image deploy step."
grep -Fq "Same image tag contract as staging" "$deploy_workflow" \ grep -Fq "Same image tag contract as staging" "$deploy_workflow" \
|| fail "production deploy workflow must document that it uses the same image tag as staging." || fail "production deploy workflow must document that it uses the same image tag as staging."
grep -Fq "TRAEFIK_PUBLIC_NETWORK=traefik-public" "$bundle_script" \ grep -Fq "TRAEFIK_PUBLIC_NETWORK=traefik-public" "$bundle_script" \
@@ -137,8 +145,8 @@ grep -Fq "scripts/docker-image/download_works_drive.sh" "$remote_deploy_script"
|| fail "shared remote deploy script must load requested image archives from WORKS Drive before running." || fail "shared remote deploy script must load requested image archives from WORKS Drive before running."
grep -Fq "refresh_works_drive_access_token" "$remote_deploy_script" \ grep -Fq "refresh_works_drive_access_token" "$remote_deploy_script" \
|| fail "shared remote deploy script must refresh WORKS Drive access tokens when a refresh token is available." || fail "shared remote deploy script must refresh WORKS Drive access tokens when a refresh token is available."
grep -Fq 'WORKS_ADMIN_OAUTH_TOKEN_URL:-${WORKS_DRIVE_OAUTH_TOKEN_URL:-https://auth.worksmobile.com/oauth2/v2.0/token}' "$remote_deploy_script" \ grep -Fq 'WORKS_DRIVE_OAUTH_TOKEN_URL:-${WORKS_ADMIN_OAUTH_TOKEN_URL:-https://auth.worksmobile.com/oauth2/v2.0/token}' "$remote_deploy_script" \
|| fail "shared remote deploy script must honor WORKS_ADMIN_OAUTH_TOKEN_URL for refresh-token grants." || fail "shared remote deploy script must prefer WORKS_DRIVE_OAUTH_TOKEN_URL for refresh-token grants."
grep -Fq "docker compose --env-file .env -f docker-compose.yml config" "$remote_deploy_script" \ grep -Fq "docker compose --env-file .env -f docker-compose.yml config" "$remote_deploy_script" \
|| fail "shared remote deploy script must validate the remote compose config before running." || fail "shared remote deploy script must validate the remote compose config before running."
grep -Fq "docker compose --env-file .env -f docker-compose.yml pull --ignore-pull-failures" "$remote_deploy_script" \ grep -Fq "docker compose --env-file .env -f docker-compose.yml pull --ignore-pull-failures" "$remote_deploy_script" \