ci: add ability to debug SSH sessions in CI #47819
Conversation
No Release Notes

I have automatically backported this PR to "38-x-y", please check out #47874

I have automatically backported this PR to "37-x-y", please check out #47875

I have automatically backported this PR to "36-x-y", please check out #47876
| CHROMIUM_GIT_COOKIE_WINDOWS_STRING: ${{ secrets.CHROMIUM_GIT_COOKIE_WINDOWS_STRING }} | ||
| ELECTRON_OUT_DIR: Default | ||
| ELECTRON_RBE_JWT: ${{ secrets.ELECTRON_RBE_JWT }} | ||
| ACTIONS_STEP_DEBUG: ${{ secrets.ACTIONS_STEP_DEBUG }} |
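Review bot: gating the tunnel on a repository secret named ACTIONS_STEP_DEBUG couples it to GitHub's own step-debug-logging switch: a secret with that exact name is read by the Actions runner itself and turns on verbose logging for every job in the repository, so once it is set to open a debugging session, every workflow run both logs verbosely and runs the tunnel step. If the intent is to mirror "Re-run jobs with debug logging", the `runner.debug` context (`${{ runner.debug == '1' }}`) is set per run by that button and needs no secret; otherwise an explicitly named opt-in secret keeps the two behaviours apart.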
This is going to enable debugging for all pipelines, instead of just one. I think this secret should be a branch name or something so that the check is current_branch == secrets.debug_branch_name or something.
| get_authorized_keys() { | ||
| if [ -z "$AUTHORIZED_USERS" ] || ! echo "$AUTHORIZED_USERS" | grep -q "\b$GITHUB_ACTOR\b"; then | ||
| return 1 | ||
| fi | ||
|
|
||
| api_response=$(curl -s "https://api.github.com/users/$GITHUB_ACTOR/keys") | ||
|
|
||
| if echo "$api_response" | jq -e 'type == "object" and has("message")' >/dev/null; then | ||
| error_msg=$(echo "$api_response" | jq -r '.message') | ||
| echo "Error: $error_msg" | ||
| return 1 | ||
| else | ||
| echo "$api_response" | jq -r '.[].key' | ||
| fi | ||
| } |
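Review bot: the allow-list check `grep -q "\b$GITHUB_ACTOR\b"` relies on `\b`, a GNU regex extension that is not guaranteed by the BSD grep on the macOS runners this targets, and it interpolates the actor name as a pattern rather than a literal; `grep -qwF -- "$GITHUB_ACTOR"` matches it as a whole word with no regex interpretation. The `curl -s` call also has no `-f`/`--fail` or `--retry`, so a transient HTTP failure yields an empty `api_response`; the `jq -e` guard does not match it, `jq -r '.[].key'` prints nothing, and the function still returns 0, which is indistinguishable from "user has no keys". Consider `curl -sf --retry 3` and an explicit `[ -z "$api_response" ] && return 1` so a fetch failure is reported rather than silently treated as an empty key set.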
I think the secret should actually contain the SSH keys. And those should be fetched from the infra repo.
We can in terraform use a github_secret resource and folks should have to hardcode the SSH key they want to use to connect there. That avoids the API call here and avoids any risk around GITHUB_ACTOR somehow being an injection vector.
| fi | ||
|
|
||
| if [ "$TUNNEL" != "true" ]; then | ||
| echo "SSH tunneling is disabled. Set enable-tunnel: true to enable remote access." |
It's just called tunnel now.
| echo ' ' | ||
| echo '📋 Copy and run this command to connect:' | ||
| echo ' ' | ||
| if [ -n "$TUNNEL_HOSTNAME" ]; then |
TUNNEL_HOSTNAME is always set no?
|
|
||
| echo 'Starting Cloudflare tunnel...' | ||
|
|
||
| ./cloudflared tunnel --no-autoupdate run --token "$CLOUDFLARE_TUNNEL_TOKEN" 2>&1 | tee cloudflared.log | sed -u 's/^/cloudflared: /' & |
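Review bot: passing the credential as `--token "$CLOUDFLARE_TUNNEL_TOKEN"` places it in the cloudflared process's argument list, where any other process on the runner can read it via `ps`, and it would be echoed verbatim if this script ever runs under `set -x` (Actions log masking does not cover either). cloudflared also reads the token from the `TUNNEL_TOKEN` environment variable, so `TUNNEL_TOKEN="$CLOUDFLARE_TUNNEL_TOKEN" ./cloudflared tunnel --no-autoupdate run 2>&1 | tee cloudflared.log | sed -u 's/^/cloudflared: /' &` keeps it out of argv with no other change in behaviour.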
Separate to this, maybe we shouldn't use authorized_keys at all and instead should rely on cloudflare access zero trust rules for protecting our ssh access. We can configure this hostname as an SSH target in cloudflare zero trust and then assign IDP roles (wg-infra) as having access to that hostname.
Description of Change
Enable SSH access to macOS actions runners for debugging. I've set it up to work similarly to CircleCI's old "rerun with ssh" - to enable it in actions, choose "rerun in debug mode" in the actions UI.
Successful Connection
Checklist
npm test passes
Release Notes
Notes: none