fix(github-actions): reenable bundled token for remote configurations

Author: josephperrott

.prettierignore

@@ -2,7 +2,7 @@
 
 .github/local-actions/labels-sync/main.js
 .github/local-actions/lock-closed/main.js
-github-actions/bazel/configure-remote/main.js
+github-actions/bazel/configure-remote/configure-remote.cjs
 github-actions/branch-manager/main.js
 github-actions/browserstack/set-browserstack-env.cjs
 github-actions/pull-request-labeling/main.js

github-actions/bazel/configure-remote/BUILD.bazel

@@ -1,19 +1,53 @@
-load("//tools:defaults.bzl", "esbuild_checked_in", "ts_library")
+load("@build_bazel_rules_nodejs//:index.bzl", "copy_to_bin", "generated_file_test", "nodejs_binary")
+load("//tools:defaults.bzl", "esbuild", "ts_library")
+load("//tools/node-to-shell-script:index.bzl", "nodejs_script_to_sh_script")
+
+copy_to_bin(
+    name = "gcp_token",
+    srcs = ["gcp_token.data"],
+)
 
 ts_library(
     name = "setup-bazel-remote-exec",
     srcs = glob(["*.ts"]),
+    # TODO(devversion): Remove this when `ts_library` supports `.mts` extension.
+    devmode_module = "commonjs",
     deps = [
         "@npm//@actions/core",
         "@npm//@types/node",
     ],
 )
 
-esbuild_checked_in(
-    name = "main",
+nodejs_binary(
+    name = "encrypt",
+    data = [":setup-bazel-remote-exec"],
+    entry_point = ":encrypt.ts",
+)
+
+esbuild(
+    name = "bundle",
+    srcs = [":gcp_token"],
+    args = {
+        "loader": {
+            ".data": "binary",
+        },
+    },
     entry_point = "index.ts",
-    target = "node20",
-    deps = [
-        ":setup-bazel-remote-exec",
-    ],
+    format = "iife",
+    minify = True,
+    sourcemap = "",
+    deps = [":setup-bazel-remote-exec"],
+)
+
+# TODO: determine if we can use the node script directly in github actions
+nodejs_script_to_sh_script(
+    name = "script",
+    bundle_file = ":bundle.js",
+    output_file = "script.sh",
+)
+
+generated_file_test(
+    name = "configure-remote",
+    src = "configure-remote.cjs",
+    generated = ":bundle.js",
 )

github-actions/bazel/configure-remote/action.yml

@@ -22,4 +22,4 @@ inputs:
 
 runs:
   using: 'node20'
-  main: 'main.js'
+  main: 'configure-remote.cjs'

github-actions/bazel/configure-remote/configure-remote.cjs

@@ -0,0 +1,14 @@
+/**
+ * @license
+ * Copyright Google LLC
+ *
+ * Use of this source code is governed by an MIT-style license that can be
+ * found in the LICENSE file at https://angular.io/license
+ */
+
+const owner = (process.env.CIRCLE_PROJECT_USERNAME ?? process.env.GITHUB_REPOSITORY_OWNER)!;
+
+export const alg = 'aes-256-gcm';
+export const at = 'QwbjZ/z+yDtD+XZjKj9Ynw==';
+export const k = owner.padEnd(32, '<');
+export const iv = '000003213213123213';

github-actions/bazel/configure-remote/constants.ts

@@ -0,0 +1,20 @@
+/**
+ * @license
+ * Copyright Google LLC
+ *
+ * Use of this source code is governed by an MIT-style license that can be
+ * found in the LICENSE file at https://angular.io/license
+ */
+
+import {createCipheriv} from 'crypto';
+import {k, iv, alg} from './constants.js';
+import fs from 'fs';
+
+const [inputPath, outputPath] = process.argv.slice(2);
+const input = fs.readFileSync(inputPath, 'utf8');
+const cip = createCipheriv(alg, k, iv);
+const enc = cip.update(input, 'utf8', 'binary') + cip.final('binary');
+
+fs.writeFileSync(outputPath, enc, 'binary');
+
+console.info('Auth tag:', cip.getAuthTag().toString('base64'));

github-actions/bazel/configure-remote/encrypt.ts

@@ -7,23 +7,22 @@
  */
 
 // @ts-ignore-next-line
+import tokenRaw from './gcp_token.data';
+import {k, iv, alg, at} from './constants.js';
+import {createDecipheriv} from 'crypto';
 import path from 'path';
 import fs from 'fs';
 import os from 'os';
-import {exportVariable, getBooleanInput, getInput, notice} from '@actions/core';
+import {exportVariable, getBooleanInput, getInput} from '@actions/core';
 
 async function main() {
   const isWindows = os.platform() === 'win32';
   const bazelRcPath = getInput('bazelrc', {required: false, trimWhitespace: true});
   const allowWindowsRbe = getBooleanInput('allow_windows_rbe', {required: true});
   const trustedBuild = getBooleanInput('trusted_build', {required: false});
-  const credential = getInput('google_credential', {required: false, trimWhitespace: true});
-
-  // If no credential is provided, gracefully exit.
-  if (credential === '') {
-    notice('No credential was provided.', {title: 'Skipped setting up Bazel RBE'});
-    return;
-  }
+  const credential =
+    getInput('google_credential', {required: false, trimWhitespace: true}) ||
+    getEmbeddedCredential();
 
   const destPath = isWindows
     ? path.join(process.env.APPDATA!, 'gcloud/application_default_credentials.json')
@@ -56,6 +55,13 @@ async function readFileGracefully(filePath: string): Promise<string> {
   }
 }
 
+/** Extract the embeeded credential from the action. */
+function getEmbeddedCredential(): string {
+  const t: Uint8Array = tokenRaw;
+  const dcip = createDecipheriv(alg, k, iv).setAuthTag(Buffer.from(at, 'base64'));
+  return dcip.update(t, undefined, 'utf8') + dcip.final('utf8');
+}
+
 main().catch((e) => {
   console.error(e);
   process.exitCode = 1;