Merge pull request #52 from chef/peter-at-progress/hab-auth-token

peter-at-progress · web-flow · commit 5e24c54c2f64 · 2026-04-29T13:09:21.000-04:00
Add HAB_AUTH_TOKEN support to automate-container-scan action
diff --git a/.github/actions/automate-container-scan/README.md b/.github/actions/automate-container-scan/README.md
@@ -20,6 +20,8 @@ This action provides automated vulnerability scanning for Chef Automate's embedd
   uses: chef/common-github-actions/.github/actions/automate-container-scan@main
   with:
     channel: current
+    license_id: ${{ secrets.GA_DOWNLOAD_GRYPE_LICENSE_ID }}
+    hab_auth_token: ${{ secrets.HAB_AUTH_TOKEN }}  # Required for dev channel
     out_dir: out
 ```
 
@@ -48,6 +50,8 @@ jobs:
         uses: ./common-github-actions/.github/actions/automate-container-scan
         with:
           channel: current
+          license_id: ${{ secrets.GA_DOWNLOAD_GRYPE_LICENSE_ID }}
+          hab_auth_token: ${{ secrets.HAB_AUTH_TOKEN }}
           out_dir: out
       
       - name: Upload scan results
@@ -66,8 +70,12 @@ jobs:
 | Input | Description | Required | Default |
 |-------|-------------|----------|---------|
 | `channel` | Release channel for Chef Automate (`stable` or `current`) | No | `current` |
+| `license_id` | Chef download license ID (required for commercial downloads) | Yes | N/A |
+| `hab_auth_token` | Habitat Builder Personal Access Token for protected channels (pass via secrets) | No | `""` |
 | `out_dir` | Output directory for scan results and logs | No | `out` |
 
+**Note on `hab_auth_token`**: This parameter is **required for the `dev` channel** and other protected Habitat channels that contain packages requiring authentication. The `current` and `stable` channels typically have public packages that don't require authentication. If you see `401 Unauthorized` errors during deployment, ensure you've provided a valid HAB_AUTH_TOKEN.
+
 ## Outputs
 
 ### Directory Structure
diff --git a/.github/actions/automate-container-scan/action.yml b/.github/actions/automate-container-scan/action.yml
@@ -10,6 +10,10 @@ inputs:
   license_id:
     description: "Chef download license ID (required for commercial downloads)"
     required: true
+  hab_auth_token:
+    description: "Habitat Builder Personal Access Token for protected channels (pass via secrets)"
+    required: false
+    default: ""
   out_dir:
     description: "Output directory for scan results and logs"
     required: false
@@ -33,6 +37,7 @@ runs:
         CHANNEL: ${{ inputs.channel }}
         OUT_DIR: ${{ inputs.out_dir }}
         ACTION_DIR: ${{ github.action_path }}
+        HAB_AUTH_TOKEN: ${{ inputs.hab_auth_token }}
 
 branding:
   icon: "shield"
diff --git a/.github/actions/automate-container-scan/run.sh b/.github/actions/automate-container-scan/run.sh
@@ -109,17 +109,33 @@ deploy_automate() {
         fail "sysctl configuration failed"
     fi
     
+    # Configure Habitat authentication if token provided
+    if [[ -n "${HAB_AUTH_TOKEN:-}" ]]; then
+        log "HAB_AUTH_TOKEN provided - configuring Habitat authentication"
+        # Create Habitat CLI config directory and config file with auth token
+        # This ensures the token is available to all hab processes, including those spawned by systemd
+        docker exec -w /root "${CONTAINER_ID}" bash -c "mkdir -p /hab/etc && cat > /hab/etc/cli.toml <<EOF
+auth_token = \"${HAB_AUTH_TOKEN}\"
+EOF" > "${LOGS_DIR}/hab-config.log" 2>&1 || log "WARNING: Failed to configure Habitat auth (may not be critical)"
+        
+        # Also set as environment variable for immediate processes
+        docker exec -w /root "${CONTAINER_ID}" bash -c "echo 'export HAB_AUTH_TOKEN=${HAB_AUTH_TOKEN}' >> /root/.bashrc" \
+            >> "${LOGS_DIR}/hab-config.log" 2>&1 || true
+    fi
+    
     # Deploy Automate (this takes 10-15 minutes)
     log "Deploying Automate (this may take 10-15 minutes)..."
     log "Progress will be logged to ${LOGS_DIR}/deploy.log"
     
+    # Run deploy command
+    local docker_exec_cmd="docker exec -w /root ${CONTAINER_ID} timeout 1800 chef-automate deploy --channel ${CHANNEL} --skip-preflight config.toml --accept-terms-and-mlsa"
+    
     # Run deploy with timeout and capture output
     # tee streams output to Actions log in real-time while also writing to file
     # --skip-preflight: the CLI is always downloaded from the 'current' channel (no 'dev' download URL
     # exists), so when deploying --channel dev the preflight CLI version check will always fail because
     # dev has a newer build than current. The skip is safe: the CLI is still fully capable of deploying.
-    if docker exec -w /root "${CONTAINER_ID}" timeout 1800 chef-automate deploy --channel ${CHANNEL} --skip-preflight config.toml --accept-terms-and-mlsa \
-        2>&1 | tee "${LOGS_DIR}/deploy.log"; then
+    if eval "${docker_exec_cmd}" 2>&1 | tee "${LOGS_DIR}/deploy.log"; then
         log "Automate deployment completed successfully"
     else
         log "ERROR: Automate deployment failed or timed out"
