
Commit 8a9cd69

authored
Use GHA id-token as sccache-dist auth token (#503)
1 parent da358e7 commit 8a9cd69

8 files changed

Lines changed: 9 additions & 20 deletions

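--- a/.github/workflows/build-in-devcontainer.yaml
+++ b/.github/workflows/build-in-devcontainer.yaml
@@ -118,7 +118,7 @@ jobs:
 with:
 extra_attributes: "rapids.PACKAGER=${{ matrix.PACKAGER }},rapids.CUDA_VER=${{ matrix.CUDA_VER }},rapids.ARCH=${{ matrix.ARCH }}"
 
-- name: Check if repo has devcontainer
+- name: Setup job env
 env:
 ARCH: ${{ matrix.ARCH }}
 CUDA_VER: ${{ matrix.CUDA_VER }}
@@ -130,6 +130,13 @@ jobs:
 ARTIFACT_SLUG=${RUN_ID}-${RUN_ATTEMPT}-$RANDOM
 BUILD_SLUG=cuda${CUDA_VER}-${PACKAGER}-${ARCH}
 REPOSITORY=$(basename "$(pwd)")
+SCCACHE_DIST_AUTH_TOKEN=$(
+curl -fsSL -H "Authorization: Bearer $(
+curl -fsSL -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+"${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=token.rapids.nvidia.com" \
+| jq -r '.value'
+)" https://token.rapids.nvidia.com/gh/token/exchange \
+| jq -r '.token')
 EOF
 
 - uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
@@ -161,6 +168,7 @@ jobs:
 # We have to pass them in explicitly.
 env: |
 REPOSITORY=${{ env.REPOSITORY }}
+SCCACHE_DIST_AUTH_TOKEN=${{ env.SCCACHE_DIST_AUTH_TOKEN }}
 SCCACHE_IDLE_TIMEOUT=0
 SCCACHE_REGION=${{ vars.AWS_REGION }}
 SCCACHE_ERROR_LOG=/home/coder/${{ env.REPOSITORY }}/sccache.log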
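Review bot: The exchanged token is never registered as a secret, so nothing masks it in logs: the added `SCCACHE_DIST_AUTH_TOKEN=$(…)` line sits inside the heredoc that ends at `EOF`, and the later `SCCACHE_DIST_AUTH_TOKEN=${{ env.SCCACHE_DIST_AUTH_TOKEN }}` line expands it into a block-scalar action input, which the runner normally echoes in the step header. Because the value appears to be exported through the job environment, every later step can read it, including the third-party `aws-actions/configure-aws-credentials` action. The nested substitutions also hide failures: if the job lacks `id-token: write` (not visible here) or either request fails, `jq -r '.token'` can yield an empty string or `null` and the build carries on with a bogus token. I would do the exchange before the heredoc with `jq -er`, mask the result with `::add-mask::`, and only then write it out. The step's `run:` opening and the heredoc header are outside the hunk, so the placement below is a sketch.

```yaml
# … unchanged: step header and env …
# in the run script, before the heredoc that ends at EOF:
set -euo pipefail
ID_TOKEN=$(curl -fsSL -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
  "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=token.rapids.nvidia.com" \
  | jq -er '.value')
SCCACHE_DIST_AUTH_TOKEN=$(curl -fsSL -H "Authorization: Bearer $ID_TOKEN" \
  https://token.rapids.nvidia.com/gh/token/exchange \
  | jq -er '.token')
# register the value with the runner so it is redacted from later log output
echo "::add-mask::$SCCACHE_DIST_AUTH_TOKEN"
# … unchanged: ARTIFACT_SLUG, BUILD_SLUG, REPOSITORY lines of the heredoc …
SCCACHE_DIST_AUTH_TOKEN=${SCCACHE_DIST_AUTH_TOKEN}
```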

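--- a/.github/workflows/conda-cpp-build.yaml
+++ b/.github/workflows/conda-cpp-build.yaml
@@ -172,13 +172,11 @@ jobs:
 # Install latest rapidsai/sccache client and configure sccache-dist
 - name: Setup sccache-dist
 uses: rapidsai/shared-actions/setup-sccache-dist@main
-if: ${{ inputs.sccache-dist-token-secret-name != '' }}
 env:
 AWS_REGION: "${{env.AWS_REGION}}"
 AWS_ACCESS_KEY_ID: "${{env.AWS_ACCESS_KEY_ID}}"
 AWS_SECRET_ACCESS_KEY: "${{env.AWS_SECRET_ACCESS_KEY}}"
 with:
-auth: "${{ secrets[inputs.sccache-dist-token-secret-name] }}" # zizmor: ignore[overprovisioned-secrets]
 log-file: "${{ env.RAPIDS_ARTIFACTS_DIR }}/sccache.log"
 request-timeout: ${{ inputs.sccache-dist-request-timeout }}
 # Per the docs at https://docs.github.com/en/rest/rate-limit/rate-limit?apiVersion=2022-11-28#get-rate-limit-status-for-the-authenticated-user,
@@ -201,7 +199,6 @@ jobs:
 $INPUTS_SCRIPT
 env:
 INPUTS_SCRIPT: "${{ inputs.script }}"
-SCCACHE_DIST_TOKEN_NAME: "${{ inputs.sccache-dist-token-secret-name }}"
 STEP_NAME: "C++ build"
 # NEEDS alternative-gh-token-secret-name - may require a token with more permissions
 GH_TOKEN: ${{ inputs.alternative-gh-token-secret-name && secrets[inputs.alternative-gh-token-secret-name] || github.token }} # zizmor: ignore[overprovisioned-secrets]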

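--- a/.github/workflows/conda-cpp-tests.yaml
+++ b/.github/workflows/conda-cpp-tests.yaml
@@ -254,13 +254,11 @@ jobs:
 # Install latest rapidsai/sccache client and configure sccache-dist
 - name: Setup sccache-dist
 uses: rapidsai/shared-actions/setup-sccache-dist@main
-if: ${{ inputs.sccache-dist-token-secret-name != '' }}
 env:
 AWS_REGION: "${{env.AWS_REGION}}"
 AWS_ACCESS_KEY_ID: "${{env.AWS_ACCESS_KEY_ID}}"
 AWS_SECRET_ACCESS_KEY: "${{env.AWS_SECRET_ACCESS_KEY}}"
 with:
-auth: "${{ secrets[inputs.sccache-dist-token-secret-name] }}" # zizmor: ignore[overprovisioned-secrets]
 log-file: "${{ env.RAPIDS_ARTIFACTS_DIR }}/sccache.log"
 request-timeout: ${{ inputs.sccache-dist-request-timeout }}
 # Per the docs at https://docs.github.com/en/rest/rate-limit/rate-limit?apiVersion=2022-11-28#get-rate-limit-status-for-the-authenticated-user,
@@ -301,7 +299,6 @@ jobs:
 $INPUTS_SCRIPT
 env:
 INPUTS_SCRIPT: "${{ inputs.script }}"
-SCCACHE_DIST_TOKEN_NAME: "${{ inputs.sccache-dist-token-secret-name }}"
 # NEEDS alternative-gh-token-secret-name - may require a token with more permissions
 GH_TOKEN: ${{ inputs.alternative-gh-token-secret-name && secrets[inputs.alternative-gh-token-secret-name] || github.token }} # zizmor: ignore[overprovisioned-secrets]
 - name: Generate test report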

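--- a/.github/workflows/conda-python-build.yaml
+++ b/.github/workflows/conda-python-build.yaml
@@ -194,13 +194,11 @@ jobs:
 # Install latest rapidsai/sccache client and configure sccache-dist
 - name: Setup sccache-dist
 uses: rapidsai/shared-actions/setup-sccache-dist@main
-if: ${{ inputs.sccache-dist-token-secret-name != '' }}
 env:
 AWS_REGION: "${{env.AWS_REGION}}"
 AWS_ACCESS_KEY_ID: "${{env.AWS_ACCESS_KEY_ID}}"
 AWS_SECRET_ACCESS_KEY: "${{env.AWS_SECRET_ACCESS_KEY}}"
 with:
-auth: "${{ secrets[inputs.sccache-dist-token-secret-name] }}" # zizmor: ignore[overprovisioned-secrets]
 log-file: "${{ env.RAPIDS_ARTIFACTS_DIR }}/sccache.log"
 request-timeout: ${{ inputs.sccache-dist-request-timeout }}
 # Per the docs at https://docs.github.com/en/rest/rate-limit/rate-limit?apiVersion=2022-11-28#get-rate-limit-status-for-the-authenticated-user,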

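--- a/.github/workflows/conda-python-tests.yaml
+++ b/.github/workflows/conda-python-tests.yaml
@@ -259,13 +259,11 @@ jobs:
 # Install latest rapidsai/sccache client and configure sccache-dist
 - name: Setup sccache-dist
 uses: rapidsai/shared-actions/setup-sccache-dist@main
-if: ${{ inputs.sccache-dist-token-secret-name != '' }}
 env:
 AWS_REGION: "${{env.AWS_REGION}}"
 AWS_ACCESS_KEY_ID: "${{env.AWS_ACCESS_KEY_ID}}"
 AWS_SECRET_ACCESS_KEY: "${{env.AWS_SECRET_ACCESS_KEY}}"
 with:
-auth: "${{ secrets[inputs.sccache-dist-token-secret-name] }}" # zizmor: ignore[overprovisioned-secrets]
 log-file: "${{ env.RAPIDS_ARTIFACTS_DIR }}/sccache.log"
 request-timeout: ${{ inputs.sccache-dist-request-timeout }}
 # Per the docs at https://docs.github.com/en/rest/rate-limit/rate-limit?apiVersion=2022-11-28#get-rate-limit-status-for-the-authenticated-user,
@@ -306,7 +304,6 @@ jobs:
 $INPUTS_SCRIPT
 env:
 INPUTS_SCRIPT: "${{ inputs.script }}"
-SCCACHE_DIST_TOKEN_NAME: "${{ inputs.sccache-dist-token-secret-name }}"
 # NEEDS alternative-gh-token-secret-name - may require a token with more permissions
 GH_TOKEN: ${{ inputs.alternative-gh-token-secret-name && secrets[inputs.alternative-gh-token-secret-name] || github.token }} # zizmor: ignore[overprovisioned-secrets]
 - name: Generate test report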

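--- a/.github/workflows/custom-job.yaml
+++ b/.github/workflows/custom-job.yaml
@@ -169,13 +169,11 @@ jobs:
 # Install latest rapidsai/sccache client and configure sccache-dist
 - name: Setup sccache-dist
 uses: rapidsai/shared-actions/setup-sccache-dist@main
-if: ${{ inputs.sccache-dist-token-secret-name != '' }}
 env:
 AWS_REGION: "${{env.AWS_REGION}}"
 AWS_ACCESS_KEY_ID: "${{env.AWS_ACCESS_KEY_ID}}"
 AWS_SECRET_ACCESS_KEY: "${{env.AWS_SECRET_ACCESS_KEY}}"
 with:
-auth: "${{ secrets[inputs.sccache-dist-token-secret-name] }}" # zizmor: ignore[overprovisioned-secrets]
 log-file: "${{ env.RAPIDS_ARTIFACTS_DIR }}/sccache.log"
 request-timeout: ${{ inputs.sccache-dist-request-timeout }}
 # Per the docs at https://docs.github.com/en/rest/rate-limit/rate-limit?apiVersion=2022-11-28#get-rate-limit-status-for-the-authenticated-user,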

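--- a/.github/workflows/wheels-build.yaml
+++ b/.github/workflows/wheels-build.yaml
@@ -240,13 +240,11 @@ jobs:
 # Install latest rapidsai/sccache client and configure sccache-dist
 - name: Setup sccache-dist
 uses: rapidsai/shared-actions/setup-sccache-dist@main
-if: ${{ inputs.sccache-dist-token-secret-name != '' }}
 env:
 AWS_REGION: "${{env.AWS_REGION}}"
 AWS_ACCESS_KEY_ID: "${{env.AWS_ACCESS_KEY_ID}}"
 AWS_SECRET_ACCESS_KEY: "${{env.AWS_SECRET_ACCESS_KEY}}"
 with:
-auth: "${{ secrets[inputs.sccache-dist-token-secret-name] }}" # zizmor: ignore[overprovisioned-secrets]
 log-file: "${{ env.RAPIDS_ARTIFACTS_DIR }}/sccache.log"
 request-timeout: ${{ inputs.sccache-dist-request-timeout }}
 # Per the docs at https://docs.github.com/en/rest/rate-limit/rate-limit?apiVersion=2022-11-28#get-rate-limit-status-for-the-authenticated-user,
@@ -276,7 +274,6 @@ jobs:
 fi
 env:
 INPUTS_SCRIPT: "${{ inputs.script }}"
-SCCACHE_DIST_TOKEN_NAME: "${{ inputs.sccache-dist-token-secret-name }}"
 # NEEDS alternative-gh-token-secret-name - may require a token with more permissions
 GH_TOKEN: ${{ inputs.alternative-gh-token-secret-name && secrets[inputs.alternative-gh-token-secret-name] || github.token }} # zizmor: ignore[overprovisioned-secrets]
 # Use a shell that loads the rc file so that we get the compiler settings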

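--- a/.github/workflows/wheels-test.yaml
+++ b/.github/workflows/wheels-test.yaml
@@ -283,13 +283,11 @@ jobs:
 # Install latest rapidsai/sccache client and configure sccache-dist
 - name: Setup sccache-dist
 uses: rapidsai/shared-actions/setup-sccache-dist@main
-if: ${{ inputs.sccache-dist-token-secret-name != '' }}
 env:
 AWS_REGION: "${{env.AWS_REGION}}"
 AWS_ACCESS_KEY_ID: "${{env.AWS_ACCESS_KEY_ID}}"
 AWS_SECRET_ACCESS_KEY: "${{env.AWS_SECRET_ACCESS_KEY}}"
 with:
-auth: "${{ secrets[inputs.sccache-dist-token-secret-name] }}" # zizmor: ignore[overprovisioned-secrets]
 log-file: "${{ env.RAPIDS_ARTIFACTS_DIR }}/sccache.log"
 request-timeout: ${{ inputs.sccache-dist-request-timeout }}
 # Per the docs at https://docs.github.com/en/rest/rate-limit/rate-limit?apiVersion=2022-11-28#get-rate-limit-status-for-the-authenticated-user,
@@ -330,7 +328,6 @@ jobs:
 $INPUTS_SCRIPT
 env:
 INPUTS_SCRIPT: "${{ inputs.script }}"
-SCCACHE_DIST_TOKEN_NAME: "${{ inputs.sccache-dist-token-secret-name }}"
 # NEEDS alternative-gh-token-secret-name - may require a token with more permissions
 GH_TOKEN: ${{ inputs.alternative-gh-token-secret-name && secrets[inputs.alternative-gh-token-secret-name] || github.token }} # zizmor: ignore[overprovisioned-secrets]
 RAPIDS_AUX_SECRET_1: ${{ inputs.rapids-aux-secret-1 != '' && secrets[inputs.rapids-aux-secret-1] || '' }} # zizmor: ignore[overprovisioned-secrets]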
