10 changes: 2 additions & 8 deletions action.yml
Expand Up @@ -43,16 +43,10 @@ runs:
AUDIENCE: cognito-identity.amazonaws.com
AWS_REGION: eu-central-1
run: |
# Get GitHub Actions ID token
ACCESS_TOKEN=$(curl -sLS -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=$AUDIENCE" | jq -r ".value")
# Get GitHub Actions ID token using script
ACCESS_TOKEN=$("$GITHUB_ACTION_PATH/scripts/get-github-token.sh")
echo "::add-mask::$ACCESS_TOKEN"

# Validate required parameters
if [[ "$ACCESS_TOKEN" == "null" || -z "$ACCESS_TOKEN" ]]; then
echo "::error::Failed to obtain GitHub Actions ID token"
exit 1
fi

# Get Identity ID
identityId=$(aws cognito-identity get-id \
--identity-pool-id "$POOL_ID" \
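Review bot: The new call `ACCESS_TOKEN=$("$GITHUB_ACTION_PATH/scripts/get-github-token.sh")` depends on the script being committed with its executable bit set, which this page does not show; invoking it as `ACCESS_TOKEN=$(bash "$GITHUB_ACTION_PATH/scripts/get-github-token.sh")` removes that dependency on file mode. The `echo "::add-mask::$ACCESS_TOKEN"` line still follows the assignment directly, so the token is masked before anything else in the step can print it, and the null/empty check removed here is performed inside the script instead. The `run:` block continues past the hunk.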
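--- a/scripts/get-github-token.sh
+++ b/scripts/get-github-token.sh
@@ -0,0 +1,112 @@
+#!/usr/bin/env bash
+#
+# GitHub Actions ID Token Retrieval with Exponential Backoff
+#
+# This script retrieves a GitHub Actions OIDC token with retry logic
+# to handle transient network failures and timeout issues.
+#
+# Environment variables required:
+# - ACTIONS_ID_TOKEN_REQUEST_TOKEN: GitHub Actions token request token
+# - ACTIONS_ID_TOKEN_REQUEST_URL: GitHub Actions token request URL
+# - AUDIENCE: The audience for the token (e.g., cognito-identity.amazonaws.com)
+#
+# Exit codes:
+# 0: Success - token retrieved and printed to stdout
+# 1: Failure - unable to retrieve token after all retry attempts
+#
+
+set -euo pipefail
+
+readonly MAX_ATTEMPTS=5
+readonly INITIAL_TIMEOUT=10
+readonly MAX_TIMEOUT=60
+
+
+log_warning() {
+echo "::warning::$*" >&2
+}
+
+log_error() {
+echo "::error::$*" >&2
+}
+
+get_github_token() {
+local timeout=$INITIAL_TIMEOUT
+
+for attempt in $(seq 1 $MAX_ATTEMPTS); do
+local http_code
+local response
+response=$(curl -sLS \
+--connect-timeout 10 \
+--max-time "$timeout" \
+-w "\n%{http_code}" \
+-H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+"$ACTIONS_ID_TOKEN_REQUEST_URL&audience=$AUDIENCE" 2>&1)
+local curl_exit=$?
+
+if [[ $curl_exit -eq 0 ]]; then
+http_code=$(echo "$response" | tail -n1)
+local token
+token=$(echo "$response" | head -n-1 | jq -r ".value" 2>/dev/null)
+
+if [[ "$token" != "null" && -n "$token" ]]; then
+echo "$token"
+return 0
+fi
+log_warning "Attempt $attempt/$MAX_ATTEMPTS: Invalid token response (HTTP $http_code)"
+else
+case $curl_exit in
+6) log_warning "Attempt $attempt/$MAX_ATTEMPTS: Could not resolve host" ;;
+7) log_warning "Attempt $attempt/$MAX_ATTEMPTS: Failed to connect" ;;
+28) log_warning "Attempt $attempt/$MAX_ATTEMPTS: Operation timeout after ${timeout}s" ;;
+35) log_warning "Attempt $attempt/$MAX_ATTEMPTS: SSL/TLS handshake failed" ;;
+52) log_warning "Attempt $attempt/$MAX_ATTEMPTS: Empty response from server" ;;
+56) log_warning "Attempt $attempt/$MAX_ATTEMPTS: Network data receive failure" ;;
+*) log_warning "Attempt $attempt/$MAX_ATTEMPTS: Curl error $curl_exit" ;;
+esac
+fi
+
+# Exponential backoff with jitter
+if [[ $attempt -lt $MAX_ATTEMPTS ]]; then
+local base_wait=$((2 ** attempt))
+local jitter=$((RANDOM % 3))I
+local wait_time=$((base_wait + jitter))
+log_warning "Retrying in ${wait_time}s..."
+sleep "$wait_time"
+
+timeout=$((timeout * 2))
+[[ $timeout -gt $MAX_TIMEOUT ]] && timeout=$MAX_TIMEOUT
+fi
+done
+
+return 1
+}
+
+main() {
+if [[ -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]]; then
+log_error "ACTIONS_ID_TOKEN_REQUEST_TOKEN environment variable is not set"
+exit 1
+fi
+
+if [[ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ]]; then
+log_error "ACTIONS_ID_TOKEN_REQUEST_URL environment variable is not set"
+exit 1
+fi
+
+if [[ -z "${AUDIENCE:-}" ]]; then
+log_error "AUDIENCE environment variable is not set"
+exit 1
+fi
+
+local token
+if ! token=$(get_github_token); then
+log_error "Failed to obtain GitHub Actions ID token after $MAX_ATTEMPTS attempts"
+log_error "This may indicate network issues or GitHub Actions service problems"
+log_error "Check GitHub Actions status: https://www.githubstatus.com/"
+exit 1
+fi
+
+echo "$token"
+}
+
+main "$@"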
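Review bot: The jitter line `local jitter=$((RANDOM % 3))I` carries a stray trailing `I`, so `jitter` holds a value like `0I` and the following `$((base_wait + jitter))` is rejected by bash's arithmetic ("value too great for base"), which breaks the backoff on the first retry; it should read `local jitter=$((RANDOM % 3))`. The curl error branch is also fragile as written: `response=$(curl ...)` followed by `local curl_exit=$?` only reaches the `case $curl_exit` because `get_github_token` runs inside the command substitution of `if ! token=$(get_github_token)`, where bash suspends `set -e`; a direct call under `set -euo pipefail` would abort at the failed assignment before the retry messages run. Capturing the status on the assignment makes that explicit — `local curl_exit=0` before the call, `"$ACTIONS_ID_TOKEN_REQUEST_URL&audience=$AUDIENCE" 2>&1) || curl_exit=$?` as its last line, and drop the separate `local curl_exit=$?`. The `2>&1` on that call folds curl's stderr into `response`, so any diagnostic text is then parsed as the body by `head`/`jq` and as the status by `tail -n1`; logging stderr separately keeps the parse clean. `head -n-1` is a GNU extension that fails on macOS runners, where `sed '$d'` is the portable equivalent.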