digitalocean / action-doctl

GitHub Actions for DigitalOcean - doctl

Home Page: https://www.digitalocean.com/

License: MIT License

JavaScript 100.00%
doctl digitalocean github-actions cicd hacktoberfest

action-doctl's Issues

Unable to use compute ssh

doctl compute ssh is throwing the following error:

$ doctl compute ssh $DROPLET_ID --ssh-command pwd
Warning: Identity file /root/.ssh/id_rsa not accessible: No such file or directory.
Host key verification failed.

I'm currently using digitalocean/[email protected]

I've tried a few workarounds like generating the key, but I can't get it going. At first I thought I was running into this issue: digitalocean/doctl#263 but I don't think they're related as snap is not involved in this action as far as I'm aware, not to mention it was fixed a while ago.

Docker run failed with exit code 1

I am using this action to retrieve k8s credentials as in the example. It used to work, but since yesterday I am getting ##[error]Docker run failed with exit code 1, without having changed anything to my action. I am not sure how I can debug this. I have tried creating a new DIGITALOCEAN_ACCESS_TOKEN, but still I am getting exit code 1.

Input required and not supplied: token

Can not install the action-doctl@v2

Error Info:

Run digitalocean/action-doctl@v2
/bin/tar xz --warning=no-unknown-keyword -C /home/runner/work/_temp/002cd389-8411-4c9c-b235-abbe9c712409 -f /home/runner/work/_temp/831228ce-c6ed-43ca-8ff8-9671aeb570c8
>>> doctl version v1.48.1 installed to /opt/hostedtoolcache/doctl/1.48.1/x64
Error: Input required and not supplied: token

with actions step:

- name: Install doctl
  uses: digitalocean/action-doctl@v2
  with:
    token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}

append:

I created a secret with DIGITALOCEAN_ACCESS_TOKEN in the organization's secrets, not the repo's secrets.

Error: Unable to process command '::add-path::/opt/hostedtoolcache/doctl/1.100.0/x64' successfully.

Hi, I am trying to use digitalocean/action-doctl@v2.
It's giving me this error:
Error: Unable to process command '::add-path::/opt/hostedtoolcache/doctl/1.100.0/x64' successfully.
Error: The add-path command is disabled. Please upgrade to using Environment Files or opt into unsecure command execution by setting the ACTIONS_ALLOW_UNSECURE_COMMANDS environment variable to true. For more information see: https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/

doctl version v1.100.0 installed to /opt/hostedtoolcache/doctl/1.100.0/x64

multiple tokens and authentication required

I use this sentence:

- name: Install doctl
  uses: digitalocean/[email protected]
  with:
    token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}

- name: Log in to DigitalOcean Container Registry
  run: doctl registry login --expiry-seconds 240

- name: Build and push stack
  run: TAG=stag FRONTEND_ENV=staging sh ./scripts/build-push.sh

This script logs in to DO, then builds and pushes images with docker-compose.yml. All is OK - I successfully log in with doctl and build images... But when I push to the registry, I see this error inside the workflow:

...
Successfully built 476bb87c7501
Successfully tagged registry.digitalocean.com/***/frontend:stag
The following deploy sub-keys are not supported and have been ignored: labels
The following deploy sub-keys are not supported and have been ignored: labels
The following deploy sub-keys are not supported and have been ignored: labels
The following deploy sub-keys are not supported and have been ignored: labels
The following deploy sub-keys are not supported and have been ignored: labels
Pushing backend (registry.digitalocean.com/***/backend:stag)...
**The push refers to repository [registry.digitalocean.com/***/backend]
unauthorized: authentication required
Error: Process completed with exit code 1.**

And I receive a new access token in the DigitalOcean admin panel that looks like: container-registry-{name}-{ts}

version: latest is installing v1.64.0 instead of 2.1.0

Using the snippet provided here: https://github.com/digitalocean/action-doctl#usage

- name: Install doctl
  uses: digitalocean/action-doctl@v2
  with:
    token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}

Installation of doctl succeeds but an incorrect version is installed.

Expecting version 2.1.0 (latest)
Version 1.64.0 is installed instead.

Run digitalocean/action-doctl@v2
with:
token: ***
version: latest
/usr/bin/tar xz --warning=no-unknown-keyword -C /home/runner/work/_temp/c2ae0e11-6ec8-4463-8038-7d9677ae74dd -f /home/runner/work/_temp/532dec3b-d30c-4230-bb01-fff68e70f25b

doctl version v1.64.0 installed to /opt/hostedtoolcache/doctl/1.64.0/x64
/opt/hostedtoolcache/doctl/1.64.0/x64/doctl auth init -t ***

Serverless deploy using this action seems to failing with INTERNAL_ERROR

Action file:

name: Deploy function to DO
on:
  push:
    branches:
      - master
jobs:
  deploy:
    runs-on: ubuntu
    steps:
      - name: Check out code
        uses: actions/checkout@v3
      
      - name: Install doctl
        uses: digitalocean/action-doctl@v2
        with:
          token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
      
      - name: Setup serverless
        run: doctl serverless install
      
      - name: Connect to serverless
        run: doctl serverless connect

      - name: Deploy function
        run: doctl serverless deploy . --remote-build

Doctl registry login Error

Run digitalocean/action-doctl@master
  with:
    args: registry login
  env:
    DIGITALOCEAN_ACCESS_TOKEN: ***
/usr/bin/docker run --name e87b521e1dc3a91a0e4500a87494a4728063e9_4ca6ab --label e87b52 --workdir /github/workspace --rm -e DIGITALOCEAN_ACCESS_TOKEN -e INPUT_ARGS -e HOME -e GITHUB_REF -e GITHUB_SHA -e GITHUB_REPOSITORY -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_ACTOR -e GITHUB_WORKFLOW -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GITHUB_EVENT_NAME -e GITHUB_WORKSPACE -e GITHUB_ACTION -e GITHUB_EVENT_PATH -e RUNNER_OS -e RUNNER_TOOL_CACHE -e RUNNER_TEMP -e RUNNER_WORKSPACE -e ACTIONS_RUNTIME_URL -e ACTIONS_RUNTIME_TOKEN -e GITHUB_ACTIONS=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/betteraskbot/betteraskbot":"/github/workspace" e87b52:1e1dc3a91a0e4500a87494a4728063e9 registry login

Creates a lot of personal access tokens

Hi DO!

I have the following GitHub Actions Job:

steps:
- name: Save DigitalOcean kubeconfig
  uses: digitalocean/action-doctl@v2
  with:
    token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}

- name: Deploy to DigitalOcean Kubernetes
  run: |
    doctl kubernetes cluster kubeconfig save cluster-name
    cat ./k8s.yaml | gomplate | kubectl apply -f -
  env:
    TAG: ${{ github.sha }}
    NAMESPACE: development

It's working great so far. My gripe with it, however, is that with every build I do, a new personal access token gets created. And if I go into the Tokens page (https://cloud.digitalocean.com/account/api/tokens) I have an endless list of tokens that I need to remove one by one.

Am I missing something or is this intended?

How to switch projects/context?

I'm trying to use a dedicated context for my CI, but the fact that the action uses an env variable for the token seems incompatible with context switching 🤔

2020-04-27T19:43:22.8735609Z ##[group]Run digitalocean/action-doctl@v2
2020-04-27T19:43:22.8735783Z with:
2020-04-27T19:43:22.8736271Z   token: ***
2020-04-27T19:43:22.8736401Z   version: latest
2020-04-27T19:43:22.8736540Z ##[endgroup]
2020-04-27T19:43:23.6680564Z [command]/bin/tar xz --warning=no-unknown-keyword -C /home/runner/work/_temp/9b34c612-fd03-4d56-8e1d-a3b434918500 -f /home/runner/work/_temp/d648c3a2-bc1d-4358-8c34-7b3f9016a740
2020-04-27T19:43:23.8930213Z >>> doctl version v1.42.0 installed to /opt/hostedtoolcache/doctl/1.42.0/x64
2020-04-27T19:43:23.8935719Z [command]/opt/hostedtoolcache/doctl/1.42.0/x64/doctl auth init -t ***
2020-04-27T19:43:23.9013680Z Using token [***]
2020-04-27T19:43:23.9013850Z 
2020-04-27T19:43:24.1624971Z Validating token... OK
2020-04-27T19:43:24.1625536Z 
2020-04-27T19:43:24.5845339Z >>> Successfully logged into doctl
2020-04-27T19:43:24.5925324Z ##[group]Run doctl auth switch --context=openvpn-gh
2020-04-27T19:43:24.5925584Z doctl auth switch --context=openvpn-gh
2020-04-27T19:43:24.5962447Z shell: /bin/bash -e {0}
2020-04-27T19:43:24.5962612Z ##[endgroup]
2020-04-27T19:43:24.6101226Z Now using context [openvpn-gh] by default
2020-04-27T19:43:25.0168775Z ##[group]Run doctl compute droplet create openvpn-action-$GITHUB_RUN_ID-$GITHUB_RUN_NUMBER-debian-9-x64 --size s-1vcpu-1gb --image debian-9-x64 --region lon1 --enable-ipv6 --ssh-keys be:66:76:61:a8:71:93:aa:e3:19:ba:d8:0d:d2:2d:d4
2020-04-27T19:43:25.0169188Z doctl compute droplet create openvpn-action-$GITHUB_RUN_ID-$GITHUB_RUN_NUMBER-debian-9-x64 --size s-1vcpu-1gb --image debian-9-x64 --region lon1 --enable-ipv6 --ssh-keys be:66:76:61:a8:71:93:aa:e3:19:ba:d8:0d:d2:2d:d4
2020-04-27T19:43:25.0199829Z shell: /bin/bash -e {0}
2020-04-27T19:43:25.0199965Z ##[endgroup]
2020-04-27T19:43:25.0362570Z Error: Unable to initialize DigitalOcean API client: access token is required. (hint: run 'doctl auth init')

RFC: digitalocean/action-doctl v2

I'm hoping to get some feedback from users of this GitHub Action.

When this was first authored, GitHub Actions was still in its beta phase. There have been many important changes to both how they are created and their user experience since that time. I am proposing breaking changes to the doctl action in order to bring its experience more in line with how GitHub Actions now works.

Current Approach

The current doctl action is based on a Docker image that wraps the digitalocean/doctl Docker image with a few conveniences using an entrypoint script. Though it is not fundamentally different than using docker://digitalocean/doctl directly. When it was first authored DigitalOcean did not publish official Docker images for doctl while they are now available.

The current Docker-based approach has a number of drawbacks. The syntax is different than the more native approach, using:

  with:
    args:

over the more straightforward:

    run:

More importantly, working with doctl commands that need access to the shared filesystem and environment accessible by other Actions in the same workflow step is difficult. This can be seen in the example right in our README:

    - name: Save DigitalOcean kubeconfig
      uses: digitalocean/action-doctl@master
      env:
        DIGITALOCEAN_ACCESS_TOKEN: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
      with:
        args: kubernetes cluster kubeconfig show k8s-cluster-name > $GITHUB_WORKSPACE/.kubeconfig

Rather than using doctl's kubeconfig save subcommand, we recommend redirecting the output of kubeconfig show. This is because save would save the kubeconfig file in the container's ~/.kube/config rather than the shared runner.

This affects other doctl subcommands as well. Both compute ssh and registry login are difficult to use in any sane fashion under this approach. See for example #14 and #24.

Proposed Approach

I am proposing to re-write this action in JavaScript using the native GitHub Actions Toolkit. Rather than running doctl subcommands, v2 would install doctl in the shared runner's PATH allowing it to be used directly. This would provide a much improved user experience.

Using this approach, the example from our README would now look like:

    - name: Install doctl
      uses: digitalocean/action-doctl@v2
      with:
        token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}

    - name: Save DigitalOcean kubeconfig
      run: doctl kubernetes cluster kubeconfig save testing-cluster

This can simplify subsequent commands as the kubeconfig file is now available to them at their expected location removing workarounds specific to the current approach. For example, this:

 - name: Deploy to DigitalOcean Kubernetes
   run: kubectl --kubeconfig=$GITHUB_WORKSPACE/.kubeconfig apply -f $GITHUB_WORKSPACE/config/deployment.yml

becomes:

     - name: Deploy to DigitalOcean Kubernetes
       run: kubectl apply -f $GITHUB_WORKSPACE/config/deployment.yml

Similarly, the workflow for pushing a container to a private DigitalOcean registry is now possible as the doctl command can write to ~/.docker/config.json. E.g.

    - name: Login to Docker
      run: doctl registry login

    - name: Push image to registry
      run: docker push registry.digitalocean.com/user/example

Backwards Compatibility

Current users may be referencing the action by specifying digitalocean/action-doctl@master. In order to not break existing users, I am proposing that a v2 branch is created and made the default for the repository. Users will need to explicitly opt in by using digitalocean/action-doctl@v2 to pick up these changes.

Testing

A proof of concept is currently available in the v2-experiment branch and can be used right now on Linux, MacOS, and Windows workflows with:

    - name: Install doctl
      uses: digitalocean/action-doctl@v2-experiment

See here for a diff between the current code base and the proposal: v2...v2-experiment

[SOLVED] `doctl registry login` creates superfluous API Tokens

I'm not quite sure if this is due to this action, or more of an issue with doctl itself. I have the following GitHub steps defined:

  build:
    runs-on: ubuntu-latest
    steps:
      - name: Check Out Repo 
        uses: actions/checkout@v2
      - name: Install DigitalOcean Controller
        uses: digitalocean/action-doctl@v2
        with:
          token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
      - name: Set up Docker Builder
        uses: docker/setup-buildx-action@v1
      - name: Authenticate with DigitalOcean Container Registry
        run: doctl registry login
      - name: Build and Push to DigitalOcean Container Registry
        uses: docker/build-push-action@v2
        with:
          context: .
          push: true
          tags: registry.digitalocean.com/$FOO/$BAR:latest
      - name: Logout from DigitalOcean Container Registry
        run: doctl registry logout

Each time this GitHub action runs, a new entry is added to the Tokens/Keys list with the name container-registry-$FOO-$TIMESTAMP. By now I seem to have hundreds of tokens in there. Is there a way to modify the use of this action to either not create so many tokens, or clean up the tokens once they're no longer needed?

Unable to apply manifest files using doctl - connection refused

I want to apply my manifest files via actions yml.

name: deploy-manifests

on: 
  push:
    branches: master
    paths:
      - 'infra/**'

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: digitalocean/action-doctl@v2
        with:
          token: ${{ secrets.DIGITAL_OCEAN_ACCESS_TOKEN }}
      - run: kubectl apply -f infra/k8s && kubectl apply -f infra/k8s-production

I can't seem to get past this error. Am I missing something? I'm logged in without issue:


Validating token... OK

>>> Successfully logged into doctl

GitHub Action No Longer Works Due to Deprecation of Add-Path

Recently GitHub actions deprecated the usage of set-env and add-path commands due to security vulnerabilities.
You can find more about that here: https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/

So currently I can't use the Doctl GitHub action. While there is a short-term solution to allow insecure commands, since I can't do that on an action-specific basis I don't really think that's a viable route.

Here's a screen capture of the error message:
image

How difficult would it be to fix this for the doctl github action?

Manual input request - how to solve?

Run doctl registry garbage-collection start
  doctl registry garbage-collection start
  shell: /usr/bin/bash -e {0}
Warning: Are you sure you want to run garbage collection -- this will put your registry in read-only mode until it finishes (y/N) ? Error: Operation aborted.
Error: Process completed with exit code 1.

Setup without token for offline commands such as app spec validation

Hey DigitalOcean folks!

I use this action in both my continuous integration (PR) and continuous deployment (merged) workflows. For merge, I use it to trigger deployment of my App Platform app after running tests. For my pre-PR CI run, I use it to validate the app spec before merge.

This has been working really well for my own private use, but I've recently opened my repository for other contributors. Contributors are forking the repository and submitting PRs, which attempt to validate the app spec. But since actions from forks don't have access to secrets, the login is failing and I can't validate the spec.

I've played with the doctl CLI on my own machine and it appears spec validation doctl apps spec validate does not require authentication to run.

So what I'm wondering is if it'd be possible to modify this action (I'd be happy to submit a PR for it, if appropriate) to make the token optional. This would allow offline behaviors, such as app spec validation, to be run without exposing secrets to open source collaborators.

In my use case, this would look something like the following:

      - name: Install doctl
        uses: digitalocean/action-doctl@v2

      - name: Validate app spec
        run: doctl apps spec validate .do/app.yaml

Usage instructions should have a token setup reminder

It may be worth providing a reminder in the Usage section or a prerequisite section directing users to set up a DigitalOcean API token and add it as a GitHub repo or organization secret prior to the usage steps.

Details on doing so are certainly out of scope but a friendly reminder could save newer users some setup time.

Support for arm64 platform

Hi. To be able to run this action on an arm64 platform, we may need to change the downloadDoctl function to download the corresponding doctl version. Currently it downloads amd64 version on all linux systems, even if they are arm64-based.

Examples are out of date

The examples in the README reference the HCL syntax. This makes it hard to know what to do with the YAML syntax of GitHub actions. I tried to do the following and it didn't work:

    - name: Configure Kubernetes
      uses: digitalocean/[email protected]
      with:
        entrypoint: /usr/local/bin/doctl
        args: kubernetes cluster kubeconfig show kubermemes > $HOME/.kubeconfig

Action will stop working Nov 16th

Error: The `add-path` command is deprecated and will be disabled on November 16th. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2020-10-01-github-actions-deprecating-set-env-and-add-path-commands/
>>> doctl version v1.51.0 installed to /home/runner/runner/_work/_tool/doctl/1.51.0/x64

Probably should update the octokit dependency
