Add script to authenticate orgs via env var in Docker image

[jlantz]

The SF CLI Docker image would be more immediately useful in CI/CD builds and devcontainers if it supported handling authentication to orgs via passed env vars.

Almost every example GitHub Actions build I've seen starts off by writing the sfdx auth url to a file, then calling sf to authenticate, then hopefully deleting that file. That's redundant logic in every build.

I've done something similar to what I'm proposing with the open source D2X Docker image I'm building on top of the SF CLI Docker image to include CumulusCI. Here's the script I include in that image to handle authenticating a DEV_HUB, PACKAGING_ORG, and TARGET_ORG via sfdx auth url or JWT (I'm not certain the JWT is functional):
https://github.com/muselab-d2x/d2x/blob/cumulusci-next/devhub.sh

I'm not proposing raw inclusion of that script. I'd like to have a discussion to figure out what approach would be the best for the SF CLI docker image. The script was mostly a functional hack and could definitely use improvement or complete rewrite, potentially in TS?

I propose three org types that can be passed in:

• DEV_HUB: Set as the default devhub. Used for scratch org interactions. Ideally restricted only to scratch orgs and not packaging
• PACKAGING_ORG: For packaging operations, either the 1GP packaging org or credentials with packaging permissions to the devhub. For 2GP promotion, credential must have promotion permissions
• TARGET_ORG: Any other org that is being targeted in the build

With this setup, it's much easier to build more concise reusable workflows that focus on the pipeline's logic rather than plumbing. It's also completely optional, you just call the script from your build.

Here's an example GitHub Actions workflow using the script and passing the env vars:

name: Unmanaged Feature Test

on:
  workflow_call:
    inputs:
      org:
        type: string
        default: feature
    secrets:
      # Either dev-hub-auth-url or dev-hub-username, dev-hub-client-id, and dev-hub-private-key are required
      dev-hub-auth-url:
        required: false
      dev-hub-username:
        required: false
      dev-hub-client-id:
        required: false
      dev-hub-private-key:
        required: false
      gh-email:
        required: true      
      github-token:
        required: true

jobs:
    feature-test:
        name: "Feature Test"
        runs-on: ubuntu-latest
        container:
            image: ghcr.io/muselab-d2x/d2x:cumulusci-next
            options: --user root
            credentials:
                username: ${{ github.actor }}
                password: ${{ secrets.github-token }}
            env:
                DEV_HUB_AUTH_URL: "${{ secrets.dev-hub-auth-url }}"
                DEV_HUB_USERNAME: "${{ secrets.dev-hub-username }}"
                DEV_HUB_CLIENT_ID: "${{ secrets.dev-hub-client-id }}"
                DEV_HUB_PRIVATE_KEY: "${{ secrets.dev-hub-private-key }}"
                CUMULUSCI_SERVICE_github: "{ \"username\": \"${{ github.actor }}\", \"token\": \"${{ secrets.github-token }}\", \"email\": \"${{ secrets.gh-email }}\" }"
        steps:
            - name: Checkout
              uses: actions/checkout@v2
            - name: Auth to DevHub
              run: /usr/local/bin/devhub.sh
            - name: Set ${{ inputs.org }} org as default org
              run: cci org default ${{ inputs.org }}
            - name: Run Feature Test
              run: cci flow run ci_feature
            - name: Delete Scratch Org
              if: ${{ always() }}
              run: |
                cci org scratch_delete ${{ inputs.org }}
              shell: bash

I'm happy to work on this contribution. I'd love to get some guidance on the standards for such a script to be included in the Docker image.

[jlantz]

For an example of what this could eliminate from each build script...

            # Store secret for dev hub
            - name: 'Populate auth file with DEVHUB_SFDX_URL secret'
              shell: bash
              run: |
                  echo ${{ secrets.DEVHUB_SFDX_URL }} > ./DEVHUB_SFDX_URL.txt
                  secretFileSize=$(wc -c "./DEVHUB_SFDX_URL.txt" | awk '{print $1}')
                  if [ $secretFileSize == 1 ]; then
                      echo "Missing DEVHUB_SFDX_URL secret. Is this workflow running on a fork?";
                      exit 1;
                  fi

            # Authenticate dev hub
            - name: 'Authenticate Dev Hub'
              run: sf org login sfdx-url -f ./DEVHUB_SFDX_URL.txt -a devhub -d

            # Remove auth file
            - name: 'Remove auth file'
              run: rm -f ./DEVHUB_SFDX_URL.txt

https://github.com/trailheadapps/dreamhouse-lwc/blob/main/.github/workflows/packaging-pr.yml#L31-L48

[RupertBarrow]

This feature would be cool. We all have those lines above in out GH actions.

[mshanemc]

cool!
don't forget that you can use echo $AUTH_URL | sf org login sfdx-url --sfdx-url-stdin

[jlantz]

Any standards for scripts? Should I use TS or bash?

[mshanemc]

for the docker scripts? I think they're currently bash