From f89ba2ae2366727391ff15223f0ce2c87b1188b0 Mon Sep 17 00:00:00 2001
From: Kevin Hooke <kh816@cam.ac.uk>
Date: Wed, 6 Nov 2024 16:32:45 +0000
Subject: [PATCH] changed conditional logic on deploy_tokens

---
 auto-devops/maven.gitlab-ci.yml | 70 ++++++++++++++++-----------------
 1 file changed, 34 insertions(+), 36 deletions(-)

diff --git a/auto-devops/maven.gitlab-ci.yml b/auto-devops/maven.gitlab-ci.yml
index 9160a61..6d0ee6e 100644
--- a/auto-devops/maven.gitlab-ci.yml
+++ b/auto-devops/maven.gitlab-ci.yml
@@ -25,51 +25,49 @@ variables:
   MAVEN_IMAGE: maven:$MAVEN_VERSION
 
 # Retrieve Access Token used to retrieve published Maven packages from GitLab Maven Repository
-.maven:use-access-tokens:
-  rules:
-    - if: $MAVEN_ACCESS_TOKENS_DISABLED
-      when: never
-    - !reference [".maven.deploy_tokens", script]
-
 .maven.deploy_tokens:
-  script: |
-    if ! [ -x "$(command -v apt-get)" ]; then
-      apk add --no-cache curl jq git
-    else
-      apt-get update && apt-get install -y curl jq git
-    fi
+  - |
+    if [ $MAVEN_ACCESS_TOKENS_DISABLED = "0" ]; then
+      if ! [ -x "$(command -v apt-get)" ]; then
+        apk add --no-cache curl jq git
+      else
+        apt-get update && apt-get install -y curl jq git
+      fi
 
-    echo "Retrieving an access token for the default service account of the runner pod..."
-      DEFAULT_TOKEN=$(
-        curl --fail-with-body -s -S -H "Metadata-Flavor: Google" \
-          "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" \
-        | jq -r ".access_token"
-      )
+      echo "Retrieving an access token for the default service account of the runner pod..."
+        DEFAULT_TOKEN=$(
+          curl --fail-with-body -s -S -H "Metadata-Flavor: Google" \
+            "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token" \
+          | jq -r ".access_token"
+        )
 
-      echo "Generating an access token for the $GITLAB_TOKEN_ACCESSOR_SERVICE_ACCOUNT service account..."
-      ACCESS_TOKEN=$(
-        curl --fail-with-body -s -S -X POST \
-          -H "Authorization: Bearer $DEFAULT_TOKEN" \
-          -H "Content-Type: application/json; charset=utf-8" \
-          "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${GITLAB_TOKEN_ACCESSOR_SERVICE_ACCOUNT/@/%40}:generateAccessToken" \
-          -d '{"scope": ["https://www.googleapis.com/auth/cloud-platform"]}' \
-        | jq -r ".accessToken"
-      )
+        echo "Generating an access token for the $GITLAB_TOKEN_ACCESSOR_SERVICE_ACCOUNT service account..."
+        ACCESS_TOKEN=$(
+          curl --fail-with-body -s -S -X POST \
+            -H "Authorization: Bearer $DEFAULT_TOKEN" \
+            -H "Content-Type: application/json; charset=utf-8" \
+            "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/${GITLAB_TOKEN_ACCESSOR_SERVICE_ACCOUNT/@/%40}:generateAccessToken" \
+            -d '{"scope": ["https://www.googleapis.com/auth/cloud-platform"]}' \
+          | jq -r ".accessToken"
+        )
 
-      echo "Retrieving the GitLab bot access token from Google Secret Manager..."
-      export GITLAB_TOKEN=$(
-        curl --fail-with-body -s -S -H "Authorization: Bearer $ACCESS_TOKEN" \
-          -H "Content-Type: application/json" \
-          "https://secretmanager.googleapis.com/v1/projects/$GITLAB_DEPLOY_GROUP_DEPLOY_TOKEN_SECRET_PROJECT/secrets/$GITLAB_DEPLOY_GROUP_DEPLOY_TOKEN_SECRET_NAME/versions/latest:access" \
-        | jq -r ".payload.data" | base64 -d
-      )
+        echo "Retrieving the GitLab bot access token from Google Secret Manager..."
+        export GITLAB_TOKEN=$(
+          curl --fail-with-body -s -S -H "Authorization: Bearer $ACCESS_TOKEN" \
+            -H "Content-Type: application/json" \
+            "https://secretmanager.googleapis.com/v1/projects/$GITLAB_DEPLOY_GROUP_DEPLOY_TOKEN_SECRET_PROJECT/secrets/$GITLAB_DEPLOY_GROUP_DEPLOY_TOKEN_SECRET_NAME/versions/latest:access" \
+          | jq -r ".payload.data" | base64 -d
+        )
 
-      export AUTO_DEVOPS_BUILD_IMAGE_EXTRA_ARGS=--build-arg="GITLAB_TOKEN=${GITLAB_TOKEN}"
+        export AUTO_DEVOPS_BUILD_IMAGE_EXTRA_ARGS=--build-arg="GITLAB_TOKEN=${GITLAB_TOKEN}"
+    else
+      echo "MAVEN_ACCESS_TOKENS_DISABLED=1, skipping access tokens"
+    fi
 
 # Template maven job.
 .maven:
   image: $MAVEN_IMAGE
-  before_script: !reference [".maven:use-access-tokens"]
+  before_script: !reference [".maven.deploy_tokens"]
   # Cache downloaded dependencies and plugins between builds. To keep cache across branches add
   # 'key: "$CI_JOB_NAME"' Be aware that `mvn deploy` will install the built jar into this
   # repository. If you notice your cache size increasing, consider adding
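Review bot: The new guard `if [ $MAVEN_ACCESS_TOKENS_DISABLED = "0" ]` (first added line of the block scalar) leaves the variable unquoted, so when it is unset or empty the test degenerates to `[ = "0" ]`, which `[` rejects with a non-zero status; the script then falls through to the else branch and skips token retrieval while printing `MAVEN_ACCESS_TOKENS_DISABLED=1` even though nothing was set. The removed rules treated the variable as opt-out (any defined value disabled tokens), whereas the new test is opt-in on the literal `"0"`, so every consumer that never set the variable flips from retrieving tokens to skipping them unless the `variables:` block above the hunk supplies a default, which I cannot see from here. Suggest quoting and pinning the default explicitly, `if [ "${MAVEN_ACCESS_TOKENS_DISABLED:-0}" = "0" ]; then`, and having the else branch report the real value, `echo "MAVEN_ACCESS_TOKENS_DISABLED=${MAVEN_ACCESS_TOKENS_DISABLED}, skipping access tokens"`. Separately, `before_script: !reference [".maven.deploy_tokens"]` now resolves a bare top-level list rather than a hidden job's `script` key; GitLab's `!reference` does resolve whole-key paths, but since the hunk no longer shows a `script:` entry it is worth confirming with the CI lint check that the pipeline still validates.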
-- 
GitLab