├── .github
    └── workflows
    │   └── security-considerations.yml
├── CODEOWNERS
├── CONTRIBUTING.md
├── Dockerfile
├── LICENSE.md
├── README.md
├── SECURITY.md
├── action.yml
└── entrypoint.sh


/.github/workflows/security-considerations.yml:
--------------------------------------------------------------------------------
name: Security Considerations

on:
  pull_request:
    types: [opened, edited, reopened]
    branches: [main, master, develop]

jobs:
  security-considerations:
    runs-on: ubuntu-latest
    steps:
      - uses: cloud-gov/security-considerations-action@main

--------------------------------------------------------------------------------
/CODEOWNERS:
--------------------------------------------------------------------------------
* @cloud-gov/customer-success-squad


--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
**Contribution Policy**

Cloud.gov is an open source project operated by the U.S. General Services Administration (GSA) to support federal agency missions. While we value transparency and collaboration, we must balance openness with the responsibilities of operating a secure, compliant, and trusted federal platform.

✅ **Who can contribute**
We welcome contributions from:

- Employees of U.S. federal agencies
- Contractors working under a current agreement with a U.S. government entity
- GSA-approved contributors as part of official interagency collaboration

❌ **Who we cannot accept contributions from**
To avoid the appearance of government endorsement, manage supply chain risk, and maintain the integrity of our compliance posture, we do **not** accept unsolicited contributions from:

- Individuals unaffiliated with the U.S.
government
- International contributors or organizations
- Unvetted accounts or first-time contributors submitting minor changes

If you're unsure whether your contribution fits, feel free to open an issue first so we can discuss it.

--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
FROM cloudfoundry/cli:8
RUN apk update && apk upgrade && apk add --no-cache bash jq curl grep coreutils
ADD entrypoint.sh /entrypoint.sh
ENTRYPOINT ["/bin/bash", "/entrypoint.sh"]

--------------------------------------------------------------------------------
/LICENSE.md:
--------------------------------------------------------------------------------
As a work of the United States Government, this project is in the
public domain within the United States.

Additionally, we waive copyright and related rights in the work worldwide through the CC0 1.0 Universal public domain dedication.

## CC0 1.0 Universal Summary

This is a human-readable summary of the [Legal Code (read the full text)](https://creativecommons.org/publicdomain/zero/1.0/legalcode).

### No Copyright

The person who associated a work with this deed has dedicated the work to
the public domain by waiving all of his or her rights to the work worldwide
under copyright law, including all related and neighboring rights, to the
extent allowed by law.

You can copy, modify, distribute and perform the work, even for commercial
purposes, all without asking permission.

### Other Information

In no way are the patent or trademark rights of any person affected by CC0,
nor are the rights that other persons may have in the work or in how the
work is used, such as publicity or privacy rights.

Unless expressly stated otherwise, the person who associated a work with
this deed makes no warranties about the work, and disclaims liability for
all uses of the work, to the fullest extent permitted by applicable law.
When using or citing the work, you should not imply endorsement by the
author or the affirmer.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Cloud.gov CF CLI Tools

A GitHub action for using CF CLI tools while deploying and managing apps on [cloud.gov](https://cloud.gov).

## Usage

Follow the instructions for setting up a [cloud.gov service account](https://cloud.gov/docs/services/cloud-gov-service-account/). Store your username (CG_USERNAME) and password (CG_PASSWORD) as [encrypted secrets](https://help.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets).

## Sample workflow

The following is an example of a workflow that uses this action.
This example shows how to deploy a simple .NET Core app to cloud.gov:

```yml
name: .NET Core Deploy

on:
  pull_request:
    branches: [ {branch-name} ]

jobs:
  build:
    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v2
    - name: Setup .NET Core
      uses: actions/setup-dotnet@v1
      with:
        dotnet-version: 3.1.101

    - name: Install dependencies
      run: dotnet restore

    - name: Build
      run: dotnet build

  deploy:
    runs-on: ubuntu-latest
    needs: build

    steps:
    - uses: actions/checkout@v2
    - name: Deploy to cloud.gov
      uses: cloud-gov/cg-cli-tools@main
      with:
        cf_username: ${{ secrets.CG_USERNAME }}
        cf_password: ${{ secrets.CG_PASSWORD }}
        cf_org: your-org
        cf_space: your-space

```

The default action is to do a `cf push -f manifest.yml --strategy rolling`.

You can also supply:

- `cf_api:` to specify a Cloud Foundry API endpoint (instead of the default `api.fr.cloud.gov`)
- `cf_manifest:` to use a different manifest file (instead of the default `manifest.yml`)
- `cf_vars_file:` to [specify values for variables in the manifest file](https://docs.cloudfoundry.org/devguide/deploy-apps/manifest-attributes.html#variable-substitution)
- `cf_command:` to specify a CF sub-command to run (instead of the default `push -f $MANIFEST --vars-file $VARS_FILE --strategy rolling`)
- `command:` to specify another command altogether (for example: a script which checks if required services are present and creates them if they're missing)

## A note on versions

By default this action uses the cf CLI v8 to take advantage of some of the [new features in that version](https://docs.cloudfoundry.org/cf-cli/v8.html#new-workflows).
If you need to use v7 of the CLI, you can target the `cli-v7` branch when setting up your workflow, like so: `cloud-gov/cg-cli-tools@cli-v7`

## Protecting secret values in attributes for the deployment

If the attributes (environment variables) of the deployment contain values that should remain secret, it is best to use the `--var` flag with `cf push` in this action so that you can pass a GitHub secret to the command, which will automatically mask the variable in the deployment logs. Use `cf_command` like so:

```
cf_command: "push -f manifest.yml --var var-name=${{ secrets.SECRET_VAR_VALUE }} --strategy rolling"
```

**Example**: For the PHP Buildpack, if you want to use New Relic, all you have to do is [provide the license as an environment variable](https://docs.cloudfoundry.org/buildpacks/php/gsg-php-newrelic.html). However, if you do not mask the environment variable as part of the deployment, subsequent deploys will show the license in the diff.

## Other options

There are other tools and utilities that you can use to deploy your application to cloud.gov. Here is a list of some of the more common options.

-
-
-
-
-

--------------------------------------------------------------------------------
/SECURITY.md:
--------------------------------------------------------------------------------

**Reporting Security Issues**

Please refrain from reporting security vulnerabilities through public GitHub issues.

Instead, kindly report them via the information provided in [cloud.gov's security.txt](https://cloud.gov/.well-known/security.txt).

When reporting, include the following details (as much as possible) to help us understand the nature and extent of the potential issue:

- Type of issue (e.g., buffer overflow, SQL injection, cross-site scripting, etc.)
- Full paths of related source file(s)
- Location of affected source code (tag/branch/commit or direct URL)
- Any special configuration required to reproduce the issue
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if available)
- Impact of the issue, including potential exploitation by attackers

Providing this information will facilitate a quicker triage of your report.

--------------------------------------------------------------------------------
/action.yml:
--------------------------------------------------------------------------------
name: "Cloud.gov CF CLI Tools"
description: "Deploy and manage apps on cloud.gov"
inputs:
  cf_api:
    description: "Target API endpoint. Defaults to api.fr.cloud.gov."
    required: false
  cf_username:
    description: "Username for API authentication"
    required: true
  cf_password:
    description: "Password for API authentication"
    required: true
  cf_org:
    description: "Target organization"
    required: true
  cf_space:
    description: "Target space"
    required: true
  cf_manifest:
    description: "Manifest file name to use for pushing. Defaults to 'manifest.yml'."
    required: false
  cf_vars_file:
    description: "Name of the vars file to use"
    required: false
  cf_command:
    description: "CF CLI subcommand to run. Mutually exclusive with 'command:'."
    required: false
  command:
    description: "Command to run. Mutually exclusive with 'cf_command:'."
    required: false
runs:
  using: "docker"
  image: "Dockerfile"

--------------------------------------------------------------------------------
/entrypoint.sh:
--------------------------------------------------------------------------------
#!/bin/bash

set -e

CF_API=${INPUT_CF_API:-api.fr.cloud.gov}
# Authenticate and target CF org and space.
cf api "$CF_API"
cf auth "$INPUT_CF_USERNAME" "$INPUT_CF_PASSWORD"
cf target -o "$INPUT_CF_ORG" -s "$INPUT_CF_SPACE"

# If they specified a full command, run it
if [[ -n "$INPUT_COMMAND" ]]; then
  echo "Running command: $INPUT_COMMAND"
  # Quoted so that newlines and whitespace in the input reach eval unchanged
  # and are not word-split or glob-expanded first.
  eval "$INPUT_COMMAND"
  exit
fi

# If they specified a cf CLI subcommand, run it
if [[ -n "$INPUT_CF_COMMAND" ]]; then
  echo "Running command: $INPUT_CF_COMMAND"
  # Quoted for the same reason as above.
  eval "cf $INPUT_CF_COMMAND"
  exit
fi

# Otherwise, assume they want to do a cf push.

# If they didn't specify and don't have a default-named manifest.yml, then the
# push will fail with a pretty accurate message: "Incorrect Usage: The specified
# path 'manifest.yml' does not exist."
MANIFEST=${INPUT_CF_MANIFEST:-manifest.yml}

# If they specified a vars file, use it
if [[ -r "$INPUT_CF_VARS_FILE" ]]; then
  echo "Pushing with vars file: $INPUT_CF_VARS_FILE"
  cf push -f "$MANIFEST" --vars-file "$INPUT_CF_VARS_FILE" --strategy rolling
else
  echo "Pushing with manifest file: $MANIFEST"
  cf push -f "$MANIFEST" --strategy rolling
fi

--------------------------------------------------------------------------------
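
The README's `--var` advice places a secret inside `cf_command`, and `entrypoint.sh` passes that string through `eval`, so any shell metacharacter in the interpolated value is parsed by the shell a second time. The script below is an added example, not code from this repository: it allowlists the subcommand and runs it as an argument vector instead of through `eval`. `cf_command_is_plain`, `run_cf_subcommand` and `CF_BIN` are hypothetical names, and the sample inputs are constructed.

```bash
#!/usr/bin/env bash
# Added example, not part of cg-cli-tools. Function names and CF_BIN are
# hypothetical; the sample inputs at the bottom are constructed.

# Succeed only if the subcommand consists of letters, digits, spaces and
# _ . / : = @ , + -  Anything a shell would interpret ($ ` ; | & < > quotes,
# glob characters, newlines) is outside the allowlist and fails the check.
cf_command_is_plain() {
  case $1 in
    ''|*[!A-Za-z0-9_./:=@,+\ -]*) return 1 ;;
  esac
  return 0
}

# Run the subcommand without eval: split on whitespace into an argument
# vector and hand it to the cf binary directly.
run_cf_subcommand() {
  if ! cf_command_is_plain "$1"; then
    # Do not echo the rejected string: it may contain a secret value.
    echo "cf_command rejected: character outside the allowlist" >&2
    return 64
  fi
  # Unquoted on purpose: the allowlist admits no glob characters, so this
  # performs whitespace splitting only.
  set -- $1
  [ "$#" -gt 0 ] || return 64
  "${CF_BIN:-cf}" "$@"
}

# Demo with a stand-in for the cf binary that prints one argument per line.
print_args() { printf '<%s>\n' "$@"; }
CF_BIN=print_args

run_cf_subcommand 'push -f manifest.yml --var region=us-gov --strategy rolling'
run_cf_subcommand 'push -f manifest.yml --var key=$(date)' || echo "rejected, status $?"
```

A value that fails the allowlist (for example a secret containing spaces or punctuation) can be supplied through `cf_vars_file` instead, which `entrypoint.sh` passes to `cf push` as a quoted argument without `eval`.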