PLT-142 Add aws-params-env-action (#7)

* Pull in aws-params-env-action

* Move workflow files to root of .github/workflows

* Fix source-root for CodeQL

* Add pull_request trigger

.gitattributes

@@ -0,0 +1 @@
+/actions/aws-params-env-action/dist/** -diff linguist-generated=true

.github/dependabot.yml

@@ -0,0 +1,15 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /actions/aws-params-env-action/
+    schedule:
+      interval: daily
+    # Security updates only
+    open-pull-requests-limit: 0
+
+  - package-ecosystem: npm
+    directory: /actions/aws-params-env-action/
+    schedule:
+      interval: daily
+    # Security updates only
+    open-pull-requests-limit: 0

.github/workflows/aws-params-env-action-check-dist.yml

@@ -0,0 +1,57 @@
+# `dist/index.js` is a special file in Actions.
+# When you reference an action with `uses:` in a workflow,
+# `index.js` is the code that will run.
+# For our project, we generate this file through a build process from other source files.
+# We need to make sure the checked-in `index.js` actually matches what we expect it to be.
+name: Check dist/ for aws-params-env-action
+
+on:
+  push:
+    paths:
+      - 'actions/aws-params-env-action/**'
+      - '!actions/aws-params-env-action/**.md'
+  pull_request:
+    paths:
+      - 'actions/aws-params-env-action/**'
+      - '!actions/aws-params-env-action/**.md'
+  workflow_dispatch:
+
+defaults:
+  run:
+    working-directory: actions/aws-params-env-action
+
+jobs:
+  check-dist:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Set Node.js 16.x
+        uses: actions/setup-node@v3.6.0
+        with:
+          node-version: 16.x
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Rebuild the dist/ directory
+        run: |
+          npm run build
+          npm run package
+
+      - name: Compare the expected and actual dist/ directories
+        run: |
+          if [ "$(git diff --ignore-space-at-eol dist/ | wc -l)" -gt "0" ]; then
+            echo "Detected uncommitted changes after build.  See status below:"
+            git diff
+            exit 1
+          fi
+        id: diff
+
+      # If index.js was different than expected, upload the expected version as an artifact
+      - uses: actions/upload-artifact@v3
+        if: ${{ failure() && steps.diff.conclusion == 'failure' }}
+        with:
+          name: dist
+          path: dist/

.github/workflows/aws-params-env-action-test.yml

@@ -0,0 +1,24 @@
+name: Test aws-params-env-action
+
+on:
+  push:
+    paths:
+      - 'actions/aws-params-env-action/**'
+      - '!actions/aws-params-env-action/**.md'
+  pull_request:
+    paths:
+      - 'actions/aws-params-env-action/**'
+      - '!actions/aws-params-env-action/**.md'
+  workflow_dispatch:
+
+defaults:
+  run:
+    working-directory: actions/aws-params-env-action
+
+jobs:
+  test-and-check-build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - run: npm ci
+      - run: npm run all

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,73 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: CodeQL analysis for aws-params-env-action
+
+on:
+  push:
+    paths:
+      - 'actions/aws-params-env-action/**'
+      - '!actions/aws-params-env-action/**.md'
+  pull_request:
+    paths:
+      - 'actions/aws-params-env-action/**'
+      - '!actions/aws-params-env-action/**.md'
+  schedule:
+    - cron: '31 7 * * 3'
+
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'TypeScript' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        # Learn more about CodeQL language support at https://git.io/codeql-language-support
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: ${{ matrix.language }}
+        source-root: actions/aws-params-env-action/src
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v2
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 https://git.io/JvXDl
+
+    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language
+
+    #- run: |
+    #   make bootstrap
+    #   make release
+
+    - name: Perform CodeQL analysis
+      uses: github/codeql-action/analyze@v2

.gitignore

@@ -0,0 +1,5 @@
+node_modules
+
+# Ignore built ts files
+/actions/aws-params-env-action/__tests__/runner/*
+/actions/aws-params-env-action/lib/**/*

actions/aws-params-env-action/.eslintignore

@@ -0,0 +1,4 @@
+dist/
+lib/
+node_modules/
+jest.config.js

actions/aws-params-env-action/.eslintrc.json

@@ -0,0 +1,55 @@
+{
+    "plugins": ["jest", "@typescript-eslint"],
+    "extends": ["plugin:github/recommended"],
+    "parser": "@typescript-eslint/parser",
+    "parserOptions": {
+      "ecmaVersion": 9,
+      "sourceType": "module",
+      "project": "./tsconfig.json"
+    },
+    "rules": {
+      "i18n-text/no-en": "off",
+      "eslint-comments/no-use": "off",
+      "import/no-namespace": "off",
+      "no-unused-vars": "off",
+      "@typescript-eslint/no-unused-vars": "error",
+      "@typescript-eslint/explicit-member-accessibility": ["error", {"accessibility": "no-public"}],
+      "@typescript-eslint/no-require-imports": "error",
+      "@typescript-eslint/array-type": "error",
+      "@typescript-eslint/await-thenable": "error",
+      "@typescript-eslint/ban-ts-comment": "error",
+      "camelcase": "off",
+      "@typescript-eslint/consistent-type-assertions": "error",
+      "@typescript-eslint/explicit-function-return-type": ["error", {"allowExpressions": true}],
+      "@typescript-eslint/func-call-spacing": ["error", "never"],
+      "@typescript-eslint/no-array-constructor": "error",
+      "@typescript-eslint/no-empty-interface": "error",
+      "@typescript-eslint/no-explicit-any": "error",
+      "@typescript-eslint/no-extraneous-class": "error",
+      "@typescript-eslint/no-for-in-array": "error",
+      "@typescript-eslint/no-inferrable-types": "error",
+      "@typescript-eslint/no-misused-new": "error",
+      "@typescript-eslint/no-namespace": "error",
+      "@typescript-eslint/no-non-null-assertion": "warn",
+      "@typescript-eslint/no-unnecessary-qualifier": "error",
+      "@typescript-eslint/no-unnecessary-type-assertion": "error",
+      "@typescript-eslint/no-useless-constructor": "error",
+      "@typescript-eslint/no-var-requires": "error",
+      "@typescript-eslint/prefer-for-of": "warn",
+      "@typescript-eslint/prefer-function-type": "warn",
+      "@typescript-eslint/prefer-includes": "error",
+      "@typescript-eslint/prefer-string-starts-ends-with": "error",
+      "@typescript-eslint/promise-function-async": "error",
+      "@typescript-eslint/require-array-sort-compare": "error",
+      "@typescript-eslint/restrict-plus-operands": "error",
+      "semi": "off",
+      "@typescript-eslint/semi": ["error", "never"],
+      "@typescript-eslint/type-annotation-spacing": "error",
+      "@typescript-eslint/unbound-method": "error"
+    },
+    "env": {
+      "node": true,
+      "es6": true,
+      "jest/globals": true
+    }
+  }

actions/aws-params-env-action/.prettierignore

@@ -0,0 +1,3 @@
+dist/
+lib/
+node_modules/

actions/aws-params-env-action/.prettierrc.json

@@ -0,0 +1,10 @@
+{
+  "printWidth": 80,
+  "tabWidth": 2,
+  "useTabs": false,
+  "semi": false,
+  "singleQuote": true,
+  "trailingComma": "none",
+  "bracketSpacing": false,
+  "arrowParens": "avoid"
+}

actions/aws-params-env-action/CODEOWNERS

@@ -0,0 +1 @@
+* @gsf

actions/aws-params-env-action/LICENSE

@@ -0,0 +1,22 @@
+
+The MIT License (MIT)
+
+Copyright (c) 2018 GitHub, Inc. and contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

actions/aws-params-env-action/README.md

@@ -0,0 +1,40 @@
+# AWS Parameter Store Environment Variables
+
+The `aws-params-env-action` sets workflow environment variables from values in AWS Systems Manager Parameter Store. Parameters of type SecureString are masked.
+
+## Prerequisites
+
+To use this action, you must have AWS credentials and region configured in the action environment. This can be done by using the [configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials) step, for example, or by running the action on a self-hosted runner in AWS with an instance profile.
+
+## Usage
+
+The only input is `params`, which accepts whitespace-separated pairs of the form "ENV_VAR=/aws/param" where "ENV_VAR" will be the name of a variable added to the environment for subsequent steps in the workflow. The value of that variable will be the value retrieved from AWS Parameter Store for a parameter named "/aws/param". Here is an example step:
+
+```
+- name: Set env vars from AWS params
+  uses: gsf/aws-params-env-action@v1
+  with:
+    params: |
+      VAR1=/aws/parameter/a
+      ENV_VAR2=/param/b
+      SECRET_X=/secret/param/x
+```
+
+All steps in the workflow following this will have VAR1, ENV_VAR2, and SECRET_X variables in the environment with values from the referenced parameters in AWS Parameter Store. If /secret/param/x is a parameter of type SecureString then its value will be masked. This essentially replaces the verbosity and manual masking of a step like this:
+
+```
+- name: Set env vars
+  run: |
+    shopt -s expand_aliases # https://github.com/actions/toolkit/issues/766#issuecomment-928305811
+    alias param="aws ssm get-parameter --output text --query Parameter.Value --with-decryption --name"
+
+    parameter_a="$(param /aws/parameter/a)"
+    echo "VAR1=$parameter_a" >> "$GITHUB_ENV"
+
+    param_b="$(param /param/b)"
+    echo "ENV_VAR2=$param_b" >> "$GITHUB_ENV"
+
+    secret_x="$(param /secret/param/x)"
+    echo "::add-mask::$secret_x"
+    echo "SECRET_X=$secret_x" >> "$GITHUB_ENV"
+```