For up to date versions of wrangler, secrets are uploaded via the
'secret:bulk' command, which batches updates in a single API call.
For versions of wrangler without that capability, the action falls back
to the single 'secret put' command for each secret. It races all these
with a Promise.all()
Unfortunately, the single secret API cannot handle concurrency - at
best, these calls have to wait on one another, holding requests open
all the while. Often it times out and errors.
This fixes the legacy secret upload errors by making these calls
serially instead of concurrently.
Instead of using a mix of `child_process.exec`, `child_process.execSync` and a promisified version of `child_process.exec`, we now (mostly) just use `@actions/exec`. That runs `child_process.spawn` under the hood and handles a lot of character escaping for us. We can also now pass Buffers directly into the subprocess as stdin instead of relying on shell piping.
This ends up fixing a few problems we had where secrets and env var values containing shell metacharacters were being misinterpreted.
Unfortunately, `@actions/exec` doesn't support running with a shell. That means we still have to roll our own wrapper around `child_process.exec` to avoid a breaking change to `preCommands` and `postCommands`, since users might be expecting these to run within a shell.
Also worth noting that we're no longer hiding stdout and stderr from the secret uploading step. We were previously doing this out of an abundance of caution, but it made debugging issues very difficult if secret upload failed for some reason. I feel ok doing this since we're no longer echoing & piping the secret values, wrangler doesn't ever output secret values, and as a last line of defense GitHub masks any secret values that accidentally get logged.
Some of the stderr, stdout, info & groupings can be a little noisy for some users and use cases.
This feature allows for a option to be passed 'quiet: true' this would significantly reduce the noise.
There will still be output that lets the user know Wrangler Installed and Wrangler Action completed successfully.
Any failure status will still be output to the user as well, to prevent silent failures.
resolves#142
Previously, we prevented any error logs from propagating too far to prevent leaking of any potentially sensitive information. However, this made it difficult for developers to debug their code.
In this release, we have updated our error handling to allow for more error messaging from pre/post and custom commands. We still discourage the use of these commands for secrets or other sensitive information, but we believe this change will make it easier for developers to debug their code.
Relates to #137
* Removes dependencies such as Docker, decreasing spin-up time
* Adds community-requested features, including bulk secrets API utilization from Wrangler
* Fixes CI/CD
* Adds testing
* Improves command implementation
* Begins using Node for the Action engine/runner
* Openly discusses all changes with the community
GitHub Discussions opened and Issues monitored
BREAKING CHANGES:
* Docker is no longer a dependency
* Wrangler v1 is no longer supported
Additional related Internal tickets:
Major Version Default: https://jira.cfdata.org/browse/DEVX-632
Rewrite Project: DEVX-804,802,800,632