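--- a/.github/workflows/manage-auth0-redirects.yml
+++ b/.github/workflows/manage-auth0-redirects.yml
@@ -0,0 +1,150 @@
+# .github/workflows/manage-auth0-redirects.yml
+name : Manage Auth0 Redirect URLs
+
+on :
+workflow_run :
+# Triggered by the completion of the 'PR Trigger' workflow
+workflows : ["PR Trigger"] # Name of the workflow defined above
+types : [completed] # Trigger when Workflow A completes, regardless of success/failure
+# IMPORTANT: This workflow MUST run in the context of your BASE repository.
+# Restrict it to your main development branches where secrets are available
+# and the workflow file itself is protected by branch rules.
+branches : [main] # <<< CONFIGURE YOUR BASE BRANCHES HERE (e.g., main, develop, production)
+
+jobs :
+manage_redirect :
+runs-on : ubuntu-latest
+# This job runs even if the triggering workflow_run (Workflow A) failed,
+# especially to handle 'closed' PRs for cleanup. We check the PR action within the job.
+environment : auth0
+env :
+AUTH0_DOMAIN : ${{ env.AUTH0_DOMAIN }}
+AUTH0_APP_CLIENT_ID : ${{ env.AUTH0_APP_CLIENT_ID }}
+# Base URL pattern for your ephemeral PR environments.
+# {pr_id} will be replaced with the pull request number.
+# EXAMPLE: "https://pr-{pr_id}.my-app.staging.example.com/callback"
+REDIRECT_URL_PATTERN : " https://pr-{pr_id}.your-staging-domain.com/callback" # <<< CONFIGURE THIS
+
+steps :
+- name : Set up jq and Install Auth0 CLI
+run : |
+sudo apt-get update && sudo apt-get install -y jq
+# Install the Auth0 CLI
+curl -sSfL https://raw.githubusercontent.com/auth0/auth0-cli/main/cli/install.sh | sh
+
+- name : Extract Pull Request Info from Workflow Run Event
+id : pr_info
+run : |
+# Fetch the full workflow run payload to get the original event that triggered Workflow A.
+# The GITHUB_TOKEN is available here because this job runs in the base repository context.
+# The event_url points to the original event payload (e.g., the pull_request event).
+EVENT_PAYLOAD=$(curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
+-H "Accept: application/vnd.github.v3+json" \
+"${{ github.event.workflow_run.event_url }}")
+
+EVENT_TYPE=$(echo "$EVENT_PAYLOAD" | jq -r '.event_name')
+PR_ACTION=""
+PR_NUMBER=""
+
+# Verify if the event was a pull_request and extract details
+if [ "$EVENT_TYPE" == "pull_request" ]; then
+PR_ACTION=$(echo "$EVENT_PAYLOAD" | jq -r '.payload.action')
+PR_NUMBER=$(echo "$EVENT_PAYLOAD" | jq -r '.payload.pull_request.number')
+echo "Detected PR Action: $PR_ACTION"
+echo "Detected PR Number: $PR_NUMBER"
+else
+echo "Workflow was not triggered by a pull_request event (${EVENT_TYPE}). No Auth0 callback action taken."
+# Exit successfully if not a PR event we care about, to avoid unnecessary failures.
+exit 0
+fi
+
+if [ -z "$PR_NUMBER" ]; then
+echo "Error: Could not determine PR number from the payload. This might indicate an unexpected PR state or payload structure."
+exit 1 # Fail if PR number is critical and missing.
+fi
+
+# Export these as environment variables for subsequent steps
+echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_ENV
+echo "PR_ACTION=$PR_ACTION" >> $GITHUB_ENV
+
+- name : Manage Auth0 Redirect URL
+# Only proceed if a PR number was successfully extracted in the previous step
+if : env.PR_NUMBER
+run : |
+# --- Define a helper function to run Auth0 CLI with scoped credentials ---
+# This function is crucial for security. It ensures AUTH0_DOMAIN, AUTH0_CLIENT_ID,
+# and AUTH0_CLIENT_SECRET are ONLY set for the duration of the `./auth0` command.
+# This prevents them from leaking to the shell environment of the entire `run:` step
+# or being accidentally accessed by other commands.
+run_auth0_cli() {
+AUTH0_DOMAIN="${{ env.AUTH0_DOMAIN }}" \
+AUTH0_CLIENT_ID="${{ secrets.AUTH0_MANAGEMENT_CLIENT_ID }}" \
+AUTH0_CLIENT_SECRET="${{ secrets.AUTH0_MANAGEMENT_SECRET }}" \
+./auth0 "$@" # Passes all arguments to the Auth0 CLI
+}
+
+# --- Helper function to fetch the current callbacks array from Auth0 ---
+get_current_callbacks_json() {
+# Uses the run_auth0_cli helper for secure credential handling
+run_auth0_cli clients show "${{ env.AUTH0_APP_CLIENT_ID }}" --json | jq -r '.callbacks // []'
+}
+
+# --- Helper function to update the callbacks in Auth0 ---
+update_callbacks_in_auth0() {
+local callbacks_json="$1" # Expects a JSON array of URLs
+local callbacks_string=""
+
+# Convert the JSON array to a comma-separated string, as required by Auth0 CLI
+if [ "$(echo "$callbacks_json" | jq 'length')" -gt 0 ]; then
+callbacks_string=$(echo "$callbacks_json" | jq -r 'join(",")')
+fi
+
+echo "Attempting to update Auth0 callbacks with string: '$callbacks_string'"
+
+# Use the run_auth0_cli helper to perform the update securely
+run_auth0_cli clients update "${{ env.AUTH0_APP_CLIENT_ID }}" \
+--callbacks "$callbacks_string"
+
+echo "Auth0 callbacks updated successfully."
+}
+
+# --- Main logic based on the detected PR action ---
+PR_NUMBER="${{ env.PR_NUMBER }}"
+PR_ACTION="${{ env.PR_ACTION }}"
+# Construct the specific redirect URL for this PR's ephemeral environment
+DYNAMIC_REDIRECT_URL=$(echo "${{ env.REDIRECT_URL_PATTERN }}" | sed "s|{pr_id}|$PR_NUMBER|")
+
+case "$PR_ACTION" in
+# Actions to add or update the URL
+opened|reopened|synchronize)
+echo "PR action is '$PR_ACTION'. Adding/updating redirect URL: $DYNAMIC_REDIRECT_URL"
+CURRENT_CALLBACKS_JSON=$(get_current_callbacks_json)
+# Add the new URL, ensuring uniqueness (jq 'unique' and '+' operator)
+UPDATED_CALLBACKS_JSON=$(echo "$CURRENT_CALLBACKS_JSON" | jq --arg url "$DYNAMIC_REDIRECT_URL" 'unique | . + [$url] | unique')
+update_callbacks_in_auth0 "$UPDATED_CALLBACKS_JSON"
+;;
+
+# Action to remove the URL
+closed)
+echo "PR action is '$PR_ACTION'. Removing redirect URL: $DYNAMIC_REDIRECT_URL"
+CURRENT_CALLBACKS_JSON=$(get_current_callbacks_json)
+# Filter out the specific URL to be removed (jq 'map(select(. != $url))')
+UPDATED_CALLBACKS_JSON=$(echo "$CURRENT_CALLBACKS_JSON" | jq --arg url "$DYNAMIC_REDIRECT_URL" 'map(select(. != $url)) | unique')
+update_callbacks_in_auth0 "$UPDATED_CALLBACKS_JSON"
+;;
+
+*)
+echo "Unsupported or unhandled PR action: '$PR_ACTION'. No Auth0 callback action taken."
+;;
+esac
+
+- name : Verify Auth0 App Config (Optional)
+# Always run this step for debugging purposes, even if previous steps failed
+if : always()
+run : |
+echo "Verifying current callbacks in Auth0 after operation..."
+# Use the run_auth0_cli helper to show current callbacks securely
+AUTH0_DOMAIN="${{ env.AUTH0_DOMAIN }}" \
+AUTH0_CLIENT_ID="${{ secrets.AUTH0_MANAGEMENT_CLIENT_ID }}" \
+AUTH0_CLIENT_SECRET="${{ secrets.AUTH0_MANAGEMENT_SECRET }}" \
+./auth0 clients show ${{ env.AUTH0_APP_CLIENT_ID }} --json | jq '.callbacks'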
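Review bot: The `Extract Pull Request Info from Workflow Run Event` step reads fields I cannot find on the `workflow_run` event — the run object exposes `event`, `head_sha` and `pull_requests[]` but, as far as I can tell, no `event_url`, and the run API response has no `.event_name` or `.payload.action` — so on the visible code the curl target is empty, `EVENT_TYPE` is blank, the step exits 0, and no callback is ever added or, more importantly, removed, leaving ephemeral `pr-{pr_id}` URLs registered indefinitely. The rewrite below takes the event name and PR number from the run object, falls back to `GET /repos/{owner}/{repo}/commits/{sha}/pulls` for fork PRs (where `pull_requests` is empty), and derives `closed` from the PR's current `state` because the run object carries no action; confirm the fork behaviour of that endpoint against your repository settings. Separately, job-level `env` cannot reference the `env` context, so file lines 21-22 should read `${{ vars.AUTH0_DOMAIN }}` / `${{ vars.AUTH0_APP_CLIENT_ID }}` for variables defined on the `auth0` environment, and `REDIRECT_URL_PATTERN` on line 26 carries a leading space inside the quotes that becomes part of every URL sent to Auth0. The `branches` filter under `workflow_run` matches the triggering run's head branch rather than the PR's base, so `branches: [main]` skips nearly every PR run; secrets are already confined to the base-repository context by `workflow_run` itself, so the filter can be dropped. Last, the get/update of the callbacks list is a read-modify-write on one shared Auth0 client with no `concurrency:` group, so two PRs processed in parallel can overwrite each other's change (including a removal) — add `concurrency: { group: auth0-redirects }` on the job, use `"$PR_NUMBER"`/`"$PR_ACTION"` from `GITHUB_ENV` inside the step rather than splicing `${{ env.PR_NUMBER }}` into the script text, and pin the `curl | sh` installer on line 33 to a release tag rather than `main`.
```yaml
# … unchanged: workflow header, job env, CLI install step …
- name: Extract Pull Request Info from Workflow Run Event
  id: pr_info
  env:
    GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    RUN_EVENT: ${{ github.event.workflow_run.event }}
    HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
    # Populated for same-repository PRs; empty for PRs from forks.
    PR_FROM_RUN: ${{ github.event.workflow_run.pull_requests[0].number }}
  run: |
    if [ "$RUN_EVENT" != "pull_request" ]; then
      echo "Workflow was not triggered by a pull_request event (${RUN_EVENT}). No Auth0 callback action taken."
      exit 0
    fi

    PR_NUMBER="$PR_FROM_RUN"
    if [ -z "$PR_NUMBER" ]; then
      # Fork PRs: resolve the PR from the head commit instead of the run object.
      PR_NUMBER=$(gh api "repos/${GITHUB_REPOSITORY}/commits/${HEAD_SHA}/pulls" --jq '.[0].number // empty')
    fi
    if [ -z "$PR_NUMBER" ]; then
      echo "Error: Could not determine PR number from the workflow_run payload."
      exit 1
    fi

    # The run object carries no PR action; the PR's current state decides add vs remove.
    PR_STATE=$(gh api "repos/${GITHUB_REPOSITORY}/pulls/${PR_NUMBER}" --jq '.state')
    if [ "$PR_STATE" = "closed" ]; then
      PR_ACTION=closed
    else
      PR_ACTION=synchronize
    fi

    echo "Detected PR Action: $PR_ACTION"
    echo "Detected PR Number: $PR_NUMBER"
    echo "PR_NUMBER=$PR_NUMBER" >> "$GITHUB_ENV"
    echo "PR_ACTION=$PR_ACTION" >> "$GITHUB_ENV"
# … unchanged: Manage Auth0 Redirect URL step, Verify step …
```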