WIP: python revoke

andreaso · Mar 29, 2024 · 485db5f · 485db5f
1 parent 0a621be
commit 485db5f
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 2 deletions.
diff --git a/action.yaml b/action.yaml
@@ -64,9 +64,11 @@ runs:
 
     - name: Revoke Vault token
       if: success() || steps.generator.conclusion == 'failure'
-      shell: bash
+      shell: python
       run: |
-        curl --fail --silent --show-error --tlsv1.3 --header "X-Vault-Token: ${VAULT_TOKEN}" --data "" "${VAULT_SERVER%/}/v1/auth/token/revoke-self"
+        from vault_oidc_ssh_cert_action import revoke_token
+        revoke_token()
       env:
+        PYTHONPATH: ${{ github.action_path }}
         VAULT_SERVER: ${{ inputs.vault_server }}
         VAULT_TOKEN: ${{ steps.vault_auth.outputs.vault_token }}
diff --git a/vault_oidc_ssh_cert_action.py b/vault_oidc_ssh_cert_action.py
@@ -106,3 +106,14 @@ def generate_and_sign() -> None:
     with open(os.environ["GITHUB_OUTPUT"], mode="a", encoding="utf-8") as ghof:
         ghof.write(f"cert_path={out_cert_path}\n")
         ghof.write(f"key_path={out_key_path}\n")
+
+
+def revoke_token() -> None:
+    vault_server = os.environ["VAULT_SERVER"].strip()
+    vault_token = os.environ["VAULT_TOKEN"].strip()
+
+    revoke_url = f"{vault_server}/v1/auth/token/revoke-self"
+    headers = {"X-Vault-Token": vault_token}
+
+    response = requests.post(revoke_url, headers=headers, timeout=10)
+    response.raise_for_status()