Initial version

Author: Menci

.gitignore

@@ -0,0 +1,2 @@
+/dist
+/node_modules

README.md

@@ -0,0 +1,46 @@
+# GitHub Action for Aliyun certificate deployment
+
+Deploy SSL certificate to Aliyun Certificates Service (and use in CDN).
+
+# Usage
+
+> If you need to issue SSL certificates automatically, you can use [my acme.sh action](https://github.com/marketplace/actions/issue-ssl-certificate).
+
+This action will deploy your PEM-formatted SSL certificate to Aliyun Certificates Service. And then set to use this certificate in CDN (optional).
+
+According to Aliyun API, both Access Keys and STS Token are accepted as credentials.
+
+```yaml
+jobs:
+  deploy-to-aliyun:
+    name: Deploy certificate to Aliyun
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out
+        uses: actions/checkout@v2
+        with:
+          # If you just commited and pushed your newly issued certificate to this repo in a previous job,
+          # use `ref` to make sure checking out the newest commit in this job
+          ref: ${{ github.ref }}
+      - uses: Menci/deploy-certificate-to-aliyun@beta-v1
+        with:
+          # Use Access Key
+          access-key-id: ${{ secrets.ALIYUN_ACCESS_KEY_ID }}
+          access-key-secret: ${{ secrets.ALIYUN_ACCESS_KEY_SECRET }}
+          # Or use STS Token
+          # security-token: ${{ secrets.ALIYUN_SECURITY_TOKEN }}
+
+          # Specify PEM fullchain file
+          fullchain-file: ${{ env.FILE_FULLCHAIN }}
+          # Specify PEM private key file
+          key-file: ${{ env.FILE_KEY }}
+
+          # The name in Aliyun Certificates Service
+          # Will replace the old one with the same name
+          certificate-name: My-SSL
+
+          # (Optional) Deploy to CDN
+          cdn-domains: |
+            cdn1.example.com
+            cdn2.example.com
+```

action.yml

@@ -0,0 +1,30 @@
+name: Deploy SSL certificate to Aliyun
+description: Deploy SSL certificate to Aliyun Certificates Service (and use in CDN).
+branding:
+  icon: lock
+  color: green
+inputs:
+  access-key-id:
+    description: The accessKeyId used to authenticate with Aliyun. Please specify `access-key-id` and `access-key-secret` or specify `security-token`.
+    default: ''
+  access-key-secret:
+    description: The accessKeySecret used to authenticate with Aliyun. Please specify `access-key-id` and `access-key-secret` or specify `security-token`.
+    default: ''
+  security-token:
+    description: The securityToken (STS) used to authenticate with Aliyun. Please specify `access-key-id` and `access-key-secret` or specify `security-token`.
+    default: ''
+  fullchain-file:
+    description: The file path of the PEM fullchain certificate.
+    required: true
+  key-file:
+    description: The file path of the PEM private key file.
+    required: true
+  certificate-name:
+    description: Set the name of deployed certificate in Aliyun. Will replace the old certificate with the same name.
+    required: true
+  cdn-domains:
+    description: Enter a list of CDN domains you want to deploy the certificate to.
+    required: true
+runs:
+  using: node12
+  main: bootstrap.js

bootstrap.js

@@ -0,0 +1,4 @@
+const child_process = require("child_process");
+child_process.execSync("yarn", { stdio: "inherit", cwd: __dirname });
+
+require("./index");

index.js

@@ -0,0 +1,145 @@
+const fs = require("fs");
+
+const core = require("@actions/core");
+
+const AliyunClient = require('@alicloud/pop-core');
+
+const input = {
+  accessKeyId: core.getInput("access-key-id"),
+  accessKeySecret: core.getInput("access-key-secret"),
+  securityToken: core.getInput("security-token"),
+  fullchainFile: core.getInput("fullchain-file"),
+  keyFile: core.getInput("key-file"),
+  certificateName: core.getInput("certificate-name"),
+  cdnDomains: core.getInput("cdn-domains")
+};
+
+/**
+ * @param {string} endpoint
+ * @param {string} apiVersion
+ * @param {string} action
+ * @param {Record<string, unknown>} params
+ */
+function callAliyunApi(endpoint, apiVersion, action, params) {
+  return new AliyunClient({
+    ...input.accessKeyId && input.accessKeySecret ? {
+      accessKeyId: input.accessKeyId,
+      accessKeySecret: input.accessKeySecret
+    } : {},
+    ...input.securityToken ? {
+      securityToken: input.securityToken
+    } : {},
+    endpoint,
+    apiVersion
+  }).request(action, params, { method: "POST" });
+}
+
+async function deletePreviouslyDeployedCertificate() {
+  /**
+   * @typedef CertificateListItem
+   * @prop {number} id
+   * @prop {string} name
+   * 
+   * @typedef DescribeUserCertificateListResponse
+   * @prop {number} TotalCount
+   * @prop {CertificateListItem[]} CertificateList
+   */
+
+  /**
+   * @param {(item: CertificateListItem) => Promise<void>} callback
+   */
+  async function listCertificates(callback) {
+    let currentItems = 0;
+
+    for (let i = 1; ; i++) {
+      /**
+       * @type {DescribeUserCertificateListResponse}
+       */
+      const response = await callAliyunApi(
+        "https://cas.aliyuncs.com", "2018-07-13",
+        "DescribeUserCertificateList",
+        {
+          ShowSize: 50,
+          CurrentPage: i
+        }
+      );
+
+      for (const item of response.CertificateList)
+        await callback(item);
+
+      currentItems += response.CertificateList.length;
+      if (currentItems === response.TotalCount) break;
+    }
+  }
+
+  let foundId = 0;
+  await listCertificates(async item => {
+    if (item.name === input.certificateName) {
+      foundId = item.id;
+    }
+  });
+
+  if (foundId === 0) {
+    console.log("Previously deployed certificate not found. Skipping delete.");
+    return;
+  }
+
+  console.log(`Found previously deployed certificate ${foundId}. Deleting.`);
+
+  await callAliyunApi(
+    "https://cas.aliyuncs.com", "2018-07-13",
+    "DeleteUserCertificate",
+    {
+      CertId: foundId
+    }
+  );
+}
+
+async function deployCertificate() {
+  const fullchain = fs.readFileSync(input.fullchainFile, "utf-8");
+  const key = fs.readFileSync(input.keyFile, "utf-8");
+
+  await deletePreviouslyDeployedCertificate();
+
+  await callAliyunApi(
+    "https://cas.aliyuncs.com", "2018-07-13",
+    "CreateUserCertificate",
+    {
+      Cert: fullchain,
+      Key: key,
+      Name: input.certificateName
+    }
+  );
+}
+
+async function deployCertificateToCdn() {
+  const domains = Array.from(new Set(input.cdnDomains.split(/\s+/).filter(x => x)));
+  
+  for (const domain of domains) {
+    console.log(`Deploying certificate to CDN domain ${domain}.`);
+
+    await callAliyunApi(
+      "https://cdn.aliyuncs.com", "2018-05-10",
+      "SetDomainServerCertificate",
+      {
+        DomainName: domain,
+        CertName: input.certificateName,
+        CertType: "cas",
+        ServerCertificateStatus: "on",
+        ForceSet: "1"
+      }
+    );
+  }
+}
+
+async function main() {
+  await deployCertificate();
+
+  if (input.cdnDomains) await deployCertificateToCdn();
+}
+
+main().catch(error => {
+  console.log(error.stack);
+  core.setFailed(error);
+  process.exit(1);
+});

package.json

@@ -0,0 +1,16 @@
+{
+  "name": "deploy-certificate-to-aliyun",
+  "version": "1.0.0",
+  "description": "",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "keywords": [],
+  "author": "",
+  "license": "ISC",
+  "dependencies": {
+    "@actions/core": "^1.6.0",
+    "@alicloud/pop-core": "^1.7.10"
+  }
+}

yarn.lock

@@ -0,0 +1,105 @@
+# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
+# yarn lockfile v1
+
+
+"@actions/core@^1.6.0":
+  version "1.6.0"
+  resolved "https://registry.yarnpkg.com/@actions/core/-/core-1.6.0.tgz#0568e47039bfb6a9170393a73f3b7eb3b22462cb"
+  integrity sha512-NB1UAZomZlCV/LmJqkLhNTqtKfFXJZAUPcfl/zqG7EfsQdeUJtaWO98SGbuQ3pydJ3fHl2CvI/51OKYlCYYcaw==
+  dependencies:
+    "@actions/http-client" "^1.0.11"
+
+"@actions/http-client@^1.0.11":
+  version "1.0.11"
+  resolved "https://registry.yarnpkg.com/@actions/http-client/-/http-client-1.0.11.tgz#c58b12e9aa8b159ee39e7dd6cbd0e91d905633c0"
+  integrity sha512-VRYHGQV1rqnROJqdMvGUbY/Kn8vriQe/F9HR2AlYHzmKuM/p3kjNuXhmdBfcVgsvRWTz5C5XW5xvndZrVBuAYg==
+  dependencies:
+    tunnel "0.0.6"
+
+"@alicloud/pop-core@^1.7.10":
+  version "1.7.10"
+  resolved "https://registry.yarnpkg.com/@alicloud/pop-core/-/pop-core-1.7.10.tgz#d0e221036dbb0ccde453dd09b1cfabd8341b7a69"
+  integrity sha512-9/aLWgmgaAdB1ERNTpdOvF7wueLY5CDTRxKZr93x542iuYRA1NDpcKslFqLOy5CUOa0CbopET3JGaHSAz5qv9g==
+  dependencies:
+    debug "^3.1.0"
+    httpx "^2.1.2"
+    json-bigint "^1.0.0"
+    kitx "^1.2.1"
+    xml2js "^0.4.17"
+
+"@types/node@^14":
+  version "14.17.27"
+  resolved "https://registry.yarnpkg.com/@types/node/-/node-14.17.27.tgz#5054610d37bb5f6e21342d0e6d24c494231f3b85"
+  integrity sha512-94+Ahf9IcaDuJTle/2b+wzvjmutxXAEXU6O81JHblYXUg2BDG+dnBy7VxIPHKAyEEDHzCMQydTJuWvrE+Aanzw==
+
+bignumber.js@^9.0.0:
+  version "9.0.1"
+  resolved "https://registry.yarnpkg.com/bignumber.js/-/bignumber.js-9.0.1.tgz#8d7ba124c882bfd8e43260c67475518d0689e4e5"
+  integrity sha512-IdZR9mh6ahOBv/hYGiXyVuyCetmGJhtYkqLBpTStdhEGjegpPlUawydyaF3pbIOFynJTpllEs+NP+CS9jKFLjA==
+
+debug@^3.1.0:
+  version "3.2.7"
+  resolved "https://registry.yarnpkg.com/debug/-/debug-3.2.7.tgz#72580b7e9145fb39b6676f9c5e5fb100b934179a"
+  integrity sha512-CFjzYYAi4ThfiQvizrFQevTTXHtnCqWfe7x1AhgEscTz6ZbLbfoLRLPugTQyBth6f8ZERVUSyWHFD/7Wu4t1XQ==
+  dependencies:
+    ms "^2.1.1"
+
+debug@^4.1.1:
+  version "4.3.2"
+  resolved "https://registry.yarnpkg.com/debug/-/debug-4.3.2.tgz#f0a49c18ac8779e31d4a0c6029dfb76873c7428b"
+  integrity sha512-mOp8wKcvj7XxC78zLgw/ZA+6TSgkoE2C/ienthhRD298T7UNwAg9diBpLRxC0mOezLl4B0xV7M0cCO6P/O0Xhw==
+  dependencies:
+    ms "2.1.2"
+
+httpx@^2.1.2:
+  version "2.2.7"
+  resolved "https://registry.yarnpkg.com/httpx/-/httpx-2.2.7.tgz#1e34198146e32ca3305a66c11209559e1cbeba09"
+  integrity sha512-Wjh2JOAah0pdczfqL8NC5378G7jMt0Zcpn8U+yyxAiejjlagzSTQgJHuVvka2VNPQlKfoGehYRc79WKq9E4gDw==
+  dependencies:
+    "@types/node" "^14"
+    debug "^4.1.1"
+
+json-bigint@^1.0.0:
+  version "1.0.0"
+  resolved "https://registry.yarnpkg.com/json-bigint/-/json-bigint-1.0.0.tgz#ae547823ac0cad8398667f8cd9ef4730f5b01ff1"
+  integrity sha512-SiPv/8VpZuWbvLSMtTDU8hEfrZWg/mH/nV/b4o0CYbSxu1UIQPLdwKOCIyLQX+VIPO5vrLX3i8qtqFyhdPSUSQ==
+  dependencies:
+    bignumber.js "^9.0.0"
+
+kitx@^1.2.1:
+  version "1.3.0"
+  resolved "https://registry.yarnpkg.com/kitx/-/kitx-1.3.0.tgz#ab3ee7c598d2b1d629fd55568f868c4440c200ea"
+  integrity sha512-fhBqFlXd0GkKTB+8ayLfpzPUw+LHxZlPAukPNBD1Om7JMeInT+/PxCAf1yLagvD+VKoyWhXtJR68xQkX/a0wOQ==
+
+[email protected]:
+  version "2.1.2"
+  resolved "https://registry.yarnpkg.com/ms/-/ms-2.1.2.tgz#d09d1f357b443f493382a8eb3ccd183872ae6009"
+  integrity sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==
+
+ms@^2.1.1:
+  version "2.1.3"
+  resolved "https://registry.yarnpkg.com/ms/-/ms-2.1.3.tgz#574c8138ce1d2b5861f0b44579dbadd60c6615b2"
+  integrity sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==
+
+sax@>=0.6.0:
+  version "1.2.4"
+  resolved "https://registry.yarnpkg.com/sax/-/sax-1.2.4.tgz#2816234e2378bddc4e5354fab5caa895df7100d9"
+  integrity sha512-NqVDv9TpANUjFm0N8uM5GxL36UgKi9/atZw+x7YFnQ8ckwFGKrl4xX4yWtrey3UJm5nP1kUbnYgLopqWNSRhWw==
+
+[email protected]:
+  version "0.0.6"
+  resolved "https://registry.yarnpkg.com/tunnel/-/tunnel-0.0.6.tgz#72f1314b34a5b192db012324df2cc587ca47f92c"
+  integrity sha512-1h/Lnq9yajKY2PEbBadPXj3VxsDDu844OnaAo52UVmIzIvwwtBPIuNvkjuzBlTWpfJyUbG3ez0KSBibQkj4ojg==
+
+xml2js@^0.4.17:
+  version "0.4.23"
+  resolved "https://registry.yarnpkg.com/xml2js/-/xml2js-0.4.23.tgz#a0c69516752421eb2ac758ee4d4ccf58843eac66"
+  integrity sha512-ySPiMjM0+pLDftHgXY4By0uswI3SPKLDw/i3UXbnO8M/p28zqexCUoPmQFrYD+/1BzhGJSs2i1ERWKJAtiLrug==
+  dependencies:
+    sax ">=0.6.0"
+    xmlbuilder "~11.0.0"
+
+xmlbuilder@~11.0.0:
+  version "11.0.1"
+  resolved "https://registry.yarnpkg.com/xmlbuilder/-/xmlbuilder-11.0.1.tgz#be9bae1c8a046e76b31127726347d0ad7002beb3"
+  integrity sha512-fDlsI/kFEx7gLvbecc0/ohLG50fugQp8ryHzMTuW9vSa1GJ0XYWKnhsUx7oie3G98+r56aTQIUB4kht42R3JvA==