Forgejo Action to update a DNS TXT record using the OVH API
oliverpool 2ac4f74b36 add logs (#3)
Co-authored-by: oliverpool <git@olivier.pfad.fr>
Co-committed-by: oliverpool <git@olivier.pfad.fr>
2023-09-20 12:37:11 +00:00
.forgejo/workflows add PR testing (#1) 2023-08-20 06:44:27 +00:00
LICENSES initial commit 2023-08-18 11:40:26 +02:00
action.yml add README 2023-08-20 20:30:48 +02:00
go.mod initial commit 2023-08-18 11:40:26 +02:00
go.sum initial commit 2023-08-18 11:40:26 +02:00
go.sum.license initial commit 2023-08-18 11:40:26 +02:00
main.go add logs (#3) 2023-09-20 12:37:11 +00:00
main_test.go add PR testing (#1) 2023-08-20 06:44:27 +00:00
README.md link back to rvcodns spec 2023-08-21 15:17:56 +02:00

OVH DNS Update

Description

Update a given DNS record using the OVH API for use in the Release Version Check Over DNS (RVCoDNS).

NOTE: This action is written in Go. Please set up the Go environment (>=1.21) before running this action, or use a runner with a Go environment installed.

Inputs

| parameter | description | required | default |
| --- | --- | --- | --- |
| subdomain | The subdomain to update (e.g. _release) | true | |
| domain | The domain (zoneName in the OVH API) | true | |
| record-id | The ID of the record to update | true | |
| value | The TXT value to set | true | |
| ovh-endpoint | The OVH API endpoint | false | ovh-eu |
| ovh-app-key | The OVH API Application Key | true | |
| ovh-app-secret | The OVH API Application Secret | true | |
| ovh-consumer-key | The OVH API Consumer Key | true | |

Security notice

You should create restricted credentials for only the specific record you want to update. See https://api.ovh.com/console/#/domain/zone/%7BzoneName%7D/record~GET to retrieve its record-id and then visit https://www.ovh.com/auth/api/createToken?PUT=/domain/zone/{domain}/record/{record-id} (replacing the placeholders) to create dedicated credentials.

However, be aware that the credentials can also update the subdomain! This means that anyone with these credentials can publish a TXT record under any subdomain of the domain (for instance, to get a signed certificate by completing the DNS challenge of the ACME protocol).

To mitigate this issue, forgejo.org decided to use a dedicated domain with only TXT records (and CNAME records on the main domain, which point to those TXT records).
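
One way to detect the misuse described above is to periodically read the record back and confirm it still sits on the expected subdomain. The following is an added example, not code from this repository: the function name AuditRecord is hypothetical, the JSON inputs are constructed samples, and it assumes the record has already been fetched as an OVH zone record object (fields id, subDomain, fieldType) using separate read-only credentials.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Record holds the fields of an OVH zone record object that the audit needs.
type Record struct {
	ID        int64  `json:"id"`
	SubDomain string `json:"subDomain"`
	FieldType string `json:"fieldType"`
}

// AuditRecord (hypothetical helper) inspects the one record the scoped
// credentials may modify. wantSub is the subdomain the workflow publishes under.
func AuditRecord(raw []byte, wantSub string) ([]string, error) {
	var r Record
	if err := json.Unmarshal(raw, &r); err != nil {
		return nil, fmt.Errorf("decode record: %w", err)
	}
	var findings []string
	if r.FieldType != "TXT" {
		findings = append(findings, fmt.Sprintf("record %d has type %s, expected TXT", r.ID, r.FieldType))
	}
	// DNS names are case-insensitive; ignore case and a trailing dot.
	got := strings.ToLower(strings.TrimSuffix(r.SubDomain, "."))
	if got != strings.ToLower(wantSub) {
		findings = append(findings, fmt.Sprintf("record %d moved from %q to %q", r.ID, wantSub, r.SubDomain))
	}
	// A TXT record on this label can answer an ACME DNS-01 challenge.
	if got == "_acme-challenge" || strings.HasPrefix(got, "_acme-challenge.") {
		findings = append(findings, fmt.Sprintf("record %d sits on an ACME DNS-01 validation name", r.ID))
	}
	return findings, nil
}

func main() {
	// Constructed sample records, not real API output.
	ok := []byte(`{"id":12345,"zone":"example.org","subDomain":"_release","fieldType":"TXT","ttl":3600}`)
	moved := []byte(`{"id":12345,"zone":"example.org","subDomain":"_acme-challenge.www","fieldType":"TXT","ttl":60}`)
	for _, raw := range [][]byte{ok, moved} {
		findings, err := AuditRecord(raw, "_release")
		fmt.Println(findings, err)
	}
}
```

An empty findings list means the record is where the workflow expects it; any finding should be treated as a sign that the update credentials were used outside the release workflow.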

Example

on: [tag]
jobs:
  upload-release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: https://code.forgejo.org/actions/setup-go@v4
        with:
          go-version: ">=1.21"
          check-latest: true
      - uses: actions/forgejo-release@v1
        with:
          subdomain: _release
          domain: example.org
          record-id: 12345
          value: v=${{ github.ref_name }}
          ovh-app-key: ${{ secrets.OVH_APP_KEY }}
          ovh-app-secret: ${{ secrets.OVH_APP_SECRET }}
          ovh-consumer-key: ${{ secrets.OVH_CON_KEY }}