134 for (const { name, port } of proxyServices) {
135 commands.push(`oc get service ${name} -n ${sandboxProject} >/dev/null 2>&1 || ` +
136 `oc create service clusterip ${name} --tcp=${port}:${port} -n ${sandboxProject}`);
138 // Build the image locally and push to the container registry, then import it
139 // into the namespace's imagestream. reference-policy=local mirrors it into the
140 // internal registry so pods pull in-cluster (no per-pod pull secret, no node
141 // egress to the registry). This replaces the in-cluster BuildConfig: no
142 // full-workspace upload, and local layer caching makes iteration fast.
143 commands.push(`npx nx build ${projectName} --configuration production`);
144 commands.push(`podman build --platform=linux/amd64 -f .openshift/${projectName}/Dockerfile -t ${imageRef} .`);
145 // Prereq: the publishing account is logged in with write:packages. gh supplies
146 // the token so no PAT is stored; the same session token backs the pull secret.
147 commands.push(`gh auth token | podman login ${registryHost} -u "$(gh api user -q .login)" --password-stdin`);
148 commands.push(`podman push ${imageRef}`);
149 // Per-deploy pull secret from the gh session (sandbox images are re-imported
150 // every run, so a session token is sufficient — no long-lived PAT needed).
151 commands.push(`oc create secret docker-registry ghcr-pull ` +
152 `--docker-server=${registryHost} --docker-username="$(gh api user -q .login)" --docker-password="$(gh auth token)" ` +
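Medium: Secret Pattern
Package contains a possible secret pattern. The match at L152 is `--docker-password="$(gh auth token)"`: a shell command substitution resolved when the target runs, not a literal credential in the source line. The shell expands it before `oc` starts, so the token is passed to `oc` as a command-line argument.
src/generators/sandbox/sandbox.js · L152
153 `-n ${sandboxProject} --dry-run=client -o yaml | oc apply -f -`);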
154 // oc tag sets/repoints the imagestream tag (import-image refuses to change an
155 // existing tag's source); import --confirm then pulls the manifest.
156 commands.push(`oc tag ${imageRef} ${projectName}:sandbox --reference-policy=local -n ${sandboxProject}`);
157 // oc tag triggers an async imagestream reconcile, so a back-to-back
158 // import-image can 409 ("object has been modified"). Retry until it settles.
159 commands.push(`n=0; until oc import-image ${projectName}:sandbox --confirm -n ${sandboxProject}; do ` +
160 `n=$((n+1)); [ $n -ge 5 ] && exit 1; sleep 3; done`);
161 commands.push(`oc process -f .openshift/${projectName}/${projectName}.yml -p PROJECT=${sandboxProject} | oc apply -f -`);
162 commands.push(`oc rollout restart deployment/${projectName} -n ${sandboxProject}`);
163 commands.push(`oc rollout status deployment/${projectName} -n ${sandboxProject} --timeout=180s`);
164 config.targets = Object.assign(Object.assign({}, config.targets), { sandbox: {
165 executor: 'nx:run-commands',
170 }, 'sandbox-teardown': {
171 executor: 'nx:run-commands',