From 2cd932855adacbd873ca2125b5ce8bbb4dc09710 Mon Sep 17 00:00:00 2001
From: Peter Arsenault
Date: Wed, 22 Apr 2026 08:08:46 -0400
Subject: [PATCH 1/2] passing hab token with dev packages for automate

Signed-off-by: Peter Arsenault
---
 .github/actions/automate-container-scan/README.md | 8 ++++++++
 .github/actions/automate-container-scan/action.yml | 5 +++++
 .github/actions/automate-container-scan/run.sh | 11 +++++++++--
 3 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/.github/actions/automate-container-scan/README.md b/.github/actions/automate-container-scan/README.md
index a51f847..23a543f 100644
--- a/.github/actions/automate-container-scan/README.md
+++ b/.github/actions/automate-container-scan/README.md
@@ -20,6 +20,8 @@ This action provides automated vulnerability scanning for Chef Automate's embedd
 uses: chef/common-github-actions/.github/actions/automate-container-scan@main
 with:
 channel: current
+ license_id: ${{ secrets.GA_DOWNLOAD_GRYPE_LICENSE_ID }}
+ hab_auth_token: ${{ secrets.HAB_AUTH_TOKEN }} # Required for dev channel
 out_dir: out
 ```
 
@@ -48,6 +50,8 @@ jobs:
 uses: ./common-github-actions/.github/actions/automate-container-scan
 with:
 channel: current
+ license_id: ${{ secrets.GA_DOWNLOAD_GRYPE_LICENSE_ID }}
+ hab_auth_token: ${{ secrets.HAB_AUTH_TOKEN }}
 out_dir: out
 
 - name: Upload scan results
@@ -66,8 +70,12 @@ jobs:
 | Input | Description | Required | Default |
 |-------|-------------|----------|---------|
 | `channel` | Release channel for Chef Automate (`stable` or `current`) | No | `current` |
+| `license_id` | Chef download license ID (required for commercial downloads) | Yes | N/A |
+| `hab_auth_token` | Habitat Builder Personal Access Token for protected channels (pass via secrets) | No | `""` |
 | `out_dir` | Output directory for scan results and logs | No | `out` |
 
+**Note on `hab_auth_token`**: This parameter is **required for the `dev` channel** and other protected Habitat channels that contain packages requiring authentication. The `current` and `stable` channels typically have public packages that don't require authentication. If you see `401 Unauthorized` errors during deployment, ensure you've provided a valid HAB_AUTH_TOKEN.
+
 ## Outputs
 
 ### Directory Structure
diff --git a/.github/actions/automate-container-scan/action.yml b/.github/actions/automate-container-scan/action.yml
index ada157a..d791f00 100644
--- a/.github/actions/automate-container-scan/action.yml
+++ b/.github/actions/automate-container-scan/action.yml
@@ -10,6 +10,10 @@ inputs:
 license_id:
 description: "Chef download license ID (required for commercial downloads)"
 required: true
+ hab_auth_token:
+ description: "Habitat Builder Personal Access Token for protected channels (pass via secrets)"
+ required: false
+ default: ""
 out_dir:
 description: "Output directory for scan results and logs"
 required: false
@@ -33,6 +37,7 @@ runs:
 CHANNEL: ${{ inputs.channel }}
 OUT_DIR: ${{ inputs.out_dir }}
 ACTION_DIR: ${{ github.action_path }}
+ HAB_AUTH_TOKEN: ${{ inputs.hab_auth_token }}
 
 branding:
 icon: "shield"
diff --git a/.github/actions/automate-container-scan/run.sh b/.github/actions/automate-container-scan/run.sh
index 563e7cb..7cabd1a 100755
--- a/.github/actions/automate-container-scan/run.sh
+++ b/.github/actions/automate-container-scan/run.sh
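Review bot: `hab_auth_token` is declared `required: false` with an empty default, yet the README hunk in this same patch calls it required for the `dev` channel and nothing in the action checks the pair, so an omitted token only surfaces as a 401 well into the deploy. Stating the dependency in the input itself would help: `description: "Habitat Builder Personal Access Token; required for dev and other protected channels (pass via secrets)"`. A fail-fast check in run.sh when the channel needs a token and `HAB_AUTH_TOKEN` is empty would give an immediate, clear error; which channels are protected is inferred from the README, so confirm before encoding it. The second hunk's `HAB_AUTH_TOKEN: ${{ inputs.hab_auth_token }}` env mapping itself looks right.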
@@ -113,13 +113,20 @@ deploy_automate() { log "Deploying Automate (this may take 10-15 minutes)..." log "Progress will be logged to ${LOGS_DIR}/deploy.log" + # Build docker exec command with optional HAB_AUTH_TOKEN + local docker_exec_cmd="docker exec -w /root" + if [[ -n "${HAB_AUTH_TOKEN:-}" ]]; then + log "HAB_AUTH_TOKEN provided - enabling Habitat authentication" + docker_exec_cmd="${docker_exec_cmd} -e HAB_AUTH_TOKEN=${HAB_AUTH_TOKEN}" + fi + docker_exec_cmd="${docker_exec_cmd} ${CONTAINER_ID} timeout 1800 chef-automate deploy --channel ${CHANNEL} --skip-preflight config.toml --accept-terms-and-mlsa" + # Run deploy with timeout and capture output # tee streams output to Actions log in real-time while also writing to file # --skip-preflight: the CLI is always downloaded from the 'current' channel (no 'dev' download URL # exists), so when deploying --channel dev the preflight CLI version check will always fail because # dev has a newer build than current. The skip is safe: the CLI is still fully capable of deploying. - if docker exec -w /root "${CONTAINER_ID}" timeout 1800 chef-automate deploy --channel ${CHANNEL} --skip-preflight config.toml --accept-terms-and-mlsa \ - 2>&1 | tee "${LOGS_DIR}/deploy.log"; then + if eval "${docker_exec_cmd}" 2>&1 | tee "${LOGS_DIR}/deploy.log"; then log "Automate deployment completed successfully" else log "ERROR: Automate deployment failed or timed out" From c5274dbd7dc7079a9d9256f2837d5ee3f1561e73 Mon Sep 17 00:00:00 2001 From: Peter Arsenault Date: Wed, 22 Apr 2026 08:29:10 -0400 Subject: [PATCH 2/2] Fix HAB_AUTH_TOKEN for systemd-spawned Habitat processes Configure token in /hab/etc/cli.toml so it persists for all Habitat processes including those spawned by systemd during chef-automate deploy. Previously the token was only passed as an environment variable to the docker exec command, but systemd services don't inherit these variables. 
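Review bot: `eval "${docker_exec_cmd}"` re-parses a string that now carries the secret, so a HAB_AUTH_TOKEN containing a quote, space or `$` is interpreted by the shell instead of being handed to docker, and the unquoted `${CHANNEL}` in the same string gets the same treatment. A bash array keeps every argument intact and removes the need for eval: `local docker_exec_cmd=(docker exec -w /root)`, then `docker_exec_cmd+=(-e "HAB_AUTH_TOKEN=${HAB_AUTH_TOKEN}")` inside the `if`, and `if "${docker_exec_cmd[@]}" "${CONTAINER_ID}" timeout 1800 chef-automate deploy --channel "${CHANNEL}" --skip-preflight config.toml --accept-terms-and-mlsa 2>&1 | tee "${LOGS_DIR}/deploy.log"; then`. Passing the token with `-e` also puts it on the docker exec command line on the host, where any process listing or an enabled `set -x` trace can read it; PATCH 2/2 drops the `-e` but keeps the string-plus-eval form, so the array change still applies there. deploy_automate begins and ends outside this hunk.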
Signed-off-by: Peter Arsenault
---
 .../actions/automate-container-scan/run.sh | 23 +++++++++++++------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/.github/actions/automate-container-scan/run.sh b/.github/actions/automate-container-scan/run.sh
index 7cabd1a..d22cdb9 100755
--- a/.github/actions/automate-container-scan/run.sh
+++ b/.github/actions/automate-container-scan/run.sh
@@ -109,17 +109,26 @@ deploy_automate() { fail "sysctl configuration failed" fi + # Configure Habitat authentication if token provided + if [[ -n "${HAB_AUTH_TOKEN:-}" ]]; then + log "HAB_AUTH_TOKEN provided - configuring Habitat authentication" + # Create Habitat CLI config directory and config file with auth token + # This ensures the token is available to all hab processes, including those spawned by systemd + docker exec -w /root "${CONTAINER_ID}" bash -c "mkdir -p /hab/etc && cat > /hab/etc/cli.toml < "${LOGS_DIR}/hab-config.log" 2>&1 || log "WARNING: Failed to configure Habitat auth (may not be critical)" + + # Also set as environment variable for immediate processes + docker exec -w /root "${CONTAINER_ID}" bash -c "echo 'export HAB_AUTH_TOKEN=${HAB_AUTH_TOKEN}' >> /root/.bashrc" \ + >> "${LOGS_DIR}/hab-config.log" 2>&1 || true + fi + # Deploy Automate (this takes 10-15 minutes) log "Deploying Automate (this may take 10-15 minutes)..." log "Progress will be logged to ${LOGS_DIR}/deploy.log" - # Build docker exec command with optional HAB_AUTH_TOKEN - local docker_exec_cmd="docker exec -w /root" - if [[ -n "${HAB_AUTH_TOKEN:-}" ]]; then - log "HAB_AUTH_TOKEN provided - enabling Habitat authentication" - docker_exec_cmd="${docker_exec_cmd} -e HAB_AUTH_TOKEN=${HAB_AUTH_TOKEN}" - fi - docker_exec_cmd="${docker_exec_cmd} ${CONTAINER_ID} timeout 1800 chef-automate deploy --channel ${CHANNEL} --skip-preflight config.toml --accept-terms-and-mlsa" + # Run deploy command + local docker_exec_cmd="docker exec -w /root ${CONTAINER_ID} timeout 1800 chef-automate deploy --channel ${CHANNEL} --skip-preflight config.toml --accept-terms-and-mlsa" # Run deploy with timeout and capture output # tee streams output to Actions log in real-time while also writing to file
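Review bot: Both added `docker exec ... bash -c "..."` calls splice HAB_AUTH_TOKEN into the command string, so the secret is visible on the host as a docker exec argument and is re-parsed by the container shell (a token containing `'` breaks out of the quotes in the `.bashrc` echo), and plaintext copies stay behind in `/hab/etc/cli.toml` and `/root/.bashrc`. The `.bashrc` write is also a no-op for this job, since `timeout 1800 chef-automate deploy` is not started through an interactive bash, and with the `-e HAB_AUTH_TOKEN` flag removed the deploy process now gets the token only if chef-automate reads cli.toml, which is not visible here and should be confirmed. Streaming the file over stdin with `docker exec -i` keeps the token out of argv and out of any shell string and lets the `.bashrc` line go; the heredoc body is missing from this rendering, so the TOML key below follows the Habitat CLI config format and should be checked against the original. Bash diagnostics from these calls land in `${LOGS_DIR}/hab-config.log`, and if that directory is uploaded with the scan results the stdin form keeps the token out of that file too. deploy_automate begins and ends outside this hunk.
```shell
  if [[ -n "${HAB_AUTH_TOKEN:-}" ]]; then
    log "HAB_AUTH_TOKEN provided - configuring Habitat authentication"
    # Stream cli.toml over stdin: the token never appears in argv or in a shell command string.
    # Key name follows the Habitat CLI config format; confirm against the original heredoc.
    if ! printf 'auth_token = "%s"\n' "${HAB_AUTH_TOKEN}" \
        | docker exec -i -w /root "${CONTAINER_ID}" bash -c 'mkdir -p /hab/etc && cat > /hab/etc/cli.toml' \
        > "${LOGS_DIR}/hab-config.log" 2>&1; then
      log "WARNING: Failed to configure Habitat auth (may not be critical)"
    fi
  fi
  # … unchanged: deploy log messages and docker_exec_cmd …
```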