ci: add protectjs for CI secrets management

Replace 1Password CLI with @cipherstash/protect (protectjs) for
encrypting and decrypting CI secrets using ZeroKMS.

- Add scripts/ directory with TypeScript encrypt/decrypt tooling
- Add encrypted secrets file (.github/secrets.env.encrypted)
- Update all workflow files to use protectjs decryption
- Add scripts/node_modules/ to .gitignore

Requires GitHub secrets: CS_VAULT_CLIENT_KEY, CS_VAULT_CLIENT_ACCESS_KEY

Author: tobyhede

.github/secrets.env.encrypted

@@ -0,0 +1,170 @@
+{
+  "CS_CLIENT_ACCESS_KEY": {
+    "k": "ct",
+    "c": "mBbLSVoU8`Do{H^4JdEH-DQ=;S0?!jXuj1GO<~nS77f6pGpQlROf9T!OWofsjl^#8A)M`97s6*4d0;YqiP5Q}aMyTySjc4-4673@C8B(NM?d)d7XuPf8JI)0vuk!)IKt`S^%ik$#2^`^r9+Nxb_`1Qo*(n?oS^3v|KZyn5qEtOAqksWikYQ$VQh6}#1J%G{m*u9K=iaYPbgM7%ZC",
+    "ob": null,
+    "bf": null,
+    "hm": null,
+    "i": {
+      "t": "ci_secrets",
+      "c": "value"
+    },
+    "v": 2
+  },
+  "CS_CLIENT_ID": {
+    "k": "ct",
+    "c": "mBbLxa?ahrJW29+2tZu4UG$>FHmFEjiG510=YV<ZH5o@@I-JnG?;wSK_~l8m@bq$!_4U}2rXu}Z05wRbS!{&Gs!g$9G<a>qATlXu#AZ-+z)vGg7>@rO#&?Nyn#PyM+c#ggbfg(pF{O54Y;|SC5Hwu<&vtJ>^t3onC{{VkhX",
+    "ob": null,
+    "bf": null,
+    "hm": null,
+    "i": {
+      "t": "ci_secrets",
+      "c": "value"
+    },
+    "v": 2
+  },
+  "CS_CLIENT_KEY": {
+    "k": "ct",
+    "c": "mBbL8G4ax6h3T~Q?tDDf%8k~=0b-Ynl7J`f9<S}gEPQu%m@y2iRJq;o5C?v^cDKPsmHvE-(a9!FZ~HhScEwSUAYfYYu#;C|HfSra)}92@p#YZn*?2G}?R>4zJ0Z;L9{dMuI!X+A>=g&*voOs>;NFtYQ<31*#vAI^rYUd<p%(8aTLpW{wSJ0(yKO?p=$E-M_Job5{!X%iEcGZ}V@DO5y0YD;z(S2n1~SCN!mjvRwhTDCSsziHK-_LwTrwEK<ae%M<IdA?(of}{=<khZN^KqCIXX#eK?mkKF;+wlW_MjPGZ6*YZ%578;C8skTj^6#m10Om(Q+M^>(y>*0hkz{!b}eF^i`h<I#$<<Iv6p^j>bwxLEL_MYql(SEdej(3Y6`O$)10zct`!1(oaD2`A94cnf+8)Z+7SNee62O1DW2PGR<(>^3lWbgXMzq6XlbvZrg@l=cyD~(CNWUo((hawMLjb>x=PE#2{IEcyVS|$jr{D@^!2|R>_;<Vq|m<0N&4oQ%xWy=qIIiVQh6}#1J%G{m*u9K=iaYPbgM7%ZC",
+    "ob": null,
+    "bf": null,
+    "hm": null,
+    "i": {
+      "t": "ci_secrets",
+      "c": "value"
+    },
+    "v": 2
+  },
+  "CS_WORKSPACE_CRN": {
+    "k": "ct",
+    "c": "mBbM11wMFh#K#zPwdM~;ju3FfG{A%7YOibQop2IN#?B!h8eK84igixM;ReqD(co=^a(~lA7uWP8T@&Gd64qf-Bn>wluEZeSgL3m3dI-49kfKlVJ2oJ>=6Nj?K<Z&m#1E1h5jT~kc42IFWyBCPT>Z~>Z$R|4I8P{6Im?F",
+    "ob": null,
+    "bf": null,
+    "hm": null,
+    "i": {
+      "t": "ci_secrets",
+      "c": "value"
+    },
+    "v": 2
+  },
+  "CS_DEFAULT_KEYSET_ID": {
+    "k": "ct",
+    "c": "mBbJss<&W}*cPMX<|8MC6Jz1THhfz?pMTD^N5K+iXDom=eL~KfZiZvZ?BX~^Cf)U7IxtS494>ot;NV9~V5`T>A085uF9AWsAR|;F|L`fBbduc_c0%;e8FE}^9C+I-6&+JSH%G}TPNjBXY;|SC5Hwu<&vtJ>^t3onC{{VkhX",
+    "ob": null,
+    "bf": null,
+    "hm": null,
+    "i": {
+      "t": "ci_secrets",
+      "c": "value"
+    },
+    "v": 2
+  },
+  "CS_TENANT_KEYSET_ID_1": {
+    "k": "ct",
+    "c": "mBbLxyC6xC+{EW;;5A`|u`KPxHUzKScK`B&^Jy}8?+{AvGOt<>3Ysz%{Twa+L!gXjsy63HTwS%&1712T=;=KzS_v)L5cf62AYUC~xJMlYv<xX{ZN^r0<9;QYPkWMvl=QLTzHfEYTcvhkY;|SC5Hwu<&vtJ>^t3onC{{VkhX",
+    "ob": null,
+    "bf": null,
+    "hm": null,
+    "i": {
+      "t": "ci_secrets",
+      "c": "value"
+    },
+    "v": 2
+  },
+  "CS_TENANT_KEYSET_ID_2": {
+    "k": "ct",
+    "c": "mBbMJ`*UJyfuK2WYIx}JeqCO~Ha*-O?bCvj0H4BWR!I{IP+g&84Z`0c?^?NS3pgN;u~y8WK){H*3!ky3h!n?FzrMcGlAh+oAZuER+rp|(n*Dxg^gF{wpz@sto!>QMQm6+&?wJE6GNpE5Y;|SC5Hwu<&vtJ>^t3onC{{VkhX",
+    "ob": null,
+    "bf": null,
+    "hm": null,
+    "i": {
+      "t": "ci_secrets",
+      "c": "value"
+    },
+    "v": 2
+  },
+  "CS_TENANT_KEYSET_ID_3": {
+    "k": "ct",
+    "c": "mBbLNuQ68uYA@n#p0N1{dBu*zHdE`M%fbp1-_?W4`AEXO*zc-@=O9><vX;ge`1kF3_H-1Sa}nxWT?6ss2+SoEJs(zXt|KhOAn&FMfI7lmP}}X|TUDIMCU<N$U+mgk1RTf2auY!*P^ETZY;|SC5Hwu<&vtJ>^t3onC{{VkhX",
+    "ob": null,
+    "bf": null,
+    "hm": null,
+    "i": {
+      "t": "ci_secrets",
+      "c": "value"
+    },
+    "v": 2
+  },
+  "CS_TENANT_KEYSET_NAME_1": {
+    "k": "ct",
+    "c": "mBbJ+K&~zqj~hA_s_brbV0D|s7Xp~0205UCF^xN;Ns7e=m`RWayps}t#2`?P9j09-zvbqOuavY5bnQx4PA1>4T;p_tY()ytR_vvAVQh6}#1J%G{m*u9K=iaYPbgM7%ZC",
+    "ob": null,
+    "bf": null,
+    "hm": null,
+    "i": {
+      "t": "ci_secrets",
+      "c": "value"
+    },
+    "v": 2
+  },
+  "CS_TENANT_KEYSET_NAME_2": {
+    "k": "ct",
+    "c": "mBbL}WAbeTps@Mb2F2-O!$sZ17t=Cd3lu>!8?)(EBu0T<4=Esv8cRfl#2{-@)J9now;&lMqA$iiHUU)}y)=fkK>Ciy^P!vSvNxr6VQh6}#1J%G{m*u9K=iaYPbgM7%ZC",
+    "ob": null,
+    "bf": null,
+    "hm": null,
+    "i": {
+      "t": "ci_secrets",
+      "c": "value"
+    },
+    "v": 2
+  },
+  "CS_TENANT_KEYSET_NAME_3": {
+    "k": "ct",
+    "c": "mBbJwjyTKdTw8=TdyJ9#EDfl{7w{Kl<PpWPX_UW3j&Sc3RyQMFYJuSr#2`E~L?Tk=XN`She%njse&wgIpn7u#m7^<}|C5dP9GazeVQh6}#1J%G{m*u9K=iaYPbgM7%ZC",
+    "ob": null,
+    "bf": null,
+    "hm": null,
+    "i": {
+      "t": "ci_secrets",
+      "c": "value"
+    },
+    "v": 2
+  },
+  "DOCKER_HUB_USERNAME": {
+    "k": "ct",
+    "c": "mBbJx*gnX#oukxKVee&yAkZtsA>GGfJHd6wn21L&_@lHCm207NnPl&O{i{{7b!RG7K=s5RjVeiDiAPtDArSLa5ZE?t)<`)rh0?Hop1JJl`6(R?rFLO#b!Eg5G+h19c5guRv^Y;FRyoUu",
+    "ob": null,
+    "bf": null,
+    "hm": null,
+    "i": {
+      "t": "ci_secrets",
+      "c": "value"
+    },
+    "v": 2
+  },
+  "DOCKER_HUB_PASSWORD": {
+    "k": "ct",
+    "c": "mBbK*YbGjRbIEUJ;<LEUwmIp<I@ePaks(deqq%0Sf>l7IpaEQl3416=!<r_6Z}W;m#f;jB7XqPHYk|0|nB5PK(~V~iyGbRG>tEKyAXSugKRW6Htia|<mUj7BLgi3V^LwHGp_oxI<S7T2IHh)BY;|SC5Hwu<&vtJ>^t3onC{{VkhX",
+    "ob": null,
+    "bf": null,
+    "hm": null,
+    "i": {
+      "t": "ci_secrets",
+      "c": "value"
+    },
+    "v": 2
+  },
+  "MULTITUDES_ACCESS_TOKEN": {
+    "k": "ct",
+    "c": "mBbKHz&;-To())kJ?nL;PvuU<0e1LJPzQ$#7Ug-%n=uXD(aTAjP4{L_z#E(X;IhH9Q<Bom)9my&>C4Ym4b`KXe?Y)HqcJ>qx1<#@>U9Bta5E7qM~<xtb!3l$k1C(t$D>Hl4%fG<K?-2U_Jw9o2%6$)PEVsU<^1wCiFODx+jX@$#C3C4W$=2_=PGn==#0x>FNuIo^b_ng2^0#=te%aZNxV53-uVKMgDk<O@Q0j5RLnV*ZHG2}Vy{!aj+==H2MEOhPZv8PR`5-H4)`5uo^HS}LP&x{;?<hs1|7}(Ew*BE1s1H$j75|yFSp1kSfZN^RcCw+3%b1za}1iUBV?ew8UC1a+kTr&?HXitn?U1fTa+AdGdQ}BZsEww@dQRV?;SKnQn+#iAJ-4Oqku_z<i|Q1DvMV3yxY2#tM4=I7r|fl(z4naE24M&32=z*<^2;%GI86I9zO|*v>;~FQGNZ(=~w=mWqVKzEI57qi`6Q)&Rdk68I(64_I^sI#30&bs!?e8=@s6hiH|SuM<^&qZPXfHPmcrvuaUD*Be11*VQh6}#1J%G{m*u9K=iaYPbgM7%ZC",
+    "ob": null,
+    "bf": null,
+    "hm": null,
+    "i": {
+      "t": "ci_secrets",
+      "c": "value"
+    },
+    "v": 2
+  }
+}

.github/workflows/benchmark.yml

@@ -24,24 +24,39 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - uses: ./.github/actions/setup-test
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+          cache-dependency-path: scripts/package-lock.json
+
+      - name: Install decrypt dependencies
+        working-directory: scripts
+        run: npm ci
+
+      - name: Decrypt secrets
+        env:
+          CS_CLIENT_KEY: ${{ secrets.CS_VAULT_CLIENT_KEY }}
+          CS_CLIENT_ACCESS_KEY: ${{ secrets.CS_VAULT_CLIENT_ACCESS_KEY }}
+        run: cd scripts && npm run decrypt
+
       - run: |
           mise run postgres:up --extra-args "--detach --wait"
+
       - name: Run benchmark
         working-directory: tests/benchmark
         env:
-          CS_CLIENT_ACCESS_KEY: ${{ secrets.CS_CLIENT_ACCESS_KEY }}
-          CS_DEFAULT_KEYSET_ID: ${{ secrets.CS_DEFAULT_KEYSET_ID }}
-          CS_CLIENT_ID: ${{ secrets.CS_CLIENT_ID }}
-          CS_CLIENT_KEY: ${{ secrets.CS_CLIENT_KEY }}
-          CS_WORKSPACE_CRN: ${{ secrets.CS_WORKSPACE_CRN }}
           RUST_BACKTRACE: "1"
         run: mise run benchmark:continuous
+
       # Download previous benchmark result from cache (if exists)
       - name: Download previous benchmark data
         uses: actions/cache@v4
         with:
           path: ./cache
           key: ${{ runner.os }}-benchmark
+
       # Run `github-action-benchmark` action
       - name: Store benchmark result
         uses: benchmark-action/github-action-benchmark@v1
@@ -56,10 +71,4 @@ jobs:
           comment-on-alert: true
           summary-always: true
           auto-push: true
-          benchmark-data-dir-path: docs
-
-      - uses: ./.github/actions/send-slack-notification
-        with:
-          channel: engineering
-          webhook_url: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK_URL }}
-
+          benchmark-data-dir-path: docs

.github/workflows/release-aws-marketplace.yml

@@ -82,6 +82,22 @@ jobs:
 
       - uses: actions/checkout@v4
 
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+          cache-dependency-path: scripts/package-lock.json
+
+      - name: Install decrypt dependencies
+        working-directory: scripts
+        run: npm ci
+
+      - name: Decrypt secrets
+        env:
+          CS_CLIENT_KEY: ${{ secrets.CS_VAULT_CLIENT_KEY }}
+          CS_CLIENT_ACCESS_KEY: ${{ secrets.CS_VAULT_CLIENT_ACCESS_KEY }}
+        run: cd scripts && npm run decrypt
+
       - uses: jdx/mise-action@v2
         with:
           version: 2025.1.6 # [default: latest] mise version to install
@@ -111,6 +127,6 @@ jobs:
             --fail-with-body \
             --url "https://api.developer.multitudes.co/deployments" \
             --header "Content-Type: application/json" \
-            --header "Authorization: ${{ secrets.MULTITUDES_ACCESS_TOKEN }}" \
+            --header "Authorization: ${{ env.MULTITUDES_ACCESS_TOKEN }}" \
             --data '{"commitSha": "${{ github.sha }}", "environmentName":"marketplace"}'
 

.github/workflows/release.yml

@@ -22,6 +22,23 @@ jobs:
     runs-on: ${{matrix.build.os}}
     steps:
       - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+          cache-dependency-path: scripts/package-lock.json
+
+      - name: Install decrypt dependencies
+        working-directory: scripts
+        run: npm ci
+
+      - name: Decrypt secrets
+        env:
+          CS_CLIENT_KEY: ${{ secrets.CS_VAULT_CLIENT_KEY }}
+          CS_CLIENT_ACCESS_KEY: ${{ secrets.CS_VAULT_CLIENT_ACCESS_KEY }}
+        run: cd scripts && npm run decrypt
+
       - name: Setup Rust cache
         uses: Swatinem/rust-cache@v2
         if: github.event_name == 'pull_request' # only cache in pull requests
@@ -55,8 +72,8 @@ jobs:
       - name: Login to Docker Hub
         uses: docker/login-action@v3
         with:
-          username: ${{ secrets.DOCKER_HUB_USERNAME }}
-          password: ${{ secrets.DOCKER_HUB_PERSONAL_ACCESS_TOKEN }}
+          username: ${{ env.DOCKER_HUB_USERNAME }}
+          password: ${{ env.DOCKER_HUB_PASSWORD }}
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
@@ -92,6 +109,24 @@ jobs:
     needs:
       - build
     steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+          cache-dependency-path: scripts/package-lock.json
+
+      - name: Install decrypt dependencies
+        working-directory: scripts
+        run: npm ci
+
+      - name: Decrypt secrets
+        env:
+          CS_CLIENT_KEY: ${{ secrets.CS_VAULT_CLIENT_KEY }}
+          CS_CLIENT_ACCESS_KEY: ${{ secrets.CS_VAULT_CLIENT_ACCESS_KEY }}
+        run: cd scripts && npm run decrypt
+
       - name: Download digests
         uses: actions/download-artifact@v4
         with:
@@ -102,8 +137,8 @@ jobs:
       - name: Login to Docker Hub
         uses: docker/login-action@v3
         with:
-          username: ${{ secrets.DOCKER_HUB_USERNAME }}
-          password: ${{ secrets.DOCKER_HUB_PERSONAL_ACCESS_TOKEN }}
+          username: ${{ env.DOCKER_HUB_USERNAME }}
+          password: ${{ env.DOCKER_HUB_PASSWORD }}
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
@@ -135,5 +170,5 @@ jobs:
             --fail-with-body \
             --url "https://api.developer.multitudes.co/deployments" \
             --header "Content-Type: application/json" \
-            --header "Authorization: ${{ secrets.MULTITUDES_ACCESS_TOKEN }}" \
+            --header "Authorization: ${{ env.MULTITUDES_ACCESS_TOKEN }}" \
             --data '{"commitSha": "${{ github.sha }}", "environmentName":"dockerhub"}'

.github/workflows/test.yml

@@ -18,28 +18,31 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - uses: ./.github/actions/setup-test
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: 'npm'
+          cache-dependency-path: scripts/package-lock.json
+
+      - name: Install decrypt dependencies
+        working-directory: scripts
+        run: npm ci
+
+      - name: Decrypt secrets
+        env:
+          CS_CLIENT_KEY: ${{ secrets.CS_VAULT_CLIENT_KEY }}
+          CS_CLIENT_ACCESS_KEY: ${{ secrets.CS_VAULT_CLIENT_ACCESS_KEY }}
+        run: cd scripts && npm run decrypt
+
       - run: |
           mise run postgres:up --extra-args "--detach --wait"
-      - env:
+
+      - name: Run tests
+        env:
           # REMEMBER TO ADD ENVIRONMENT VARIABLES TO tests/docker-compose.yml
           # The tests/docker-compose.yml config passes the ENV vars into the container
-          CS_CLIENT_ACCESS_KEY: ${{ secrets.CS_CLIENT_ACCESS_KEY }}
-          CS_DEFAULT_KEYSET_ID: ${{ secrets.CS_DEFAULT_KEYSET_ID }}
-          CS_TENANT_KEYSET_ID_1: ${{ secrets.CS_TENANT_KEYSET_ID_1 }}
-          CS_TENANT_KEYSET_ID_2: ${{ secrets.CS_TENANT_KEYSET_ID_2 }}
-          CS_TENANT_KEYSET_ID_3: ${{ secrets.CS_TENANT_KEYSET_ID_3 }}
-          CS_TENANT_KEYSET_NAME_1: ${{ secrets.CS_TENANT_KEYSET_NAME_1 }}
-          CS_TENANT_KEYSET_NAME_2: ${{ secrets.CS_TENANT_KEYSET_NAME_2 }}
-          CS_TENANT_KEYSET_NAME_3: ${{ secrets.CS_TENANT_KEYSET_NAME_3 }}
-          CS_CLIENT_ID: ${{ secrets.CS_CLIENT_ID }}
-          CS_CLIENT_KEY: ${{ secrets.CS_CLIENT_KEY }}
-          CS_WORKSPACE_CRN: ${{ secrets.CS_WORKSPACE_CRN }}
           RUST_BACKTRACE: "1"
         run: |
           mise run --output prefix test
 
-      - uses: ./.github/actions/send-slack-notification
-        with:
-          channel: engineering
-          webhook_url: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK_URL }}
-

.gitignore

@@ -18,6 +18,12 @@ rust-toolchain.toml
 # credentials for local dev
 .env.proxy.docker
 
+# CI secrets plaintext (never commit actual values)
+.github/secrets.env.plaintext
+
+# Node modules (scripts directory)
+scripts/node_modules/
+
 ## benchmark result data
 tests/benchmark/results/*.csv
 tests/benchmark/benchmark-*.png