Merge pull request #344 from cipherstash/feat/protectgh-ci

ci: use protectgh action for encrypted secrets

Author: tobyhede

.github/secrets.env.encrypted

@@ -0,0 +1,12 @@
+{
+  "k": "ct",
+  "c": "mBbKV<xz1b;lL$qXaZ1eEazgy12v{5BvnND87}b_mbG58wOs>0G4)-8UdG=fVK^Mgf0{+={6c)WxWPnZ(Cp1Iq=%3}nK4a)CGBx1bjZ=qv8EHV9gp30vQ`13OJxFK&vBuwpyEt$JE{*iks{9CMl@IGpcvQ8gA7RNsgU>j6~vXw+Ir0WKXxrDu|PrlDk@Z@tYC<k#21dU5I!B7JhCdj#Oah$5;B@;`J!gjCaT!(>11HTq*7Ufq{V_GxAc=rh+gkkDsiM%LjPyK-fvut?5Fwf*i8>YcD<c1kk(FP_6PM@GEq&lP0STP$!tjzkO6$$`4{%3v{sgVk+M~*j#Iic)1CkbkbIYoay}^IRAz!t<tG2uEdpeU*9F(1a9p3RcFU*5pxM?C&6}LH0u<=<>-HELZe^)cc$8aXF;l#4*srYmmdO$ydq-KxbwECzD%{l$#IQh90%*!8$=`lK`!aea=QOICK(5JGRkL1<_eHdY9z1_J8<51L=N29rCD=uup}QKsFs2>$S)|D9?w4r;l>ovY*rGAxmlR14{QFjmRFQP!4d#Q6k6p=#uO(tNpb(^yl7XC+h4xCXFq(gy*@DmrEK>}gF7fQx{^)m{aV4gA&KH|wO)rikb|jF_K@5|f+NpJ*%)`>xuKl=uSaMF4p!PA;EzE4?hdtPnd+5Y4Dk|UC7@wAs%G|M~f`LP3K*__-N~wag5|>u|aHGqB{mnyWcVLsKU&RUA*PLl#znp61^`!uKxq8~0fpsZi%tn;yFzj>-vHH*Zndd0d(|vjSN7XFO6f$aN3~2jD)GOi}6EHaE^o(dM0T6=5c!rBY7_9zJzpt74(wmd&;*o}70+0^HUc9)3GP7-s0il063@(-@;mcA;%pp%{`q+J}@ZQ>Y7i|Que0zv2o~nuk#%2pe^E0UN;J&qv)igfU!(!JHBVN`&s8VknlfK+YI`d6Ex(qIR)))}{j{8ZssNpWrUUpL%CGhk)6bjn`YMP@j&!4b)o5EHb&x(EwT5Re@jO4IK&ZSSQ50Gn`=uvGmBQ_N|c=l+SXHc{Mwe^hT_DK)zCcCW;$(YGqnzo9>AZz%W3Dp9wW9mjKd*NrGw;>G4_yU_>0^X1Ol6KHcL#1|MY;|SC5Hwu<&vtJ>^t3onC{{VkhX",
+  "ob": null,
+  "bf": null,
+  "hm": null,
+  "i": {
+    "t": "ci_secrets",
+    "c": "value"
+  },
+  "v": 2
+}

.github/workflows/benchmark.yml

@@ -24,24 +24,33 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - uses: ./.github/actions/setup-test
+
+      - name: Decrypt secrets
+        uses: cipherstash/protectgh@main
+        with:
+          secrets-file: .github/secrets.env.encrypted
+        env:
+          CS_CLIENT_ID: ${{ secrets.CS_VAULT_CLIENT_ID }}
+          CS_CLIENT_KEY: ${{ secrets.CS_VAULT_CLIENT_KEY }}
+          CS_CLIENT_ACCESS_KEY: ${{ secrets.CS_VAULT_CLIENT_ACCESS_KEY }}
+          CS_WORKSPACE_CRN: ${{ secrets.CS_VAULT_WORKSPACE_CRN }}
+
       - run: |
           mise run postgres:up --extra-args "--detach --wait"
+
       - name: Run benchmark
         working-directory: tests/benchmark
         env:
-          CS_CLIENT_ACCESS_KEY: ${{ secrets.CS_CLIENT_ACCESS_KEY }}
-          CS_DEFAULT_KEYSET_ID: ${{ secrets.CS_DEFAULT_KEYSET_ID }}
-          CS_CLIENT_ID: ${{ secrets.CS_CLIENT_ID }}
-          CS_CLIENT_KEY: ${{ secrets.CS_CLIENT_KEY }}
-          CS_WORKSPACE_CRN: ${{ secrets.CS_WORKSPACE_CRN }}
           RUST_BACKTRACE: "1"
         run: mise run benchmark:continuous
+
       # Download previous benchmark result from cache (if exists)
       - name: Download previous benchmark data
         uses: actions/cache@v4
         with:
           path: ./cache
           key: ${{ runner.os }}-benchmark
+
       # Run `github-action-benchmark` action
       - name: Store benchmark result
         uses: benchmark-action/github-action-benchmark@v1
@@ -62,4 +71,3 @@ jobs:
         with:
           channel: engineering
           webhook_url: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK_URL }}
-

.github/workflows/release-aws-marketplace.yml

@@ -35,7 +35,7 @@ env:
 
 jobs:
   build:
-    name: 🏗️ Build binaries + Docker images
+    name: Build binaries + Docker images
     permissions:
         contents: read
         packages: write
@@ -82,6 +82,16 @@ jobs:
 
       - uses: actions/checkout@v4
 
+      - name: Decrypt secrets
+        uses: cipherstash/protectgh@main
+        with:
+          secrets-file: .github/secrets.env.encrypted
+        env:
+          CS_CLIENT_ID: ${{ secrets.CS_VAULT_CLIENT_ID }}
+          CS_CLIENT_KEY: ${{ secrets.CS_VAULT_CLIENT_KEY }}
+          CS_CLIENT_ACCESS_KEY: ${{ secrets.CS_VAULT_CLIENT_ACCESS_KEY }}
+          CS_WORKSPACE_CRN: ${{ secrets.CS_VAULT_WORKSPACE_CRN }}
+
       - uses: jdx/mise-action@v2
         with:
           version: 2025.1.6 # [default: latest] mise version to install
@@ -111,6 +121,5 @@ jobs:
             --fail-with-body \
             --url "https://api.developer.multitudes.co/deployments" \
             --header "Content-Type: application/json" \
-            --header "Authorization: ${{ secrets.MULTITUDES_ACCESS_TOKEN }}" \
+            --header "Authorization: ${{ env.MULTITUDES_ACCESS_TOKEN }}" \
             --data '{"commitSha": "${{ github.sha }}", "environmentName":"marketplace"}'
-

.github/workflows/release.yml

@@ -12,7 +12,7 @@ env:
 
 jobs:
   build:
-    name: 🏗️ Build binaries + Docker images
+    name: Build binaries + Docker images
     strategy:
       fail-fast: false
       matrix:
@@ -22,6 +22,17 @@ jobs:
     runs-on: ${{matrix.build.os}}
     steps:
       - uses: actions/checkout@v4
+
+      - name: Decrypt secrets
+        uses: cipherstash/protectgh@main
+        with:
+          secrets-file: .github/secrets.env.encrypted
+        env:
+          CS_CLIENT_ID: ${{ secrets.CS_VAULT_CLIENT_ID }}
+          CS_CLIENT_KEY: ${{ secrets.CS_VAULT_CLIENT_KEY }}
+          CS_CLIENT_ACCESS_KEY: ${{ secrets.CS_VAULT_CLIENT_ACCESS_KEY }}
+          CS_WORKSPACE_CRN: ${{ secrets.CS_VAULT_WORKSPACE_CRN }}
+
       - name: Setup Rust cache
         uses: Swatinem/rust-cache@v2
         if: github.event_name == 'pull_request' # only cache in pull requests
@@ -55,8 +66,8 @@ jobs:
       - name: Login to Docker Hub
         uses: docker/login-action@v3
         with:
-          username: ${{ secrets.DOCKER_HUB_USERNAME }}
-          password: ${{ secrets.DOCKER_HUB_PERSONAL_ACCESS_TOKEN }}
+          username: ${{ env.DOCKER_HUB_USERNAME }}
+          password: ${{ env.DOCKER_HUB_PASSWORD }}
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
@@ -92,6 +103,18 @@ jobs:
     needs:
       - build
     steps:
+      - uses: actions/checkout@v4
+
+      - name: Decrypt secrets
+        uses: cipherstash/protectgh@main
+        with:
+          secrets-file: .github/secrets.env.encrypted
+        env:
+          CS_CLIENT_ID: ${{ secrets.CS_VAULT_CLIENT_ID }}
+          CS_CLIENT_KEY: ${{ secrets.CS_VAULT_CLIENT_KEY }}
+          CS_CLIENT_ACCESS_KEY: ${{ secrets.CS_VAULT_CLIENT_ACCESS_KEY }}
+          CS_WORKSPACE_CRN: ${{ secrets.CS_VAULT_WORKSPACE_CRN }}
+
       - name: Download digests
         uses: actions/download-artifact@v4
         with:
@@ -102,8 +125,8 @@ jobs:
       - name: Login to Docker Hub
         uses: docker/login-action@v3
         with:
-          username: ${{ secrets.DOCKER_HUB_USERNAME }}
-          password: ${{ secrets.DOCKER_HUB_PERSONAL_ACCESS_TOKEN }}
+          username: ${{ env.DOCKER_HUB_USERNAME }}
+          password: ${{ env.DOCKER_HUB_PASSWORD }}
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
@@ -135,5 +158,5 @@ jobs:
             --fail-with-body \
             --url "https://api.developer.multitudes.co/deployments" \
             --header "Content-Type: application/json" \
-            --header "Authorization: ${{ secrets.MULTITUDES_ACCESS_TOKEN }}" \
+            --header "Authorization: ${{ env.MULTITUDES_ACCESS_TOKEN }}" \
             --data '{"commitSha": "${{ github.sha }}", "environmentName":"dockerhub"}'

.github/workflows/test.yml

@@ -24,22 +24,22 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - uses: ./.github/actions/setup-test
+
+      - name: Decrypt secrets
+        uses: cipherstash/protectgh@main
+        with:
+          secrets-file: .github/secrets.env.encrypted
+        env:
+          CS_CLIENT_ID: ${{ secrets.CS_VAULT_CLIENT_ID }}
+          CS_CLIENT_KEY: ${{ secrets.CS_VAULT_CLIENT_KEY }}
+          CS_CLIENT_ACCESS_KEY: ${{ secrets.CS_VAULT_CLIENT_ACCESS_KEY }}
+          CS_WORKSPACE_CRN: ${{ secrets.CS_VAULT_WORKSPACE_CRN }}
+
       - run: |
           mise run postgres:up --extra-args "--detach --wait"
-      - env:
-          # REMEMBER TO ADD ENVIRONMENT VARIABLES TO tests/docker-compose.yml
-          # The tests/docker-compose.yml config passes the ENV vars into the container
-          CS_CLIENT_ACCESS_KEY: ${{ secrets.CS_CLIENT_ACCESS_KEY }}
-          CS_DEFAULT_KEYSET_ID: ${{ secrets.CS_DEFAULT_KEYSET_ID }}
-          CS_TENANT_KEYSET_ID_1: ${{ secrets.CS_TENANT_KEYSET_ID_1 }}
-          CS_TENANT_KEYSET_ID_2: ${{ secrets.CS_TENANT_KEYSET_ID_2 }}
-          CS_TENANT_KEYSET_ID_3: ${{ secrets.CS_TENANT_KEYSET_ID_3 }}
-          CS_TENANT_KEYSET_NAME_1: ${{ secrets.CS_TENANT_KEYSET_NAME_1 }}
-          CS_TENANT_KEYSET_NAME_2: ${{ secrets.CS_TENANT_KEYSET_NAME_2 }}
-          CS_TENANT_KEYSET_NAME_3: ${{ secrets.CS_TENANT_KEYSET_NAME_3 }}
-          CS_CLIENT_ID: ${{ secrets.CS_CLIENT_ID }}
-          CS_CLIENT_KEY: ${{ secrets.CS_CLIENT_KEY }}
-          CS_WORKSPACE_CRN: ${{ secrets.CS_WORKSPACE_CRN }}
+
+      - name: Run tests
+        env:
           RUST_BACKTRACE: "1"
         run: |
           mise run --output prefix test
@@ -48,4 +48,3 @@ jobs:
         with:
           channel: engineering
           webhook_url: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK_URL }}
-

.gitignore

@@ -18,6 +18,9 @@ rust-toolchain.toml
 # credentials for local dev
 .env.proxy.docker
 
+# decrypted CI secrets (encrypted file is .github/secrets.env.encrypted)
+.github/secrets.env
+
 ## benchmark result data
 tests/benchmark/results/*.csv
 tests/benchmark/benchmark-*.png