feat: fetch GitHub App credentials from AWS Secrets Manager via OIDC#119
Draft
derekmisler wants to merge 4 commits into docker:main from
Conversation
Replace org-secret lookups with OIDC + Secrets Manager in all reusable
consumer-facing workflows. Each affected job now:
1. Assumes the docker-agent-action IAM role via OIDC (id-token: write)
2. Fetches { app_id, private_key, org_membership_token } from the
docker-agent-action/github-app Secrets Manager secret
3. Passes those values to downstream steps instead of inherited secrets
Affected workflows:
- review-pr.yml (auto-review, manual-review, reply-to-feedback jobs)
- reply-to-feedback.yml (reply job)
- pr-describe.yml (generate-description job)
- security-scan.yml (security-scan job)
- self-review-pr.yml (auto-review, manual-review jobs)
HAS_APP_SECRETS env var changed from dynamic secret check to hardcoded
'true' — credentials are always available via Secrets Manager.
Existing secrets: declarations on workflow_call kept as required: false
for backward compatibility with consumer repos not yet migrated.
TODO_ROLE_ARN must be replaced with the actual IAM role ARN after the
Terraform in docker/infra-terraform is applied.
Assisted-By: docker-agent
refactor: remove HAS_APP_SECRETS — credentials are always available via OIDC
Assisted-By: docker-agent
Move ANTHROPIC_API_KEY and OPENAI_API_KEY out of GitHub secrets and into
AWS Secrets Manager (docker-agent-action/ai-api-keys). Keys are now fetched
at runtime via the existing OIDC role, consistent with how GitHub App
credentials are already fetched.
Affected workflows: review-pr.yml, reply-to-feedback.yml, self-review-pr.yml,
security-scan.yml, pr-describe.yml
Assisted-By: docker-agent
For ANTHROPIC_API_KEY, OPENAI_API_KEY, and CAGENT_ORG_MEMBERSHIP_TOKEN, apply
precedence: consumer-defined GitHub secret wins; Secrets Manager value is used
only if the consumer hasn't provided one.
Uses GitHub Actions || short-circuit: secrets.X || steps.y.outputs.x
Assisted-By: docker-agent
Related Issues
Closes: https://github.com/docker/gordon/issues/330
Depends on: https://github.com/docker/infra-terraform/pull/11303
Summary

Replaces the three org-level GitHub secrets (`CAGENT_REVIEWER_APP_ID`, `CAGENT_REVIEWER_APP_PRIVATE_KEY`, `CAGENT_ORG_MEMBERSHIP_TOKEN`) with OIDC-based lookups from AWS Secrets Manager across all 5 reusable workflows. Consumer repos no longer need those secrets configured; the only change they need is adding `id-token: write` to their job permissions.

This eliminates secret sprawl across ~40 consumer repos: credentials now live in one place (`docker-agent-action/github-app` in Secrets Manager), so rotations happen once and propagate instantly.

Changes

- All 5 reusable workflows (`review-pr.yml`, `reply-to-feedback.yml`, `pr-describe.yml`, `security-scan.yml`, `self-review-pr.yml`): added `id-token: write` permission, replaced the `HAS_APP_SECRETS` env-var guard pattern with two new steps at the top of each job:
  - Assume the `docker-agent-action-*` IAM role via GitHub OIDC using `aws-actions/configure-aws-credentials@v4`
  - Fetch `docker-agent-action/github-app` from Secrets Manager, validate all three fields, mask them with `::add-mask::`, and emit them as step outputs (using a random heredoc delimiter for the multi-line private key)
- AI API keys (`docker-agent-action/ai-api-keys`) are fetched similarly; the `anthropic-api-key` and `openai-api-key` inputs now use `${{ secrets.X || steps.ai-api-keys.outputs.x }}` so consumer-supplied secrets still take precedence
- `tibdex/github-app-token` steps: `if: env.HAS_APP_SECRETS == 'true'` guards removed — token generation now runs unconditionally (still `continue-on-error: true`)
- `CAGENT_ORG_MEMBERSHIP_TOKEN` usages in membership-check steps updated to `${{ secrets.CAGENT_ORG_MEMBERSHIP_TOKEN || steps.app-credentials.outputs.org-membership-token }}`
- `TODO_ROLE_ARN` appears in all 5 workflow files and must be replaced with the actual IAM role ARN before this PR is merged. The ARN is produced by the companion Terraform PR: docker/infra-terraform#11303.

Do not merge until:

- `TODO_ROLE_ARN` placeholders are replaced with the real ARN
Tip: Comment `/review` to trigger the PR Reviewer agent for automated feedback. Comment `/describe` to generate a PR description.
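The "fetch, validate, mask, emit as step outputs" step that the description and the first commit message outline is written here as a standalone script, an added example that is not the PR's own workflow code. It assumes the job has already run `aws-actions/configure-aws-credentials` (so boto3 picks up the OIDC-derived credentials from the environment), that the secret `docker-agent-action/github-app` holds a JSON object with the three fields named in the commit message, and that `GITHUB_OUTPUT` is set by the runner; the `render`/`output_block` function names and the sample secret JSON are constructed for this illustration. Two details worth seeing in code: `::add-mask::` masks an exact string, so a multi-line private key has to be masked line by line, and the random heredoc delimiter is what keeps a value containing `EOF` (or any fixed delimiter) from terminating the output early.

```python
"""Fetch GitHub App credentials from Secrets Manager and expose them as step outputs.

Example script (not the PR's code). Run inside a job step after
aws-actions/configure-aws-credentials has assumed the OIDC role.
"""
from __future__ import annotations

import json
import os
import secrets
import sys

SECRET_ID = "docker-agent-action/github-app"  # secret name from the PR
REQUIRED_FIELDS = ("app_id", "private_key", "org_membership_token")

# Constructed sample for offline use; not a real key or token.
EXAMPLE_SECRET_JSON = (
    '{"app_id": "123456", '
    '"private_key": "-----BEGIN RSA PRIVATE KEY-----\\nMIIBOgIBAAJBAKj\\n'
    '-----END RSA PRIVATE KEY-----", '
    '"org_membership_token": "ghp_constructed_example"}'
)


def fetch_secret_string(secret_id: str = SECRET_ID) -> str:
    """Read SecretString using whatever credentials the job already has (OIDC role)."""
    import boto3  # assumption: boto3 is installed on the runner

    client = boto3.client("secretsmanager")
    return client.get_secret_value(SecretId=secret_id)["SecretString"]


def validate(secret_json: str) -> dict[str, str]:
    """Fail loudly if any of the three fields is absent or blank."""
    data = json.loads(secret_json)
    missing = [f for f in REQUIRED_FIELDS
               if data.get(f) is None or not str(data[f]).strip()]
    if missing:
        raise ValueError(f"secret {SECRET_ID} is missing fields: {', '.join(missing)}")
    return {f: str(data[f]) for f in REQUIRED_FIELDS}


def mask_commands(value: str) -> list[str]:
    """::add-mask:: matches an exact string, so multi-line values are masked per line."""
    return [f"::add-mask::{line}" for line in value.splitlines() if line.strip()]


def output_block(name: str, value: str, delimiter: str | None = None) -> str:
    """Render a GITHUB_OUTPUT heredoc entry with a random delimiter.

    A fixed delimiter such as EOF could appear inside an arbitrary secret value
    and end the block early; 128 random bits cannot be guessed or collide.
    """
    delimiter = delimiter or secrets.token_hex(16)
    if delimiter in value:
        raise ValueError("delimiter collides with value; regenerate")
    return f"{name}<<{delimiter}\n{value}\n{delimiter}\n"


def render(secret_json: str) -> tuple[list[str], str]:
    """Return (mask commands to print, text to append to GITHUB_OUTPUT)."""
    creds = validate(secret_json)
    masks: list[str] = []
    outputs: list[str] = []
    for field, value in creds.items():
        masks.extend(mask_commands(value))
        # Output names use dashes, matching steps.app-credentials.outputs.org-membership-token
        outputs.append(output_block(field.replace("_", "-"), value))
    return masks, "".join(outputs)


def main() -> int:
    masks, outputs = render(fetch_secret_string())
    # Emit masks first so nothing that later echoes these values can leak them.
    for cmd in masks:
        print(cmd)
    with open(os.environ["GITHUB_OUTPUT"], "a", encoding="utf-8") as fh:
        fh.write(outputs)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

With `id: app-credentials` on the step that runs this script, downstream steps consume the values as `${{ steps.app-credentials.outputs.app-id }}` and so on, and the `${{ secrets.X || steps.app-credentials.outputs.x }}` expression from the PR still lets a consumer-supplied secret win because an unset secret evaluates as empty and falls through the `||`.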