From 8ea56c4d0f4f5e51489eae73b9741c0f0f868a0f Mon Sep 17 00:00:00 2001
From: Antoine Verin
Date: Mon, 7 Jul 2025 15:16:57 +0200
Subject: [PATCH] feat(EN-2932): Migrate github secrets to vault
---
 .github/ci-secrets.yml | 6 ++++++
 .github/workflows/release.yml | 15 ++++++++++++---
 2 files changed, 18 insertions(+), 3 deletions(-)
 create mode 100644 .github/ci-secrets.yml
diff --git a/.github/ci-secrets.yml b/.github/ci-secrets.yml
new file mode 100644
index 00000000..72c5834d
--- /dev/null
+++ b/.github/ci-secrets.yml
@@ -0,0 +1,6 @@
+secrets:
+ common:
+ - path: terraform/github/actions/terraform-provider-postgresql/common
+ version: 0
+ - path: common/github/actions/terraform-provider-postgresql/to_be_classified
+ version: 1
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e03b546d..cab7fff4 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -14,6 +14,11 @@ on:
 push:
 tags:
 - 'v*'
+
+permissions:
+ contents: read
+ id-token: write
+
 jobs:
 goreleaser:
 runs-on: ubuntu-latest
@@ -21,6 +26,10 @@ jobs:
 - name: Checkout
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+ - name: Load Secrets
+ uses: doctolib/actions/load-secrets@main
+ with:
+ prefix_secrets: true
 - name: Unshallow
 run: git fetch --prune --unshallow
@@ -35,8 +44,8 @@ jobs:
 uses: crazy-max/ghaction-import-gpg@d6f3f49f3345e29369fe57596a3ca8f94c4d2ca7 # v5
 with:
 # These secrets will need to be configured for the repository:
- gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
- passphrase: ${{ secrets.PASSPHRASE }}
+ gpg_private_key: ${{ env.VAULT_SECRET_GPG_PRIVATE_KEY }}
+ passphrase: ${{ env.VAULT_SECRET_PASSPHRASE }}
 - name: Run GoReleaser
 uses: goreleaser/goreleaser-action@9c156ee8a17a598857849441385a2041ef570552 # v6
@@ -46,4 +55,4 @@ jobs:
 env:
 GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
 # GitHub sets this automatically
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ GITHUB_TOKEN: ${{ github.token }}
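Review bot: The new `.github/ci-secrets.yml` carries no comment saying which step consumes it or what `version` selects, so `version: 0` on the first path and `version: 1` on the second read as arbitrary to anyone without the ticket. A header above `secrets:` such as `# Consumed by the "Load Secrets" step in .github/workflows/release.yml` plus a short line explaining `version` (wording to be confirmed against the load-secrets action's documentation) would make the file self-describing. The `to_be_classified` segment in the second path suggests a temporary bucket; if that is the case, a comment saying so would keep the entry from quietly becoming permanent.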
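Review bot: `contents: read` in the new `permissions` block is probably too narrow for this job: the same token is handed to GoReleaser as `GITHUB_TOKEN: ${{ github.token }}` in the last hunk (`github.token` and `secrets.GITHUB_TOKEN` are the same token), and publishing a GitHub release from the `v*` tag push needs `contents: write`. Before this change the token carried whatever the repository default grants, so making it explicit may turn a working release into a 403 at the publish step; if GoReleaser is expected to create the release here, change the line to `contents: write` and keep `id-token: write`, which is the minimum for the OIDC exchange the Load Secrets step presumably relies on. If the GoReleaser invocation (outside these hunks) does not publish, `read` is the right least-privilege choice and a comment saying so would stop the next reader from widening it.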
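Review bot: `uses: doctolib/actions/load-secrets@main` pins the one action that handles Vault credentials to a moving branch, while every other action in this file is pinned to a full commit SHA with a version comment (`actions/checkout@11bd7190…`, `ghaction-import-gpg@d6f3f49f…`, `goreleaser-action@9c156ee8…`). Pin it the same way, `uses: doctolib/actions/load-secrets@<commit-sha> # <tag>` (placeholder — substitute the reviewed commit), so a push to that repository's `main` cannot silently change what runs with `id-token: write`. Note also that with `prefix_secrets: true` the loaded values appear to be exported as `VAULT_SECRET_*` job environment variables (see the later hunk), which makes them readable by every subsequent step including third-party actions, whereas `${{ secrets.* }}` was only expanded where referenced; worth confirming that widening is intended.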
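Review bot: The context comment `# These secrets will need to be configured for the repository:` is now wrong: `gpg_private_key` and `passphrase` are read from `env.VAULT_SECRET_*`, which the Load Secrets step populates from Vault, not from repository secrets. Replace it with `# Loaded from Vault by the "Load Secrets" step (paths in .github/ci-secrets.yml)` so nobody goes looking in repository settings. Unlike `${{ secrets.* }}`, values that reach the job through env are only redacted from logs if the loading action registers them with `::add-mask::`; that is inferred, not visible here, so it is worth confirming the doctolib action does it. The enclosing step starts before this hunk.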