From 41c6f7d42230db75d2217ebc9146d58b3ac6a9ed Mon Sep 17 00:00:00 2001
From: Joe Lombrozo
Date: Mon, 23 Mar 2026 11:08:27 -0700
Subject: [PATCH 1/3] improve infisical workflow
- use env vars instead of file
- use machine identity instead of client id & secret
- add deploy environment to github
---
 .github/actions/deploy-setup/action.yml | 38 +++++-----------------
 .github/workflows/build-and-upload-job.yml | 4 +--
 .github/workflows/deploy-infra.yml | 4 +--
 .github/workflows/deploy-job.yml | 4 +--
 4 files changed, 15 insertions(+), 35 deletions(-)
diff --git a/.github/actions/deploy-setup/action.yml b/.github/actions/deploy-setup/action.yml
index 1982428fae..efa0e6655f 100644
--- a/.github/actions/deploy-setup/action.yml
+++ b/.github/actions/deploy-setup/action.yml
@@ -4,45 +4,25 @@ inputs: environment: description: "Target environment for deployment, e.g. staging" required: true - infisical_client_id: - description: "Infisical client ID for accessing secrets" - required: true - infisical_client_secret: - description: "Infisical client secret for accessing secrets" - required: true install_gcloud: description: "Whether to install the gcloud CLI (needed for gsutil/docker auth)" required: false default: "false" + infisical_machine_identity_id: + description: "Infisical machine identity ID for accessing secrets" + required: true runs: using: "composite" steps: - - uses: Infisical/secrets-action@v1.0.9 + - name: Load environment variables from Infisical + uses: Infisical/secrets-action@v1.0.15 with: - client-id: ${{ inputs.infisical_client_id }} - client-secret: ${{ inputs.infisical_client_secret }} + method: "oidc" + identity-id: ${{ inputs.infisical_machine_identity_id }} + project-slug: "infra-deployment-env" env-slug: ${{ inputs.environment }} - project-slug: "infra-deployment" - export-type: "file" - file-output-path: "/.env.infisical" - - - name: Load Environment Variables - id: load-env - run: | - echo ${{ inputs.environment }} > .last_used_env - cat .env.infisical | sed "s/='\(.*\)'$/=\1/g" > .env.${{ inputs.environment }} - - # Load environment variables from .env - set -a - . .env.${{ inputs.environment }} - set +a - - echo "GCP_REGION=${GCP_REGION}" >> $GITHUB_ENV - echo "GCP_PROJECT_ID=${GCP_PROJECT_ID}" >> $GITHUB_ENV - echo "TERRAFORM_STATE_BUCKET=${TERRAFORM_STATE_BUCKET}" >> $GITHUB_ENV - echo "GH_WORKLOAD_IDENTITY_PROVIDER=${GH_WORKLOAD_IDENTITY_PROVIDER}" >> $GITHUB_ENV - shell: bash + export-type: "env" - name: Setup Service Account uses: google-github-actions/auth@v2 diff --git a/.github/workflows/build-and-upload-job.yml b/.github/workflows/build-and-upload-job.yml index a2f8894724..dc28dbb379 100644 --- a/.github/workflows/build-and-upload-job.yml +++ b/.github/workflows/build-and-upload-job.yml 
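Review bot: The step that now gates every deploy secret, `uses: Infisical/secrets-action@v1.0.15`, is pinned to a mutable tag; pin it to the tag's commit, `uses: Infisical/secrets-action@<commit-sha> # v1.0.15`, so a moved tag cannot swap the code that receives the job's OIDC token. `export-type: "env"` replaces a step that forwarded exactly four named variables into `$GITHUB_ENV`, so if the action exports the whole `infra-deployment-env` scope into the job environment, every later step, including third-party actions such as `google-github-actions/auth@v2`, inherits all of it; confirm that scope holds only what the deploy needs. The `oidc` method also depends on the calling job granting `id-token: write`, which a composite action cannot declare for itself, so the input description should state it, e.g. `description: "Infisical machine identity ID for accessing secrets (OIDC; the calling job must set permissions: id-token: write)"`. The `runs.steps` sequence continues past the end of the hunk.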
@@ -31,6 +31,7 @@ jobs:
 deploy:
 name: Build and upload job to the ${{ inputs.environment }} environment
 runs-on: ci-builder
+ environment: ${{ inputs.environment }}
 permissions:
 contents: read
 id-token: write
@@ -45,9 +46,8 @@ jobs:
 uses: ./.github/actions/deploy-setup
 with:
 environment: ${{ inputs.environment }}
- infisical_client_id: ${{ secrets.INFISICAL_CLIENT_ID }}
- infisical_client_secret: ${{ secrets.INFISICAL_CLIENT_SECRET }}
 install_gcloud: "true"
+ infisical_machine_identity_id: ${{ vars.INFISICAL_MACHINE_IDENTITY_ID }}
 
 - name: Set up Docker
 env:
diff --git a/.github/workflows/deploy-infra.yml b/.github/workflows/deploy-infra.yml
index b54227c9af..3811aa508d 100644
--- a/.github/workflows/deploy-infra.yml
+++ b/.github/workflows/deploy-infra.yml
@@ -29,6 +29,7 @@ jobs:
 deploy:
 name: Deploy Infra to the ${{ inputs.environment }} environment
 runs-on: ubuntu-22.04
+ environment: ${{ inputs.environment }}
 permissions:
 contents: read
 id-token: write
@@ -43,9 +44,8 @@ jobs:
 uses: ./.github/actions/deploy-setup
 with:
 environment: ${{ inputs.environment }}
- infisical_client_id: ${{ secrets.INFISICAL_CLIENT_ID }}
- infisical_client_secret: ${{ secrets.INFISICAL_CLIENT_SECRET }}
 install_gcloud: "true"
+ infisical_machine_identity_id: ${{ vars.INFISICAL_MACHINE_IDENTITY_ID }}
 
 - name: Run Terraform state migrations
 if: inputs.plan_only == 'false'
diff --git a/.github/workflows/deploy-job.yml b/.github/workflows/deploy-job.yml
index e08a9acfac..b5e1ee2e82 100644
--- a/.github/workflows/deploy-job.yml
+++ b/.github/workflows/deploy-job.yml
@@ -32,6 +32,7 @@ jobs:
 deploy:
 name: Deploy job to the ${{ inputs.environment }} environment
 runs-on: ubuntu-22.04
+ environment: ${{ inputs.environment }}
 permissions:
 contents: read
 id-token: write
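Review bot: The new `environment: ${{ inputs.environment }}` is what lets `vars.INFISICAL_MACHINE_IDENTITY_ID` resolve per environment, but it also changes the OIDC token GitHub issues (the `sub` claim becomes `repo:<owner>/<repo>:environment:<name>`), so the trust rule on each Infisical machine identity should require that environment claim rather than only the repository; otherwise a job that omits `environment:`, or runs under a different one, can still obtain the same identity's secrets. The identical hunk pair is in `deploy-infra.yml` below and in `deploy-job.yml`, whose second hunk ends on the next line. As a point of style, here and in `deploy-infra.yml` the `infisical_machine_identity_id` input is appended after `install_gcloud`, while in `deploy-job.yml` it takes the removed keys' place; keep one key order across the three callers so the `deploy-setup` inputs diff cleanly. The `deploy` job mapping continues outside the hunk.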
@@ -46,8 +47,7 @@ jobs:
 uses: ./.github/actions/deploy-setup
 with:
 environment: ${{ inputs.environment }}
- infisical_client_id: ${{ secrets.INFISICAL_CLIENT_ID }}
- infisical_client_secret: ${{ secrets.INFISICAL_CLIENT_SECRET }}
+ infisical_machine_identity_id: ${{ vars.INFISICAL_MACHINE_IDENTITY_ID }}
 
 - name: Run Terraform state migrations
 if: inputs.plan_only == 'false'
From 780de2896541a42e7f22ede75b19fe355f5b621e Mon Sep 17 00:00:00 2001
From: Joe Lombrozo
Date: Mon, 23 Mar 2026 14:45:17 -0700
Subject: [PATCH 2/3] Supplement the new env vars with old makefile include
---
 .github/actions/deploy-setup/action.yml | 27 +++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
diff --git a/.github/actions/deploy-setup/action.yml b/.github/actions/deploy-setup/action.yml
index efa0e6655f..7d55add51c 100644
--- a/.github/actions/deploy-setup/action.yml
+++ b/.github/actions/deploy-setup/action.yml
@@ -15,6 +15,33 @@ inputs:
 runs:
 using: "composite"
 steps:
+ - name: Pull infisical secrets into temporary file
+ uses: Infisical/secrets-action@v1.0.9
+ with:
+ method: "oidc"
+ identity-id: ${{ inputs.infisical_machine_identity_id }}
+ project-slug: "infra-deployment"
+ env-slug: ${{ inputs.environment }}
+ export-type: "file"
+ file-output-path: "/.env.infisical"
+
+ - name: Transform infisical secrets into make include file, load a few as environment variables
+ id: load-env
+ run: |
+ echo ${{ inputs.environment }} > .last_used_env
+ cat .env.infisical | sed "s/='\(.*\)'$/=\1/g" > .env.${{ inputs.environment }}
+
+ # Load environment variables from .env
+ set -a
+ . .env.${{ inputs.environment }}
+ set +a
+
+ echo "GCP_REGION=${GCP_REGION}" >> $GITHUB_ENV
+ echo "GCP_PROJECT_ID=${GCP_PROJECT_ID}" >> $GITHUB_ENV
+ echo "TERRAFORM_STATE_BUCKET=${TERRAFORM_STATE_BUCKET}" >> $GITHUB_ENV
+ echo "GH_WORKLOAD_IDENTITY_PROVIDER=${GH_WORKLOAD_IDENTITY_PROVIDER}" >> $GITHUB_ENV
+ shell: bash
+
 - name: Load environment variables from Infisical
 uses: Infisical/secrets-action@v1.0.15
 with:
From c7fb9d6a0d705678d89c0eb83ae36f75249df6b4 Mon Sep 17 00:00:00 2001
From: Joe Lombrozo
Date: Mon, 23 Mar 2026 15:08:58 -0700
Subject: [PATCH 3/3] keep the versions consistent
---
 .github/actions/deploy-setup/action.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/actions/deploy-setup/action.yml b/.github/actions/deploy-setup/action.yml
index 7d55add51c..68ea988f9c 100644
--- a/.github/actions/deploy-setup/action.yml
+++ b/.github/actions/deploy-setup/action.yml
@@ -16,7 +16,7 @@ runs:
 using: "composite"
 steps:
 - name: Pull infisical secrets into temporary file
- uses: Infisical/secrets-action@v1.0.9
+ uses: Infisical/secrets-action@v1.0.15
 with:
 method: "oidc"
 identity-id: ${{ inputs.infisical_machine_identity_id }}
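Review bot: `Pull infisical secrets into temporary file` writes the `infra-deployment` secrets in plain text to `.env.infisical` and the next step rewrites them into `.env.${{ inputs.environment }}`, but nothing in the hunk deletes either file, so they stay in the workspace for the rest of the job and, on a persistent self-hosted runner (the `ci-builder` label in `build-and-upload-job.yml` may be one; confirm), until the workspace is next cleaned. Since the make include file is meant to outlive this action, the cleanup belongs at the end of each calling workflow, e.g. `- name: Remove Infisical secret files` / `if: always()` / `run: rm -f .env.infisical .env.${{ inputs.environment }}`; without it the word `temporary` in the step name is misleading. The `sed` that strips the single quotes, followed by `set -a` and `. .env.${{ inputs.environment }}`, runs every value through the shell, so a secret containing a space, `$`, or a quote is truncated or expanded instead of loaded verbatim; keep the quoting the action emits or parse the file without sourcing it. `echo ${{ inputs.environment }} > .last_used_env` also interpolates the input straight into the script; passing it through an `env:` entry and writing `"$ENVIRONMENT"` is the usual hardening. The action's `runs.steps` sequence continues past the hunk.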