Improve infisical workflow

.github/actions/deploy-setup/action.yml

@@ -4,30 +4,28 @@ inputs:
   environment:
     description: "Target environment for deployment, e.g. staging"
     required: true
-  infisical_client_id:
-    description: "Infisical client ID for accessing secrets"
-    required: true
-  infisical_client_secret:
-    description: "Infisical client secret for accessing secrets"
-    required: true
   install_gcloud:
     description: "Whether to install the gcloud CLI (needed for gsutil/docker auth)"
     required: false
     default: "false"
+  infisical_machine_identity_id:
+    description: "Infisical machine identity ID for accessing secrets"
+    required: true
 
 runs:
   using: "composite"
   steps:
-    - uses: Infisical/secrets-action@v1.0.9
+    - name: Pull infisical secrets into temporary file
+      uses: Infisical/secrets-action@v1.0.9
       with:
-        client-id: ${{ inputs.infisical_client_id }}
-        client-secret: ${{ inputs.infisical_client_secret }}
-        env-slug: ${{ inputs.environment }}
+        method: "oidc"
+        identity-id: ${{ inputs.infisical_machine_identity_id }}
         project-slug: "infra-deployment"
+        env-slug: ${{ inputs.environment }}
         export-type: "file"
         file-output-path: "/.env.infisical"
 
-    - name: Load Environment Variables
+    - name: Transform infisical secrets into make include file, load a few as environment variables
       id: load-env
       run: |
         echo ${{ inputs.environment }} > .last_used_env
@@ -44,6 +42,15 @@ runs:
         echo "GH_WORKLOAD_IDENTITY_PROVIDER=${GH_WORKLOAD_IDENTITY_PROVIDER}" >> $GITHUB_ENV
       shell: bash
 
+    - name: Load environment variables from Infisical
+      uses: Infisical/secrets-action@v1.0.15
+      with:
+        method: "oidc"
+        identity-id: ${{ inputs.infisical_machine_identity_id }}
+        project-slug: "infra-deployment-env"
+        env-slug: ${{ inputs.environment }}
+        export-type: "env"
+
     - name: Setup Service Account
       uses: google-github-actions/auth@v2
       with:

.github/workflows/build-and-upload-job.yml

@@ -31,6 +31,7 @@ jobs:
   deploy:
     name: Build and upload job to the ${{ inputs.environment }} environment
     runs-on: ci-builder
+    environment: ${{ inputs.environment }}
     permissions:
       contents: read
       id-token: write
@@ -45,9 +46,8 @@ jobs:
         uses: ./.github/actions/deploy-setup
         with:
           environment: ${{ inputs.environment }}
-          infisical_client_id: ${{ secrets.INFISICAL_CLIENT_ID }}
-          infisical_client_secret: ${{ secrets.INFISICAL_CLIENT_SECRET }}
           install_gcloud: "true"
+          infisical_machine_identity_id: ${{ vars.INFISICAL_MACHINE_IDENTITY_ID }}
 
       - name: Set up Docker
         env:

.github/workflows/deploy-infra.yml

@@ -29,6 +29,7 @@ jobs:
   deploy:
     name: Deploy Infra to the ${{ inputs.environment }} environment
     runs-on: ubuntu-22.04
+    environment: ${{ inputs.environment }}
     permissions:
       contents: read
       id-token: write
@@ -43,9 +44,8 @@ jobs:
         uses: ./.github/actions/deploy-setup
         with:
           environment: ${{ inputs.environment }}
-          infisical_client_id: ${{ secrets.INFISICAL_CLIENT_ID }}
-          infisical_client_secret: ${{ secrets.INFISICAL_CLIENT_SECRET }}
           install_gcloud: "true"
+          infisical_machine_identity_id: ${{ vars.INFISICAL_MACHINE_IDENTITY_ID }}
 
       - name: Run Terraform state migrations
         if: inputs.plan_only == 'false'

.github/workflows/deploy-job.yml

@@ -32,6 +32,7 @@ jobs:
   deploy:
     name: Deploy job to the ${{ inputs.environment }} environment
     runs-on: ubuntu-22.04
+    environment: ${{ inputs.environment }}
     permissions:
       contents: read
       id-token: write
@@ -46,8 +47,7 @@ jobs:
         uses: ./.github/actions/deploy-setup
         with:
           environment: ${{ inputs.environment }}
-          infisical_client_id: ${{ secrets.INFISICAL_CLIENT_ID }}
-          infisical_client_secret: ${{ secrets.INFISICAL_CLIENT_SECRET }}
+          infisical_machine_identity_id: ${{ vars.INFISICAL_MACHINE_IDENTITY_ID }}
 
       - name: Run Terraform state migrations
         if: inputs.plan_only == 'false'