Use vault to generate token (#143)

kevinwcyu · web-flow · commit eda3754f9795 · 2025-05-05T11:45:39.000-07:00
diff --git a/.github/workflows/issue_commands.yml b/.github/workflows/issue_commands.yml
@@ -18,12 +18,19 @@ jobs:
           persist-credentials: false
       - name: Install Actions
         run: npm install --production --prefix ./actions
+      - name: Get secrets from vault
+        id: get-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main
+        with:
+          repo_secrets: |
+            AWS_DS_TOKEN_CREATOR_ID=aws-ds-token-creator:app_id
+            AWS_DS_TOKEN_CREATOR_PEM=aws-ds-token-creator:pem
       - name: 'Generate token'
         id: generate_token
         uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
         with:
-          app_id: ${{ secrets.AWS_DS_TOKEN_CREATOR_ID }}
-          private_key: ${{ secrets.AWS_DS_TOKEN_CREATOR_PEM }}
+          app_id: ${{ env.AWS_DS_TOKEN_CREATOR_ID }}
+          private_key: ${{ env.AWS_DS_TOKEN_CREATOR_PEM }}
       - name: Run Commands
         uses: ./actions/commands
         with:
diff --git a/.github/workflows/pr-commands.yml b/.github/workflows/pr-commands.yml
@@ -22,12 +22,19 @@ jobs:
           persist-credentials: false
       - name: Install Actions
         run: npm install --production --prefix ./actions
+      - name: Get secrets from vault
+        id: get-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main
+        with:
+          repo_secrets: |
+            AWS_DS_TOKEN_CREATOR_ID=aws-ds-token-creator:app_id
+            AWS_DS_TOKEN_CREATOR_PEM=aws-ds-token-creator:pem
       - name: 'Generate token'
         id: generate_token
         uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a
         with:
-          app_id: ${{ secrets.AWS_DS_TOKEN_CREATOR_ID }}
-          private_key: ${{ secrets.AWS_DS_TOKEN_CREATOR_PEM }}
+          app_id: ${{ env.AWS_DS_TOKEN_CREATOR_ID }}
+          private_key: ${{ env.AWS_DS_TOKEN_CREATOR_PEM }}
       - name: Run Commands
         uses: ./actions/commands
         with:
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
@@ -0,0 +1,7 @@
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        actions/*: any
+        github/*: any
+        grafana/*: any
