Merge pull request #3696 from grafana/vldmr/update-help-repo-vault-secrets

Allow update-helm-repo workflow to retrieve app secrets from Vault

Author: narqo

.github/workflows/update-helm-repo.yaml

@@ -30,6 +30,9 @@ on:
       github_app_pem:
         description: GitHub APP pem to authenticate with
         required: false
+      vault_repo_secret_name:
+        description: Vault secret name that holds repository's GitHub App credentials to authenticate with
+        required: false
       helm_repo_token:
         description: GitHub api token to use against the helm-charts repository
         required: false
@@ -96,26 +99,41 @@ jobs:
     needs: [setup]
     runs-on: ubuntu-latest
     permissions:
+      id-token: write # allows GitHub App to generate id-token from Github's OIDC
       contents: write # allows GITHUB_TOKEN to push chart release, create release, and push tags to github
       packages: write # allows GITHUB_TOKEN to push package to ghcr
     env:
-      github_app_id: ${{ secrets.github_app_id }}
+      # APP_ID and PRIVATE_KEY are overwritten by credentials from vault, if configured
+      GITHUB_APP_ID: ${{ secrets.github_app_id }}
+      PRIVATE_KEY: ${{ secrets.github_app_pem }}
+      VAULT_REPO_SECRET_NAME: ${{ secrets.vault_repo_secret_name }}
     if: needs.setup.outputs.changed == 'true'
     steps:
-      - name: Create a GitHub App installation access token
-        if: env.github_app_id != ''
-        uses: tibdex/github-app-token@3beb63f4bd073e61482598c45c71c1019b59b73a # v2.1.0
+      - name: Retrieve GitHub App credentials from Vault
+        if: env.VAULT_REPO_SECRET_NAME != ''
+        id: get-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@28361cdb22223e5f1e34358c86c20908e7248760 # v1.1.0
+        with:
+          repo_secrets: |
+            GITHUB_APP_ID=${{ env.VAULT_REPO_SECRET_NAME }}:app-id
+            PRIVATE_KEY=${{ env.VAULT_REPO_SECRET_NAME }}:private-key
+
+      - name: Generate GitHub App Token
+        if: env.GITHUB_APP_ID != ''
         id: app-token
+        uses: actions/create-github-app-token@v1
         with:
-          app_id: ${{ env.github_app_id }}
-          private_key: ${{ secrets.github_app_pem }}
+          # Variables generated by the previous step get-secrets
+          app-id: ${{ env.GITHUB_APP_ID }}
+          private-key: ${{ env.PRIVATE_KEY }}
+          owner: ${{ github.repository_owner }}
 
       - name: Set the correct token (Github App or PAT)
         env:
           HELM_REPO_TOKEN: ${{ secrets.helm_repo_token }}
           APP_TOKEN: ${{ steps.app-token.outputs.token }}
         run: |
-          if [[ "${github_app_id}" == '' ]]; then
+          if [[ "${GITHUB_APP_ID}" == '' ]]; then
             echo "AUTHTOKEN=${HELM_REPO_TOKEN}" >> $GITHUB_ENV
           else
             echo "AUTHTOKEN=${APP_TOKEN}" >> $GITHUB_ENV