Use GitHub org secrets directly, drop KMS dependency for CI

hanzo-dev · hanzo-dev · commit a1ccba178f5c · 2026-02-27T09:10:31.000-08:00
KMS database was reset — machine identities gone. Use org-level
GitHub secrets (DOCKERHUB_*, DIGITALOCEAN_ACCESS_TOKEN) directly
instead of fetching through KMS at build time. Simpler and more
reliable.
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -19,49 +19,6 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - name: Fetch CI secrets from Hanzo KMS
-        id: kms
-        env:
-          KMS_CLIENT_ID: ${{ secrets.KMS_CLIENT_ID }}
-          KMS_CLIENT_SECRET: ${{ secrets.KMS_CLIENT_SECRET }}
-        run: |
-          set -euo pipefail
-          KMS_URL="${KMS_URL:-https://kms.hanzo.ai}"
-
-          retry() {
-            local n=0
-            until [ $n -ge 5 ]; do
-              "$@" && return 0
-              n=$((n+1)); echo "::warning::Retry $n/5..." >&2; sleep $((n*5))
-            done
-            return 1
-          }
-
-          kms_login() {
-            curl -fsS -X POST "${KMS_URL}/api/v1/auth/universal-auth/login" \
-              -H "Content-Type: application/json" \
-              -d "$(jq -nc --arg cid "$KMS_CLIENT_ID" --arg cs "$KMS_CLIENT_SECRET" \
-                    '{clientId: $cid, clientSecret: $cs}')" \
-            | jq -re '.accessToken'
-          }
-
-          ACCESS_TOKEN="$(retry kms_login)"
-          [ -n "${ACCESS_TOKEN}" ] && [ "${ACCESS_TOKEN}" != "null" ] || {
-            echo "::error::Failed to authenticate to Hanzo KMS"; exit 1; }
-
-          fetch_secret() {
-            curl -fsS "${KMS_URL}/api/v3/secrets/raw/${1}?workspaceSlug=gitops&environment=prod&secretPath=/ci&viewSecretValue=true&include_imports=true" \
-              -H "Authorization: Bearer ${ACCESS_TOKEN}" \
-            | jq -re '.secret.secretValue'
-          }
-
-          for name in DOCKERHUB_USERNAME DOCKERHUB_TOKEN DIGITALOCEAN_ACCESS_TOKEN; do
-            val="$(retry fetch_secret "$name")"
-            [ -n "$val" ] && [ "$val" != "null" ] || { echo "::error::Missing KMS secret $name"; exit 1; }
-            echo "::add-mask::${val}"
-            echo "${name}=${val}" >> "$GITHUB_OUTPUT"
-          done
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
@@ -77,8 +34,8 @@ jobs:
         continue-on-error: true
         with:
           registry: docker.io
-          username: ${{ steps.kms.outputs.DOCKERHUB_USERNAME }}
-          password: ${{ steps.kms.outputs.DOCKERHUB_TOKEN }}
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Image metadata
         id: meta
@@ -112,51 +69,10 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - name: Fetch secrets from Hanzo KMS
-        id: kms
-        env:
-          KMS_CLIENT_ID: ${{ secrets.KMS_CLIENT_ID }}
-          KMS_CLIENT_SECRET: ${{ secrets.KMS_CLIENT_SECRET }}
-        run: |
-          set -euo pipefail
-          KMS_URL="${KMS_URL:-https://kms.hanzo.ai}"
-
-          retry() {
-            local n=0
-            until [ $n -ge 5 ]; do
-              "$@" && return 0
-              n=$((n+1)); echo "::warning::Retry $n/5..." >&2; sleep $((n*5))
-            done
-            return 1
-          }
-
-          kms_login() {
-            curl -fsS -X POST "${KMS_URL}/api/v1/auth/universal-auth/login" \
-              -H "Content-Type: application/json" \
-              -d "$(jq -nc --arg cid "$KMS_CLIENT_ID" --arg cs "$KMS_CLIENT_SECRET" \
-                    '{clientId: $cid, clientSecret: $cs}')" \
-            | jq -re '.accessToken'
-          }
-
-          ACCESS_TOKEN="$(retry kms_login)"
-          [ -n "${ACCESS_TOKEN}" ] && [ "${ACCESS_TOKEN}" != "null" ] || {
-            echo "::error::Failed to authenticate to Hanzo KMS"; exit 1; }
-
-          fetch_do_token() {
-            curl -fsS "${KMS_URL}/api/v3/secrets/raw/DIGITALOCEAN_ACCESS_TOKEN?workspaceSlug=gitops&environment=prod&secretPath=/ci&viewSecretValue=true&include_imports=true" \
-              -H "Authorization: Bearer ${ACCESS_TOKEN}" \
-            | jq -re '.secret.secretValue'
-          }
-
-          val="$(retry fetch_do_token)"
-          [ -n "$val" ] && [ "$val" != "null" ] || { echo "::error::Missing KMS secret DIGITALOCEAN_ACCESS_TOKEN"; exit 1; }
-          echo "::add-mask::${val}"
-          echo "DIGITALOCEAN_ACCESS_TOKEN=${val}" >> "$GITHUB_OUTPUT"
-
       - name: Install doctl
         uses: digitalocean/action-doctl@v2
         with:
-          token: ${{ steps.kms.outputs.DIGITALOCEAN_ACCESS_TOKEN }}
+          token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
 
       - name: Configure kubectl (hanzo-k8s)
         run: doctl kubernetes cluster kubeconfig save hanzo-k8s
