forked from cmancone/akeyless-action
-
Notifications
You must be signed in to change notification settings - Fork 4
149 lines (129 loc) · 5.25 KB
/
dynamic-github.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
name: 'GitHub Dynamic Secrets'
# Docs => https://docs.akeyless.io/docs/github-dynamic-secret
on:
workflow_dispatch:
push:
branches:
- main
paths:
- 'src/**/*'
- 'package.json'
- 'package-lock.json'
- '.github/workflows/dynamic-github.yml'
jobs:
##############################
########## Option 1 ##########
##############################
# - Uses default behavior
# The response from Akeyless is kept in it's original JSON string. It is then your responsibility to correctly parse it.
github_dynamic_secrets:
runs-on: ubuntu-latest
name: GitHub dynamic secrets (default)
permissions:
id-token: write
contents: read
steps:
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Fetch dynamic secret from Akleyless
id: fetch-secrets
uses: ./
with:
access-id: ${{ secrets.AKEYLESS_ACCESS_ID }}
dynamic-secrets: '{"/DevTools/github-secrets":"github_dynamic_secret"}'
- name: Verify Job Outputs using jq
run: |
echo "Your job output secret is ${{ steps.fetch-secrets.outputs.github_dynamic_secret }}"
echo "Manually parsed ID:"
echo '${{ steps.fetch-secrets.outputs.github_dynamic_secret }}' | jq '.id'
echo "Manually parsed TOKEN:"
echo '${{ steps.fetch-secrets.outputs.github_dynamic_secret }}' | jq '.token'
echo "Manually parsed TTL_IN_MINUTES:"
echo '${{ steps.fetch-secrets.outputs.github_dynamic_secret }}' | jq '.ttl_in_minutes'
- name: Verify Environment Variables using jq
run: |
echo "Your environment secret is ${{ env.github_dynamic_secret }}"
echo "Manually parsed ID:"
echo '${{ env.github_dynamic_secret }}' | jq '.id'
echo "Manually parsed TOKEN:"
echo '${{ env.github_dynamic_secret }}' | jq '.token'
echo "Manually parsed TTL_IN_MINUTES:"
echo '${{ env.github_dynamic_secret }}' | jq '.ttl_in_minutes'
# Extra 1 & 2 Another way to get the secret values is to use jq and export them to custom env vars directly
- name: EXTRA (part 1) - Export Secrets to Environment using jq
run: |
echo '${{ steps.fetch-secrets.outputs.github_dynamic_secret }}' | jq -r 'to_entries|map("AKEYLESS_GITHUB_\(.key|ascii_upcase)=\(.value|tostring)")|.[]' >> $GITHUB_ENV
- name: EXTRA (part 2) - Verify EXTRA 1's Exported Variables
run: |
echo "id: ${{ env.AKEYLESS_GITHUB_ID }}"
echo "token: ${{ env.AKEYLESS_GITHUB_TOKEN }}"
echo "ttl_in_minutes: ${{ env.AKEYLESS_GITHUB_TTL_IN_MINUTES }}"
##############################
########## Option 2 ##########
##############################
# - Uses 'parse-dynamic-secrets: true'
# This will automatically parse the JSON string into individual outputs
github_dynamic_secrets_parsed:
runs-on: ubuntu-latest
name: GitHub dynamic secrets (parsed)
permissions:
id-token: write
contents: read
steps:
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Fetch dynamic secret from Akleyless
id: fetch-secrets
uses: ./
with:
access-id: ${{ secrets.AKEYLESS_ACCESS_ID }}
dynamic-secrets: '{"/DevTools/github-secrets":""}' #no prefix, all output fields are dynamically parsed from source
parse-dynamic-secrets: true
- name: Verify Job Outputs (to known field names, pre-parsed)
run: |
echo "ID: ${{ steps.fetch-secrets.outputs.id }}"
echo "TOKEN: ${{ steps.fetch-secrets.outputs.token }}"
echo "TTL_IN_MINUTES: ${{ steps.fetch-secrets.outputs.ttl_in_minutes }}"
- name: Verify Environment Variables (to known field names, pre-parsed)
run: |
echo "ID: ${{ env.id }}"
echo "TOKEN: ${{ env.token }}"
echo "TTL_IN_MINUTES: ${{ env.ttl_in_minutes }}"
##############################
########## Option 3 ##########
##############################
# - Uses 'parse-dynamic-secrets: true'
# - Uses 'GH' as a prefix to the output names
# This is the same as Option 2, but with a known prefix to help avoid conflicts with other variable names
github_dynamic_secrets_prefixed:
runs-on: ubuntu-latest
name: GitHub dynamic secrets (parsed with prefix)
permissions:
id-token: write
contents: read
steps:
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
- name: Fetch dynamic secret from Akleyless
id: fetch-secrets
uses: ./
with:
access-id: ${{ secrets.AKEYLESS_ACCESS_ID }}
dynamic-secrets: '{"/DevTools/github-secrets":"GH"}' #applies "GH_" prefix to dynamically parsed output names
parse-dynamic-secrets: true
- name: Verify Job Outputs (to known field names, pre-parsed with prefix)
run: |
echo "ID: ${{ steps.fetch-secrets.outputs.GH_id }}"
echo "TOKEN: ${{ steps.fetch-secrets.outputs.GH_token }}"
echo "TTL_IN_MINUTES: ${{ steps.fetch-secrets.outputs.GH_ttl_in_minutes }}"
- name: Verify Environment Variables (to known field names, pre-parsed with prefix)
run: |
echo "ID: ${{ env.GH_id }}"
echo "TOKEN: ${{ env.GH_token }}"
echo "TTL_IN_MINUTES: ${{ env.GH_ttl_in_minutes }}"