Create Centralized GitHub Action for Managing Secrets #7109

Closed
4 tasks done
sukeshreddyg opened this issue May 28, 2024 · 7 comments
Labels
code quality enhancement New feature or request github_actions Pull requests that update Github_actions code

Comments

@sukeshreddyg
Contributor

sukeshreddyg commented May 28, 2024

User Story

As a Modernisation Platform Engineer
I want to create a centralized GitHub Action in the github-actions repository to manage secrets
So that any updates or changes can be made in one place and easily utilized across multiple repositories.

Value / Purpose

  • Reduce the redundancy of defining secrets management workflows in each repository.
  • Simplify the process of updating the secrets management logic by centralizing it, thus ensuring all repositories use the latest version.
  • Ensure that all repositories have a consistent and secure method of handling secrets.

Useful Contacts

No response

Additional Information

  • Existing reusable workflow in the MP repo fetches secrets, encrypts them, declares them as outputs, and an action decrypts these secrets.

Reusable Workflow: https://github.com/ministryofjustice/modernisation-platform/blob/main/.github/workflows/secrets-retrieval.yml

Action to decrypt the secrets: https://github.com/ministryofjustice/modernisation-platform/blob/main/.github/actions/decrypt-secrets/action.yml

Proposal / Unknowns

  • Develop a new GitHub Action in the github-actions repository to manage secrets.
  • Deprecate the existing reusable workflow and action in the MP repo.
  • Update all repositories currently using the MP repo workflow to use the new centralized GitHub Action.

Definition of Done

  • The new GitHub Action is created in the github-actions repository and tested with the scheduled-baseline workflow.
  • Modify reusable workflow to use the new centralized action, ensuring that secrets are fetched from AWS Secrets Manager and managed in one place.
  • Validate that the new centralized action works as expected in modified workflows, including successful fetching, encrypting, declaring, and decrypting of secrets.
  • Raise a follow-up ticket to implement the new action on other workflows and across other repositories.
@SimonPPledger
Contributor

SimonPPledger commented Jun 6, 2024

This ticket is dependent on (#7108).

Contributor

github-actions bot commented Oct 3, 2024

This issue is stale because it has been open 90 days with no activity.

@sukeshreddyg
Contributor Author

As we agreed, we applied this feature to a couple of our workflows. We will monitor the modified workflows and gather feedback from the team. If everything is fine, we will implement it in all other workflows across all repositories and delete the GitHub secrets. Once that's done, we will document this feature.

@sukeshreddyg
Contributor Author

A follow-up ticket has been raised to implement the centralized secrets management action in other repositories managed by MP and update the remaining workflows in the MP repository.

@dms1981 dms1981 moved this from For Review to Done in Modernisation Platform Jan 22, 2025
@dms1981 dms1981 closed this as completed by moving to Done in Modernisation Platform Jan 22, 2025
@dms1981 dms1981 moved this from Done to For Review in Modernisation Platform Jan 22, 2025
@ASTRobinson
Contributor

Hey @sukeshreddyg, could you tick off the completed tasks in the Definition of Done? For example, has the documentation been done? Thanks.

@mikereiddigital
Contributor

Leaving the review until the DoD is confirmed as completed.

@ASTRobinson
Contributor

ASTRobinson commented Jan 28, 2025

The ticket has been reviewed according to the updated DoD; tasks have been completed and a follow-up ticket was raised to capture the rollout of the centralized GitHub action for managing secrets. Moving to done.

@ASTRobinson ASTRobinson moved this from For Review to Done in Modernisation Platform Jan 28, 2025
Projects
Status: Done
Development

No branches or pull requests

6 participants