build: Transition from GH secrets to Vault

Signed-off-by: Paulo Gomes <[email protected]>
rancher · Jul 22, 2024 · b1a5b2a · b1a5b2a
1 parent 169447b
commit b1a5b2a
Showing 1 changed file with 26 additions and 10 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -7,6 +7,7 @@ on:
 
 permissions:
   contents: write # Upload artefacts to release.
+  id-token: write # required by read-vault-secrets.
 
 jobs:
   build:
@@ -20,21 +21,36 @@ jobs:
       with:
         go-version: 'stable'
 
+    - name: Load Secrets from Vault
+      uses: rancher-eio/read-vault-secrets@main
+      with:
+        secrets: |
+          secret/data/github/repo/${{ github.repository }}/testing-private-key/credentials privateKey | TESTING_PRIVATE_KEY ;
+          secret/data/github/repo/${{ github.repository }}/testing-private-key-pass-phrase/credentials token | TESTING_PRIVATE_KEY_PASS_PHRASE ;
+          secret/data/github/repo/${{ github.repository }}/testing-aws-s3-bucket/credentials token | TESTING_AWS_S3_BUCKET ;
+          secret/data/github/repo/${{ github.repository }}/testing-aws-access-key-id/credentials token | TESTING_AWS_ACCESS_KEY_ID ;
+          secret/data/github/repo/${{ github.repository }}/testing-aws-secret-access-key/credentials token | TESTING_AWS_SECRET_ACCESS_KEY ;
+          secret/data/github/repo/${{ github.repository }}/private-key/credentials privateKey | PRIVATE_KEY ;
+          secret/data/github/repo/${{ github.repository }}/private-key-pass-phrase/credentials token | PRIVATE_KEY_PASS_PHRASE ;
+          secret/data/github/repo/${{ github.repository }}/aws-s3-bucket/credentials token | PRODUCTION_AWS_S3_BUCKET ;
+          secret/data/github/repo/${{ github.repository }}/aws-access-key-id/credentials token | PRODUCTION_AWS_ACCESS_KEY_ID ;
+          secret/data/github/repo/${{ github.repository }}/aws-secret-access-key/credentials token | PRODUCTION_AWS_SECRET_ACCESS_KEY
+        
     - run: make build
       env:
-        PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }}
-        PRIVATE_KEY_PASS_PHRASE: ${{ secrets.PRIVATE_KEY_PASS_PHRASE }}
-        TESTING_PRIVATE_KEY: ${{ secrets.TESTING_PRIVATE_KEY }}
-        TESTING_PRIVATE_KEY_PASS_PHRASE: ${{ secrets.TESTING_PRIVATE_KEY_PASS_PHRASE }}
+        TESTING_PRIVATE_KEY: ${{ env.TESTING_PRIVATE_KEY }}
+        TESTING_PRIVATE_KEY_PASS_PHRASE: ${{ env.TESTING_PRIVATE_KEY_PASS_PHRASE }}
+        PRIVATE_KEY: ${{ env.PRIVATE_KEY }}
+        PRIVATE_KEY_PASS_PHRASE: ${{ env.PRIVATE_KEY_PASS_PHRASE }}
 
     - run: make upload
       env:
-        TESTING_AWS_ACCESS_KEY_ID: ${{ secrets.TESTING_AWS_ACCESS_KEY_ID }}
-        TESTING_AWS_SECRET_ACCESS_KEY: ${{ secrets.TESTING_AWS_SECRET_ACCESS_KEY }}
-        TESTING_AWS_S3_BUCKET: ${{ secrets.TESTING_AWS_S3_BUCKET }}
-        PRODUCTION_AWS_ACCESS_KEY_ID: ${{ secrets.PRODUCTION_AWS_ACCESS_KEY_ID }}
-        PRODUCTION_AWS_SECRET_ACCESS_KEY: ${{ secrets.PRODUCTION_AWS_SECRET_ACCESS_KEY }}
-        PRODUCTION_AWS_S3_BUCKET: ${{ secrets.PRODUCTION_AWS_S3_BUCKET }}
+        TESTING_AWS_ACCESS_KEY_ID: ${{ env.TESTING_AWS_ACCESS_KEY_ID }}
+        TESTING_AWS_SECRET_ACCESS_KEY: ${{ env.TESTING_AWS_SECRET_ACCESS_KEY }}
+        TESTING_AWS_S3_BUCKET: ${{ env.TESTING_AWS_S3_BUCKET }}
+        PRODUCTION_AWS_ACCESS_KEY_ID: ${{ env.PRODUCTION_AWS_ACCESS_KEY_ID }}
+        PRODUCTION_AWS_SECRET_ACCESS_KEY: ${{ env.PRODUCTION_AWS_SECRET_ACCESS_KEY }}
+        PRODUCTION_AWS_S3_BUCKET: ${{ env.PRODUCTION_AWS_S3_BUCKET }}
         AWS_EC2_METADATA_DISABLED: true
 
     - run: make upload-gh