From b1a5b2a374cb550a68790d059bd17b554561d7c1 Mon Sep 17 00:00:00 2001
From: Paulo Gomes
Date: Mon, 22 Jul 2024 14:51:06 +0100
Subject: [PATCH] build: Transition from GH secrets to Vault
Signed-off-by: Paulo Gomes
---
 .github/workflows/release.yml | 36 +++++++++++++++++++++++++----------
 1 file changed, 26 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c3f8994..f64c56c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,6 +7,7 @@ on: permissions: contents: write # Upload artefacts to release. + id-token: write # required by read-vault-secrets. jobs: build: 
@@ -20,21 +21,36 @@ jobs: with: go-version: 'stable' + - name: Load Secrets from Vault + uses: rancher-eio/read-vault-secrets@main + with: + secrets: | + secret/data/github/repo/${{ github.repository }}/testing-private-key/credentials privateKey | TESTING_PRIVATE_KEY ; + secret/data/github/repo/${{ github.repository }}/testing-private-key-pass-phrase/credentials token | TESTING_PRIVATE_KEY_PASS_PHRASE ; + secret/data/github/repo/${{ github.repository }}/testing-aws-s3-bucket/credentials token | TESTING_AWS_S3_BUCKET ; + secret/data/github/repo/${{ github.repository }}/testing-aws-access-key-id/credentials token | TESTING_AWS_ACCESS_KEY_ID ; + secret/data/github/repo/${{ github.repository }}/testing-aws-secret-access-key/credentials token | TESTING_AWS_SECRET_ACCESS_KEY ; + secret/data/github/repo/${{ github.repository }}/private-key/credentials privateKey | PRIVATE_KEY ; + secret/data/github/repo/${{ github.repository }}/private-key-pass-phrase/credentials token | PRIVATE_KEY_PASS_PHRASE ; + secret/data/github/repo/${{ github.repository }}/aws-s3-bucket/credentials token | PRODUCTION_AWS_S3_BUCKET ; + secret/data/github/repo/${{ github.repository }}/aws-access-key-id/credentials token | PRODUCTION_AWS_ACCESS_KEY_ID ; + secret/data/github/repo/${{ github.repository }}/aws-secret-access-key/credentials token | PRODUCTION_AWS_SECRET_ACCESS_KEY + - run: make build env: - PRIVATE_KEY: ${{ secrets.PRIVATE_KEY }} - PRIVATE_KEY_PASS_PHRASE: ${{ secrets.PRIVATE_KEY_PASS_PHRASE }} - TESTING_PRIVATE_KEY: ${{ secrets.TESTING_PRIVATE_KEY }} - TESTING_PRIVATE_KEY_PASS_PHRASE: ${{ secrets.TESTING_PRIVATE_KEY_PASS_PHRASE }} + TESTING_PRIVATE_KEY: ${{ env.TESTING_PRIVATE_KEY }} + TESTING_PRIVATE_KEY_PASS_PHRASE: ${{ env.TESTING_PRIVATE_KEY_PASS_PHRASE }} + PRIVATE_KEY: ${{ env.PRIVATE_KEY }} + PRIVATE_KEY_PASS_PHRASE: ${{ env.PRIVATE_KEY_PASS_PHRASE }} - run: make upload env: - TESTING_AWS_ACCESS_KEY_ID: ${{ secrets.TESTING_AWS_ACCESS_KEY_ID }} - TESTING_AWS_SECRET_ACCESS_KEY: ${{ 
secrets.TESTING_AWS_SECRET_ACCESS_KEY }} - TESTING_AWS_S3_BUCKET: ${{ secrets.TESTING_AWS_S3_BUCKET }} - PRODUCTION_AWS_ACCESS_KEY_ID: ${{ secrets.PRODUCTION_AWS_ACCESS_KEY_ID }} - PRODUCTION_AWS_SECRET_ACCESS_KEY: ${{ secrets.PRODUCTION_AWS_SECRET_ACCESS_KEY }} - PRODUCTION_AWS_S3_BUCKET: ${{ secrets.PRODUCTION_AWS_S3_BUCKET }} + TESTING_AWS_ACCESS_KEY_ID: ${{ env.TESTING_AWS_ACCESS_KEY_ID }} + TESTING_AWS_SECRET_ACCESS_KEY: ${{ env.TESTING_AWS_SECRET_ACCESS_KEY }} + TESTING_AWS_S3_BUCKET: ${{ env.TESTING_AWS_S3_BUCKET }} + PRODUCTION_AWS_ACCESS_KEY_ID: ${{ env.PRODUCTION_AWS_ACCESS_KEY_ID }} + PRODUCTION_AWS_SECRET_ACCESS_KEY: ${{ env.PRODUCTION_AWS_SECRET_ACCESS_KEY }} + PRODUCTION_AWS_S3_BUCKET: ${{ env.PRODUCTION_AWS_S3_BUCKET }} AWS_EC2_METADATA_DISABLED: true - run: make upload-gh
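Review bot: `uses: rancher-eio/read-vault-secrets@main` in the new `Load Secrets from Vault` step pins a mutable branch for the one action that receives the job's OIDC token (the `id-token: write` added in the first hunk) and returns the production signing key and AWS credentials, so any change landing on that branch runs with access to those values on the next release; pin it to a full commit SHA with the version in a trailing comment, e.g. `uses: rancher-eio/read-vault-secrets@<full-commit-sha> # vX.Y` (placeholder — substitute the audited commit). The later steps read the values as `${{ env.PRIVATE_KEY }}` and friends, which implies the action exports them into the job environment; if so, the per-step `env:` remapping is redundant and, unlike the `secrets.*` references it replaces, the production key and AWS credentials are now present in every subsequent step's environment, including `make upload-gh` and anything after it (the step list may continue past the hunk). Values written to the job environment are also not automatically masked in logs the way `secrets.*` are unless the action registers each one with `::add-mask::`, which is worth confirming before relying on it. If the action allows it, consider loading the testing and production credential sets in separate steps, or separate jobs, so a test-only build never holds the production key.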