From 922311da1ae4dd054143a9f171a6750e12732973 Mon Sep 17 00:00:00 2001
From: AlexDavidoiu
Date: Fri, 1 Dec 2023 15:40:30 +0200
Subject: [PATCH] [DEVX-3180] Use GSM Secrets from actions repo
---
 .github/workflows/handle-contribution.yml | 2 +-
 .github/workflows/release.yml | 2 +-
 gsm-secrets/README.md | 8 -----
 gsm-secrets/action.yml | 43 -----------------------
 4 files changed, 2 insertions(+), 53 deletions(-)
 delete mode 100644 gsm-secrets/README.md
 delete mode 100644 gsm-secrets/action.yml
diff --git a/.github/workflows/handle-contribution.yml b/.github/workflows/handle-contribution.yml
index 786915c..e7648ab 100644
--- a/.github/workflows/handle-contribution.yml
+++ b/.github/workflows/handle-contribution.yml
@@ -20,7 +20,7 @@ jobs:
 steps:
 - name: GSM Secrets
 id: secrets_manager
- uses: toptal/davinci-github-actions/gsm-secrets@master
+ uses: toptal/actions/gsm-secrets@master
 with:
 workload_identity_provider: ${{ secrets.IDENTITY_POOL }}
 service_account: ${{ secrets.SA_IDENTITY_POOL }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index fa47ebf..8198f28 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -28,7 +28,7 @@ jobs:
 - name: GSM Secrets
 id: secrets_manager
- uses: toptal/davinci-github-actions/gsm-secrets@master
+ uses: toptal/actions/gsm-secrets@master
 with:
 workload_identity_provider: ${{ secrets.IDENTITY_POOL }}
 service_account: ${{ secrets.SA_IDENTITY_POOL }}
diff --git a/gsm-secrets/README.md b/gsm-secrets/README.md
deleted file mode 100644
index 5c94064..0000000
--- a/gsm-secrets/README.md
+++ /dev/null
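Review bot: The new `uses: toptal/actions/gsm-secrets@master` line in the handle-contribution.yml hunk still tracks a mutable branch, and the release.yml hunk has the same line. The step is handed `secrets.IDENTITY_POOL` and `secrets.SA_IDENTITY_POOL` and returns Secret Manager values, so any push to `master` of the referenced repository changes the code that runs with those credentials. Because this patch also deletes the local `gsm-secrets/action.yml`, the action's source presumably no longer changes under this repository's own review. Pin both references to a reviewed full commit SHA, e.g. `uses: toptal/actions/gsm-secrets@<full-commit-sha>  # <release tag>` (placeholders), and let a dependency-update bot propose bumps. The `with:` block runs past the end of both hunks, so any further inputs are not visible here.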
@@ -1,8 +0,0 @@
-Action to get Google Secret Manager secrets. This action is based on google-github-actions/auth and google-github-actions/get-secretmanager-secrets, practically combining them and performing a cleanup afterwards.
-
-Unfortunately, due to the specifics of GHA implementation for composite actions, it is not possible to expose arbitrary outputs, so this action goes hand by hand with a [parser](../expose-json-outputs/README.md) that exposes a JSON string as outputs of a JS action, which is able to expose arbitrary outputs.
-
-> To prevent accidentally committing credentials please add these lines to .gitignore file:
-
- # Ignore generated credentials from google-github-actions/auth
- gha-creds-*.json
diff --git a/gsm-secrets/action.yml b/gsm-secrets/action.yml
deleted file mode 100644
index 4f0d479..0000000
--- a/gsm-secrets/action.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-name: 'Access Secrets from GSM'
-description: 'Access secrets from Google Secret Manager using WIF to authenticate to Google Cloud'
-inputs:
- # The name of the project where the secret is stored
- workload_identity_provider:
- description: 'The name of the project where the secret is stored'
- required: true
- # The name of the service account to use to access the secret
- service_account:
- description: 'The name of the service account to use to access the secret'
- required: true
- # The name of the secret to retrieve
- secrets_name:
- description: 'The name of the secrets to retrieve'
- required: true
-outputs:
- secrets:
- description: 'The secrets retrieved from GSM in JSON format'
- value: ${{ toJson(steps.get-secrets.outputs) }}
-runs:
- using: 'composite'
- steps:
- - name: Authenticate to Google Cloud using WIF
- uses: google-github-actions/auth@v1
- with:
- workload_identity_provider: ${{ inputs.workload_identity_provider }}
- service_account: ${{ inputs.service_account }}
-
- - name: Get the secrets from GSM
- id: get-secrets
- uses: google-github-actions/get-secretmanager-secrets@v1
- with:
- secrets: ${{ inputs.secrets_name }}
-
- - name: Remove gha-cred file content
- shell: bash
- run: |-
- echo -n "" > "${GOOGLE_GHA_CREDS_PATH}"
-
- - name: unset GOOGLE_APPLICATION_CREDENTIALS
- shell: bash
- run: |-
- echo "GOOGLE_APPLICATION_CREDENTIALS=" >> $GITHUB_ENV