chore: read tokens from Akeyeless

2023-05-12 12:09:12 +03:00 · 2023-05-12 12:09:12 +03:00 · 184255e725
--- a/.github/workflows/merge_develop.yml
+++ b/.github/workflows/merge_develop.yml
@ -11,18 +11,28 @@ on:
  workflow_dispatch:

 jobs:
-
  merge:
-
    runs-on: ubuntu-latest

+    permissions:
+        id-token: write # Required by Akeyless
+        contents: read
+        packages: read
+
    steps:
+      - name: Import Secrets
+        id: import-secrets
+        uses: LanceMcCarthy/akeyless-action@v3
+        with:
+          access-id: ${{ secrets.GH_AKEYLESS_ACCESS_ID }}
+          static-secrets: '{ "/WebComponents/prod/tokens/GH_TOKEN": "GH_TOKEN" }'
+          export-secrets-to-environment: false

      - name: Checkout
        uses: actions/checkout@v2
        with:
          ref: master
-          token: ${{ secrets.GH_TOKEN }}
+          token: ${{ steps.import-secrets.outputs.GH_TOKEN }}

      - name: Merge develop to master
        run: |
--- a/.github/workflows/release_nightly.yml
+++ b/.github/workflows/release_nightly.yml
@ -13,18 +13,32 @@ on:
  workflow_dispatch:

 jobs:
-
  release-nightly:
-
    runs-on: ubuntu-latest

+    permissions:
+        id-token: write # Required by Akeyless
+        contents: read
+        packages: read
+
    steps:
+      - name: Import Secrets
+        id: import-secrets
+        uses: LanceMcCarthy/akeyless-action@v3
+        with:
+          access-id: ${{ secrets.GH_AKEYLESS_ACCESS_ID }}
+          static-secrets: |
+            {
+              "/WebComponents/prod/tokens/GH_TOKEN": "GH_TOKEN",
+              "/WebComponents/prod/tokens/PROGRESS_NPM_REGISTRY_TOKEN": "NPM_TOKEN"
+            }
+          export-secrets-to-environment: false

      - name: Checkout branch
        uses: actions/checkout@v2
        with:
          ref: develop
-          token: ${{ secrets.GH_TOKEN }}
+          token: ${{ steps.import-secrets.outputs.GH_TOKEN }}

      - name: Setup git
        run: |
@ -48,5 +62,5 @@ jobs:
      - name: Publish
        run: npx semantic-release --nightly
        env:
-          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.import-secrets.outputs.GH_TOKEN }}
+          NPM_TOKEN: ${{ steps.import-secrets.outputs.NPM_TOKEN }}
--- a/.github/workflows/release_stable.yml
+++ b/.github/workflows/release_stable.yml
@ -9,16 +9,31 @@ on: [workflow_dispatch]
 jobs:

  release-stable:
-
    runs-on: ubuntu-latest

+    permissions:
+        id-token: write # Required by Akeyless
+        contents: read
+        packages: read
+
    steps:
+      - name: Import Secrets
+        id: import-secrets
+        uses: LanceMcCarthy/akeyless-action@v3
+        with:
+          access-id: ${{ secrets.GH_AKEYLESS_ACCESS_ID }}
+          static-secrets: |
+            {
+              "/WebComponents/prod/tokens/GH_TOKEN": "GH_TOKEN",
+              "/WebComponents/prod/tokens/PROGRESS_NPM_REGISTRY_TOKEN": "NPM_TOKEN"
+            }
+          export-secrets-to-environment: false

      - name: Checkout branch
        uses: actions/checkout@v2
        with:
          ref: master
-          token: ${{ secrets.GH_TOKEN }}
+          token: ${{ steps.import-secrets.outputs.GH_TOKEN }}

      - name: Setup git
        run: |
@ -48,11 +63,11 @@ jobs:
      - name: Publish
        run: npx semantic-release
        env:
-          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.import-secrets.outputs.GH_TOKEN }}
+          NPM_TOKEN: ${{ steps.import-secrets.outputs.NPM_TOKEN }}

      - name: Update develop
        run: |
          git push origin master:develop --quiet > /dev/null 2>&1
        env:
-          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.import-secrets.outputs.GH_TOKEN }}