feat: add GSM secret manager to workflows

Author: DerTiedemann

.github/workflows/_add-issue-ci.yaml

@@ -1,17 +1,30 @@
 name: Add opened issues to specific project board
-
 on:
-  issues:
-    types:
-      - opened
-
+    issues:
+        types:
+        - opened
 jobs:
-  add-issue-to-project:
-    name: Add issue to project board
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Add the issue to the project
-        uses: actions/add-to-project@v0.5.0
-        with:
-          project-url: https://github.com/orgs/bakdata/projects/7
-          github-token: ${{ secrets.GH_TOKEN }}
+    add-issue-to-project:
+        name: Add issue to project board
+        runs-on: ubuntu-22.04
+        steps:
+        -   name: Authenticate with GCloud
+            uses: google-github-actions/auth@v2
+            id: auth
+            with:
+                workload_identity_provider: ${{ secrets.GOOGLE_WORKLOAD_IDENTITY_PROVIDER }}
+                service_account: ${{ secrets.GOOGLE_SERVICE_ACCOUNT }}
+        -   name: Fetch secrets from GSM
+            id: fetch-secrets
+            uses: google-github-actions/get-secretmanager-secrets@v2
+            with:
+                secrets: GH_TOKEN:${{ secrets.GOOGLE_PROJECT_ID }}/GH_TOKEN
+                export_to_environment: 'true'
+        -   name: Add the issue to the project
+            uses: actions/add-to-project@v0.5.0
+            with:
+                project-url: https://github.com/orgs/bakdata/projects/7
+                github-token: ${{ env.GH_TOKEN }}
+permissions:
+    contents: read
+    id-token: write

.github/workflows/_release.yaml

@@ -1,25 +1,25 @@
 name: Release
-
 on:
-  workflow_dispatch:
-    inputs:
-      release-type:
-        description: "Scope of the release."
-        type: choice
-        required: true
-        default: patch
-        options:
-          - patch
-          - minor
-          - major
-
+    workflow_dispatch:
+        inputs:
+            release-type:
+                description: Scope of the release.
+                type: choice
+                required: true
+                default: patch
+                options:
+                - patch
+                - minor
+                - major
 jobs:
-  release:
-    name: Release
-    uses: bakdata/ci-templates/.github/workflows/bump-version-release.yaml@1.35.1
-    with:
-      release-type: "${{ github.event.inputs.release-type }}"
-    secrets:
-      github-username: "${{ secrets.GH_USERNAME }}"
-      github-email: "${{ secrets.GH_EMAIL }}"
-      github-token: "${{ secrets.GH_TOKEN }}"
+    release:
+        name: Release
+        uses: bakdata/ci-templates/.github/workflows/bump-version-release.yaml@tiedemann/use-gsm-secerts-in-workflow-calls
+        with:
+            release-type: ${{ github.event.inputs.release-type }}
+        secrets:
+            GOOGLE_WORKLOAD_IDENTITY_PROVIDER: ${{ secrets.GOOGLE_WORKLOAD_IDENTITY_PROVIDER }}
+            GOOGLE_SERVICE_ACCOUNT: ${{ secrets.GOOGLE_SERVICE_ACCOUNT }}
+permissions:
+    contents: read
+    id-token: write

.github/workflows/bump-version-release.yaml

@@ -1,101 +1,104 @@
 name: Bump Version Release
-# Reusable workflow for creating release tags using bumpversion
-
 on:
-  workflow_call:
-    inputs:
-      release-type:
-        description: "Scope of the release (major, minor or patch)."
-        required: true
-        type: string
-      changelog:
-        description: "Create changelog for release."
-        required: false
-        default: true
-        type: boolean
-      changelog-file:
-        description: Path to the changelog file in the GitHub repository
-        required: false
-        default: "CHANGELOG.md"
-        type: string
-      changelog-config:
-        description: "Changelog config path."
-        required: false
-        default: ""
-        type: string
-      working-directory:
-        description: "Working directory containing `.bumpversion.cfg`. (Default is .)"
-        required: false
-        default: "."
-        type: string
-
-    secrets:
-      github-username:
-        description: "The GitHub username for committing the changes."
-        required: true
-      github-email:
-        description: "The GitHub email for committing the changes."
-        required: true
-      github-token:
-        description: "The GitHub token for committing the changes."
-        required: true
-
-    # Map the workflow outputs to job outputs
-    outputs:
-      release-version:
-        description: "The bumped version."
-        value: ${{ jobs.release.outputs.release-version }}
-      old-version:
-        description: "The old version in your `.bumpversion.cfg` file."
-        value: ${{ jobs.release.outputs.old-version }}
-
+    workflow_call:
+        inputs:
+            release-type:
+                description: Scope of the release (major, minor or patch).
+                required: true
+                type: string
+            changelog:
+                description: Create changelog for release.
+                required: false
+                default: true
+                type: boolean
+            changelog-file:
+                description: Path to the changelog file in the GitHub repository
+                required: false
+                default: CHANGELOG.md
+                type: string
+            changelog-config:
+                description: Changelog config path.
+                required: false
+                default: ''
+                type: string
+            working-directory:
+                description: Working directory containing `.bumpversion.cfg`. (Default is .)
+                required: false
+                default: .
+                type: string
+        secrets:
+            GOOGLE_WORKLOAD_IDENTITY_PROVIDER:
+                description: The workload identity provider to use for fetching secrets
+                required: true
+            GOOGLE_SERVICE_ACCOUNT:
+                description: The service account to use to fetch the secrets
+                required: true
+        outputs:
+            release-version:
+                description: The bumped version.
+                value: ${{ jobs.release.outputs.release-version }}
+            old-version:
+                description: The old version in your `.bumpversion.cfg` file.
+                value: ${{ jobs.release.outputs.old-version }}
 jobs:
-  release:
-    runs-on: ubuntu-22.04
-    # Map the job outputs to step outputs
-    outputs:
-      release-version: ${{ steps.bump-version.outputs.release-version }}
-      old-version: ${{ steps.bump-version.outputs.old-version }}
-
-    steps:
-      - name: Check out repository
-        uses: bakdata/ci-templates/actions/checkout@1.49.0
-        with:
-          ref: ${{ github.event.repository.default_branch }}
-          persist-credentials: false # required for pushing to protected branch later
-          fetch-depth: 0 # required for changelog generation
-
-      - name: Bump version
-        id: bump-version
-        uses: bakdata/ci-templates/actions/bump-version@v1.21.2
-        with:
-          release-type: ${{ inputs.release-type }}
-          working-directory: ${{ inputs.working-directory }}
-
-      - name: Create changelog
-        id: build-changelog
-        uses: bakdata/ci-templates/actions/changelog-generate@1.52.1
-        if: ${{ inputs.changelog }}
-        with:
-          github-token: ${{ secrets.github-token }}
-          tag: ${{ steps.bump-version.outputs.release-version }}
-          changelog-file: ${{ inputs.changelog-file }}
-
-      - name: Commit and push changes including .bumpversion.cfg file
-        uses: bakdata/ci-templates/actions/commit-and-push@v1.6.0
-        with:
-          ref: ${{ github.event.repository.default_branch }}
-          commit-message: "Bump version ${{ steps.bump-version.outputs.old-version }} → ${{ steps.bump-version.outputs.release-version }}"
-          github-username: ${{ secrets.github-username }}
-          github-email: ${{ secrets.github-email }}
-          github-token: ${{ secrets.github-token }}
-
-      - name: Tag and release
-        uses: bakdata/ci-templates/actions/tag-and-release@v1.22.0
-        with:
-          tag: "${{ steps.bump-version.outputs.release-version }}"
-          github-username: ${{ secrets.github-username }}
-          github-email: ${{ secrets.github-email }}
-          github-token: ${{ secrets.github-token }}
-          release-title: "${{ steps.bump-version.outputs.release-version }}"
-          release-body: "${{ steps.build-changelog.outputs.single-changelog }}"
+    release:
+        runs-on: ubuntu-22.04
+        outputs:
+            release-version: ${{ steps.bump-version.outputs.release-version }}
+            old-version: ${{ steps.bump-version.outputs.old-version }}
+        steps:
+        -   name: Authenticate with GCloud
+            uses: google-github-actions/auth@v2
+            id: auth
+            with:
+                workload_identity_provider: ${{ secrets.GOOGLE_WORKLOAD_IDENTITY_PROVIDER }}
+                service_account: ${{ secrets.GOOGLE_SERVICE_ACCOUNT }}
+        -   name: Fetch secrets from GSM
+            id: fetch-secrets
+            uses: google-github-actions/get-secretmanager-secrets@v2
+            with:
+                secrets: |-
+                    github-email:${{ secrets.GOOGLE_PROJECT_ID }}/GH_EMAIL
+                    github-token:${{ secrets.GOOGLE_PROJECT_ID }}/GH_TOKEN
+                    github-username:${{ secrets.GOOGLE_PROJECT_ID }}/GH_USERNAME
+                export_to_environment: 'true'
+        -   name: Check out repository
+            uses: bakdata/ci-templates/actions/checkout@1.49.0
+            with:
+                ref: ${{ github.event.repository.default_branch }}
+                persist-credentials: false
+                fetch-depth: 0
+        -   name: Bump version
+            id: bump-version
+            uses: bakdata/ci-templates/actions/bump-version@v1.21.2
+            with:
+                release-type: ${{ inputs.release-type }}
+                working-directory: ${{ inputs.working-directory }}
+        -   name: Create changelog
+            id: build-changelog
+            uses: bakdata/ci-templates/actions/changelog-generate@1.52.1
+            if: ${{ inputs.changelog }}
+            with:
+                github-token: ${{ env.github-token }}
+                tag: ${{ steps.bump-version.outputs.release-version }}
+                changelog-file: ${{ inputs.changelog-file }}
+        -   name: Commit and push changes including .bumpversion.cfg file
+            uses: bakdata/ci-templates/actions/commit-and-push@v1.6.0
+            with:
+                ref: ${{ github.event.repository.default_branch }}
+                commit-message: "Bump version ${{ steps.bump-version.outputs.old-version }} \u2192 ${{ steps.bump-version.outputs.release-version }}"
+                github-username: ${{ env.github-username }}
+                github-email: ${{ env.github-email }}
+                github-token: ${{ env.github-token }}
+        -   name: Tag and release
+            uses: bakdata/ci-templates/actions/tag-and-release@v1.22.0
+            with:
+                tag: ${{ steps.bump-version.outputs.release-version }}
+                github-username: ${{ env.github-username }}
+                github-email: ${{ env.github-email }}
+                github-token: ${{ env.github-token }}
+                release-title: ${{ steps.bump-version.outputs.release-version }}
+                release-body: ${{ steps.build-changelog.outputs.single-changelog }}
+permissions:
+    contents: read
+    id-token: write