[ACC-585] Verify vault secrets workflow (#14)
* First draft of a shared github action to verify vault secrets

* JS-based action to verify vault secrets

* move vault_token dep to secrets

* Fix require

* Debugging

* more debugging

* checking out action repo in parallel

* npm installing

* small fix

* Progress - processing inputs

* add new inputs to action yaml

* Trying to pull PR changes using Octokit

* debugging

* debugging

* trying to use better REST api dep

* Trying to fix auth for github API

* fixes

* fixes

* debugging

* trying to fix regex

* debugging inputs

* debugging

* debugging

* Fix inputs

* Incorporating updated approach to retrieve Vault tokens

* Try a different runner

* syntax fix

* revert change to runner

* trying to fix env var issue

* try a different runner

* debugging

* Trying to fix permissions issue

* debugging

* debugging

* debugging

* Progress, but still debugging

* debugging

* debugging

* debugging

* Use vault github action to retrieve keys

* Fixes

* debugging

* debugging

* fix

* dealing with outputs

* debugging

* debugging

* debugging

* using artifacts to pass keys output

* fix keys pull step

* adjust downloading of keys artifacts

* Download all edge-env keys by wildcard

* Trying to parse keys and feed to JS action

* merging downloaded artifacts

* fix keys path

* Cleaning up - trying to fix output formatting

* Debugging

* Debugging

* Debugging

* debug

* debugging

* Actually fail on missing env vars

* Add logic to ignore specified environment variables

* reformatting

* tweaking

* tweaking

* Fix

* Reworking some JS, tests

* small fix

* add CI script

* set correct working directory for CI

* Try a different approach to identifying environment variables

* Regex update to find fetch_env, fetch_env! and get_env

* change the branch for JS checkout to the master branch

* formatting fix
Conor-TS authored May 1, 2024
1 parent 6366458 commit 972e724
Showing 7 changed files with 4,612 additions and 0 deletions.
30 changes: 30 additions & 0 deletions .github/workflows/ci.yaml
@@ -0,0 +1,30 @@
name: Run Jest Tests

on:
pull_request:
types: [opened, reopened, synchronize]
push:
branches:
- master

jobs:
test:
runs-on: ubuntu-latest
defaults:
run:
working-directory: ./.github/workflows/verify-vault-secrets

steps:
- name: Checkout repository
uses: actions/checkout@v4

- name: Set up Node.js
uses: actions/setup-node@v4
with:
node-version: 18

- name: Install dependencies
run: npm install

- name: Run Jest tests
run: npm test
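Review bot: the `run: npm install` step installs from package.json ranges rather than the lockfile, so CI can resolve different transitive versions than the ones that were tested; use `npm ci` in this step so the install is pinned to package-lock.json and fails loudly when the lockfile and manifest disagree.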
112 changes: 112 additions & 0 deletions .github/workflows/verify-vault-secrets.yaml
@@ -0,0 +1,112 @@
name: Verify Vault Secrets Elixir

on:
workflow_call:
inputs:
service:
required: true
type: string
edges:
required: true
type: string
path_suffixes:
required: true
type: string
environments:
required: false
type: string
default: "['staging','demo','uat','audit1','ps','production']"
ignored_keys:
required: false
type: string
default: ""
vault_addr_prod:
required: false
type: string
default: "https://vault.prod.thescore.is"
vault_addr_non_prod:
required: false
type: string
default: "https://vault.non-prod.thescore.is"

jobs:
retrieve-vault-secret-keys:
runs-on: non-prod-scorebet-org-runner
permissions:
contents: read
id-token: write
strategy:
matrix:
env: ${{ fromJSON(inputs.environments) }}
edge: ${{ fromJSON(inputs.edges) }}
suffix: ${{ fromJSON(inputs.path_suffixes) }}
steps:
- name: Get Vault Keys
id: vault-keys
uses: hashicorp/vault-action@v3
with:
method: jwt
path: github-actions
url: ${{ matrix.env == 'production' && 'https://vault.prod.thescore.is' || 'https://vault.non-prod.thescore.is' }}
role: identity
exportToken: true
secrets: |
scorebet/subkeys/identity/${{ matrix.env }}/${{ matrix.edge }}/${{ matrix.suffix }} subkeys ;
- name: Set Output
id: vault-keys-output
shell: bash
run: |
echo ${{ toJson(steps.vault-keys.outputs.subkeys) }} >> ./${{ matrix.env }}-${{ matrix.edge }}-${{ matrix.suffix }}-keys.json
- name: Upload output artifact
id: vault-keys-artifact
uses: actions/upload-artifact@v4
with:
name: ${{ matrix.env }}-${{ matrix.edge }}-${{ matrix.suffix }}-keys
path: ./${{ matrix.env }}-${{ matrix.edge }}-${{ matrix.suffix }}-keys.json

verify-vault-secrets:
runs-on: ubuntu-latest
needs: retrieve-vault-secret-keys
strategy:
matrix:
env: ${{ fromJson(inputs.environments) }}
edge: ${{ fromJson(inputs.edges) }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
steps:
- name: Download env-edge keys artifacts
uses: actions/download-artifact@v4
with:
path: keys
pattern: ${{ matrix.env }}-${{ matrix.edge }}-*-keys
merge-multiple: true

- name: Extract keys
id: extract-keys
shell: bash
run: |
keys=$(find ./keys -type f -name "*.json" -exec jq -r 'keys_unsorted[]' {} + | tr '\n' ',')
echo "keys='$keys'" >> $GITHUB_OUTPUT
- uses: actions/checkout@v4
with:
repository: scoremedia/devops-github-workflow
ref: master
path: shared-actions

- uses: actions/setup-node@v4
with:
node-version: 18

- name: npm install
shell: bash
run: |
cd ./shared-actions/.github/workflows/verify-vault-secrets && npm install
- uses: actions/github-script@v7
with:
script: |
const script = require('./shared-actions/.github/workflows/verify-vault-secrets/verifyVaultSecrets.js')
await script({github, context, core})
keys: ${{ fromJSON(steps.extract-keys.outputs.keys) }}
ignored_keys: ${{ inputs.ignored_keys }}
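Review bot: the `url:` line in the Get Vault Keys step hard-codes both Vault addresses, so the `vault_addr_prod` and `vault_addr_non_prod` inputs declared under `workflow_call` are never read; either drop the inputs or use them here, e.g. `url: ${{ matrix.env == 'production' && inputs.vault_addr_prod || inputs.vault_addr_non_prod }}`. Two smaller points in the same job: `exportToken: true` places the Vault token in the environment of every later step in the job although only the Set Output and upload steps follow and neither needs it, so it can be removed to narrow the token's exposure; and `echo ${{ toJson(steps.vault-keys.outputs.subkeys) }} >> ...` splices a Vault-derived value straight into the shell command line unquoted, so any whitespace or shell metacharacters in that output change the command rather than the file contents. Passing the value through an `env:` variable and writing it with `printf '%s' "$SUBKEYS" > file` keeps it as data.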