Merge pull request #1303 from redpanda-data/PESDLC-1544-gha-use-aws-sm

gha: retrieve secrets from aws secretsmanager
redpanda-data · Jul 10, 2024 · 6d24ff1 · 6d24ff1
1 parent 4bb9432
commit 6d24ff1
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 31 deletions.
diff --git a/.github/workflows/backend-lint-test.yml b/.github/workflows/backend-lint-test.yml
@@ -1,5 +1,5 @@
+---
 name: "Backend verify"
-
 on:
  push:
  tags:
@@ -15,33 +15,27 @@ on:
  - 'backend/**.go'
  - 'backend/go.mod'
  - '.github/workflows/backend-lint-test.yml'
-
 permissions:
  contents: read
-
 jobs:
  verify:
  name: Lint & Test Backend
  runs-on: ubuntu-latest-4
  steps:
  - uses: actions/checkout@v4
-
  - uses: actions/setup-go@v5
  with:
  go-version: 'stable'
-
  - name: golangci-lint
  uses: golangci/golangci-lint-action@v4
  with:
  version: v1.57
  working-directory: backend
  args: --timeout=10m --config=.golangci.yaml
-
  - name: Install Task
  uses: arduino/setup-task@v1
  with:
  version: 3.x
  repo-token: ${{ secrets.GITHUB_TOKEN }}
-
  - name: Unit & Integration Tests
  run: task backend:test-integration
diff --git a/.github/workflows/bsr-push.yml b/.github/workflows/bsr-push.yml
@@ -1,22 +1,32 @@
+---
 name: Push to Buf Schema Registry
-
 on:
  push:
  branches:
  - master
  paths:
  - proto/**.proto
  workflow_dispatch:
-
 permissions:
  contents: read
-
 jobs:
  push-module:
  runs-on: ubuntu-latest
  steps:
+ - name: configure aws credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ aws-access-key-id: ${{ secrets.AWS_SM_READONLY_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_SM_READONLY_SECRET_ACCESS_KEY }}
+ aws-region: us-west-2
+ - name: get secrets from aws sm
+ uses: aws-actions/aws-secretsmanager-get-secrets@v2
+ with:
+ secret-ids: |
+ ,sdlc/prod/github/buf_token
+ parse-json-secrets: true
  # Run `git checkout`
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v4
  # Install the `buf` CLI
  - uses: bufbuild/buf-setup-action@v1
  with:
@@ -33,6 +43,6 @@ jobs:
  - uses: bufbuild/buf-push-action@v1
  with:
  input: proto
- buf_token: ${{ secrets.BUF_TOKEN }}
+ buf_token: ${{ env.BUF_TOKEN }}
  create_visibility: private
- draft: ${{ github.ref_name != 'master'}}
+ draft: ${{ github.ref_name != 'master'}}
diff --git a/.github/workflows/frontend-verify.yml b/.github/workflows/frontend-verify.yml
@@ -1,13 +1,12 @@
+---
 name: "Frontend Lint & Compile check"
-
 on:
  push:
  paths:
  - "frontend/**"
  pull_request:
  paths:
  - "frontend/**"
-
 jobs:
  lint-and-compile:
  runs-on: ubuntu-latest
@@ -31,7 +30,7 @@ jobs:
  uses: actions/setup-node@v4
  with:
  node-version: '18.10.0'
- - name: Install dependencies 
+ - name: Install dependencies
  working-directory: frontend
  run: npm ci
  - name: Run lint
@@ -41,11 +40,10 @@ jobs:
  working-directory: frontend
  run: |
  REACT_APP_CONSOLE_GIT_SHA=$(echo $GITHUB_SHA | cut -c 1-6)
- REACT_APP_CONSOLE_GIT_REF=$GITHUB_REF_NAME 
- REACT_APP_BUILD_TIMESTAMP=$(date +%s) 
+ REACT_APP_CONSOLE_GIT_REF=$GITHUB_REF_NAME
+ REACT_APP_BUILD_TIMESTAMP=$(date +%s)
  REACT_APP_DEV_HINT=true
- npm run build 
- 
+ npm run build
  e2e-test:
  needs: "lint-and-compile"
  timeout-minutes: 60
@@ -78,7 +76,7 @@ jobs:
  uses: actions/setup-node@v4
  with:
  node-version: '18'
- - name: Install frontend dependencies 
+ - name: Install frontend dependencies
  working-directory: frontend
  run: npm ci
  - name: Install Playwright browsers
@@ -91,23 +89,23 @@ jobs:
  working-directory: backend/cmd/api
  run: go build -v ./...
  - name: Log networks
- if:  runner.debug == '1'
+ if: runner.debug == '1'
  continue-on-error: true
  run: docker network ls
  - name: Network inspect
- if:  runner.debug == '1'
+ if: runner.debug == '1'
  continue-on-error: true
  run: docker network inspect redpanda-e2e_redpanda_network
  - name: Log redpanda
- if:  runner.debug == '1'
+ if: runner.debug == '1'
  continue-on-error: true
  run: docker logs redpanda
  - name: Log owlshop
- if:  runner.debug == '1'
+ if: runner.debug == '1'
  continue-on-error: true
  run: docker logs owlshop
  - name: Log connect
- if:  runner.debug == '1'
+ if: runner.debug == '1'
  continue-on-error: true
  run: docker logs connect
  - name: Run Playwright tests

diff --git a/.github/workflows/repository-dispatch.yml b/.github/workflows/repository-dispatch.yml
@@ -1,5 +1,5 @@
+---
 name: Repository dispatch on push or release
-
 on:
  push:
  paths:
@@ -9,25 +9,35 @@ on:
  - '*'
  branches:
  - '**'
-
 jobs:
  dispatch:
  runs-on: ubuntu-latest
  steps:
+ - name: configure aws credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ aws-access-key-id: ${{ secrets.AWS_SM_READONLY_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_SM_READONLY_SECRET_ACCESS_KEY }}
+ aws-region: us-west-2
+ - name: get secrets from aws sm
+ uses: aws-actions/aws-secretsmanager-get-secrets@v2
+ with:
+ secret-ids: |
+ ,sdlc/prod/github/actions_bot_token
+ parse-json-secrets: true
  - name: Repository Dispatch on Release
  uses: peter-evans/repository-dispatch@caebe2a7c967e9f927ff8780fea8e16e50b5ce40
  if: ${{ startsWith(github.ref, 'refs/tags/v') }}
  with:
- token: ${{ secrets.VBOT_GITHUB_API_TOKEN }}
+ token: ${{ env.ACTIONS_BOT_TOKEN }}
  repository: redpanda-data/console-enterprise
  event-type: release
  client-payload: '{"branch": "master", "commit_sha": "${{ github.sha }}", "tag_name": "${{ github.event.release.tag_name }}"}'
-
  - name: Repository Dispatch on push
  uses: peter-evans/repository-dispatch@caebe2a7c967e9f927ff8780fea8e16e50b5ce40
  if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
  with:
- token: ${{ secrets.VBOT_GITHUB_API_TOKEN }}
+ token: ${{ env.ACTIONS_BOT_TOKEN }}
  repository: redpanda-data/console-enterprise
  event-type: push
  client-payload: '{"branch": "${{ github.ref_name }}", "commit_sha": "${{ github.sha }}"}'