From 6d24ff1cedead7aec6873aa41c0551a4eacb00d6 Mon Sep 17 00:00:00 2001
From: Andrew Hsu
Date: Thu, 27 Jun 2024 15:33:48 -0500
Subject: [PATCH] Merge pull request #1303 from redpanda-data/PESDLC-1544-gha-use-aws-sm

gha: retrieve secrets from aws secretsmanager
---
 .github/workflows/backend-lint-test.yml | 8 +-------
 .github/workflows/bsr-push.yml | 22 +++++++++++++++------
 .github/workflows/frontend-verify.yml | 24 +++++++++++------------
 .github/workflows/repository-dispatch.yml | 20 ++++++++++++++-----
 4 files changed, 43 insertions(+), 31 deletions(-)

diff --git a/.github/workflows/backend-lint-test.yml b/.github/workflows/backend-lint-test.yml
index 01c5c33cd..16fdfd1e5 100644
--- a/.github/workflows/backend-lint-test.yml
+++ b/.github/workflows/backend-lint-test.yml
@@ -1,5 +1,5 @@
+---
 name: "Backend verify"
-
 on:
 push:
 tags:
@@ -15,33 +15,27 @@ on:
 - 'backend/**.go'
 - 'backend/go.mod'
 - '.github/workflows/backend-lint-test.yml'
-
 permissions:
 contents: read
-
 jobs:
 verify:
 name: Lint & Test Backend
 runs-on: ubuntu-latest-4
 steps:
 - uses: actions/checkout@v4
-
 - uses: actions/setup-go@v5
 with:
 go-version: 'stable'
-
 - name: golangci-lint
 uses: golangci/golangci-lint-action@v4
 with:
 version: v1.57
 working-directory: backend
 args: --timeout=10m --config=.golangci.yaml
-
 - name: Install Task
 uses: arduino/setup-task@v1
 with:
 version: 3.x
 repo-token: ${{ secrets.GITHUB_TOKEN }}
-
 - name: Unit & Integration Tests
 run: task backend:test-integration
diff --git a/.github/workflows/bsr-push.yml b/.github/workflows/bsr-push.yml
index 5495d69dc..88731ac55 100644
--- a/.github/workflows/bsr-push.yml
+++ b/.github/workflows/bsr-push.yml
@@ -1,5 +1,5 @@
+---
 name: Push to Buf Schema Registry
-
 on:
 push:
 branches:
@@ -7,16 +7,26 @@ on:
 paths:
 - proto/**.proto
 workflow_dispatch:
-
 permissions:
 contents: read
-
 jobs:
 push-module:
 runs-on: ubuntu-latest
 steps:
+ - name: configure aws credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ aws-access-key-id: ${{ secrets.AWS_SM_READONLY_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_SM_READONLY_SECRET_ACCESS_KEY }}
+ aws-region: us-west-2
+ - name: get secrets from aws sm
+ uses: aws-actions/aws-secretsmanager-get-secrets@v2
+ with:
+ secret-ids: |
+ ,sdlc/prod/github/buf_token
+ parse-json-secrets: true
 # Run `git checkout`
- - uses: actions/checkout@v2
+ - uses: actions/checkout@v4
 # Install the `buf` CLI
 - uses: bufbuild/buf-setup-action@v1
 with:
@@ -33,6 +43,6 @@ jobs:
 - uses: bufbuild/buf-push-action@v1
 with:
 input: proto
- buf_token: ${{ secrets.BUF_TOKEN }}
+ buf_token: ${{ env.BUF_TOKEN }}
 create_visibility: private
- draft: ${{ github.ref_name != 'master'}}
\ No newline at end of file
+ draft: ${{ github.ref_name != 'master'}}
diff --git a/.github/workflows/frontend-verify.yml b/.github/workflows/frontend-verify.yml
index f41733015..ee8511dd2 100644
--- a/.github/workflows/frontend-verify.yml
+++ b/.github/workflows/frontend-verify.yml
@@ -1,5 +1,5 @@
+---
 name: "Frontend Lint & Compile check"
-
 on:
 push:
 paths:
@@ -7,7 +7,6 @@
 pull_request:
 paths:
 - "frontend/**"
-
 jobs:
 lint-and-compile:
 runs-on: ubuntu-latest
@@ -31,7 +30,7 @@ jobs:
 uses: actions/setup-node@v4
 with:
 node-version: '18.10.0'
- - name: Install dependencies
+ - name: Install dependencies
 working-directory: frontend
 run: npm ci
 - name: Run lint
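Review bot: The new `configure aws credentials` step in the `push-module` job authenticates with a static IAM key pair kept in GitHub secrets (`AWS_SM_READONLY_ACCESS_KEY_ID` / `AWS_SM_READONLY_SECRET_ACCESS_KEY`), so the long-lived `BUF_TOKEN` this PR removes from GitHub is replaced by a long-lived AWS credential that presumably unlocks every secret the key may read, not just `sdlc/prod/github/buf_token`. Prefer GitHub OIDC federation: drop the two key inputs, add `role-to-assume: <iam-role-arn>` to the same step, and extend the existing `permissions:` block (currently only `contents: read`) with `id-token: write`, since without it the OIDC token request is denied. Scope that role's policy to `secretsmanager:GetSecretValue` on the one secret, and note it above the step with `# read-only role scoped to sdlc/prod/github/buf_token`. If static keys are kept, document the rotation owner in the same comment and consider pinning `aws-actions/configure-aws-credentials@v4` and `aws-secretsmanager-get-secrets@v2` to commit SHAs, as these steps now sit on the path to a registry-write credential.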
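Review bot: `buf_token: ${{ env.BUF_TOKEN }}` depends on the earlier get-secrets step having exported a variable with exactly that name, and an unset `env` context value expands to an empty string rather than failing the job, so a renamed JSON key or a changed `secret-ids` alias would silently run `buf push` with an empty token. Add a fail-fast step ahead of the push, `- name: check buf token` / `run: test -n "$BUF_TOKEN"`, unless you have confirmed that `bufbuild/buf-push-action@v1` aborts on an empty token. Presumably the Secrets Manager JSON carries a single `buf_token` key; with `parse-json-secrets: true` every key in that JSON becomes a job-wide environment variable, so verify the secret holds nothing else.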
@@ -41,11 +40,10 @@ jobs:
 working-directory: frontend
 run: |
 REACT_APP_CONSOLE_GIT_SHA=$(echo $GITHUB_SHA | cut -c 1-6)
- REACT_APP_CONSOLE_GIT_REF=$GITHUB_REF_NAME
- REACT_APP_BUILD_TIMESTAMP=$(date +%s)
+ REACT_APP_CONSOLE_GIT_REF=$GITHUB_REF_NAME
+ REACT_APP_BUILD_TIMESTAMP=$(date +%s)
 REACT_APP_DEV_HINT=true
- npm run build
-
+ npm run build
 e2e-test:
 needs: "lint-and-compile"
 timeout-minutes: 60
@@ -78,7 +76,7 @@ jobs:
 uses: actions/setup-node@v4
 with:
 node-version: '18'
- - name: Install frontend dependencies
+ - name: Install frontend dependencies
 working-directory: frontend
 run: npm ci
 - name: Install Playwright browsers
@@ -91,23 +89,23 @@ jobs:
 working-directory: backend/cmd/api
 run: go build -v ./...
 - name: Log networks
- if: runner.debug == '1'
+ if: runner.debug == '1'
 continue-on-error: true
 run: docker network ls
 - name: Network inspect
- if: runner.debug == '1'
+ if: runner.debug == '1'
 continue-on-error: true
 run: docker network inspect redpanda-e2e_redpanda_network
 - name: Log redpanda
- if: runner.debug == '1'
+ if: runner.debug == '1'
 continue-on-error: true
 run: docker logs redpanda
 - name: Log owlshop
- if: runner.debug == '1'
+ if: runner.debug == '1'
 continue-on-error: true
 run: docker logs owlshop
 - name: Log connect
- if: runner.debug == '1'
+ if: runner.debug == '1'
 continue-on-error: true
 run: docker logs connect
 - name: Run Playwright tests
diff --git a/.github/workflows/repository-dispatch.yml b/.github/workflows/repository-dispatch.yml
index 74297a783..aaafb1956 100644
--- a/.github/workflows/repository-dispatch.yml
+++ b/.github/workflows/repository-dispatch.yml
@@ -1,5 +1,5 @@
+---
 name: Repository dispatch on push or release
-
 on:
 push:
 paths:
@@ -9,25 +9,35 @@ on:
 - '*'
 branches:
 - '**'
-
 jobs:
 dispatch:
 runs-on: ubuntu-latest
 steps:
+ - name: configure aws credentials
+ uses: aws-actions/configure-aws-credentials@v4
+ with:
+ aws-access-key-id: ${{ secrets.AWS_SM_READONLY_ACCESS_KEY_ID }}
+ aws-secret-access-key: ${{ secrets.AWS_SM_READONLY_SECRET_ACCESS_KEY }}
+ aws-region: us-west-2
+ - name: get secrets from aws sm
+ uses: aws-actions/aws-secretsmanager-get-secrets@v2
+ with:
+ secret-ids: |
+ ,sdlc/prod/github/actions_bot_token
+ parse-json-secrets: true
 - name: Repository Dispatch on Release
 uses: peter-evans/repository-dispatch@caebe2a7c967e9f927ff8780fea8e16e50b5ce40
 if: ${{ startsWith(github.ref, 'refs/tags/v') }}
 with:
- token: ${{ secrets.VBOT_GITHUB_API_TOKEN }}
+ token: ${{ env.ACTIONS_BOT_TOKEN }}
 repository: redpanda-data/console-enterprise
 event-type: release
 client-payload: '{"branch": "master", "commit_sha": "${{ github.sha }}", "tag_name": "${{ github.event.release.tag_name }}"}'
-
 - name: Repository Dispatch on push
 uses: peter-evans/repository-dispatch@caebe2a7c967e9f927ff8780fea8e16e50b5ce40
 if: ${{ !startsWith(github.ref, 'refs/tags/v') }}
 with:
- token: ${{ secrets.VBOT_GITHUB_API_TOKEN }}
+ token: ${{ env.ACTIONS_BOT_TOKEN }}
 repository: redpanda-data/console-enterprise
 event-type: push
 client-payload: '{"branch": "${{ github.ref_name }}", "commit_sha": "${{ github.sha }}"}'
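Review bot: The two added `aws-actions/*` steps are referenced by mutable major tags (`@v4`, `@v2`) while the same `dispatch` job already pins `peter-evans/repository-dispatch` to a full commit SHA; the new steps handle the AWS credential and the fetched bot token, so the weaker pin is both inconsistent with the file and a wider supply-chain exposure. Pin both to a commit SHA with a trailing `# vX.Y.Z` comment, matching the existing dispatch lines. The same 12-line credential/fetch block is now duplicated verbatim in `bsr-push.yml`; a composite action or reusable workflow would keep the region and secret-id syntax in one place. `${{ env.ACTIONS_BOT_TOKEN }}` also expands to an empty string if the export name differs from the secret's JSON key, so a `run: test -n "$ACTIONS_BOT_TOKEN"` step before the two dispatch steps is cheap insurance, given this workflow fires on every push to every branch and tag.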