
[DO NOT MERGE] DAT-20361 GitHub Secrets Migration #356



Conversation

jandroav
Contributor

This pull request updates multiple GitHub Actions workflows to enhance security and centralize secret management by integrating AWS Secrets Manager. The changes replace hardcoded GitHub secrets with dynamically retrieved secrets from AWS Secrets Manager and add steps to configure AWS credentials for vault access. Below is a summary of the most important changes grouped by theme.

Integration with AWS Secrets Manager:

  • Added steps to configure AWS credentials and retrieve secrets from AWS Secrets Manager across workflows, including build-extension-jar.yml, codeql.yml, ephemeral-cloud-infra.yml, extension-attach-artifact-release.yml, extension-release-prepare.yml, and extension-release-published.yml. These steps ensure secrets are dynamically fetched and securely managed. [1] [2] [3] [4] [5] [6]

Replacement of Hardcoded Secrets:

  • Replaced hardcoded GitHub secrets (e.g., LIQUIBOT_PAT_GPM_ACCESS, GPG_SECRET, GPG_PASSPHRASE) with outputs from the AWS Secrets Manager retrieval step in all workflows. This improves security by avoiding direct exposure of secrets in workflow files. [1] [2] [3] [4] [5]

Permissions Updates:

  • Added id-token: write permissions to workflows (codeql.yml, extension-attach-artifact-release.yml, extension-release-prepare.yml) to support AWS OIDC role assumption for secure access to AWS Secrets Manager. [1] [2] [3]

Environment Variable Updates:

  • Updated environment variables in workflows to use dynamically retrieved secrets, such as SPACELIFT_API_KEY_ENDPOINT, SPACELIFT_API_KEY_ID, and SPACELIFT_API_KEY_SECRET for ephemeral cloud infrastructure management. [1] [2]

Workflow-Specific Enhancements:

  • Modified extension-release-published.yml to replace secrets for Sonatype Nexus staging with AWS Secrets Manager outputs, ensuring consistency in secret management across all workflows.
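The pattern described above, shown as a single job before and after the migration. This is an added illustration, not a hunk from this PR: the role ARN, secret name and `sign.sh` script are placeholders, and it assumes the `aws-actions/aws-secretsmanager-get-secrets` action exposes retrieved values as environment variables (its documented behaviour) rather than as step outputs.

```yaml
# Added example (not from the PR). Placeholders: the IAM role ARN, the
# Secrets Manager secret id and the ./sign.sh script.
name: release-prepare-example
on:
  workflow_dispatch:

permissions:
  contents: read
  id-token: write   # lets the job request a GitHub OIDC token; no static AWS keys needed

jobs:
  # BEFORE: a long-lived value stored as a repository secret and referenced directly.
  before:
    runs-on: ubuntu-latest
    steps:
      - name: Sign artifact (repository secret)
        env:
          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
        run: ./sign.sh   # placeholder script

  # AFTER: the workflow assumes an IAM role via OIDC and fetches the value at run time.
  after:
    runs-on: ubuntu-latest
    steps:
      - name: Configure AWS credentials (OIDC role assumption)
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/REPLACE_ME   # placeholder
          aws-region: us-east-1

      - name: Retrieve secrets from AWS Secrets Manager
        uses: aws-actions/aws-secretsmanager-get-secrets@v2
        with:
          # "alias,secret-id": the alias becomes the env var prefix.
          secret-ids: |
            GPG,REPLACE_ME/gpg-signing
          # The secret is a JSON document such as {"GPG_PASSPHRASE": "..."}; with
          # parse-json-secrets each key becomes <ALIAS>_<KEY>, here GPG_GPG_PASSPHRASE.
          parse-json-secrets: true

      - name: Sign artifact (value fetched at run time, masked in logs by the action)
        env:
          GPG_PASSPHRASE: ${{ env.GPG_GPG_PASSPHRASE }}
        run: ./sign.sh   # placeholder script
```

The IAM role's trust policy should restrict the OIDC `sub` claim to this repository (and ideally this workflow or branch), and its permissions policy should allow `secretsmanager:GetSecretValue` only on the secrets the workflow actually needs.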

jandroav added 2 commits June 26, 2025 13:41
Replace manual AWS Secrets Manager retrieval with the
aws-actions/aws-secretsmanager-get-secrets action. Update all workflows
to reference secrets from vault outputs instead of repository secrets.
This improves maintainability and centralizes secret management.
@jandroav jandroav marked this pull request as draft June 27, 2025 08:23
@jandroav jandroav changed the title DAT-20361 GitHub Secrets Migration [DO NOT MERGE] DAT-20361 GitHub Secrets Migration Jun 27, 2025