store secrets in file

NHSDigital · Aug 6, 2024 · 5636bd7 · 5636bd7
1 parent 5eb415c
commit 5636bd7
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 12 deletions.
diff --git a/.github/scripts/deploy_api.sh b/.github/scripts/deploy_api.sh
@@ -13,6 +13,10 @@ echo "Proxygen KID: ${PROXYGEN_KID}"
 echo "Deploy Check Prescription Status Update: ${DEPLOY_CHECK_PRESCRIPTION_STATUS_UPDATE}"
 echo "Dry run: ${DRY_RUN}"
 
+
+client_private_key=$(cat ~/.proxygen/tmp/client_private_key)
+client_cert=$(cat ~/.proxygen/tmp/client_cert)
+
 if [ -z "${client_private_key}" ]; then
     echo "client_private_key is unset or set to the empty string"
     exit 1

diff --git a/.github/workflows/release_psu_to_ref.yml b/.github/workflows/release_psu_to_ref.yml
@@ -99,20 +99,11 @@ jobs:
       - name: get mtls secrets
         shell: bash
         run: |
+          mkdir -p ~/.proxygen/tmp
           client_private_key_arn=$(aws cloudformation list-exports --query "Exports[?Name=='account-resources:PsuClientKeySecret'].Value" --output text)
           client_cert_arn=$(aws cloudformation list-exports --query "Exports[?Name=='account-resources:PsuClientCertSecret'].Value" --output text)
-          client_private_key=$(aws secretsmanager get-secret-value --secret-id "${client_private_key_arn}" --query SecretString --output text)
-          client_cert=$(aws secretsmanager get-secret-value --secret-id "${client_cert_arn}" --query SecretString --output text)
-          {
-            echo 'client_private_key<<EOF'
-            echo ${client_private_key}
-            echo EOF
-          } >> "$GITHUB_ENV"
-          {
-            echo 'client_cert<<EOF'
-            echo ${client_cert}
-            echo EOF
-          } >> "$GITHUB_ENV"
+          aws secretsmanager get-secret-value --secret-id "${client_private_key_arn}" --query SecretString --output text > ~/.proxygen/tmp/client_private_key
+          aws secretsmanager get-secret-value --secret-id "${client_cert_arn}" --query SecretString --output text > ~/.proxygen/tmp/client_cert
 
       - name: Configure AWS Credentials for api release
         uses: aws-actions/configure-aws-credentials@v4