From 5636bd7dbd397aedc1266a1484ab260dfd858c88 Mon Sep 17 00:00:00 2001
From: Anthony Brown <121869075+anthony-nhs@users.noreply.github.com>
Date: Tue, 6 Aug 2024 11:57:43 +0000
Subject: [PATCH] store secrets in file
---
 .github/scripts/deploy_api.sh | 4 ++++
 .github/workflows/release_psu_to_ref.yml | 15 +++------------
 2 files changed, 7 insertions(+), 12 deletions(-)
diff --git a/.github/scripts/deploy_api.sh b/.github/scripts/deploy_api.sh
index cd1acff..165d0a2 100755
--- a/.github/scripts/deploy_api.sh
+++ b/.github/scripts/deploy_api.sh
@@ -13,6 +13,10 @@ echo "Proxygen KID: ${PROXYGEN_KID}"
 echo "Deploy Check Prescription Status Update: ${DEPLOY_CHECK_PRESCRIPTION_STATUS_UPDATE}"
 echo "Dry run: ${DRY_RUN}"
+
+client_private_key=$(cat ~/.proxygen/tmp/client_private_key)
+client_cert=$(cat ~/.proxygen/tmp/client_cert)
+
 if [ -z "${client_private_key}" ]; then
 echo "client_private_key is unset or set to the empty string"
 exit 1
diff --git a/.github/workflows/release_psu_to_ref.yml b/.github/workflows/release_psu_to_ref.yml
index 770b511..d4c7ae7 100644
--- a/.github/workflows/release_psu_to_ref.yml
+++ b/.github/workflows/release_psu_to_ref.yml
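Review bot: The two new `cat` reads take the mTLS secrets from a fixed path under the home directory but never check that the file is present, so a missing file yields a `cat: No such file` on stderr followed by the misleading "client_private_key is unset or set to the empty string" message from the existing check below. I would fail fast with the path in the message and drop the subprocess: `key_file=~/.proxygen/tmp/client_private_key`, `[ -r "${key_file}" ] || { echo "mTLS key file ${key_file} not found" >&2; exit 1; }`, `client_private_key=$(<"${key_file}")`, and the same for the cert. A comment above the reads should state the contract, e.g. `# Written to disk by the 'get mtls secrets' workflow step; nothing here deletes the files, so the job must clean up ~/.proxygen/tmp`. Whether any later step removes the files is not visible here; if this script is the only consumer, an `rm -f` right after the reads would shorten the time the private key sits on disk. The `if` block that starts in this hunk closes outside it.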
@@ -99,20 +99,11 @@ jobs: - name: get mtls secrets shell: bash run: | + mkdir -p ~/.proxygen/tmp client_private_key_arn=$(aws cloudformation list-exports --query "Exports[?Name=='account-resources:PsuClientKeySecret'].Value" --output text) client_cert_arn=$(aws cloudformation list-exports --query "Exports[?Name=='account-resources:PsuClientCertSecret'].Value" --output text) - client_private_key=$(aws secretsmanager get-secret-value --secret-id "${client_private_key_arn}" --query SecretString --output text) - client_cert=$(aws secretsmanager get-secret-value --secret-id "${client_cert_arn}" --query SecretString --output text) - { - echo 'client_private_key<> "$GITHUB_ENV" - { - echo 'client_cert<> "$GITHUB_ENV" + aws secretsmanager get-secret-value --secret-id "${client_private_key_arn}" --query SecretString --output text > ~/.proxygen/tmp/client_private_key + aws secretsmanager get-secret-value --secret-id "${client_cert_arn}" --query SecretString --output text > ~/.proxygen/tmp/client_cert - name: Configure AWS Credentials for api release uses: aws-actions/configure-aws-credentials@v4
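Review bot: The added `mkdir -p ~/.proxygen/tmp` and the two `>` redirections create the private-key and cert files with the runner's default umask, so on a typical runner the key lands in a 0755 directory as a 0644 file, and nothing in this hunk removes it afterwards; on a self-hosted or reused runner the key would stay readable by every later job and every local user. Moving the values out of `$GITHUB_ENV` is a good change, but the file should be created with owner-only permissions and deleted when the job ends regardless of outcome. I would set `umask 077` before the `mkdir` and add a final step with `if: always()` that removes the directory, as below; where exactly the cleanup step goes depends on which later steps run deploy_api.sh, which is outside this hunk. The `aws secretsmanager` output is not auto-masked by Actions, so keep the later steps from ever echoing the file contents.

```yaml
      - name: get mtls secrets
        shell: bash
        run: |
          umask 077
          mkdir -p ~/.proxygen/tmp
          # … unchanged: export lookups and the two secretsmanager reads into ~/.proxygen/tmp …
      # … unchanged: Configure AWS Credentials for api release and the deploy steps …
      - name: remove mtls secrets
        if: always()
        shell: bash
        run: rm -rf ~/.proxygen/tmp
```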