Preparing ymls to keeper integration #TASK-6187

opencb · Jun 11, 2024 · c11240b · c11240b
1 parent b980814
commit c11240b
Show file tree

Hide file tree

Showing 5 changed files with 57 additions and 13 deletions.
diff --git a/.github/workflows/delete-docker-hub-workflow.yml b/.github/workflows/delete-docker-hub-workflow.yml
@@ -17,9 +17,17 @@ jobs:
     name: Delete Docker Hub image
     runs-on: ubuntu-22.04
     steps:
+      - name: Retrieve secrets from Keeper
+        id: ksecrets
+        uses: Keeper-Security/ksm-action@master
+        with:
+          keeper-secret-config: ${{ secrets.KEEPER_SM_GH_OPENCB }}
+          secrets: |
+            ID_DOCKER_HUB_USER/custom_field/DOCKER_HUB_PASSWORD > env:DOCKER_HUB_USER
+            ID_DOCKER_HUB_PASSWORD/custom_field/DOCKER_HUB_PASSWORD > env:DOCKER_HUB_PASSWORD
       - uses: docker/login-action@v2
         with:
-          username: ${{ secrets.DOCKER_HUB_USER }}
-          password: ${{ secrets.DOCKER_HUB_PASSWORD }}
+          username: ${{ env.DOCKER_HUB_USER }}
+          password: ${{ env.DOCKER_HUB_PASSWORD }}
       - name: Delete in Docker Hub
         run: ${{ inputs.cli }}
diff --git a/.github/workflows/deploy-docker-hub-workflow.yml b/.github/workflows/deploy-docker-hub-workflow.yml
@@ -27,12 +27,21 @@ jobs:
     name: Push Docker image
     runs-on: ubuntu-22.04
     steps:
+      - name: Retrieve secrets from Keeper
+        id: ksecrets
+        uses: Keeper-Security/ksm-action@master
+        with:
+          keeper-secret-config: ${{ secrets.KEEPER_SM_GH_OPENCB }}
+          secrets: |
+            ID_DOCKER_HUB_USER/custom_field/DOCKER_HUB_PASSWORD > env:DOCKER_HUB_USER
+            ID_DOCKER_HUB_PASSWORD/custom_field/DOCKER_HUB_PASSWORD > env:DOCKER_HUB_PASSWORD
       - name: "Checkout optional repo"
         uses: actions/checkout@v4
         if: inputs.repository != '' && inputs.branch != ''
         with:
           repository: ${{ inputs.repository }}
           ref: ${{ inputs.branch }}
+
       - uses: actions/download-artifact@v4
         with:
           name: ${{ inputs.build_folder }}
@@ -41,7 +50,7 @@ jobs:
         run: "find build -regex '.*sh' | while read file ; do chmod u+x $file ; done"
       - uses: docker/login-action@v3
         with:
-          username: ${{ secrets.DOCKER_HUB_USER }}
-          password: ${{ secrets.DOCKER_HUB_PASSWORD }}
+          username: ${{ env.DOCKER_HUB_USER }}
+          password: ${{ env.DOCKER_HUB_PASSWORD }}
       - name: Deploy in Docker Hub
         run: ${{ inputs.cli }}
diff --git a/.github/workflows/deploy-maven-repository-workflow.yml b/.github/workflows/deploy-maven-repository-workflow.yml
@@ -21,6 +21,17 @@ jobs:
     name: Deploy to Maven and GitHub Packages
     runs-on: ubuntu-22.04
     steps:
+      - name: Retrieve secrets from Keeper
+        id: ksecrets
+        uses: Keeper-Security/ksm-action@master
+        with:
+          keeper-secret-config: ${{ secrets.KEEPER_SM_GH_OPENCB }}
+          secrets: |
+            ID_MAVEN_GPG_PRIVATE_KEY/custom_field/MAVEN_GPG_PRIVATE_KEY > env:MAVEN_GPG_PRIVATE_KEY
+            ID_MAVEN_NEXUS_USER/custom_field/MAVEN_NEXUS_USER > env:MAVEN_NEXUS_USER
+            ID_MAVEN_NEXUS_PASSWORD/custom_field/MAVEN_NEXUS_PASSWORD > env:MAVEN_NEXUS_PASSWORD
+            ID_MAVEN_GPG_PASSPHRASE/custom_field/MAVEN_GPG_PASSPHRASE > env:MAVEN_GPG_PASSPHRASE
+            ID_GITHUB_TOKEN/custom_field/GITHUB_TOKEN > env:GITHUB_TOKEN
       - uses: actions/checkout@v4
         with:
           fetch-depth: '10'
@@ -34,14 +45,14 @@ jobs:
           server-id: ossrh                                        # Value of the distributionManagement/repository/id field of the pom.xml
           server-username: MAVEN_NEXUS_USER                       # env variable for username in deploy
           server-password: MAVEN_NEXUS_PASSWORD                   # env variable for token in deploy
-          gpg-private-key: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }}   # Value of the GPG private key to import
+          gpg-private-key: ${{ env.MAVEN_GPG_PRIVATE_KEY }}   # Value of the GPG private key to import
           gpg-passphrase: MAVEN_GPG_PASSPHRASE                    # env variable for GPG private key passphrase
       - name: Deploy to Maven Central repository
         run: mvn clean deploy -DskipTests -P deploy-maven ${{ inputs.maven_opts }}
         env:
-          MAVEN_NEXUS_USER: ${{ secrets.MAVEN_NEXUS_USER }}
-          MAVEN_NEXUS_PASSWORD: ${{ secrets.MAVEN_NEXUS_PASSWORD }}
-          MAVEN_GPG_PASSPHRASE: ${{ secrets.MAVEN_GPG_PASSPHRASE }}
+          MAVEN_NEXUS_USER: ${{ env.MAVEN_NEXUS_USER }}
+          MAVEN_NEXUS_PASSWORD: ${{ env.MAVEN_NEXUS_PASSWORD }}
+          MAVEN_GPG_PASSPHRASE: ${{ env.MAVEN_GPG_PASSPHRASE }}
       - name: Set up Java for publishing to GitHub Packages
         uses: actions/setup-java@v4
         with:
@@ -50,4 +61,4 @@ jobs:
       - name: Deploy to GitHub Packages repository
         run: mvn clean deploy -DskipTests -P deploy-github ${{ inputs.maven_opts }}
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ env.GITHUB_TOKEN }}
diff --git a/.github/workflows/deploy-python-workflow.yml b/.github/workflows/deploy-python-workflow.yml
@@ -20,6 +20,14 @@ jobs:
     name: Deploy Python package in PyPI
     runs-on: ubuntu-22.04
     steps:
+      - name: Retrieve secrets from Keeper
+        id: ksecrets
+        uses: Keeper-Security/ksm-action@master
+        with:
+          keeper-secret-config: ${{ secrets.KEEPER_SM_GH_OPENCB }}
+          secrets: |
+            ID_PYPI_TWINE_USER/custom_field/PYPI_TWINE_USER > env:PYPI_TWINE_USER
+            ID_PYPI_TWINE_PASSWORD/custom_field/PYPI_TWINE_PASSWORD > env:PYPI_TWINE_PASSWORD
       - uses: actions/download-artifact@v4
         if: ${{ inputs.artifact }}
         with:
@@ -28,6 +36,6 @@ jobs:
         run: chmod +x ./clients/python/*sh
       - name: Build Python package for PyPI
         env:
-          TWINE_USERNAME: ${{ secrets.PYPI_TWINE_USER }}
-          TWINE_PASSWORD: ${{ secrets.PYPI_TWINE_PASSWORD }}
+          TWINE_USERNAME: ${{ env.PYPI_TWINE_USER }}
+          TWINE_PASSWORD: ${{ env.PYPI_TWINE_PASSWORD }}
         run: ${{ inputs.cli }}
diff --git a/.github/workflows/test-analysis.yml b/.github/workflows/test-analysis.yml
@@ -11,6 +11,14 @@ jobs:
     name: Test and push Sonar analysis
     runs-on: ubuntu-22.04
     steps:
+      - name: Retrieve secrets from Keeper
+        id: ksecrets
+        uses: Keeper-Security/ksm-action@master
+        with:
+          keeper-secret-config: ${{ secrets.KEEPER_SM_GH_OPENCB }}
+          secrets: |
+            ID_GITHUB_TOKEN/custom_field/GITHUB_TOKEN > env:GITHUB_TOKEN
+            ID_SONAR_TOKEN/custom_field/SONAR_TOKEN > env:SONAR_TOKEN
       - uses: actions/checkout@v4
         with:
           fetch-depth: '0'
@@ -27,8 +35,8 @@ jobs:
           mongodb-replica-set: rs-test
       - name: Test and Analyze
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          GITHUB_TOKEN: ${{ env.GITHUB_TOKEN }} # Needed to get PR information, if any
+          SONAR_TOKEN: ${{ env.SONAR_TOKEN }}
         run: mvn -B verify surefire-report:report --fail-never org.sonarsource.scanner.maven:sonar-maven-plugin:sonar -Dsonar.projectKey=opencb_java-common-libs
       - name: Publish Test Report
         uses: scacap/action-surefire-report@v1