chore(gha): use Keeper secrets

bonitasoft · Jun 19, 2024 · 204abe6 · 204abe6
1 parent 532fef4
commit 204abe6
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 15 deletions.
diff --git a/.github/workflows/build-pr.yml b/.github/workflows/build-pr.yml
@@ -13,6 +13,16 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+
+      - uses: Keeper-Security/ksm-action@v1
+        if: ${{ env.KSM_CONFIG != '' }}
+        env:
+          KSM_CONFIG: ${{ secrets.KSM_CONFIG }}
+        with:
+          keeper-secret-config: ${{ secrets.KSM_CONFIG }}
+          secrets: |
+            ${{ vars.KEEPER_SONARCLOUD_RECORD_ID }}/field/password > env:SONAR_TOKEN
+
       - name: Setup Java
         uses: actions/setup-java@v3
         with:
@@ -23,13 +33,11 @@ jobs:
       - name: Build with Sonarcloud
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
         if: ${{ env.SONAR_TOKEN != '' }}
         run: ./mvnw -B -ntp verify sonar:sonar
 
       - name: Build
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
         if: ${{ env.SONAR_TOKEN == '' }}
         run: ./mvnw -B -ntp verify
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -16,6 +16,18 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+
+      - uses: Keeper-Security/ksm-action@v1
+        with:
+          keeper-secret-config: ${{ secrets.KSM_CONFIG }}
+          secrets: |
+            ${{ vars.KEEPER_SONARCLOUD_RECORD_ID }}/field/password > env:SONAR_TOKEN
+            ${{ vars.KEEPER_OSSRH_RECORD_ID }}/field/login > env:MAVEN_USERNAME
+            ${{ vars.KEEPER_OSSRH_RECORD_ID }}/field/password > env:MAVEN_PASSWORD
+            ${{ vars.KEEPER_GPG_ARTIFACT_SIGNING_RECORD_ID }}/field/login > env:GPG_KEYNAME
+            ${{ vars.KEEPER_GPG_ARTIFACT_SIGNING_RECORD_ID }}/custom_field/gpg-private-key > env:GPG_PRIVATE_KEY
+            ${{ vars.KEEPER_GPG_ARTIFACT_SIGNING_RECORD_ID }}/field/password > env:MAVEN_GPG_PASSPHRASE
+
       - name: Setup Java
         uses: actions/setup-java@v3
         with:
@@ -24,15 +36,11 @@ jobs:
           cache: 'maven'
           server-id: ossrh # Value of the distributionManagement/repository/id field of the pom.xml
           server-username: MAVEN_USERNAME # env variable for username in deploy
-          server-password: MAVEN_CENTRAL_TOKEN # env variable for token in deploy
-          gpg-private-key: ${{ secrets.gpg_private_key }} # Value of the GPG private key to import
+          server-password: MAVEN_PASSWORD # env variable for token in deploy
+          gpg-private-key: ${{ env.GPG_PRIVATE_KEY }} # Value of the GPG private key to import
           gpg-passphrase: MAVEN_GPG_PASSPHRASE # env variable for GPG private key passphrase
 
       - name: Build and deploy
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information, if any
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-          MAVEN_USERNAME: ${{ secrets.ossrh_username }}
-          MAVEN_CENTRAL_TOKEN: ${{ secrets.ossrh_password }}
-          MAVEN_GPG_PASSPHRASE: ${{ secrets.gpg_passphrase }}
         run: ./mvnw -B -ntp deploy sonar:sonar
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -18,6 +18,16 @@ jobs:
         uses: actions/checkout@v4
         with:
           ref: ${{ github.event.inputs.tag }}
+
+      - uses: Keeper-Security/ksm-action@v1
+        with:
+          keeper-secret-config: ${{ secrets.KSM_CONFIG }}
+          secrets: |
+            ${{ vars.KEEPER_OSSRH_RECORD_ID }}/field/login > env:MAVEN_USERNAME
+            ${{ vars.KEEPER_OSSRH_RECORD_ID }}/field/password > env:MAVEN_PASSWORD
+            ${{ vars.KEEPER_GPG_ARTIFACT_SIGNING_RECORD_ID }}/field/login > env:GPG_KEYNAME
+            ${{ vars.KEEPER_GPG_ARTIFACT_SIGNING_RECORD_ID }}/custom_field/gpg-private-key > env:GPG_PRIVATE_KEY
+            ${{ vars.KEEPER_GPG_ARTIFACT_SIGNING_RECORD_ID }}/field/password > env:MAVEN_GPG_PASSPHRASE
         
       - name: Setup Java
         uses: actions/setup-java@v3
@@ -26,13 +36,9 @@ jobs:
           java-version: 11
           server-id: ossrh # Value of the distributionManagement/repository/id field of the pom.xml
           server-username: MAVEN_USERNAME # env variable for username in deploy
-          server-password: MAVEN_CENTRAL_TOKEN # env variable for token in deploy
-          gpg-private-key: ${{ secrets.gpg_private_key }} # Value of the GPG private key to import
+          server-password: MAVEN_PASSWORD # env variable for token in deploy
+          gpg-private-key: ${{ env.GPG_PRIVATE_KEY }} # Value of the GPG private key to import
           gpg-passphrase: MAVEN_GPG_PASSPHRASE # env variable for GPG private key passphrase
 
-      - name: Publish tag 
-        env:
-          MAVEN_USERNAME: ${{ secrets.ossrh_username }}
-          MAVEN_CENTRAL_TOKEN: ${{ secrets.ossrh_password }}
-          MAVEN_GPG_PASSPHRASE: ${{ secrets.gpg_passphrase }}
+      - name: Publish to Maven Central
         run: ./mvnw -ntp --batch-mode deploy -Prelease