[CI] Update workflows to fetch secrets from GSM

toptal · Nov 15, 2023 · 11627d9 · 11627d9
1 parent c1e1e42
commit 11627d9
Show file tree

Hide file tree

Showing 9 changed files with 418 additions and 72 deletions.
diff --git a/.github/workflows/automerge-release.yaml b/.github/workflows/automerge-release.yaml
@@ -10,16 +10,39 @@ on:
 env:
   PR_NUMBER: ${{ github.event.number }}
   PR_BODY: ${{ github.event.pull_request.body }}
-  DEVBOT_TOKEN: ${{ secrets.TOPTAL_DEVBOT_TOKEN }}
-
 jobs:
   merge-release-pr:
     if: ${{ github.event.pull_request.head.ref == 'changeset-release/master' }}
     name: Merge release PR
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
+      actions: write
+      issues: write
+      pull-requests: write
     timeout-minutes: 1
 
     steps:
+      - name: GSM Secrets
+        id: secrets_manager
+        uses: toptal/davinci-github-actions/gsm-secrets@ci-add-gsm-actions-to-public-repos
+        with:
+          workload_identity_provider: ${{ secrets.IDENTITY_POOL }}
+          service_account: ${{ secrets.SA_IDENTITY_POOL }}
+          secrets_name: |-
+            TOPTAL_DEVBOT_TOKEN:toptal-ci/TOPTAL_DEVBOT_TOKEN
+                
+      - name: Parse secrets
+        id: parse_secrets
+        uses: toptal/davinci-github-actions/expose-json-outputs@ci-add-gsm-actions-to-public-repos
+        with:
+          json: ${{ steps.secrets_manager.outputs.secrets }}
+
+      - name: Set ENV Variables
+        run: |-
+          echo "DEVBOT_TOKEN=${{ steps.parse_secrets.outputs.TOPTAL_DEVBOT_TOKEN }}" >> $GITHUB_ENV
+                  
       - name: Merge pull request if the release is not major
         uses: actions/github-script@v6
         with:

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -17,31 +17,60 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-env:
-  TOPTAL_DEVBOT_TOKEN: ${{ secrets.TOPTAL_DEVBOT_TOKEN }}
-  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-  HTTP_PROXY: http://${{ secrets.HTTP_PROXY }}
-  HAPPO_API_KEY: ${{ secrets.HAPPO_API_KEY }}
-  HAPPO_API_SECRET: ${{ secrets.HAPPO_API_SECRET }}
-  JENKINS_USER: ${{ secrets.TOPTAL_TRIGGERBOT_USERNAME }}
-  JENKINS_BUILD_TOKEN: ${{ secrets.TOPTAL_TRIGGERBOT_BUILD_TOKEN }}
-  PROXY: http://${{ secrets.HTTP_PROXY }}
-
 jobs:
   build-docker-image:
     if: ${{ github.event.pull_request.head.ref != 'changeset-release/master' }}
     name: Build Picasso docker image
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
+      actions: write
+      issues: write
+      pull-requests: write
     timeout-minutes: 45
 
     steps:
       - name: Checkout
         uses: actions/checkout@v4
 
+      - name: GSM Secrets
+        id: secrets_manager
+        uses: toptal/davinci-github-actions/gsm-secrets@ci-add-gsm-actions-to-public-repos
+        with:
+          workload_identity_provider: ${{ secrets.IDENTITY_POOL }}
+          service_account: ${{ secrets.SA_IDENTITY_POOL }}
+          secrets_name: |-
+            GCR_ACCOUNT_KEY:toptal-ci/GCR_ACCOUNT_KEY
+            HAPPO_API_KEY:toptal-ci/PICASSO_HAPPO_API_KEY
+            HAPPO_API_SECRET:toptal-ci/PICASSO_HAPPO_API_SECRET
+            HTTP_PROXY:toptal-ci/HTTP_PROXY
+            NPM_TOKEN:toptal-ci/NPM_TOKEN
+            TOPTAL_DEVBOT_TOKEN:toptal-ci/TOPTAL_DEVBOT_TOKEN
+            TOPTAL_TRIGGERBOT_BUILD_TOKEN:toptal-ci/TOPTAL_TRIGGERBOT_BUILD_TOKEN
+            TOPTAL_TRIGGERBOT_USERNAME:toptal-ci/TOPTAL_TRIGGERBOT_USERNAME
+                
+      - name: Parse secrets
+        id: parse_secrets
+        uses: toptal/davinci-github-actions/expose-json-outputs@ci-add-gsm-actions-to-public-repos
+        with:
+          json: ${{ steps.secrets_manager.outputs.secrets }}
+
+      - name: Set ENV Variables
+        run: |-
+          echo "TOPTAL_DEVBOT_TOKEN=${{ steps.parse_secrets.outputs.TOPTAL_DEVBOT_TOKEN }}" >> $GITHUB_ENV
+          echo "NPM_TOKEN=${{ steps.parse_secrets.outputs.NPM_TOKEN }}" >> $GITHUB_ENV
+          echo "HTTP_PROXY=${{ steps.parse_secrets.outputs.HTTP_PROXY }}" >> $GITHUB_ENV
+          echo "HAPPO_API_KEY=${{ steps.parse_secrets.outputs.HAPPO_API_KEY }}" >> $GITHUB_ENV
+          echo "HAPPO_API_SECRET=${{ steps.parse_secrets.outputs.HAPPO_API_SECRET }}" >> $GITHUB_ENV
+          echo "JENKINS_USER=${{ steps.parse_secrets.outputs.TOPTAL_TRIGGERBOT_USERNAME }}" >> $GITHUB_ENV
+          echo "JENKINS_BUILD_TOKEN=${{ steps.parse_secrets.outputs.TOPTAL_TRIGGERBOT_BUILD_TOKEN }}" >> $GITHUB_ENV
+          echo "PROXY=${{ steps.parse_secrets.outputs.HTTP_PROXY }}" >> $GITHUB_ENV
+                  
       - uses: toptal/davinci-github-actions/[email protected]
         env:
           GITHUB_TOKEN: ${{ env.TOPTAL_DEVBOT_TOKEN }}
-          GCR_ACCOUNT_KEY: ${{ secrets.GCR_ACCOUNT_KEY }}
+          GCR_ACCOUNT_KEY: ${{ steps.parse_secrets.outputs.GCR_ACCOUNT_KEY }}
         with:
           sha: ${{ github.event.pull_request.head.sha }}
           image-name: picasso
@@ -52,6 +81,9 @@ jobs:
     if: ${{ github.event.pull_request.head.ref != 'changeset-release/master' }}
     name: Static checks
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     timeout-minutes: 45
 
     steps:
@@ -60,6 +92,38 @@ jobs:
         with:
           fetch-depth: 0
 
+      - name: GSM Secrets
+        id: secrets_manager
+        uses: toptal/davinci-github-actions/gsm-secrets@ci-add-gsm-actions-to-public-repos
+        with:
+          workload_identity_provider: ${{ secrets.IDENTITY_POOL }}
+          service_account: ${{ secrets.SA_IDENTITY_POOL }}
+          secrets_name: |-
+            HAPPO_API_KEY:toptal-ci/PICASSO_HAPPO_API_KEY
+            HAPPO_API_SECRET:toptal-ci/PICASSO_HAPPO_API_SECRET
+            HTTP_PROXY:toptal-ci/HTTP_PROXY
+            NPM_TOKEN:toptal-ci/NPM_TOKEN
+            TOPTAL_DEVBOT_TOKEN:toptal-ci/TOPTAL_DEVBOT_TOKEN
+            TOPTAL_TRIGGERBOT_BUILD_TOKEN:toptal-ci/TOPTAL_TRIGGERBOT_BUILD_TOKEN
+            TOPTAL_TRIGGERBOT_USERNAME:toptal-ci/TOPTAL_TRIGGERBOT_USERNAME
+                
+      - name: Parse secrets
+        id: parse_secrets
+        uses: toptal/davinci-github-actions/expose-json-outputs@ci-add-gsm-actions-to-public-repos
+        with:
+          json: ${{ steps.secrets_manager.outputs.secrets }}
+
+      - name: Set ENV Variables
+        run: |-
+          echo "TOPTAL_DEVBOT_TOKEN=${{ steps.parse_secrets.outputs.TOPTAL_DEVBOT_TOKEN }}" >> $GITHUB_ENV
+          echo "NPM_TOKEN=${{ steps.parse_secrets.outputs.NPM_TOKEN }}" >> $GITHUB_ENV
+          echo "HTTP_PROXY=${{ steps.parse_secrets.outputs.HTTP_PROXY }}" >> $GITHUB_ENV
+          echo "HAPPO_API_KEY=${{ steps.parse_secrets.outputs.HAPPO_API_KEY }}" >> $GITHUB_ENV
+          echo "HAPPO_API_SECRET=${{ steps.parse_secrets.outputs.HAPPO_API_SECRET }}" >> $GITHUB_ENV
+          echo "JENKINS_USER=${{ steps.parse_secrets.outputs.TOPTAL_TRIGGERBOT_USERNAME }}" >> $GITHUB_ENV
+          echo "JENKINS_BUILD_TOKEN=${{ steps.parse_secrets.outputs.TOPTAL_TRIGGERBOT_BUILD_TOKEN }}" >> $GITHUB_ENV
+          echo "PROXY=${{ steps.parse_secrets.outputs.HTTP_PROXY }}" >> $GITHUB_ENV
+                  
       - name: Set up Node.js
         uses: actions/setup-node@v4
         with:
@@ -104,12 +168,47 @@ jobs:
     if: ${{ github.event.pull_request.head.ref != 'changeset-release/master' }}
     name: Storybook Visual Tests
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     needs: [static-checks]
 
     steps:
       - name: Checkout
         uses: actions/checkout@v4
 
+      - name: GSM Secrets
+        id: secrets_manager
+        uses: toptal/davinci-github-actions/gsm-secrets@ci-add-gsm-actions-to-public-repos
+        with:
+          workload_identity_provider: ${{ secrets.IDENTITY_POOL }}
+          service_account: ${{ secrets.SA_IDENTITY_POOL }}
+          secrets_name: |-
+            HAPPO_API_KEY:toptal-ci/PICASSO_HAPPO_API_KEY
+            HAPPO_API_SECRET:toptal-ci/PICASSO_HAPPO_API_SECRET
+            HTTP_PROXY:toptal-ci/HTTP_PROXY
+            NPM_TOKEN:toptal-ci/NPM_TOKEN
+            TOPTAL_DEVBOT_TOKEN:toptal-ci/TOPTAL_DEVBOT_TOKEN
+            TOPTAL_TRIGGERBOT_BUILD_TOKEN:toptal-ci/TOPTAL_TRIGGERBOT_BUILD_TOKEN
+            TOPTAL_TRIGGERBOT_USERNAME:toptal-ci/TOPTAL_TRIGGERBOT_USERNAME
+                
+      - name: Parse secrets
+        id: parse_secrets
+        uses: toptal/davinci-github-actions/expose-json-outputs@ci-add-gsm-actions-to-public-repos
+        with:
+          json: ${{ steps.secrets_manager.outputs.secrets }}
+
+      - name: Set ENV Variables
+        run: |-
+          echo "TOPTAL_DEVBOT_TOKEN=${{ steps.parse_secrets.outputs.TOPTAL_DEVBOT_TOKEN }}" >> $GITHUB_ENV
+          echo "NPM_TOKEN=${{ steps.parse_secrets.outputs.NPM_TOKEN }}" >> $GITHUB_ENV
+          echo "HTTP_PROXY=${{ steps.parse_secrets.outputs.HTTP_PROXY }}" >> $GITHUB_ENV
+          echo "HAPPO_API_KEY=${{ steps.parse_secrets.outputs.HAPPO_API_KEY }}" >> $GITHUB_ENV
+          echo "HAPPO_API_SECRET=${{ steps.parse_secrets.outputs.HAPPO_API_SECRET }}" >> $GITHUB_ENV
+          echo "JENKINS_USER=${{ steps.parse_secrets.outputs.TOPTAL_TRIGGERBOT_USERNAME }}" >> $GITHUB_ENV
+          echo "JENKINS_BUILD_TOKEN=${{ steps.parse_secrets.outputs.TOPTAL_TRIGGERBOT_BUILD_TOKEN }}" >> $GITHUB_ENV
+          echo "PROXY=${{ steps.parse_secrets.outputs.HTTP_PROXY }}" >> $GITHUB_ENV
+                  
       - name: Set up Node.js
         uses: actions/setup-node@v4
         with:
@@ -128,28 +227,58 @@ jobs:
   integration-tests:
     name: Integration Tests
     uses: ./.github/workflows/davinci-integration-tests.yml
-    secrets:
-      TOPTAL_DEVBOT_TOKEN: ${{ secrets.TOPTAL_DEVBOT_TOKEN }}
-      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-      HAPPO_API_KEY: ${{ secrets.HAPPO_API_KEY }}
-      HAPPO_API_SECRET: ${{ secrets.HAPPO_API_SECRET }}
 
   deploy-docs:
     if: ${{ github.event.pull_request.head.ref != 'changeset-release/master' }}
     name: Deploy Picasso docs
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     needs: [build-docker-image]
 
     steps:
+      - name: GSM Secrets
+        id: secrets_manager
+        uses: toptal/davinci-github-actions/gsm-secrets@ci-add-gsm-actions-to-public-repos
+        with:
+          workload_identity_provider: ${{ secrets.IDENTITY_POOL }}
+          service_account: ${{ secrets.SA_IDENTITY_POOL }}
+          secrets_name: |-
+            HAPPO_API_KEY:toptal-ci/PICASSO_HAPPO_API_KEY
+            HAPPO_API_SECRET:toptal-ci/PICASSO_HAPPO_API_SECRET
+            HTTP_PROXY:toptal-ci/HTTP_PROXY
+            NPM_TOKEN:toptal-ci/NPM_TOKEN
+            TOPTAL_DEVBOT_TOKEN:toptal-ci/TOPTAL_DEVBOT_TOKEN
+            TOPTAL_TRIGGERBOT_BUILD_TOKEN:toptal-ci/TOPTAL_TRIGGERBOT_BUILD_TOKEN
+            TOPTAL_TRIGGERBOT_USERNAME:toptal-ci/TOPTAL_TRIGGERBOT_USERNAME
+                
+      - name: Parse secrets
+        id: parse_secrets
+        uses: toptal/davinci-github-actions/expose-json-outputs@ci-add-gsm-actions-to-public-repos
+        with:
+          json: ${{ steps.secrets_manager.outputs.secrets }}
+
+      - name: Set ENV Variables
+        run: |-
+          echo "TOPTAL_DEVBOT_TOKEN=${{ steps.parse_secrets.outputs.TOPTAL_DEVBOT_TOKEN }}" >> $GITHUB_ENV
+          echo "NPM_TOKEN=${{ steps.parse_secrets.outputs.NPM_TOKEN }}" >> $GITHUB_ENV
+          echo "HTTP_PROXY=${{ steps.parse_secrets.outputs.HTTP_PROXY }}" >> $GITHUB_ENV
+          echo "HAPPO_API_KEY=${{ steps.parse_secrets.outputs.HAPPO_API_KEY }}" >> $GITHUB_ENV
+          echo "HAPPO_API_SECRET=${{ steps.parse_secrets.outputs.HAPPO_API_SECRET }}" >> $GITHUB_ENV
+          echo "JENKINS_USER=${{ steps.parse_secrets.outputs.TOPTAL_TRIGGERBOT_USERNAME }}" >> $GITHUB_ENV
+          echo "JENKINS_BUILD_TOKEN=${{ steps.parse_secrets.outputs.TOPTAL_TRIGGERBOT_BUILD_TOKEN }}" >> $GITHUB_ENV
+          echo "PROXY=${{ steps.parse_secrets.outputs.HTTP_PROXY }}" >> $GITHUB_ENV
+                  
       - name: Trigger doc deployment job
         uses: toptal/[email protected]
         env:
           BRANCH: ${{ github.event.pull_request.head.ref }}
           PR_ID: ${{ github.event.pull_request.number }}
         with:
           jenkins_url: https://jenkins-build.toptal.net/
-          jenkins_user: ${{ secrets.TOPTAL_TRIGGERBOT_USERNAME }}
-          jenkins_token: ${{ secrets.TOPTAL_TRIGGERBOT_BUILD_TOKEN }}
+          jenkins_user: ${{ steps.parse_secrets.outputs.TOPTAL_TRIGGERBOT_USERNAME }}
+          jenkins_token: ${{ steps.parse_secrets.outputs.TOPTAL_TRIGGERBOT_BUILD_TOKEN }}
           proxy: ${{ env.HTTP_PROXY }}
           job_name: picasso-docs
           job_params: |

diff --git a/.github/workflows/danger.yaml b/.github/workflows/danger.yaml
@@ -13,13 +13,36 @@ jobs:
   danger:
     name: Check
     runs-on: ubuntu-latest
-    env:
-      GITHUB_TOKEN: ${{ secrets.TOPTAL_DEVBOT_TOKEN }}
+    permissions:
+      contents: write
+      id-token: write
+      actions: write
+      issues: write
+      pull-requests: write
     if: ${{ github.event.pull_request.head.ref != 'changeset-release/master' }}
     steps:
       - name: Checkout project
         uses: actions/checkout@v4
 
+      - name: GSM Secrets
+        id: secrets_manager
+        uses: toptal/davinci-github-actions/gsm-secrets@ci-add-gsm-actions-to-public-repos
+        with:
+          workload_identity_provider: ${{ secrets.IDENTITY_POOL }}
+          service_account: ${{ secrets.SA_IDENTITY_POOL }}
+          secrets_name: |-
+            TOPTAL_DEVBOT_TOKEN:toptal-ci/TOPTAL_DEVBOT_TOKEN
+                
+      - name: Parse secrets
+        id: parse_secrets
+        uses: toptal/davinci-github-actions/expose-json-outputs@ci-add-gsm-actions-to-public-repos
+        with:
+          json: ${{ steps.secrets_manager.outputs.secrets }}
+
+      - name: Set ENV Variables
+        run: |-
+          echo "GITHUB_TOKEN=${{ steps.parse_secrets.outputs.TOPTAL_DEVBOT_TOKEN }}" >> $GITHUB_ENV
+                  
       - name: Set up Node.js
         uses: actions/setup-node@v4
         with:

diff --git a/.github/workflows/davinci-alpha-package.yml b/.github/workflows/davinci-alpha-package.yml
@@ -2,7 +2,7 @@ name: Release Alpha Package
 
 on:
   issue_comment:
-    types: [ created ]
+    types: [created]
 
 jobs:
   triggerPrWorkflow:
@@ -11,12 +11,40 @@ jobs:
       github.event.issue.pull_request &&
       github.event.comment.body == '@toptal-bot run package:alpha-release'
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
+      actions: write
+      issues: write
+      pull-requests: write
     env:
-      GITHUB_TOKEN: ${{ secrets.TOPTAL_DEVBOT_TOKEN }}
-      NPM_TOKEN: ${{ secrets.NPM_TOKEN_PUBLISH }}
       STATUS_CHECK_NAME: Publish Alpha Package
       STATUS_TARGET_URL: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}
     steps:
+      - name: GSM Secrets
+        id: secrets_manager
+        uses: toptal/davinci-github-actions/gsm-secrets@ci-add-gsm-actions-to-public-repos
+        with:
+          workload_identity_provider: ${{ secrets.IDENTITY_POOL }}
+          service_account: ${{ secrets.SA_IDENTITY_POOL }}
+          secrets_name: |-
+            HTTP_PROXY:toptal-ci/HTTP_PROXY
+            NPM_TOKEN_PUBLISH:toptal-ci/NPM_TOKEN_PUBLISH
+            TOPTAL_DEVBOT_TOKEN:toptal-ci/TOPTAL_DEVBOT_TOKEN
+            TOPTAL_TRIGGERBOT_BUILD_TOKEN:toptal-ci/TOPTAL_TRIGGERBOT_BUILD_TOKEN
+            TOPTAL_TRIGGERBOT_USERNAME:toptal-ci/TOPTAL_TRIGGERBOT_USERNAME
+                
+      - name: Parse secrets
+        id: parse_secrets
+        uses: toptal/davinci-github-actions/expose-json-outputs@ci-add-gsm-actions-to-public-repos
+        with:
+          json: ${{ steps.secrets_manager.outputs.secrets }}
+
+      - name: Set ENV Variables
+        run: |-
+          echo "GITHUB_TOKEN=${{ steps.parse_secrets.outputs.TOPTAL_DEVBOT_TOKEN }}" >> $GITHUB_ENV
+          echo "NPM_TOKEN=${{ steps.parse_secrets.outputs.NPM_TOKEN_PUBLISH }}" >> $GITHUB_ENV
+                  
       - name: Feedback on action started
         uses: actions/github-script@v6
         with:
@@ -107,9 +135,9 @@ jobs:
       - uses: toptal/davinci-github-actions/[email protected]
         name: Create Jira deployment
         env:
-          JENKINS_USER: ${{ secrets.TOPTAL_TRIGGERBOT_USERNAME }}
-          JENKINS_BUILD_TOKEN: ${{ secrets.TOPTAL_TRIGGERBOT_BUILD_TOKEN }}
-          PROXY: http://${{ secrets.HTTP_PROXY }}
+          JENKINS_USER: ${{ steps.parse_secrets.outputs.TOPTAL_TRIGGERBOT_USERNAME }}
+          JENKINS_BUILD_TOKEN: ${{ steps.parse_secrets.outputs.TOPTAL_TRIGGERBOT_BUILD_TOKEN }}
+          PROXY: http://${{ steps.parse_secrets.outputs.HTTP_PROXY }}
         with:
           token: ${{ env.GITHUB_TOKEN }}
           environment: development