This repository has been archived by the owner on Mar 13, 2024. It is now read-only.
use self-hosted action runner #1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Credit to Ned in the Cloud for the Majority of the demo scaffolding. See his 2022 HashiConf Demo | |
name: OIDC Access Test | |
on: push | |
permissions: | |
id-token: write | |
contents: read | |
jobs: | |
read-secret: | |
runs-on: self-hosted | |
steps: | |
# Checkout the repository to the GitHub Actions runner | |
- name: Checkout | |
uses: actions/checkout@v2 | |
# Shout out to Benjamin Pannell at Sierra Softworks for this | |
# https://sierrasoftworks.com/2021/12/20/vault-github-actions/#policies | |
- name: Troubleshooting | |
run: | | |
curl -sSL -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL" | \ | |
jq "{ jwt: .value, role: \"$VAULT_ROLE\" }" > ./token.json | |
echo 'GitHub Actions Token Claims' | |
cat ./token.json | jq -r '.jwt | split(".") | .[1] | @base64d' | jq | |
echo 'Vault Login Response' | |
curl -sSLf -X POST -H "Content-Type: application/json" -H "X-Vault-Namespace: admin" --data @token.json $VAULT_URL/v1/auth/$VAULT_AUTH_PATH/login | |
# Remove the token file when we're done (if we don't fail) | |
rm ./token.json | |
env: | |
VAULT_URL: ${{ secrets.VAULT_ADDR }} | |
VAULT_AUTH_PATH: jwt | |
VAULT_ROLE: ${{ secrets.VAULT_ROLE }} | |
# Retrieve a single secret and define a new name: https://github.com/marketplace/actions/vault-secrets#set-output-variable-name | |
- name: Retrieve Secrets | |
id: secretdata | |
uses: hashicorp/vault-action@v2.4.0 | |
with: | |
method: jwt | |
url: ${{ secrets.VAULT_ADDR }} | |
namespace: ${{ secrets.VAULT_NAMESPACE }} | |
role: ${{ secrets.VAULT_ROLE }} | |
secrets: ${{ secrets.VAULT_SECRET_PATH }} ${{ secrets.VAULT_SECRET_KEY }} | MY_SECRET | |
- name: Print Secrets | |
run: | | |
echo '${{ steps.secretdata.outputs.MY_SECRET }}' | |
# Retrieve Multiple secrets https://github.com/marketplace/actions/vault-secrets#multiple-secrets | |
- name: Import Secrets | |
uses: hashicorp/vault-action@v2 | |
with: | |
method: jwt | |
url: ${{ secrets.VAULT_ADDR }} | |
role: ${{ secrets.VAULT_ROLE }} | |
namespace: admin | |
secrets: | | |
kv/data/ci app_secret ; | |
kv/data/ci app_user | |
- name: Login to DockerHub | |
uses: docker/login-action@v2 | |
with: | |
username: ${{env.APP_USER}} | |
password: ${{env.APP_SECRET}} |