chore(gha): use Keeper secrets

bonitasoft · Jun 19, 2024 · 29fd09c · 29fd09c
1 parent 1c807e7
commit 29fd09c
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 17 deletions.
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -19,20 +19,26 @@ jobs:
         with:
           ref: ${{ github.event.inputs.tag }}
 
+      - uses: Keeper-Security/ksm-action@v1
+        with:
+          keeper-secret-config: ${{ secrets.KSM_CONFIG }}
+          secrets: |
+            ${{ vars.KEEPER_OSSRH_RECORD_ID }}/field/login > env:MAVEN_USERNAME
+            ${{ vars.KEEPER_OSSRH_RECORD_ID }}/field/password > env:MAVEN_PASSWORD
+            ${{ vars.KEEPER_GPG_ARTIFACT_SIGNING_RECORD_ID }}/field/login > env:GPG_KEYNAME
+            ${{ vars.KEEPER_GPG_ARTIFACT_SIGNING_RECORD_ID }}/custom_field/gpg-private-key > env:GPG_PRIVATE_KEY
+            ${{ vars.KEEPER_GPG_ARTIFACT_SIGNING_RECORD_ID }}/field/password > env:MAVEN_GPG_PASSPHRASE
+
       - name: Setup Java
         uses: actions/setup-java@v4
         with:
           distribution: "temurin"
           java-version: 17
           server-id: ossrh # Value of the distributionManagement/repository/id field of the pom.xml
           server-username: MAVEN_USERNAME # env variable for username in deploy
-          server-password: MAVEN_CENTRAL_TOKEN # env variable for token in deploy
-          gpg-private-key: ${{ secrets.gpg_private_key }} # Value of the GPG private key to import
+          server-password: MAVEN_PASSWORD # env variable for token in deploy
+          gpg-private-key: ${{ env.GPG_PRIVATE_KEY }} # Value of the GPG private key to import
           gpg-passphrase: MAVEN_GPG_PASSPHRASE # env variable for GPG private key passphrase
 
       - name: Publish tag
-        env:
-          MAVEN_USERNAME: ${{ secrets.ossrh_username }}
-          MAVEN_CENTRAL_TOKEN: ${{ secrets.ossrh_password }}
-          MAVEN_GPG_PASSPHRASE: ${{ secrets.gpg_passphrase }}
         run: ./mvnw -ntp --batch-mode deploy -Prelease
diff --git a/.github/workflows/workflow-PR.yml b/.github/workflows/workflow-PR.yml
@@ -32,22 +32,29 @@ jobs:
           java-version: 17
           cache: "maven"
 
+      - uses: Keeper-Security/ksm-action@v1
+        env:
+          KSM_CONFIG: ${{ secrets.KSM_CONFIG }}
+        if: ${{ env.KSM_CONFIG != '' }}
+        with:
+          keeper-secret-config: ${{ secrets.KSM_CONFIG }}
+          secrets: |
+            ${{ vars.KEEPER_SONARCLOUD_RECORD_ID }}/field/login > env:SONAR_TOKEN
+
       - name: Build with Sonarcloud
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
         if: ${{ env.SONAR_TOKEN != '' }}
-        run: ./mvnw -B -ntp clean verify sonar:sonar -Dsonar.login=${{ secrets.SONAR_TOKEN }}
+        run: ./mvnw -B -ntp clean verify sonar:sonar
 
       - name: Build
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
         if: ${{ env.SONAR_TOKEN == '' }}
         run: ./mvnw -B -ntp clean verify
 
       - name: Publish Test Report
         uses: mikepenz/action-junit-report@v4
-        if: success() || failure() # always run even if the previous step fails
+        if: always() # always run even if the previous step fails
         with:
           report_paths: "**/target/*-reports/TEST-*.xml"
diff --git a/.github/workflows/workflow-build.yml b/.github/workflows/workflow-build.yml
@@ -21,6 +21,17 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
+      - uses: Keeper-Security/ksm-action@v1
+        with:
+          keeper-secret-config: ${{ secrets.KSM_CONFIG }}
+          secrets: |
+            ${{ vars.KEEPER_SONARCLOUD_RECORD_ID }}/field/login > env:SONAR_TOKEN
+            ${{ vars.KEEPER_OSSRH_RECORD_ID }}/field/login > env:MAVEN_USERNAME
+            ${{ vars.KEEPER_OSSRH_RECORD_ID }}/field/password > env:MAVEN_PASSWORD
+            ${{ vars.KEEPER_GPG_ARTIFACT_SIGNING_RECORD_ID }}/field/login > env:GPG_KEYNAME
+            ${{ vars.KEEPER_GPG_ARTIFACT_SIGNING_RECORD_ID }}/custom_field/gpg-private-key > env:GPG_PRIVATE_KEY
+            ${{ vars.KEEPER_GPG_ARTIFACT_SIGNING_RECORD_ID }}/field/password > env:MAVEN_GPG_PASSPHRASE
+
       - name: Setup Java
         uses: actions/setup-java@v4
         with:
@@ -29,15 +40,11 @@ jobs:
           cache: "maven"
           server-id: ossrh # Value of the distributionManagement/repository/id field of the pom.xml
           server-username: MAVEN_USERNAME # env variable for username in deploy
-          server-password: MAVEN_CENTRAL_TOKEN # env variable for token in deploy
-          gpg-private-key: ${{ secrets.gpg_private_key }} # Value of the GPG private key to import
+          server-password: MAVEN_PASSWORD # env variable for token in deploy
+          gpg-private-key: ${{ env.GPG_PRIVATE_KEY }} # Value of the GPG private key to import
           gpg-passphrase: MAVEN_GPG_PASSPHRASE # env variable for GPG private key passphrase
 
       - name: Build and deploy
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-          MAVEN_USERNAME: ${{ secrets.ossrh_username }}
-          MAVEN_CENTRAL_TOKEN: ${{ secrets.ossrh_password }}
-          MAVEN_GPG_PASSPHRASE: ${{ secrets.gpg_passphrase }}
-        run: ./mvnw -B -ntp clean deploy sonar:sonar -Dsonar.login=${{ secrets.SONAR_TOKEN }}
+        run: ./mvnw -B -ntp clean deploy sonar:sonar