diff --git a/.github/workflows/backport.yml b/.github/workflows/backport.yml
index 6aa0fc0e2d4..48ec44eacf6 100644
--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -13,6 +13,23 @@ jobs:
     runs-on: ubuntu-latest
     container: hashicorpdev/backport-assistant:0.2.3
     steps:
+      # retrieve secrets from Vault (ENT-only right now)
+      - name: Authenticate to Vault
+        if: endsWith(github.repository, '-enterprise')
+        id: vault-auth
+        run: vault-auth
+      - name: Fetch Secrets
+        if: endsWith(github.repository, '-enterprise')
+        id: secrets
+        uses: hashicorp/vault-action@v2.5.0
+        with:
+          url: ${{ steps.vault-auth.outputs.addr }}
+          caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
+          token: ${{ steps.vault-auth.outputs.token }}
+          exportEnv: false
+          secrets: |
+            kv/data/github/hashicorp/${{ github.repository }}/gha ELEVATED_GITHUB_TOKEN ;
+
       - name: Backport changes to stable-website
         run: |
           backport-assistant backport -merge-method=squash -automerge
@@ -21,7 +38,7 @@ jobs:
           BACKPORT_TARGET_TEMPLATE: "stable-{{.target}}"
           # Enabling this option increased the number of backport failures.
           BACKPORT_MERGE_COMMIT: false
-          GITHUB_TOKEN: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ endswith(github.repository, '-enterprise') && steps.secrets.outputs.ELEVATED_GITHUB_TOKEN || secrets.ELEVATED_GITHUB_TOKEN }}
       - name: Backport changes to targeted release branch
         run: |
           backport-assistant backport -merge-method=squash -automerge
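Review bot: `uses: hashicorp/vault-action@v2.5.0` in the new Fetch Secrets step is pinned to a mutable tag, while every other third-party action in these workflows is pinned to a full commit SHA with a version comment (`actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2`, `slackapi/slack-github-action@007b2c3c751a190b6f0f040e47ed024deaa72844 # v1.23.0`); since this step receives the Vault token and hands back an elevated GitHub token, pin it the same way, `uses: hashicorp/vault-action@<commit-sha> # v2.5.0`. The identical block is copied into handle-failure, into release.yml and twice into test-ui.yml, so the same fix applies to all five hunks, and a composite action in the repository would keep the five copies from drifting apart. `run: vault-auth` here executes inside `container: hashicorpdev/backport-assistant:0.2.3`, and nothing in the hunk shows that the image provides that helper or how it sets the `addr`, `ca_certificate` and `token` outputs the next step reads; worth confirming, because the `|| secrets.ELEVATED_GITHUB_TOKEN` fallback further down only covers an empty output, not a failed step.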
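Review bot: The new `GITHUB_TOKEN` expression falls back to `secrets.ELEVATED_GITHUB_TOKEN` whenever `steps.secrets.outputs.ELEVATED_GITHUB_TOKEN` is empty, so in an enterprise repository a skipped or empty Vault read silently reverts to the repository secret, and once that secret is retired the env var becomes an empty string and the backport only fails at its first API call. A one-line guard in the backport step would make that explicit: `test -n "$GITHUB_TOKEN" || { echo "::error::no GitHub token resolved"; exit 1; }` as the first line of `run:`. The same pattern is used for `GITHUB_TOKEN` and `SLACK_WEBHOOK_URL` in the two hunks below, for `GH_TOKEN` in release.yml and for `PERCY_TOKEN` in test-ui.yml. As a style point, `endswith` here and `endsWith` in the step `if:` are both accepted as far as I know (expression function names are matched case-insensitively), but one spelling per file reads better.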
@@ -30,13 +47,30 @@ jobs:
           BACKPORT_TARGET_TEMPLATE: "release/{{.target}}"
           # Enabling this option increased the number of backport failures.
           BACKPORT_MERGE_COMMIT: false
-          GITHUB_TOKEN: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ endswith(github.repository, '-enterprise') && steps.secrets.outputs.ELEVATED_GITHUB_TOKEN || secrets.ELEVATED_GITHUB_TOKEN }}
   handle-failure:
     needs:
       - backport
     if: always() && needs.backport.result == 'failure'
     runs-on: ubuntu-latest
     steps:
+      # retrieve secrets from Vault (ENT-only right now)
+      - name: Authenticate to Vault
+        if: endsWith(github.repository, '-enterprise')
+        id: vault-auth
+        run: vault-auth
+      - name: Fetch Secrets
+        if: endsWith(github.repository, '-enterprise')
+        id: secrets
+        uses: hashicorp/vault-action@v2.5.0
+        with:
+          url: ${{ steps.vault-auth.outputs.addr }}
+          caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
+          token: ${{ steps.vault-auth.outputs.token }}
+          exportEnv: false
+          secrets: |
+            kv/data/teams/nomad/slack-webhooks feed-nomad | SLACK_FEED_NOMAD ;
+
       - name: Send slack notification on failure
         uses: slackapi/slack-github-action@007b2c3c751a190b6f0f040e47ed024deaa72844 # v1.23.0
         with:
@@ -69,7 +103,7 @@ jobs:
             ]
           }
         env:
-          SLACK_WEBHOOK_URL: ${{ secrets.BACKPORT_ASSISTANT_FAILURE_SLACK }}
+          SLACK_WEBHOOK_URL: ${{ endswith(github.repository, '-enterprise') && steps.secrets.outputs.SLACK_FEED_NOMAD || secrets.BACKPORT_ASSISTANT_FAILURE_SLACK }}
           SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
 permissions:
   contents: read
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 94d8e551060..159219624a4 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
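Review bot: In handle-failure the two new Vault steps sit ahead of the Slack step on the job's only path (`if: always() && needs.backport.result == 'failure'`), so in an enterprise repository a Vault login or read failure fails the notification job itself and the original backport failure is reported nowhere; the `|| secrets.BACKPORT_ASSISTANT_FAILURE_SLACK` fallback on `SLACK_WEBHOOK_URL` in the next hunk is only reached when the step output is empty, not when the step fails. Adding `continue-on-error: true` to both Vault steps in this job would let that fallback take effect for the notification. Whether the OSS webhook secret is still provisioned in the enterprise repository is not visible here, so the fallback may need to be checked separately.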
@@ -33,6 +33,27 @@ jobs:
           echo "::error::Workflow not allowed to run from ${{ github.ref_name }}"
           exit 1
 
+      # retrieve secrets from Vault (ENT-only right now)
+      - name: Authenticate to Vault
+        if: endsWith(github.repository, '-enterprise')
+        id: vault-auth
+        run: vault-auth
+      - name: Fetch Secrets
+        if: endsWith(github.repository, '-enterprise')
+        id: secrets
+        uses: hashicorp/vault-action@v2.5.0
+        with:
+          url: ${{ steps.vault-auth.outputs.addr }}
+          caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
+          token: ${{ steps.vault-auth.outputs.token }}
+          exportEnv: false
+          secrets: |
+            kv/data/github/hashicorp/${{ github.repository }}/gha ELEVATED_GITHUB_TOKEN ;
+      - name: Setup git (ent)
+        if: endsWith(github.repository, '-enterprise')
+        run: |-
+          git config --global url."https://${{ steps.secrets.outputs.ELEVATED_GITHUB_TOKEN }}:@github.com/".insteadOf "https://github.com"
+
       - name: Print release info
         run: |-
           echo "::notice::Release v${{ github.event.inputs.version }} from branch ${{ github.ref_name }}"
@@ -55,9 +76,6 @@ jobs:
       - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
       - name: Setup Git
         run: |-
-          if [ -n "${{ secrets.ELEVATED_GITHUB_TOKEN }}" ]; then
-            git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN }}:@github.com/".insteadOf "https://github.com"
-          fi
           git config --global user.email "github-team-nomad-core@hashicorp.com"
           git config --global user.name "hc-github-team-nomad-core"
 
@@ -141,7 +159,7 @@ jobs:
       - name: Invoke build workflow
         id: invoke-build
         env:
-          GH_TOKEN: ${{ secrets.ELEVATED_GITHUB_TOKEN }}
+          GH_TOKEN: ${{ endswith(github.repository, '-enterprise') && steps.secrets.outputs.ELEVATED_GITHUB_TOKEN || secrets.ELEVATED_GITHUB_TOKEN }}
         run: |
           gh workflow run build.yml --field build-ref=${{ steps.commit-change-push.outputs.build-ref }} --field make-prerelease=false
 
diff --git a/.github/workflows/test-ui.yml b/.github/workflows/test-ui.yml
index 5bd7db46969..7328940d3d9 100644
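Review bot: The new `Setup git (ent)` step installs the token-bearing `insteadOf` rewrite only when the repository name ends in `-enterprise`, while the hunk at -55 removes the `if [ -n "${{ secrets.ELEVATED_GITHUB_TOKEN }}" ]` branch that did the same for any repository with that secret set; the OSS repository therefore loses the rewrite entirely even though `GH_TOKEN` at -141 still falls back to `secrets.ELEVATED_GITHUB_TOKEN` there. If the OSS path no longer needs authenticated git access, a comment on the step such as `# OSS relies on the checkout credentials; only ENT rewrites github.com URLs with the Vault-issued token` would stop a reader from re-adding it; otherwise keep the old guarded branch alongside the new step. Whether -33 and -55 belong to the same job is not visible from these hunks, and the job enclosing -33 starts outside it. If the Vault output is empty the step still writes a `https://:@github.com/` rewrite into the global git config, so tightening the condition to `if: endsWith(github.repository, '-enterprise') && steps.secrets.outputs.ELEVATED_GITHUB_TOKEN != ''` avoids leaving a malformed credential behind.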
--- a/.github/workflows/test-ui.yml
+++ b/.github/workflows/test-ui.yml
@@ -70,12 +70,29 @@ jobs:
         partition: [1, 2, 3, 4]
         split: [4]
     steps:
+      # retrieve secrets from Vault (ENT-only right now)
+      - name: Authenticate to Vault
+        if: endsWith(github.repository, '-enterprise')
+        id: vault-auth
+        run: vault-auth
+      - name: Fetch Secrets
+        if: endsWith(github.repository, '-enterprise')
+        id: secrets
+        uses: hashicorp/vault-action@v2.5.0
+        with:
+          url: ${{ steps.vault-auth.outputs.addr }}
+          caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
+          token: ${{ steps.vault-auth.outputs.token }}
+          exportEnv: false
+          secrets: |
+            kv/data/teams/nomad/ui PERCY_TOKEN ;
+
       - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
       - name: yarn install
         run: yarn install --frozen-lockfile
       - name: ember exam
         env:
-          PERCY_TOKEN: ${{ secrets.PERCY_TOKEN }}
+          PERCY_TOKEN: ${{ endswith(github.repository, '-enterprise') && steps.secrets.outputs.PERCY_TOKEN || secrets.PERCY_TOKEN }}
           PERCY_PARALLEL_NONCE: ${{ needs.pre-test.outputs.nonce }}
         run: yarn exam:parallel --split=${{ matrix.split }} --partition=${{ matrix.partition }}
   finalize:
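Review bot: The Vault login and read now run inside the `tests` matrix (`partition: [1, 2, 3, 4]`), so every workflow run performs four logins and four reads of `kv/data/teams/nomad/ui` for one token, and `finalize` in the next hunk adds a fifth. Repeating the block per job is the right choice over handing the value through a job output, which GitHub as far as I know drops when it detects secret material, but the lifetime of the token issued by `vault-auth` and the audit volume should be sized for that fan-out. A comment above the block such as `# runs once per matrix partition on purpose; do not move the token into a job output` would record the trade-off for the next editor.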
@@ -88,12 +105,29 @@ jobs:
       - pre-test
       - tests
     steps:
+      # retrieve secrets from Vault (ENT-only right now)
+      - name: Authenticate to Vault
+        if: endsWith(github.repository, '-enterprise')
+        id: vault-auth
+        run: vault-auth
+      - name: Fetch Secrets
+        if: endsWith(github.repository, '-enterprise')
+        id: secrets
+        uses: hashicorp/vault-action@v2.5.0
+        with:
+          url: ${{ steps.vault-auth.outputs.addr }}
+          caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }}
+          token: ${{ steps.vault-auth.outputs.token }}
+          exportEnv: false
+          secrets: |
+            kv/data/teams/nomad/ui PERCY_TOKEN ;
+
       - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2
       - name: yarn install
         run: yarn install --frozen-lockfile
       - name: finalize
         env:
-          PERCY_TOKEN: ${{ secrets.PERCY_TOKEN }}
+          PERCY_TOKEN: ${{ endswith(github.repository, '-enterprise') && steps.secrets.outputs.PERCY_TOKEN || secrets.PERCY_TOKEN }}
           PERCY_PARALLEL_NONCE: ${{ needs.pre-test.outputs.nonce }}
         run: yarn percy build:finalize
 permissions: