From b6ad26617cc22c2ce54fa978b45e5ac617912cb6 Mon Sep 17 00:00:00 2001
From: "Ch.-David Blot"
Date: Thu, 16 Apr 2026 11:20:20 +0200
Subject: [PATCH 1/2] =?UTF-8?q?=F0=9F=8D=BB=20draft:=20try=20vault=20actio?= =?UTF-8?q?n?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .github/workflows/code-check-identified.yml | 57 ++++++++++++++-------
 1 file changed, 38 insertions(+), 19 deletions(-)
diff --git a/.github/workflows/code-check-identified.yml b/.github/workflows/code-check-identified.yml
index 44776f6..41374a7 100644
--- a/.github/workflows/code-check-identified.yml
+++ b/.github/workflows/code-check-identified.yml
@@ -7,27 +7,46 @@ on:
 permissions:
 contents: read
+ id-token: write
 jobs:
 code-check:
- runs-on: ubuntu-24.04
- environment: eu-west-2
+ runs-on: [vault]
 if: "! contains(github.event.pull_request.labels.*.name, 'dependencies')"
 steps:
- - name: 🧹 Frieza
- uses: outscale/frieza-github-actions/frieza-clean@68ffd39d7e181f3548369e332242b329b04a3182 # master
- with:
- access_key: ${{ secrets.OSC_ACCESS_KEY }}
- secret_key: ${{ secrets.OSC_SECRET_KEY }}
- region: ${{ secrets.OSC_REGION }}
- - name: ⬇️ Checkout repository
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
- - name: Setup toolchain
- uses: ./.github/actions/setup-test
- - name: 🧪 Run integration tests
- env:
- OSC_ACCESS_KEY: ${{ secrets.OSC_ACCESS_KEY }}
- OSC_SECRET_KEY: ${{ secrets.OSC_SECRET_KEY }}
- OSC_TEST_LOGIN: ${{ secrets.OSC_TEST_LOGIN }}
- OSC_TEST_PASSWORD: ${{ secrets.OSC_TEST_PASSWORD }}
- run: make test-int
+ - name: 🔒️ Import Secrets
+ id: import-secrets
+ uses: hashicorp/vault-action@v2
+ with:
+ url: http://127.0.0.1:8200/
+ method: jwt
+ path: github-action
+ exportEnv: false
+ outputToken: true
+ role: outscale-osc-sdk-python
+ secrets: |
+ osc-oak/root-creds/outscale-osc-sdk-python access_key | OSC_ACCESS_KEY ;
+ osc-oak/root-creds/outscale-osc-sdk-python secret_key | OSC_SECRET_KEY ;
+ osc-oak/config region | OSC_REGION ;
+
+ - name: 🧹 Frieza
+ uses: outscale/frieza-github-actions/frieza-clean@68ffd39d7e181f3548369e332242b329b04a3182 # master
+ with:
+ access_key: ${{ steps.import-secrets.outputs.OSC_ACCESS_KEY }}
+ secret_key: ${{ steps.import-secrets.outputs.OSC_SECRET_KEY }}
+ region: ${{ steps.import-secrets.outputs.OSC_REGION }}
+ post_script: |
+ curl -XPOST -sv \
+ -H "X-Vault-Token: ${{ steps.import-secrets.outputs.vault_token }}" \
+ http://127.0.0.1:8200/v1/auth/token/revoke-self
+
+ - name: ⬇️ Checkout repository
+ uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+ - name: Setup toolchain
+ uses: ./.github/actions/setup-test
+ - name: 🧪 Run integration tests
+ env:
+ OSC_ACCESS_KEY: ${{ steps.import-secrets.outputs.OSC_ACCESS_KEY }}
+ OSC_SECRET_KEY: ${{ steps.import-secrets.outputs.OSC_SECRET_KEY }}
+ OSC_REGION: ${{ steps.import-secrets.outputs.OSC_REGION }}
+ run: make test-int
From a6c5286005208899fa127712c28a75bb88d0d206 Mon Sep 17 00:00:00 2001
From: "Ch.-David Blot"
Date: Fri, 26 Jun 2026 11:33:26 +0200
Subject: [PATCH 2/2] =?UTF-8?q?=F0=9F=8D=BB=20draft:=20try=20composit=20ac?= =?UTF-8?q?tion?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .github/workflows/code-check-identified.yml | 39 ++++++---------------
 1 file changed, 11 insertions(+), 28 deletions(-)
diff --git a/.github/workflows/code-check-identified.yml b/.github/workflows/code-check-identified.yml
index 41374a7..63af017 100644
--- a/.github/workflows/code-check-identified.yml
+++ b/.github/workflows/code-check-identified.yml
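Review bot: `uses: hashicorp/vault-action@v2` is the one step in the new job pinned to a mutable tag, while the checkout and Frieza steps are pinned to full commit SHAs with a version comment; since this is the step that consumes the job's OIDC token and hands back the account credentials, pin it the same way, `uses: hashicorp/vault-action@<full-commit-sha> # <v2 release tag>`. In the Frieza `post_script`, `curl -XPOST -sv` prints the outgoing request headers, including `X-Vault-Token`, to stderr and therefore into the job log, so the token's confidentiality rests on GitHub's log masking alone; replacing that line with `curl -sS --fail -o /dev/null -X POST \` keeps the revoke-self call and logs nothing sensitive. Dropping `environment: eu-west-2` also removes any protection rules or required reviewers attached to that environment, which may be intended but deserves a word in the commit message. The previous step passed `OSC_TEST_LOGIN` and `OSC_TEST_PASSWORD` to `make test-int` and the new one does not; if the integration tests still read them this will only surface at runtime.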
@@ -11,42 +11,25 @@ permissions:
 jobs:
 code-check:
- runs-on: [vault]
+ runs-on: [authenticated, Linux]
 if: "! contains(github.event.pull_request.labels.*.name, 'dependencies')"
 steps:
- - name: 🔒️ Import Secrets
- id: import-secrets
- uses: hashicorp/vault-action@v2
+ - name: 🔒🧹 Setup Vault & Frieza
+ id: secrets
+ uses: outscale/.github/vault-frieza-clean@eb7bd1e0360703d0ad355bce46029ae8d49bac04
 with:
- url: http://127.0.0.1:8200/
- method: jwt
- path: github-action
- exportEnv: false
- outputToken: true
- role: outscale-osc-sdk-python
- secrets: |
- osc-oak/root-creds/outscale-osc-sdk-python access_key | OSC_ACCESS_KEY ;
- osc-oak/root-creds/outscale-osc-sdk-python secret_key | OSC_SECRET_KEY ;
- osc-oak/config region | OSC_REGION ;
-
- - name: 🧹 Frieza
- uses: outscale/frieza-github-actions/frieza-clean@68ffd39d7e181f3548369e332242b329b04a3182 # master
- with:
- access_key: ${{ steps.import-secrets.outputs.OSC_ACCESS_KEY }}
- secret_key: ${{ steps.import-secrets.outputs.OSC_SECRET_KEY }}
- region: ${{ steps.import-secrets.outputs.OSC_REGION }}
- post_script: |
- curl -XPOST -sv \
- -H "X-Vault-Token: ${{ steps.import-secrets.outputs.vault_token }}" \
- http://127.0.0.1:8200/v1/auth/token/revoke-self
+ vault_role: outscale-osc-sdk-python
+ osc_account: elm
 - name: ⬇️ Checkout repository
 uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+
 - name: Setup toolchain
 uses: ./.github/actions/setup-test
+
 - name: 🧪 Run integration tests
 env:
- OSC_ACCESS_KEY: ${{ steps.import-secrets.outputs.OSC_ACCESS_KEY }}
- OSC_SECRET_KEY: ${{ steps.import-secrets.outputs.OSC_SECRET_KEY }}
- OSC_REGION: ${{ steps.import-secrets.outputs.OSC_REGION }}
+ OSC_ACCESS_KEY: ${{ steps.secrets.outputs.access_key }}
+ OSC_SECRET_KEY: ${{ steps.secrets.outputs.secret_key }}
+ OSC_REGION: ${{ steps.secrets.outputs.region }}
 run: make test-int
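Review bot: The explicit `revoke-self` call that the previous commit ran from the Frieza `post_script` is removed here and nothing in the hunk replaces it, so unless `outscale/.github/vault-frieza-clean` revokes the Vault token in its own post step, the token minted for this job stays valid until its TTL expires after the workflow has finished. Please confirm the composite action does this (the pinned commit is not visible from here) and, if it does not, add a final step that revokes it. `uses: outscale/.github/vault-frieza-clean@eb7bd1e0360703d0ad355bce46029ae8d49bac04` is SHA-pinned, which is good, but unlike `actions/checkout@... # v6` it carries no version comment; `# <tag or branch>` would keep the file's pinning convention and let dependency tooling track updates. `runs-on: [authenticated, Linux]` ties the job's trust boundary to whoever can register self-hosted runners with those labels, so a one-line comment above it naming the runner pool that owns them would help the next reader.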