Breakout 4: Token Vault workflows

[manishapriya94]

Problem Statement:
Token scanning is important to ensure that secrets/tokens aren't exposed (very important for open source projects and the supply chain that depends on them). A repo contains 100 secrets and an org can contain upto 500

Tasks
*lean on maintainer for admin privileges

• checkout the action for Hashicorp vault
• create a .yml file in workflows
• Set up a Vault instance,
• Authentication with GitHub OIDC Token
• Example usage to reference

[ipc103]

2023-04-26

• The goal of this issue is to be able to read secrets from Vault into an action/workflow
• Vault is a Hashicorp service for storing secrets
• OIDC workflows are used to generate short-lived auth tokens
  • This is preferable to generating a long-lived token with read:org
  • https://developer.hashicorp.com/vault/tutorials/auth-methods/oidc-auth
• We have a Vault account already and can use that to generate a Vault instance
  • @wallace, @ipc103, and @manishapriya94 are admins
• We generated a new cluster called hackpod running on AWS
• Vault is open source, but you can buy a subscription through Hashicorp
• To access the Cluster via the CLI, you need to download Vault Open Source Edition and install it locally to use the CLI.

Next Steps

• Follow the instructions after clicking "Access Vault" to access via the CLI
• Follow the GitHub instructions here to enable OIDC for the Hashicorp Vault