From 1990a8c14402f681c92ee4741f4f3077174fdfb9 Mon Sep 17 00:00:00 2001 From: hc-github-team-secure-vault-core <82990506+hc-github-team-secure-vault-core@users.noreply.github.com> Date: Fri, 16 Jun 2023 13:10:36 -0400 Subject: [PATCH] backport of commit 30aac443d0037852b0a5e4b50d59a9bedc5e4445 (#21324) Co-authored-by: miagilepner --- .../scripts/generate-test-package-lists.sh | 1 + .github/workflows/test-go.yml | 29 +++++++++++++++++++ 2 files changed, 30 insertions(+) diff --git a/.github/scripts/generate-test-package-lists.sh b/.github/scripts/generate-test-package-lists.sh index 6f9abff64a1f..64ebd1e585d8 100755 --- a/.github/scripts/generate-test-package-lists.sh +++ b/.github/scripts/generate-test-package-lists.sh @@ -277,6 +277,7 @@ test_packages[15]+=" $base/physical/mysql" test_packages[15]+=" $base/plugins/database/cassandra" if [ "${ENTERPRISE:+x}" == "x" ] ; then test_packages[15]+=" $base/vault/external_tests/namespaces" + test_packages[15]+=" $base/vault/external_tests/census" fi test_packages[15]+=" $base/vault/external_tests/sealmigrationext" diff --git a/.github/workflows/test-go.yml b/.github/workflows/test-go.yml index 3487fbaec7d0..afd28ebb3b15 100644 --- a/.github/workflows/test-go.yml +++ b/.github/workflows/test-go.yml 
@@ -39,14 +39,43 @@ jobs: test-generate-test-package-list: runs-on: ${{ fromJSON(inputs.runs-on) }} name: Verify Test Package Distribution + permissions: + id-token: write # Note: this permission is explicitly required for Vault auth + contents: read steps: - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 - uses: actions/setup-go@4d34df0c2316fe8122ab82dc22947d607c0c91f9 # v4.0.0 with: go-version-file: ./.go-version cache: true + - name: Authenticate to Vault + id: vault-auth + if: github.repository == 'hashicorp/vault-enterprise' + run: vault-auth + - name: Fetch Secrets + id: secrets + if: github.repository == 'hashicorp/vault-enterprise' + uses: hashicorp/vault-action@130d1f5f4fe645bb6c83e4225c04d64cfb62de6e + with: + url: ${{ steps.vault-auth.outputs.addr }} + caCertificate: ${{ steps.vault-auth.outputs.ca_certificate }} + token: ${{ steps.vault-auth.outputs.token }} + secrets: | + kv/data/github/${{ github.repository }}/github-token username-and-token | github-token; + - id: setup-git-private + name: Setup Git configuration (private) + if: github.repository == 'hashicorp/vault-enterprise' + run: | + git config --global url."https://${{ steps.secrets.outputs.github-token }}@github.com".insteadOf https://github.com + - id: setup-git-public + name: Setup Git configuration (public) + if: github.repository != 'hashicorp/vault-enterprise' + run: | + git config --global url."https://${{ secrets.ELEVATED_GITHUB_TOKEN}}@github.com".insteadOf https://github.com - id: test working-directory: .github/scripts + env: + GOPRIVATE: github.com/hashicorp/* run: | ENTERPRISE=${{ inputs.enterprise }} ./test-generate-test-package-lists.sh runner-indexes:
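Review bot: Both `Setup Git configuration` steps expand the token directly into the `run:` script with `${{ … }}` and write it into the global git config for every `https://github.com` URL, so it sits in plaintext in `~/.gitconfig` for the rest of the job, where the `test` step's script and anything it invokes can read it, and git presents it on fetches outside the `github.com/hashicorp/*` scope that `GOPRIVATE` names. Passing the token through the step environment and narrowing the rewrite would limit that: `env: { GIT_TOKEN: "${{ steps.secrets.outputs.github-token }}" }` with `git config --global url."https://${GIT_TOKEN}@github.com/hashicorp/".insteadOf https://github.com/hashicorp/`, and the same for `secrets.ELEVATED_GITHUB_TOKEN` in the public variant. If `inputs.runs-on` can resolve to a non-ephemeral runner (not visible in this hunk), the config entry should also be removed in a final `if: always()` step. Separately, the `hashicorp/vault-action@130d1f5…` pin has no trailing version comment, unlike the `checkout` and `setup-go` pins above it.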