From 5c71491000c47d23eab6fd2e68703efc345e74a7 Mon Sep 17 00:00:00 2001
From: Mattias Holm
Date: Thu, 27 Jul 2023 15:07:04 +0200
Subject: [PATCH] Migrated secrets to variables
---
 .github/workflows/azure-arm.yml | 8 ++++----
 .github/workflows/azure-bicep.yml | 8 ++++----
 .github/workflows/azure-pulumi.yml | 4 ++--
 .github/workflows/azure-terraform.yml | 4 ++--
 github/repo.sh | 2 ++
 pulumi/github-yaml/Pulumi.yaml | 7 +++++++
 terraform/github/main.tf | 6 ++++++
 7 files changed, 27 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/azure-arm.yml b/.github/workflows/azure-arm.yml
index 770ee53..9603af2 100644
--- a/.github/workflows/azure-arm.yml
+++ b/.github/workflows/azure-arm.yml
@@ -47,8 +47,8 @@ jobs:
 - name: Log in to Azure
 uses: azure/login@v1
 with:
- tenant-id: ${{ secrets.AZURE_TENANT_ID }}
- client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ vars.AZURE_TENANT_ID }}
+ client-id: ${{ vars.AZURE_CLIENT_ID }}
 allow-no-subscriptions: true
 - name: Create resource group
@@ -79,8 +79,8 @@ jobs:
 - name: Log in to Azure
 uses: azure/login@v1
 with:
- tenant-id: ${{ secrets.AZURE_TENANT_ID }}
- client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ vars.AZURE_TENANT_ID }}
+ client-id: ${{ vars.AZURE_CLIENT_ID }}
 allow-no-subscriptions: true
 - name: Create deployment
diff --git a/.github/workflows/azure-bicep.yml b/.github/workflows/azure-bicep.yml
index 1a4b212..9b236a4 100644
--- a/.github/workflows/azure-bicep.yml
+++ b/.github/workflows/azure-bicep.yml
@@ -42,8 +42,8 @@ jobs:
 - name: Log in to Azure
 uses: azure/login@v1
 with:
- tenant-id: ${{ secrets.AZURE_TENANT_ID }}
- client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ vars.AZURE_TENANT_ID }}
+ client-id: ${{ vars.AZURE_CLIENT_ID }}
 allow-no-subscriptions: true
 - name: Validate deployment
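Review bot: In the `Log in to Azure` step of azure-arm.yml (hunk at line 47), nothing records why `tenant-id` and `client-id` may now come from `vars`: variable values are not masked in job logs, and an undefined variable expands to an empty string. The step passes no client secret, which suggests federated (OIDC) login where both values are identifiers rather than credentials, so I would add a comment above `with:` such as `# tenant-id/client-id are non-secret identifiers; define them as Actions variables before running`. The same applies to the second login hunk in this file, both login hunks in azure-bicep.yml, and the `env:` hunks in azure-pulumi.yml and azure-terraform.yml. The jobs start outside these hunks, so whether `permissions: id-token: write` is set cannot be checked from here.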
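Review bot: The login step in the hunk at line 79 of azure-arm.yml still references `azure/login@v1`, a mutable tag, for the step that obtains the Azure token. Pinning the action to a full commit SHA keeps a retagged release from running with that token: `uses: azure/login@<full-commit-sha>  # v1` (placeholder; take the SHA from the release you have reviewed). The same line appears in the first hunk of this file and in both azure-bicep.yml hunks.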
@@ -71,8 +71,8 @@ jobs:
 - name: Log in to Azure
 uses: azure/login@v1
 with:
- tenant-id: ${{ secrets.AZURE_TENANT_ID }}
- client-id: ${{ secrets.AZURE_CLIENT_ID }}
+ tenant-id: ${{ vars.AZURE_TENANT_ID }}
+ client-id: ${{ vars.AZURE_CLIENT_ID }}
 allow-no-subscriptions: true
 - name: Create deployment
diff --git a/.github/workflows/azure-pulumi.yml b/.github/workflows/azure-pulumi.yml
index 8a56df7..1ea4708 100644
--- a/.github/workflows/azure-pulumi.yml
+++ b/.github/workflows/azure-pulumi.yml
@@ -26,8 +26,8 @@ on:
 env:
 path: pulumi/azure-python
 stack: dev
- ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
- ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+ ARM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
+ ARM_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
 ARM_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
 PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
diff --git a/.github/workflows/azure-terraform.yml b/.github/workflows/azure-terraform.yml
index c0e790c..13b4adb 100644
--- a/.github/workflows/azure-terraform.yml
+++ b/.github/workflows/azure-terraform.yml
@@ -33,8 +33,8 @@ defaults:
 env:
 path: terraform/azure
- ARM_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
- ARM_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+ ARM_TENANT_ID: ${{ vars.AZURE_TENANT_ID }}
+ ARM_CLIENT_ID: ${{ vars.AZURE_CLIENT_ID }}
 ARM_USE_OIDC: true
 jobs:
diff --git a/github/repo.sh b/github/repo.sh
index b2a3a78..2d8f482 100755
--- a/github/repo.sh
+++ b/github/repo.sh
@@ -26,4 +26,6 @@ fi
 gh secret set 'SECRET' --body 'secret' --repo "$owner/$repo"
+gh variable set 'VARIABLE' --body 'variable' --repo "$owner/$repo"
+
 gh repo view "$owner/$repo" --json url
diff --git a/pulumi/github-yaml/Pulumi.yaml b/pulumi/github-yaml/Pulumi.yaml
index c779032..258b38d 100644
--- a/pulumi/github-yaml/Pulumi.yaml
+++ b/pulumi/github-yaml/Pulumi.yaml
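Review bot: In azure-pulumi.yml, `ARM_CLIENT_SECRET` and `PULUMI_ACCESS_TOKEN` stay in the workflow-level `env:` block, so every step of every job in the workflow, including third-party actions, receives both credentials in its environment. Moving those two entries to an `env:` on the step that runs Pulumi would limit the exposure; the identifiers moved to `vars` in this hunk can stay at workflow level. azure-terraform.yml in this same commit sets `ARM_USE_OIDC: true` and carries no client secret, so the same federated setup may let this workflow drop `ARM_CLIENT_SECRET` altogether. The jobs are outside the hunk, so which step needs the values cannot be seen here.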
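Review bot: The new `gh variable set` line in github/repo.sh sits directly below `gh secret set` with nothing telling a reader of this sample how the two differ. A comment above it would help, for example `# Variables are stored and shown in plain text (not masked in logs); use 'gh secret set' for credentials`. Both calls pass the value through `--body`, which is fine for the literal placeholders here; for a real secret, reading the value from stdin or the interactive prompt keeps it out of the shell history and the process list. The start of the script is outside the hunk.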
@@ -27,5 +27,12 @@ resources:
 secretName: SECRET
 plaintextValue: secret
+ variable:
+ type: github:ActionsVariable
+ properties:
+ repository: ${repo.name}
+ variableName: VARIABLE
+ value: variable
+
 outputs:
 cloneUrl: ${repo.httpCloneUrl}
diff --git a/terraform/github/main.tf b/terraform/github/main.tf
index 3531c14..8fe1005 100644
--- a/terraform/github/main.tf
+++ b/terraform/github/main.tf
@@ -16,3 +16,9 @@ resource "github_actions_secret" "secret" {
 secret_name = "SECRET"
 plaintext_value = "secret"
 }
+
+resource "github_actions_variable" "variable" {
+ repository = github_repository.repo.name
+ variable_name = "VARIABLE"
+ value = "variable"
+}
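Review bot: The new `github:ActionsVariable` resource in Pulumi.yaml is placed right after the secret resource, whose `plaintextValue: secret` is a literal in the program; terraform/github/main.tf has the same pattern (`plaintext_value = "secret"` above the new `github_actions_variable`). That is harmless for the placeholder shown, but anyone copying the sample for a real value would commit the secret to the repository. I would add a comment on the secret resources saying the value should come from a secret config value (Pulumi) or a `sensitive` input variable (Terraform), and one on the new variable resources saying variables are for non-sensitive configuration only. The secret resources begin outside these hunks.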