Disambiguate the two scan reusable workflows (#466) #176
  
    
    
  
  
    
  | name: Test Azure Login and Get Key Vault Action | |
| on: | |
| pull_request: | |
| paths: | |
| - "azure-login/**" | |
| - "azure-logout/**" | |
| - "get-keyvault-secrets/**" | |
| - ".github/workflows/test-get-secrets.yml" | |
| push: | |
| branches: | |
| - "main" | |
| workflow_dispatch: | |
| permissions: | |
| contents: read | |
| env: | |
| _TEST_SECRET_VALUE_1: Test Value 1 | |
| _TEST_SECRET_VALUE_2: Test Value 2 | |
| jobs: | |
| test-repo-secrets: | |
| name: Test Get Secrets | |
| runs-on: ubuntu-24.04 | |
| permissions: | |
| contents: read | |
| id-token: write | |
| steps: | |
| - name: Check out repo | |
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Log in to Azure | |
| uses: ./azure-login # Use the local action for testing | |
| with: | |
| subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
| tenant_id: ${{ secrets.AZURE_TENANT_ID }} | |
| client_id: ${{ secrets.AZURE_CLIENT_ID }} | |
| - name: Verify Azure Login | |
| id: verify-login | |
| run: | | |
| az account show --query name --output tsv | |
| - name: Get KV Secrets | |
| id: get-kv-secrets | |
| uses: bitwarden/gh-actions/get-keyvault-secrets@main # TODO: Use ./get-keyvault-secrets for testing of local action changes | |
| with: | |
| keyvault: gh-gh-actions | |
| secrets: "test-secret-1,test-secret-2" | |
| - name: Log out from Azure | |
| id: azure-logout | |
| uses: ./azure-logout # Use the local action for testing | |
| - name: Verify Logged Out | |
| id: verify-logout | |
| run: | | |
| az account show --query name --output tsv && (echo "Unexpectedly returned account name instead of being logged out" && exit 1) || echo "Successfully logged out of Azure" | |
| - name: Verify test secret value | |
| env: | |
| TEST_SECRET_1: ${{ steps.get-kv-secrets.outputs.test-secret-1 }} | |
| TEST_SECRET_2: ${{ steps.get-kv-secrets.outputs.test-secret-2 }} | |
| run: | | |
| if [[ "$TEST_SECRET_1" != "$_TEST_SECRET_VALUE_1" ]]; then | |
| echo "test-secret-1 value is not as expected" | |
| exit 1 | |
| fi | |
| if [[ "$TEST_SECRET_2" != "$_TEST_SECRET_VALUE_2" ]]; then | |
| echo "test-secret-2 value is not as expected" | |
| exit 1 | |
| fi | |
| echo "Test secret values checks successful!" | |
| - name: Check environment | |
| run: | | |
| exit_code=0 | |
| env | grep -q "test-secret" || exit_code=$? | |
| if [ $exit_code -eq 0 ]; then | |
| echo "Found test secrets in environment" | |
| exit 1 | |
| elif [ $exit_code -eq 1 ]; then | |
| echo "Correctly found no secrets found in environment" | |
| else | |
| exit $exit_code | |
| fi | |
| build-matrix: | |
| # This is needed because the matrix is built before the env variables are created. This is a | |
| # workaround to create the matrix at run-time, which feels only slightly less bad as hard-coding the test secret strings | |
| name: Build Test Matrix | |
| runs-on: ubuntu-24.04 | |
| outputs: | |
| matrix: ${{ steps.set-matrix.outputs.matrix }} | |
| steps: | |
| - id: set-matrix | |
| name: Set matrix output variable | |
| # Create the matrix from JSON. GitHub requires the JSON to be a single line, so the "jq -c" makes a single-line compact JSON string, just in case | |
| run: | | |
| json=$(cat <<EOF | |
| { | |
| "include": [ | |
| { | |
| "secret_key": "test-secret-1", | |
| "secret_value": "${_TEST_SECRET_VALUE_1}" | |
| }, | |
| { | |
| "secret_key": "test-secret-2", | |
| "secret_value": "${_TEST_SECRET_VALUE_2}" | |
| } | |
| ] | |
| } | |
| EOF | |
| ) | |
| echo "matrix=$(echo "$json" | jq -c .)" >> "$GITHUB_OUTPUT" | |
| test-repo-secrets-matrix: | |
| name: Test Get Secrets - Matrix | |
| needs: build-matrix | |
| strategy: | |
| fail-fast: false | |
| matrix: ${{ fromJSON(needs.build-matrix.outputs.matrix) }} | |
| runs-on: ubuntu-24.04 | |
| permissions: | |
| contents: read | |
| id-token: write | |
| steps: | |
| - name: Check out repo | |
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| with: | |
| fetch-depth: 0 | |
| persist-credentials: false | |
| - name: Log in to Azure | |
| uses: ./azure-login # Use the local action for testing | |
| with: | |
| subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} | |
| tenant_id: ${{ secrets.AZURE_TENANT_ID }} | |
| client_id: ${{ secrets.AZURE_CLIENT_ID }} | |
| - name: Get KV Secrets | |
| id: get-kv-secrets | |
| uses: bitwarden/gh-actions/get-keyvault-secrets@main # TODO: Use ./get-keyvault-secrets for testing of local action changes | |
| with: | |
| keyvault: gh-gh-actions | |
| secrets: "${{ matrix.secret_key }}" | |
| - name: Log out from Azure | |
| id: azure-logout | |
| uses: ./azure-logout # Use the local action for testing | |
| - name: Verify test secret value | |
| env: | |
| KV_SECRET_VALUE: ${{ steps.get-kv-secrets.outputs[matrix.secret_key] }} | |
| MATRIX_SECRET_TEST_VALUE: ${{ matrix.secret_value }} | |
| MATRIX_SECRET_KEY: ${{ matrix.secret_key }} | |
| run: | | |
| if [[ "$KV_SECRET_VALUE" != "$MATRIX_SECRET_TEST_VALUE" ]]; then | |
| echo "$MATRIX_SECRET_KEY value is not as expected" | |
| exit 1 | |
| fi | |
| echo "Test secret values checks successful!" |
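Review bot: The `Verify Logged Out` step in `test-repo-secrets` cannot fail, because its `exit 1` runs inside a `( … )` subshell and only terminates that subshell; the `||` branch then prints "Successfully logged out of Azure" and the step exits 0 even when `az account show` still returns an account, so a broken `./azure-logout` that leaves credentials on the runner would go undetected. Rewriting the check as an `if` block (below) makes the step fail when a session is still present. Separately, both `Get KV Secrets` steps pull `bitwarden/gh-actions/get-keyvault-secrets@main`, a mutable ref, while the checkout step is pinned to a commit SHA; either switch to `./get-keyvault-secrets` as the existing TODO suggests or pin to a full SHA with a version comment, as done for `actions/checkout`.

```yaml
      - name: Verify Logged Out
        id: verify-logout
        run: |
          if az account show --query name --output tsv; then
            echo "Unexpectedly returned account name instead of being logged out"
            exit 1
          fi
          echo "Successfully logged out of Azure"
      # … unchanged: remaining steps of test-repo-secrets and the other jobs …
```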