chore: read secrets from Akeyeless

tsvetomir · tsvetomir · commit dcb4a027ca54 · 2023-05-18T18:26:29.000+03:00
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
@@ -13,10 +13,28 @@ on:
 jobs:
   build:
     runs-on: ubuntu-latest
+    environment: upload
+
+    permissions:
+        id-token: write # Required by Akeyless
+        contents: read
+        packages: read
 
     steps:
+      - name: Import Secrets
+        id: import-secrets
+        uses: LanceMcCarthy/akeyless-action@v3
+        with:
+          access-id: ${{ secrets.GH_AKEYLESS_ACCESS_ID }}
+          static-secrets: |
+            {
+              "/WebComponents/prod/tokens/GH_TOKEN": "GH_TOKEN",
+              "/WebComponents/prod/tokens/PROGRESS_NPM_REGISTRY_TOKEN": "NPM_TOKEN"
+            }
+          export-secrets-to-environment: false
+
       - name: Check out branch
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0 # Fetch all branches
 
@@ -26,5 +44,5 @@ jobs:
       - name: Publish release
         run: ./.github/workflows/release.sh
         env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-          GH_TOKEN: ${{ secrets.GH_TOKEN }}
+          NPM_TOKEN: ${{ steps.import-secrets.outputs.NPM_TOKEN }}
+          GH_TOKEN: ${{ steps.import-secrets.outputs.GH_TOKEN }}
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -12,9 +12,13 @@ jobs:
   build:
     runs-on: ubuntu-latest
 
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.ref }}
+      cancel-in-progress: true
+
     steps:
       - name: Check out repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
 
       - name: Install modules
         run: npm install --no-audit --ignore-scripts
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -10,13 +10,17 @@ jobs:
   build:
     runs-on: ubuntu-latest
 
+    permissions:
+        id-token: write # Required by Akeyless
+        contents: read
+        packages: read
+
     steps:
       - name: Check out master
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
         with:
           fetch-depth: 0 # Fetch all branches
-          token: ${{ secrets.GH_TOKEN }}
+          token: ${{ steps.import-secrets.outputs.GH_TOKEN }}
 
       - name: Fast-forward master to develop
         run: ./.github/workflows/ff-master.sh
-
