diff --git a/.github/secrets.env.tpl b/.github/secrets.env.tpl new file mode 100644 index 00000000..f0ca83c6 --- /dev/null +++ b/.github/secrets.env.tpl @@ -0,0 +1,15 @@ +CS_CLIENT_ACCESS_KEY=op://CI/CipherStash ZeroKMS/CS_CLIENT_ACCESS_KEY +CS_CLIENT_ID=op://CI/CipherStash ZeroKMS/CS_CLIENT_ID +CS_CLIENT_KEY=op://CI/CipherStash ZeroKMS/CS_CLIENT_KEY +CS_WORKSPACE_CRN=op://CI/CipherStash ZeroKMS/CS_WORKSPACE_CRN +CS_DEFAULT_KEYSET_ID=op://CI/CipherStash ZeroKMS/CS_DEFAULT_KEYSET_ID +CS_TENANT_KEYSET_ID_1=op://CI/CipherStash ZeroKMS/CS_TENANT_KEYSET_ID_1 +CS_TENANT_KEYSET_ID_2=op://CI/CipherStash ZeroKMS/CS_TENANT_KEYSET_ID_2 +CS_TENANT_KEYSET_ID_3=op://CI/CipherStash ZeroKMS/CS_TENANT_KEYSET_ID_3 +CS_TENANT_KEYSET_NAME_1=op://CI/CipherStash ZeroKMS/CS_TENANT_KEYSET_NAME_1 +CS_TENANT_KEYSET_NAME_2=op://CI/CipherStash ZeroKMS/CS_TENANT_KEYSET_NAME_2 +CS_TENANT_KEYSET_NAME_3=op://CI/CipherStash ZeroKMS/CS_TENANT_KEYSET_NAME_3 +DOCKER_HUB_USERNAME=op://CI/Docker Hub/DOCKER_HUB_USERNAME +DOCKER_HUB_PASSWORD=op://CI/Docker Hub/DOCKER_HUB_PASSWORD +SLACK_NOTIFICATION_WEBHOOK_URL=op://CI/Slack/SLACK_NOTIFICATION_WEBHOOK_URL +MULTITUDES_ACCESS_TOKEN=op://CI/Multitudes/MULTITUDES_ACCESS_TOKEN diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml index 14f995fe..374bcc7d 100644 --- a/.github/workflows/benchmark.yml +++ b/.github/workflows/benchmark.yml 
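Review bot: The template puts the Docker Hub, Slack and Multitudes credentials in the same file as the CipherStash test keys, so every workflow that sets `OP_ENV_FILE: .github/secrets.env.tpl` resolves all fifteen items even when it only needs the `CS_*` values. Splitting it into per-purpose templates (for example a `secrets.test.env.tpl` holding only the `CS_*` lines and a release template holding the Docker Hub and Multitudes entries) keeps each job's exposure to what it actually uses and lets the 1Password service account be scoped to match. The rename from `DOCKER_HUB_PERSONAL_ACCESS_TOKEN` (the old name is visible in the release.yml hunks below) to `DOCKER_HUB_PASSWORD` suggests the vault item may now be the account password; Docker Hub issues access tokens with read/write scope limited to repositories, and that is what the item should hold if it does not already.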
@@ -24,24 +24,31 @@ jobs: steps: - uses: actions/checkout@v4 - uses: ./.github/actions/setup-test + + - name: Load secrets + uses: 1password/load-secrets-action@v3 + with: + export-env: true + env: + OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} + OP_ENV_FILE: .github/secrets.env.tpl + - run: | mise run postgres:up --extra-args "--detach --wait" + - name: Run benchmark working-directory: tests/benchmark env: - CS_CLIENT_ACCESS_KEY: ${{ secrets.CS_CLIENT_ACCESS_KEY }} - CS_DEFAULT_KEYSET_ID: ${{ secrets.CS_DEFAULT_KEYSET_ID }} - CS_CLIENT_ID: ${{ secrets.CS_CLIENT_ID }} - CS_CLIENT_KEY: ${{ secrets.CS_CLIENT_KEY }} - CS_WORKSPACE_CRN: ${{ secrets.CS_WORKSPACE_CRN }} RUST_BACKTRACE: "1" run: mise run benchmark:continuous + # Download previous benchmark result from cache (if exists) - name: Download previous benchmark data uses: actions/cache@v4 with: path: ./cache key: ${{ runner.os }}-benchmark + # Run `github-action-benchmark` action - name: Store benchmark result uses: benchmark-action/github-action-benchmark@v1 @@ -61,5 +68,5 @@ jobs: - uses: ./.github/actions/send-slack-notification with: channel: engineering - webhook_url: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK_URL }} + webhook_url: ${{ env.SLACK_NOTIFICATION_WEBHOOK_URL }} diff --git a/.github/workflows/release-aws-marketplace.yml b/.github/workflows/release-aws-marketplace.yml index 396e99e5..54aa8b2b 100644 --- a/.github/workflows/release-aws-marketplace.yml +++ b/.github/workflows/release-aws-marketplace.yml @@ -82,6 +82,14 @@ jobs: - uses: actions/checkout@v4 + - name: Load secrets + uses: 1password/load-secrets-action@v3 + with: + export-env: true + env: + OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} + OP_ENV_FILE: .github/secrets.env.tpl + - uses: jdx/mise-action@v2 with: version: 2025.1.6 # [default: latest] mise version to install 
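Review bot: With `export-env: true` the `Load secrets` step writes every item in the template into the job environment, so the later third-party steps (`actions/cache@v4` and `benchmark-action/github-action-benchmark@v1`) and the `postgres:up` run now see Docker Hub credentials, the Slack webhook and the Multitudes token that the benchmark never uses, whereas before the change only the `Run benchmark` step received the five `CS_*` values. Restoring step-level scope is a small change: give the loader an `id`, set `export-env: false` so the values are exposed as step outputs rather than job-wide variables (this is the action's documented behaviour — confirm against the pinned v3), and map only the needed outputs into `Run benchmark`. The Slack step at the end of this job would then read `${{ steps.op.outputs.SLACK_NOTIFICATION_WEBHOOK_URL }}` instead of `env`.
```yaml
      - name: Load secrets
        id: op
        uses: 1password/load-secrets-action@v3
        with:
          export-env: false
        env:
          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
          OP_ENV_FILE: .github/secrets.env.tpl

      # … unchanged: postgres:up step …

      - name: Run benchmark
        working-directory: tests/benchmark
        env:
          CS_CLIENT_ACCESS_KEY: ${{ steps.op.outputs.CS_CLIENT_ACCESS_KEY }}
          CS_DEFAULT_KEYSET_ID: ${{ steps.op.outputs.CS_DEFAULT_KEYSET_ID }}
          CS_CLIENT_ID: ${{ steps.op.outputs.CS_CLIENT_ID }}
          CS_CLIENT_KEY: ${{ steps.op.outputs.CS_CLIENT_KEY }}
          CS_WORKSPACE_CRN: ${{ steps.op.outputs.CS_WORKSPACE_CRN }}
          RUST_BACKTRACE: "1"
        run: mise run benchmark:continuous
```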
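Review bot: `webhook_url` now depends on the job environment populated by the earlier `Load secrets` step, so if that step fails or is skipped (for instance an empty `OP_SERVICE_ACCOUNT_TOKEN` on a run without repository secrets) `env.SLACK_NOTIFICATION_WEBHOOK_URL` is empty and the notification goes out with no webhook — precisely the failure you most want reported. The step's `if:` condition sits outside the hunk, so whether it fires on failure is inferred from the `send-slack-notification` name. If the notification has to work independently of the 1Password step, keep this one value as a repository secret (`webhook_url: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK_URL }}`), or at least guard the step with `if: failure() && env.SLACK_NOTIFICATION_WEBHOOK_URL != ''` so a missing webhook is visible in the run rather than silently posting nothing.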
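Review bot: `1password/load-secrets-action@v3` is pinned to a mutable tag, and this is the one step that receives `OP_SERVICE_ACCOUNT_TOKEN`, which can read every item referenced by the template, so a moved tag or a compromised release of that action would hand over all of the CI credentials at once. Pin it to the full commit SHA of the v3 release and keep the tag as a comment for readability, e.g. `uses: 1password/load-secrets-action@<full 40-character commit sha> # v3`, and let Dependabot or Renovate propose bumps. The other actions in this job (`actions/checkout@v4`, `jdx/mise-action@v2`) are tag-pinned as well, but the secrets loader is where the blast radius is largest, so it is the one to fix first.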
@@ -111,6 +119,6 @@ jobs: --fail-with-body \ --url "https://api.developer.multitudes.co/deployments" \ --header "Content-Type: application/json" \ - --header "Authorization: ${{ secrets.MULTITUDES_ACCESS_TOKEN }}" \ + --header "Authorization: ${{ env.MULTITUDES_ACCESS_TOKEN }}" \ --data '{"commitSha": "${{ github.sha }}", "environmentName":"marketplace"}' diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 60bf72ca..fc585e95 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -22,6 +22,15 @@ jobs: runs-on: ${{matrix.build.os}} steps: - uses: actions/checkout@v4 + + - name: Load secrets + uses: 1password/load-secrets-action@v3 + with: + export-env: true + env: + OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} + OP_ENV_FILE: .github/secrets.env.tpl + - name: Setup Rust cache uses: Swatinem/rust-cache@v2 if: github.event_name == 'pull_request' # only cache in pull requests @@ -55,8 +64,8 @@ jobs: - name: Login to Docker Hub uses: docker/login-action@v3 with: - username: ${{ secrets.DOCKER_HUB_USERNAME }} - password: ${{ secrets.DOCKER_HUB_PERSONAL_ACCESS_TOKEN }} + username: ${{ env.DOCKER_HUB_USERNAME }} + password: ${{ env.DOCKER_HUB_PASSWORD }} - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 @@ -92,6 +101,16 @@ jobs: needs: - build steps: + - uses: actions/checkout@v4 + + - name: Load secrets + uses: 1password/load-secrets-action@v3 + with: + export-env: true + env: + OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} + OP_ENV_FILE: .github/secrets.env.tpl + - name: Download digests uses: actions/download-artifact@v4 with: 
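Review bot: The `Authorization` header is built by expanding `${{ env.MULTITUDES_ACCESS_TOKEN }}` into the script text before the shell runs, which is the pattern GitHub's script-injection guidance warns against; since `export-env: true` already places the value in the process environment, the step can read it as a shell variable instead: `--header "Authorization: $MULTITUDES_ACCESS_TOKEN" \`. That keeps the secret out of the generated script and avoids breakage if the token ever contains a quote or a `$`. The `run:` block begins before this hunk, so the leading lines of the curl invocation are not visible here.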
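Review bot: The new `Load secrets` step runs unconditionally, while the `Setup Rust cache` step immediately after it is conditioned on `github.event_name == 'pull_request'`, so this build job evidently runs for pull requests too; on a pull request from a fork `secrets.OP_SERVICE_ACCOUNT_TOKEN` is empty and the 1Password step will fail the job before any compilation, whereas the old `secrets.*` mapping only affected the Docker login. If the Docker login and push are already gated on a non-PR event (those conditions are outside this hunk), give the loader the same gate, e.g. `if: github.event_name != 'pull_request'`, or move it directly before the login step so the Docker Hub and Multitudes credentials are loaded only when needed and are not in the environment of `Swatinem/rust-cache@v2` and the matrix build steps in between.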
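Review bot: `actions/checkout@v4` is added to the publish job solely so the loader can read `.github/secrets.env.tpl`, but with default inputs it clones the whole repository and leaves the job's `GITHUB_TOKEN` in `.git/config` for every later step, none of which appear to need git. Restrict it to the one file and do not persist the token; the `persist-credentials: false` setting is the standard hardening for jobs that only read files from the checkout.
```yaml
      - uses: actions/checkout@v4
        with:
          sparse-checkout: .github/secrets.env.tpl
          sparse-checkout-cone-mode: false
          persist-credentials: false

      # … unchanged: Load secrets step …
```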
@@ -102,8 +121,8 @@ jobs: - name: Login to Docker Hub uses: docker/login-action@v3 with: - username: ${{ secrets.DOCKER_HUB_USERNAME }} - password: ${{ secrets.DOCKER_HUB_PERSONAL_ACCESS_TOKEN }} + username: ${{ env.DOCKER_HUB_USERNAME }} + password: ${{ env.DOCKER_HUB_PASSWORD }} - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 @@ -135,5 +154,5 @@ jobs: --fail-with-body \ --url "https://api.developer.multitudes.co/deployments" \ --header "Content-Type: application/json" \ - --header "Authorization: ${{ secrets.MULTITUDES_ACCESS_TOKEN }}" \ + --header "Authorization: ${{ env.MULTITUDES_ACCESS_TOKEN }}" \ --data '{"commitSha": "${{ github.sha }}", "environmentName":"dockerhub"}' diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index f714b57e..4fb0e148 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
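Review bot: `${{ env.MULTITUDES_ACCESS_TOKEN }}` is substituted into the shell script text here just as in the marketplace workflow above, even though the variable is already exported into the environment by the loader; read it as `--header "Authorization: $MULTITUDES_ACCESS_TOKEN" \` so the secret never passes through template expansion into the script. The enclosing `run:` block starts before the hunk.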
@@ -18,22 +18,22 @@ jobs: steps: - uses: actions/checkout@v4 - uses: ./.github/actions/setup-test + + - name: Load secrets + uses: 1password/load-secrets-action@v3 + with: + export-env: true + env: + OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} + OP_ENV_FILE: .github/secrets.env.tpl + - run: | mise run postgres:up --extra-args "--detach --wait" - - env: + + - name: Run tests + env: # REMEMBER TO ADD ENVIRONMENT VARIABLES TO tests/docker-compose.yml # The tests/docker-compose.yml config passes the ENV vars into the container - CS_CLIENT_ACCESS_KEY: ${{ secrets.CS_CLIENT_ACCESS_KEY }} - CS_DEFAULT_KEYSET_ID: ${{ secrets.CS_DEFAULT_KEYSET_ID }} - CS_TENANT_KEYSET_ID_1: ${{ secrets.CS_TENANT_KEYSET_ID_1 }} - CS_TENANT_KEYSET_ID_2: ${{ secrets.CS_TENANT_KEYSET_ID_2 }} - CS_TENANT_KEYSET_ID_3: ${{ secrets.CS_TENANT_KEYSET_ID_3 }} - CS_TENANT_KEYSET_NAME_1: ${{ secrets.CS_TENANT_KEYSET_NAME_1 }} - CS_TENANT_KEYSET_NAME_2: ${{ secrets.CS_TENANT_KEYSET_NAME_2 }} - CS_TENANT_KEYSET_NAME_3: ${{ secrets.CS_TENANT_KEYSET_NAME_3 }} - CS_CLIENT_ID: ${{ secrets.CS_CLIENT_ID }} - CS_CLIENT_KEY: ${{ secrets.CS_CLIENT_KEY }} - CS_WORKSPACE_CRN: ${{ secrets.CS_WORKSPACE_CRN }} RUST_BACKTRACE: "1" run: | mise run --output prefix test @@ -41,5 +41,5 @@ jobs: - uses: ./.github/actions/send-slack-notification with: channel: engineering - webhook_url: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK_URL }} + webhook_url: ${{ env.SLACK_NOTIFICATION_WEBHOOK_URL }}
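Review bot: The test job now loads all fifteen template entries, including Docker Hub, Slack and Multitudes credentials, although the `Run tests` step (and the `tests/docker-compose.yml` passthrough the comment refers to) only needs the `CS_*` values; before the change the step received exactly those eleven variables and nothing else. Pointing the loader at a template that holds only the `CS_*` lines, e.g. `OP_ENV_FILE: .github/secrets.test.env.tpl`, or setting `export-env: false` and mapping the step outputs into `Run tests`, restores that boundary. Whether this workflow runs on pull requests from forks is not visible here; if it does, the loader fails on an empty `OP_SERVICE_ACCOUNT_TOKEN`, so it needs the same gating as any other step that depends on repository secrets.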