ci: migrate secrets to 1Password

.github/secrets.env.tpl

@@ -0,0 +1,15 @@
+CS_CLIENT_ACCESS_KEY=op://CI/CipherStash ZeroKMS/CS_CLIENT_ACCESS_KEY
+CS_CLIENT_ID=op://CI/CipherStash ZeroKMS/CS_CLIENT_ID
+CS_CLIENT_KEY=op://CI/CipherStash ZeroKMS/CS_CLIENT_KEY
+CS_WORKSPACE_CRN=op://CI/CipherStash ZeroKMS/CS_WORKSPACE_CRN
+CS_DEFAULT_KEYSET_ID=op://CI/CipherStash ZeroKMS/CS_DEFAULT_KEYSET_ID
+CS_TENANT_KEYSET_ID_1=op://CI/CipherStash ZeroKMS/CS_TENANT_KEYSET_ID_1
+CS_TENANT_KEYSET_ID_2=op://CI/CipherStash ZeroKMS/CS_TENANT_KEYSET_ID_2
+CS_TENANT_KEYSET_ID_3=op://CI/CipherStash ZeroKMS/CS_TENANT_KEYSET_ID_3
+CS_TENANT_KEYSET_NAME_1=op://CI/CipherStash ZeroKMS/CS_TENANT_KEYSET_NAME_1
+CS_TENANT_KEYSET_NAME_2=op://CI/CipherStash ZeroKMS/CS_TENANT_KEYSET_NAME_2
+CS_TENANT_KEYSET_NAME_3=op://CI/CipherStash ZeroKMS/CS_TENANT_KEYSET_NAME_3
+DOCKER_HUB_USERNAME=op://CI/Docker Hub/DOCKER_HUB_USERNAME
+DOCKER_HUB_PASSWORD=op://CI/Docker Hub/DOCKER_HUB_PASSWORD
+SLACK_NOTIFICATION_WEBHOOK_URL=op://CI/Slack/SLACK_NOTIFICATION_WEBHOOK_URL
+MULTITUDES_ACCESS_TOKEN=op://CI/Multitudes/MULTITUDES_ACCESS_TOKEN

.github/workflows/benchmark.yml

@@ -24,24 +24,31 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - uses: ./.github/actions/setup-test
+
+      - name: Load secrets
+        uses: 1password/load-secrets-action@v3
+        with:
+          export-env: true
+        env:
+          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+          OP_ENV_FILE: .github/secrets.env.tpl
+
       - run: |
           mise run postgres:up --extra-args "--detach --wait"
+
       - name: Run benchmark
         working-directory: tests/benchmark
         env:
-          CS_CLIENT_ACCESS_KEY: ${{ secrets.CS_CLIENT_ACCESS_KEY }}
-          CS_DEFAULT_KEYSET_ID: ${{ secrets.CS_DEFAULT_KEYSET_ID }}
-          CS_CLIENT_ID: ${{ secrets.CS_CLIENT_ID }}
-          CS_CLIENT_KEY: ${{ secrets.CS_CLIENT_KEY }}
-          CS_WORKSPACE_CRN: ${{ secrets.CS_WORKSPACE_CRN }}
           RUST_BACKTRACE: "1"
         run: mise run benchmark:continuous
+
       # Download previous benchmark result from cache (if exists)
       - name: Download previous benchmark data
         uses: actions/cache@v4
         with:
           path: ./cache
           key: ${{ runner.os }}-benchmark
+
       # Run `github-action-benchmark` action
       - name: Store benchmark result
         uses: benchmark-action/github-action-benchmark@v1
@@ -61,5 +68,5 @@ jobs:
       - uses: ./.github/actions/send-slack-notification
         with:
           channel: engineering
-          webhook_url: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK_URL }}
+          webhook_url: ${{ env.SLACK_NOTIFICATION_WEBHOOK_URL }}
 

.github/workflows/release-aws-marketplace.yml

@@ -82,6 +82,14 @@ jobs:
 
       - uses: actions/checkout@v4
 
+      - name: Load secrets
+        uses: 1password/load-secrets-action@v3
+        with:
+          export-env: true
+        env:
+          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+          OP_ENV_FILE: .github/secrets.env.tpl
+
       - uses: jdx/mise-action@v2
         with:
           version: 2025.1.6 # [default: latest] mise version to install
@@ -111,6 +119,6 @@ jobs:
             --fail-with-body \
             --url "https://api.developer.multitudes.co/deployments" \
             --header "Content-Type: application/json" \
-            --header "Authorization: ${{ secrets.MULTITUDES_ACCESS_TOKEN }}" \
+            --header "Authorization: ${{ env.MULTITUDES_ACCESS_TOKEN }}" \
             --data '{"commitSha": "${{ github.sha }}", "environmentName":"marketplace"}'
 

.github/workflows/release.yml

@@ -22,6 +22,15 @@ jobs:
     runs-on: ${{matrix.build.os}}
     steps:
       - uses: actions/checkout@v4
+
+      - name: Load secrets
+        uses: 1password/load-secrets-action@v3
+        with:
+          export-env: true
+        env:
+          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+          OP_ENV_FILE: .github/secrets.env.tpl
+
       - name: Setup Rust cache
         uses: Swatinem/rust-cache@v2
         if: github.event_name == 'pull_request' # only cache in pull requests
@@ -55,8 +64,8 @@ jobs:
       - name: Login to Docker Hub
         uses: docker/login-action@v3
         with:
-          username: ${{ secrets.DOCKER_HUB_USERNAME }}
-          password: ${{ secrets.DOCKER_HUB_PERSONAL_ACCESS_TOKEN }}
+          username: ${{ env.DOCKER_HUB_USERNAME }}
+          password: ${{ env.DOCKER_HUB_PASSWORD }}
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
@@ -92,6 +101,16 @@ jobs:
     needs:
       - build
     steps:
+      - uses: actions/checkout@v4
+
+      - name: Load secrets
+        uses: 1password/load-secrets-action@v3
+        with:
+          export-env: true
+        env:
+          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+          OP_ENV_FILE: .github/secrets.env.tpl
+
       - name: Download digests
         uses: actions/download-artifact@v4
         with:
@@ -102,8 +121,8 @@ jobs:
       - name: Login to Docker Hub
         uses: docker/login-action@v3
         with:
-          username: ${{ secrets.DOCKER_HUB_USERNAME }}
-          password: ${{ secrets.DOCKER_HUB_PERSONAL_ACCESS_TOKEN }}
+          username: ${{ env.DOCKER_HUB_USERNAME }}
+          password: ${{ env.DOCKER_HUB_PASSWORD }}
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
@@ -135,5 +154,5 @@ jobs:
             --fail-with-body \
             --url "https://api.developer.multitudes.co/deployments" \
             --header "Content-Type: application/json" \
-            --header "Authorization: ${{ secrets.MULTITUDES_ACCESS_TOKEN }}" \
+            --header "Authorization: ${{ env.MULTITUDES_ACCESS_TOKEN }}" \
             --data '{"commitSha": "${{ github.sha }}", "environmentName":"dockerhub"}'

.github/workflows/test.yml

@@ -18,28 +18,28 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - uses: ./.github/actions/setup-test
+
+      - name: Load secrets
+        uses: 1password/load-secrets-action@v3
+        with:
+          export-env: true
+        env:
+          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+          OP_ENV_FILE: .github/secrets.env.tpl
+
       - run: |
           mise run postgres:up --extra-args "--detach --wait"
-      - env:
+
+      - name: Run tests
+        env:
           # REMEMBER TO ADD ENVIRONMENT VARIABLES TO tests/docker-compose.yml
           # The tests/docker-compose.yml config passes the ENV vars into the container
-          CS_CLIENT_ACCESS_KEY: ${{ secrets.CS_CLIENT_ACCESS_KEY }}
-          CS_DEFAULT_KEYSET_ID: ${{ secrets.CS_DEFAULT_KEYSET_ID }}
-          CS_TENANT_KEYSET_ID_1: ${{ secrets.CS_TENANT_KEYSET_ID_1 }}
-          CS_TENANT_KEYSET_ID_2: ${{ secrets.CS_TENANT_KEYSET_ID_2 }}
-          CS_TENANT_KEYSET_ID_3: ${{ secrets.CS_TENANT_KEYSET_ID_3 }}
-          CS_TENANT_KEYSET_NAME_1: ${{ secrets.CS_TENANT_KEYSET_NAME_1 }}
-          CS_TENANT_KEYSET_NAME_2: ${{ secrets.CS_TENANT_KEYSET_NAME_2 }}
-          CS_TENANT_KEYSET_NAME_3: ${{ secrets.CS_TENANT_KEYSET_NAME_3 }}
-          CS_CLIENT_ID: ${{ secrets.CS_CLIENT_ID }}
-          CS_CLIENT_KEY: ${{ secrets.CS_CLIENT_KEY }}
-          CS_WORKSPACE_CRN: ${{ secrets.CS_WORKSPACE_CRN }}
           RUST_BACKTRACE: "1"
         run: |
           mise run --output prefix test
 
       - uses: ./.github/actions/send-slack-notification
         with:
           channel: engineering
-          webhook_url: ${{ secrets.SLACK_NOTIFICATION_WEBHOOK_URL }}
+          webhook_url: ${{ env.SLACK_NOTIFICATION_WEBHOOK_URL }}