wip: pulls secrets from AWS directly

input-output-hk · Feb 2, 2024 · fd0f80b · fd0f80b
1 parent b20e6c9
commit fd0f80b
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 18 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -30,10 +30,6 @@ on:
         required: false
         type: string
         default: ${{ github.event.repository.default_branch }}
-      deployment_images:
-        description: A newline separated list of image names to deploy
-        required: false
-        type: string
       deployment_repo:
         description: The URL of the repository containing deployment code
         required: false
@@ -196,11 +192,15 @@ jobs:
       earthly_runner_address: ${{ secrets.earthly_runner_address }}
       earthly_runner_secret: ${{ secrets.earthly_runner_secret }}
   deploy:
-    uses: input-output-hk/catalyst-ci/.github/workflows/deploy.yml@master
-    if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) && inputs.deployment_images != ''
+    uses: input-output-hk/catalyst-ci/.github/workflows/deploy.yml@setup-new-deploy
+    if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
     needs: [publish]
     with:
+      aws_role_arn: ${{ inputs.aws_role_arn }}
+      aws_region: ${{ inputs.aws_region }}
       deployment_repo: ${{ inputs.deployment_repo }}
-      images: ${{ inputs.deployment_images }}
     secrets:
-      token: ${{ secrets.deployment_token }}
+      dockerhub_token: ${{ secrets.dockerhub_token }}
+      dockerhub_username: ${{ secrets.dockerhub_username }}
+      earthly_runner_address: ${{ secrets.earthly_runner_address }}
+      earthly_runner_secret: ${{ secrets.earthly_runner_secret }}
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -54,13 +54,6 @@ on:
           certificates required to authenticate with it. If omitted, a remote
           Earthly runner will not be configured.
         required: false
-      signing_key:
-        description: The private key to use for signing the deployment commit
-        required: true
-      token:
-        description: A Github token with access to the deployment repository.
-        required: true
-
 
 jobs:
   deploy:
@@ -85,6 +78,12 @@ jobs:
           updater_version: local
       - name: Install CUE
         uses: cue-lang/setup-cue@v1.0.0
+      - name: Fetch deployment secrets
+        uses: aws-actions/aws-secretsmanager-get-secrets@v1
+        with:
+          secret-ids: |
+            global/ci/deploy
+          parse-json-secrets: true
       - name: Discover deployment files
         id: discover
         run: |
@@ -95,7 +94,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           repository: ${{ inputs.deployment_repo }}
-          token: ${{ secrets.token }}
+          token: ${{ env.GLOBAL_CI_DEPLOY_TOKEN }}
       - name: Create deployment branch
         run: |
           git checkout -b "auto-deploy-${{ github.sha }}"
@@ -120,7 +119,7 @@ jobs:
       - name: Sign commit hash
         id: sign
         run: |
-          echo -n "${{ secrets.signing_key }}" | base64 --decode > /tmp/privkey
+          echo -n "${{ env.GLOBAL_CI_DEPLOY_PRIV_KEY }}" | base64 --decode > /tmp/privkey
           COMMIT=$(git rev-parse HEAD)
           SIG=$(updater signing sign -k /tmp/privkey "$COMMIT")
           rm /tmp/privkey
@@ -133,4 +132,4 @@ jobs:
           BODY="BEGIN-AUTO-DEPLOY-SIGNATURE:${{ steps.sign.outputs.signature }}:END-AUTO-DEPLOY-SIGNATURE"
           gh pr create --title "chore: auto-deploy from ${{ github.event.repository.name }}" --body "$BODY"
         env:
-          GITHUB_TOKEN: ${{ secrets.token }}
+          GITHUB_TOKEN: ${{ env.GLOBAL_CI_DEPLOY_TOKEN }}