Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Step 2, Fine-grained permissions - pull requests | |
# This step will retrieve a secret from Vault only if the workflow is triggered from a pull request | |
# This workflow will only succeed when run from a pull request, | |
# but participants should attempt to run it from other triggers, such as manually, to observe the outcome | |
# Reference: https://docs.github.com/en/actions/learn-github-actions/events-that-trigger-workflows | |
on: | |
workflow_dispatch: | |
pull_request: | |
branches: | |
- main | |
# Reference: https://docs.github.com/en/actions/security-guides/automatic-token-authentication | |
permissions: | |
# Need `contents: read` to checkout the repository | |
# Need `id-token: write` to use the GitHub OIDC token | |
# Reference: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers#adding-permissions-settings | |
contents: read | |
id-token: write | |
jobs: | |
oidc_pr: | |
name: Secrets only from pull requests | |
# When using services, the runner must be Linux | |
runs-on: ubuntu-latest | |
# Set up a Vault container to connect to | |
# This allows us to run our exercises without having to set up Vault infrastructure separately | |
# Reference: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idservices | |
services: | |
vault: | |
image: hashicorp/vault:1.15 | |
# Make vault accessible to the runner at localhost:8200 | |
ports: | |
- 8200:8200 | |
# Set up Vault as a dev server with a pre-defined root token. | |
# Reference: https://developer.hashicorp.com/vault/docs/concepts/dev-server | |
env: | |
VAULT_DEV_ROOT_TOKEN_ID: vaultiscool | |
# Grant the non-root user in the container the ability to lock memory to prevent swapping data to disk. | |
# A step that is recommended when using the Vault Docker container. | |
# Reference: https://hub.docker.com/_/vault/ | |
options: >- | |
--cap-add=IPC_LOCK | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
# Initializes Vault with a JWT backend for GitHub OIDC | |
# Creates a `pr-policy` policy granting access to `secret/data/development` | |
- name: Setup Vault | |
env: | |
VAULT_ADDR: http://127.0.0.1:8200 | |
run: ./.github/script/2-setup.sh | |
############################################################### | |
# Assign an appropriate bound_claims for this activity # | |
# See the Step 2 instructions on the README for more details # | |
############################################################### | |
- name: Create an OIDC Role | |
env: | |
VAULT_ADDR: http://127.0.0.1:8200 | |
run: | | |
vault write auth/gha/role/GIVE_ME_A_NAME - << EOF | |
{ | |
"role_type": "jwt", | |
"user_claim": "actor", | |
"bound_claims": { | |
# Fill in missing "sub" claim | |
}, | |
"policies": ["pr-policy"], | |
"ttl": "60s" | |
} | |
EOF | |
- name: Retrieve Secrets | |
uses: hashicorp/vault-action@v2 | |
id: secrets | |
with: | |
# TODO: Don't forget to enter the role name you created above! | |
role: "" | |
# Retrieve a secret from the KV v2 secrets engine at the mount point `secret`. | |
secrets: | | |
secret/data/development access_token | ACCESS_TOKEN ; | |
# Required configuration, do not modify | |
url: http://127.0.0.1:8200 | |
path: gha | |
method: jwt | |
exportEnv: false | |
- name: Use the secret | |
# Dummy example showing the secret is not an empty string | |
run: | | |
echo "::notice::🔐 Logging in to secure system! ${{ steps.secrets.outputs.ACCESS_TOKEN != '' }}" |