move rotate from checks to deploy

2025-12-10 07:12:20 -05:00 · 2024-08-22 11:00:31 -07:00
parent 6401378715
commit 6d44ffceb8
3 changed files with 27 additions and 25 deletions
--- a/.ds.baseline
+++ b/.ds.baseline
@@ -133,7 +133,7 @@
        "filename": ".github/workflows/checks.yml",
        "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
        "is_verified": false,
-        "line_number": 50,
+        "line_number": 28,
        "is_secret": false
      },
      {
@@ -141,7 +141,7 @@
        "filename": ".github/workflows/checks.yml",
        "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
        "is_verified": false,
-        "line_number": 67,
+        "line_number": 45,
        "is_secret": false
      }
    ],
@@ -384,5 +384,5 @@
      }
    ]
  },
-  "generated_at": "2024-08-22T14:22:18Z"
+  "generated_at": "2024-08-22T18:00:24Z"
 }
--- a/.github/workflows/checks.yml
+++ b/.github/workflows/checks.yml
@@ -16,29 +16,7 @@ env:
  AWS_US_TOLL_FREE_NUMBER: "+18556438890"

 jobs:
-  rotate-secret:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3

-      - name: Generate new secret value
-        id: generate-secret
-        run: |
-          # Generate a new random secret value
-          NEW_SECRET=$(openssl rand -base64 32)
-          echo "new-secret=$NEW_SECRET" >> $GITHUB_ENV
-      - name: Update GitHub secret
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NEW_SECRET: ${{ env.new-secret }}
-        run: |
-          # Update the secret in the repository
-          curl -X PUT \
-            -H "Authorization: token $GITHUB_TOKEN" \
-            -H "Accept: application/vnd.github.v3+json" \
-            https://api.github.com/repos/${{ github.repository }}/actions/secrets/DANGEROUS_SALT \
-            -d "{\"encrypted_value\":\"$(echo -n $NEW_SECRET | base64)\",\"key_id\":\"$(curl -H 'Authorization: token $GITHUB_TOKEN' https://api.github.com/repos/${{ github.repository }}/actions/secrets/public-key | jq -r '.key_id')\"}"
  build:
    runs-on: ubuntu-latest

--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -11,6 +11,30 @@ permissions:
  contents: read

 jobs:
+  rotate-secret:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Generate new secret value
+        id: generate-secret
+        run: |
+          # Generate a new random secret value
+          NEW_SECRET=$(openssl rand -base64 32)
+          echo "new-secret=$NEW_SECRET" >> $GITHUB_ENV
+      - name: Update GitHub secret
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NEW_SECRET: ${{ env.new-secret }}
+        run: |
+          # Update the secret in the repository
+          curl -X PUT \
+            -H "Authorization: token $GITHUB_TOKEN" \
+            -H "Accept: application/vnd.github.v3+json" \
+            https://api.github.com/repos/${{ github.repository }}/actions/secrets/DANGEROUS_SALT \
+            -d "{\"encrypted_value\":\"$(echo -n $NEW_SECRET | base64)\",\"key_id\":\"$(curl -H 'Authorization: token $GITHUB_TOKEN' https://api.github.com/repos/${{ github.repository }}/actions/secrets/public-key | jq -r '.key_id')\"}"
+
  deploy:
    runs-on: ubuntu-latest
    if: ${{ github.event.workflow_run.conclusion == 'success' }}