darkhelm/notifications-api
1
0
Fork 0
mirror of https://github.com/GSA/notifications-api.git synced 2025-12-12 16:22:17 -05:00
Code Issues Packages Projects Releases Wiki Activity

move rotate from checks to deploy

Browse Source
This commit is contained in:
Kenneth Kehl
2024-08-22 11:00:31 -07:00
parent 6401378715
commit 6d44ffceb8
3 changed files with 27 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
.ds.baseline
View File

@@ -133,7 +133,7 @@
"filename": ".github/workflows/checks.yml", "filename": ".github/workflows/checks.yml",
"hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8", "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
"is_verified": false, "is_verified": false,
"line_number": 50, "line_number": 28,
"is_secret": false "is_secret": false
}, },
{ {
@@ -141,7 +141,7 @@
"filename": ".github/workflows/checks.yml", "filename": ".github/workflows/checks.yml",
"hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8", "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
"is_verified": false, "is_verified": false,
"line_number": 67, "line_number": 45,
"is_secret": false "is_secret": false
} }
], ],
@@ -384,5 +384,5 @@
} }
] ]
}, },
"generated_at": "2024-08-22T14:22:18Z" "generated_at": "2024-08-22T18:00:24Z"
} }

22
.github/workflows/checks.yml vendored
View File

@@ -16,29 +16,7 @@ env:
AWS_US_TOLL_FREE_NUMBER: "+18556438890" AWS_US_TOLL_FREE_NUMBER: "+18556438890"
jobs: jobs:
rotate-secret:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Generate new secret value
id: generate-secret
run: |
# Generate a new random secret value
NEW_SECRET=$(openssl rand -base64 32)
echo "new-secret=$NEW_SECRET" >> $GITHUB_ENV
- name: Update GitHub secret
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NEW_SECRET: ${{ env.new-secret }}
run: |
# Update the secret in the repository
curl -X PUT \
-H "Authorization: token $GITHUB_TOKEN" \
-H "Accept: application/vnd.github.v3+json" \
https://api.github.com/repos/${{ github.repository }}/actions/secrets/DANGEROUS_SALT \
-d "{\"encrypted_value\":\"$(echo -n $NEW_SECRET | base64)\",\"key_id\":\"$(curl -H 'Authorization: token $GITHUB_TOKEN' https://api.github.com/repos/${{ github.repository }}/actions/secrets/public-key | jq -r '.key_id')\"}"
build: build:
runs-on: ubuntu-latest runs-on: ubuntu-latest

24
.github/workflows/deploy.yml vendored
View File

@@ -11,6 +11,30 @@ permissions:
contents: read contents: read
jobs: jobs:
rotate-secret:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Generate new secret value
id: generate-secret
run: |
# Generate a new random secret value
NEW_SECRET=$(openssl rand -base64 32)
echo "new-secret=$NEW_SECRET" >> $GITHUB_ENV
- name: Update GitHub secret
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NEW_SECRET: ${{ env.new-secret }}
run: |
# Update the secret in the repository
curl -X PUT \
-H "Authorization: token $GITHUB_TOKEN" \
-H "Accept: application/vnd.github.v3+json" \
https://api.github.com/repos/${{ github.repository }}/actions/secrets/DANGEROUS_SALT \
-d "{\"encrypted_value\":\"$(echo -n $NEW_SECRET | base64)\",\"key_id\":\"$(curl -H 'Authorization: token $GITHUB_TOKEN' https://api.github.com/repos/${{ github.repository }}/actions/secrets/public-key | jq -r '.key_id')\"}"
deploy: deploy:
runs-on: ubuntu-latest runs-on: ubuntu-latest
if: ${{ github.event.workflow_run.conclusion == 'success' }} if: ${{ github.event.workflow_run.conclusion == 'success' }}