From f82bf1fef89442fc3cc5b09ab3c2fbc2316f66e5 Mon Sep 17 00:00:00 2001
From: Romain Bioteau
Date: Wed, 19 Jun 2024 17:24:04 +0200
Subject: [PATCH] chore(gha): use Keeper action
---
 .github/workflows/build.yml | 27 +++++++++++++++++----------
 1 file changed, 17 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 59dc9aa..9092079 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -11,29 +11,36 @@ jobs:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
 with:
 fetch-depth: 0
-
+
+ - uses: Keeper-Security/ksm-action@v1
+ with:
+ keeper-secret-config: ${{ secrets.KSM_CONFIG }}
+ secrets: |
+ ${{ vars.KEEPER_SONARCLOUD_RECORD_ID }}/field/password > env:SONAR_TOKEN
+ ${{ vars.KEEPER_OSSRH_RECORD_ID }}/field/login > env:MAVEN_USERNAME
+ ${{ vars.KEEPER_OSSRH_RECORD_ID }}/field/password > env:MAVEN_PASSWORD
+ ${{ vars.KEEPER_GPG_ARTIFACT_SIGNING_RECORD_ID }}/field/login > env:GPG_KEYNAME
+ ${{ vars.KEEPER_GPG_ARTIFACT_SIGNING_RECORD_ID }}/custom_field/gpg-private-key > env:GPG_PRIVATE_KEY
+ ${{ vars.KEEPER_GPG_ARTIFACT_SIGNING_RECORD_ID }}/field/password > env:MAVEN_GPG_PASSPHRASE
+
 - name: Setup Java
- uses: actions/setup-java@v3
+ uses: actions/setup-java@v4
 with:
- java-version: 11
+ java-version: 17
 distribution: temurin
 cache: maven
 server-id: ossrh # Value of the distributionManagement/repository/id field of the pom.xml
 server-username: MAVEN_USERNAME # env variable for username in deploy
- server-password: MAVEN_CENTRAL_TOKEN # env variable for token in deploy
- gpg-private-key: ${{ secrets.gpg_private_key }} # Value of the GPG private key to import
+ server-password: MAVEN_PASSWORD # env variable for token in deploy
+ gpg-private-key: ${{ env.GPG_PRIVATE_KEY }} # Value of the GPG private key to import
 gpg-passphrase: MAVEN_GPG_PASSPHRASE # env variable for GPG private key passphrase
 - name: Build and deploy
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
- SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
- MAVEN_USERNAME: ${{ secrets.ossrh_username }}
- MAVEN_CENTRAL_TOKEN: ${{ secrets.ossrh_password }}
- MAVEN_GPG_PASSPHRASE: ${{ secrets.gpg_passphrase }}
 run: ./mvnw -B -ntp clean deploy
 - run: mkdir staging && cp target/*.zip staging
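Review bot: The `> env:` destinations in the new `Keeper-Security/ksm-action@v1` step export all six values, including `GPG_PRIVATE_KEY` and the OSSRH credentials, to the job environment, so every later step can read them: `./mvnw -B -ntp clean deploy` with its build plugins and tests, the `mkdir staging` step, and anything after the hunk. Before this change the signing key was passed only to `actions/setup-java` and the tokens were scoped to the "Build and deploy" step. Consider giving the Keeper step an `id` and routing the private key through a step output rather than the environment, e.g. `gpg-private-key: ${{ steps.ksm.outputs.GPG_PRIVATE_KEY }}`, after confirming against the action's README that its step-output destination fits here and that the multi-line key is masked in logs. The same step hands `KSM_CONFIG` to a third-party action referenced by the mutable tag `@v1`; pinning it to a full commit SHA, `uses: Keeper-Security/ksm-action@<full-commit-sha> # v1`, keeps a moved tag from running with vault access.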