Sync secret scanning data (#53666) #48
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: docs-internal Moda CI | ||
# More info on CI actions setup can be found here: | ||
# https://github.com/github/ops/blob/master/docs/playbooks/build-systems/moving-moda-apps-from-bp-to-actions.md | ||
on: | ||
workflow_dispatch: | ||
push: | ||
branches-ignore: | ||
- 'gh-readonly-queue/**' | ||
merge_group: | ||
types: [checks_requested] | ||
jobs: | ||
########################## | ||
# Generate Vault keys | ||
########################## | ||
set-vault-keys: | ||
runs-on: ubuntu-latest | ||
outputs: | ||
modified_vault_keys: ${{ steps.modify_vault_keys.outputs.modified }} | ||
steps: | ||
- name: Set vault-keys output | ||
id: modify_vault_keys | ||
run: | | ||
if [ -z "${{ vars.VAULT_KEYS }}" ]; then | ||
# We want to add the DOCS_BOT_PAT_READPUBLICKEY to the list of keys | ||
# so that builds fetch the secret from the docs-internal vault | ||
# where --environment is "ci" | ||
echo "modified=DOCS_BOT_PAT_READPUBLICKEY" >> $GITHUB_OUTPUT | ||
else | ||
echo "modified=${{ vars.VAULT_KEYS }},DOCS_BOT_PAT_READPUBLICKEY" >> $GITHUB_OUTPUT | ||
fi | ||
############# | ||
# Moda jobs | ||
############# | ||
moda-config-bundle: | ||
if: ${{ github.repository == 'github/docs-internal' }} | ||
name: ${{ matrix.ci_job.job }} | ||
needs: set-vault-keys | ||
strategy: | ||
fail-fast: false | ||
matrix: | ||
ci_job: [{ 'job': 'docs-internal-moda-config-bundle' }] | ||
uses: github/internal-actions/.github/workflows/moda.yml@main | ||
Check failure on line 46 in .github/workflows/moda-ci.yaml GitHub Actions / .github/workflows/moda-ci.yamlInvalid workflow file
|
||
with: | ||
ci-formatted-job-name: ${{ matrix.ci_job.job }} | ||
vault-keys: ${{ needs.set-vault-keys.outputs.modified_vault_keys }} | ||
secrets: | ||
dx-bot-token: ${{ secrets.INTERNAL_ACTIONS_DX_BOT_ACCOUNT_TOKEN }} | ||
datadog-api-key: ${{ secrets.DATADOG_API_KEY }} | ||
############# | ||
# Docker Image jobs | ||
############# | ||
docker-image: | ||
if: ${{ github.repository == 'github/docs-internal' }} | ||
name: ${{ matrix.ci_job.job }} | ||
needs: set-vault-keys | ||
strategy: | ||
fail-fast: false | ||
matrix: | ||
ci_job: [{ 'job': 'docs-internal-docker-image' }] | ||
uses: github/internal-actions/.github/workflows/kube.yml@main | ||
with: | ||
ci-formatted-job-name: ${{ matrix.ci_job.job }} | ||
vault-keys: ${{ needs.set-vault-keys.outputs.modified_vault_keys }} | ||
# Passes 'DOCS_BOT_PAT_READPUBLICKEY' secret from Vault to docker as --secret id=DOCS_BOT_PAT_READPUBLICKEY,src=<PAT value> | ||
docker-build-env-secrets: 'DOCS_BOT_PAT_READPUBLICKEY' | ||
secrets: | ||
dx-bot-token: ${{ secrets.INTERNAL_ACTIONS_DX_BOT_ACCOUNT_TOKEN }} | ||
datadog-api-key: ${{ secrets.DATADOG_API_KEY }} | ||
############# | ||
# Docker Security jobs | ||
############# | ||
docker-security: | ||
if: ${{ github.repository == 'github/docs-internal' }} | ||
name: ${{ matrix.ci_job.job }} | ||
needs: set-vault-keys | ||
strategy: | ||
fail-fast: false | ||
matrix: | ||
ci_job: [{ 'job': 'docs-internal-docker-security' }] | ||
uses: github/internal-actions/.github/workflows/docker_security.yml@main | ||
with: | ||
ci-formatted-job-name: ${{ matrix.ci_job.job }} | ||
vault-keys: ${{ needs.set-vault-keys.outputs.modified_vault_keys }} | ||
# Passes 'DOCS_BOT_PAT_READPUBLICKEY' secret from Vault to docker as --secret id=DOCS_BOT_PAT_READPUBLICKEY,src=<PAT value> | ||
docker-build-env-secrets: 'DOCS_BOT_PAT_READPUBLICKEY' | ||
secrets: | ||
dx-bot-token: ${{ secrets.INTERNAL_ACTIONS_DX_BOT_ACCOUNT_TOKEN }} | ||
datadog-api-key: ${{ secrets.DATADOG_API_KEY }} | ||
permissions: | ||
actions: read | ||
checks: read | ||
contents: read | ||
statuses: read | ||
id-token: write |