reuse-one-password.yaml
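---
# SPDX-License-Identifier: Apache-2.0
# SPDX-FileCopyrightText: 2024 The Linux Foundation

# Validates 1Password vault access given a service account
#
# Reusable workflow: the caller selects a service account with ACCESS_TYPE and
# optionally names a vault item to load. Every caller-controlled value that a
# shell step needs is handed over through `env:` instead of being interpolated
# into the script text, so input content cannot change the commands that run.
# Service account tokens never enter a shell script; the summary step only
# receives a boolean telling it whether each secret was supplied.
name: "🔑 [R] 1Password"
on:
  workflow_call:
    inputs:
      # Conditionally required: must be set whenever ACCESS_TYPE is not "none"
      # (checked by the first step of the job below)
      VAULT_ITEM:
        description: "Element to load from 1Password using service account"
        required: false
        type: string
      # Optional inputs
      ACCESS_TYPE:
        description: "Descriptive label for vault access, e.g. [ development|production|none ]"
        required: false
        type: string
        default: "none"
      EXPORT:
        description: "Export vault element to environment/subsequent steps"
        required: false
        default: false
        type: boolean
    # Service account credentials
    secrets:
      ONE_PASSWORD_DEVELOPMENT:
        description: "1Password service account [ Development ]"
        required: false
      ONE_PASSWORD_PRODUCTION:
        description: "1Password service account [ Production ]"
        required: false

# No GitHub API/token permissions are needed anywhere in this workflow
permissions: {}

jobs:
  one-password:
    name: "Vault access"
    runs-on: "ubuntu-24.04"
    # Does not need to interact with GitHub nor the repository at all
    permissions: {}
    steps:
      - name: "Validate 1Password workflow inputs"
        # Most inputs are NOT mandatory, so only the one combination that can
        # never work is rejected: an access type other than "none" with no
        # vault item to load. Inputs are read from the environment rather than
        # interpolated into the script, so their content is never parsed as
        # shell syntax.
        shell: bash
        env:
          VAULT_ITEM: ${{ inputs.VAULT_ITEM }}
          ACCESS_TYPE: ${{ inputs.ACCESS_TYPE }}
        run: |
          # Validate 1Password workflow inputs
          if [ -z "$VAULT_ITEM" ] && [ "$ACCESS_TYPE" != 'none' ]; then
            echo "Error: vault item is required unless access_type set to none"
            exit 1
          fi

      - name: "Use Service Account [ Development ]"
        uses: 1password/load-secrets-action@581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0 # v2.0.0
        if: inputs.ACCESS_TYPE == 'development'
        with:
          # Export loaded secrets as environment variables
          export-env: ${{ inputs.EXPORT }}
        env:
          VAULT_ITEM: ${{ inputs.VAULT_ITEM }}
          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.ONE_PASSWORD_DEVELOPMENT }}

      - name: "Use Service Account [ Production ]"
        uses: 1password/load-secrets-action@581a835fb51b8e7ec56b71cf2ffddd7e68bb25e0 # v2.0.0
        if: inputs.ACCESS_TYPE == 'production'
        with:
          # Export loaded secrets as environment variables
          export-env: ${{ inputs.EXPORT }}
        env:
          VAULT_ITEM: ${{ inputs.VAULT_ITEM }}
          OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.ONE_PASSWORD_PRODUCTION }}

      # Prints masked secret value: ***
      # Only runs for the development account, so no production value is ever
      # echoed. Log masking is best-effort (it matches the exact registered
      # string), so keep this to the development vault and do not transform
      # the value before printing it.
      - name: "Test masked output value"
        if: inputs.ACCESS_TYPE == 'development'
        shell: bash
        env:
          EXPORT: ${{ inputs.EXPORT }}
        run: |
          # Test masked output value
          echo "Element loaded as variable: $VAULT_ITEM"
          echo "export-env was set to: $EXPORT"

      - name: "Print summary to job output"
        shell: bash
        # The secrets themselves are not passed to this step; the expressions
        # below resolve to "true"/"false" before the shell sees them, so the
        # token values never appear in the script or the step environment.
        env:
          DEVELOPMENT_ACCOUNT_SET: ${{ secrets.ONE_PASSWORD_DEVELOPMENT != '' }}
          PRODUCTION_ACCOUNT_SET: ${{ secrets.ONE_PASSWORD_PRODUCTION != '' }}
        run: |
          # Print summary to job output
          # shellcheck disable=SC2129
          echo "# 🔑 1Password Service" >> "$GITHUB_STEP_SUMMARY"
          echo "Availability of credentials and service accounts to this workflow run" \
            >> "$GITHUB_STEP_SUMMARY"
          echo "| Status | Account Type |" >> "$GITHUB_STEP_SUMMARY"
          echo "| ------ | ---------------------|" >> "$GITHUB_STEP_SUMMARY"
          if [ "$DEVELOPMENT_ACCOUNT_SET" != 'true' ]; then
            echo "| ❌ | Development Service Account |" >> "$GITHUB_STEP_SUMMARY"
          else
            echo "| ✅ | Development Service Account |" >> "$GITHUB_STEP_SUMMARY"
          fi
          if [ "$PRODUCTION_ACCOUNT_SET" != 'true' ]; then
            echo "| ❌ | Production Service Account |" >> "$GITHUB_STEP_SUMMARY"
          else
            echo "| ✅ | Production Service Account |" >> "$GITHUB_STEP_SUMMARY"
          fi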