🐛(CI) purge secret from repository

- Remove *.enc.*
- Adapt helmfile
- Adapt CI
Jacques ROUSSEL
2024-06-06 17:11:57 +02:00
committed by rouja
parent 4e4e2e23e3
commit 37f02893ed
13 changed files with 109 additions and 263 deletions


@@ -12,13 +12,24 @@ jobs:
runs-on: ubuntu-latest
steps:
-
name: Checkout
uses: actions/checkout@v4
uses: actions/create-github-app-token@v1
id: app-token
with:
app-id: ${{ secrets.APP_ID }}
private-key: ${{ secrets.PRIVATE_KEY }}
owner: ${{ github.repository_owner }}
repositories: "impress,secrets"
-
name: Checkout repository
uses: actions/checkout@v2
with:
submodules: recursive
token: ${{ steps.app-token.outputs.token }}
-
name: Load sops secrets
uses: rouja/actions-sops@main
with:
secret-file: .github/workflows/secrets.enc.env
secret-file: .github/workflows/secrets/numerique-gouv/impress/secrets.enc.env
age-key: ${{ secrets.SOPS_PRIVATE }}
-
name: Call argocd github webhook
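Review bot: The added `Checkout repository` step hands the GitHub App token (scoped to `impress,secrets`) to `actions/checkout@v2` without `persist-credentials: false`, so by default the token stays in the local git config and is readable by every later step in the job, third-party actions included. The submodules are fetched inside the checkout step itself, so adding `persist-credentials: false` under `with:` should not break the submodule fetch; one run would confirm it. The step also moves from `actions/checkout@v4` back to `@v2`, which looks unintended. The same block is repeated in the other two workflow files of this commit.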


@@ -19,20 +19,31 @@ jobs:
runs-on: ubuntu-latest
steps:
-
name: Checkout
uses: actions/checkout@v4
uses: actions/create-github-app-token@v1
id: app-token
with:
app-id: ${{ secrets.APP_ID }}
private-key: ${{ secrets.PRIVATE_KEY }}
owner: ${{ github.repository_owner }}
repositories: "impress,secrets"
-
name: Checkout repository
uses: actions/checkout@v2
with:
submodules: recursive
token: ${{ steps.app-token.outputs.token }}
-
name: Load sops secrets
uses: rouja/actions-sops@main
with:
secret-file: .github/workflows/secrets/numerique-gouv/impress/secrets.enc.env
age-key: ${{ secrets.SOPS_PRIVATE }}
-
name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: lasuite/impress-backend
-
name: Load sops secrets
uses: rouja/actions-sops@main
with:
secret-file: .github/workflows/secrets.enc.env
age-key: ${{ secrets.SOPS_PRIVATE }}
-
name: Login to DockerHub
if: github.event_name != 'pull_request'
@@ -52,20 +63,31 @@ jobs:
runs-on: ubuntu-latest
steps:
-
name: Checkout
uses: actions/checkout@v4
uses: actions/create-github-app-token@v1
id: app-token
with:
app-id: ${{ secrets.APP_ID }}
private-key: ${{ secrets.PRIVATE_KEY }}
owner: ${{ github.repository_owner }}
repositories: "impress,secrets"
-
name: Checkout repository
uses: actions/checkout@v2
with:
submodules: recursive
token: ${{ steps.app-token.outputs.token }}
-
name: Load sops secrets
uses: rouja/actions-sops@main
with:
secret-file: .github/workflows/secrets/numerique-gouv/impress/secrets.enc.env
age-key: ${{ secrets.SOPS_PRIVATE }}
-
name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: lasuite/impress-frontend
-
name: Load sops secrets
uses: rouja/actions-sops@main
with:
secret-file: .github/workflows/secrets.enc.env
age-key: ${{ secrets.SOPS_PRIVATE }}
-
name: Login to DockerHub
if: github.event_name != 'pull_request'
@@ -86,20 +108,31 @@ jobs:
runs-on: ubuntu-latest
steps:
-
name: Checkout
uses: actions/checkout@v4
uses: actions/create-github-app-token@v1
id: app-token
with:
app-id: ${{ secrets.APP_ID }}
private-key: ${{ secrets.PRIVATE_KEY }}
owner: ${{ github.repository_owner }}
repositories: "impress,secrets"
-
name: Checkout repository
uses: actions/checkout@v2
with:
submodules: recursive
token: ${{ steps.app-token.outputs.token }}
-
name: Load sops secrets
uses: rouja/actions-sops@main
with:
secret-file: .github/workflows/secrets/numerique-gouv/impress/secrets.enc.env
age-key: ${{ secrets.SOPS_PRIVATE }}
-
name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: lasuite/impress-y-webrtc-signaling
-
name: Load sops secrets
uses: rouja/actions-sops@main
with:
secret-file: .github/workflows/secrets.enc.env
age-key: ${{ secrets.SOPS_PRIVATE }}
-
name: Login to DockerHub
if: github.event_name != 'pull_request'
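Review bot: `Load sops secrets` still references `rouja/actions-sops@main`, a mutable branch, in all three jobs of this file. The step is handed the age private key `secrets.SOPS_PRIVATE` and now runs in a workspace that also holds the checked-out `secrets` submodule. Whoever can push to that branch changes the code that runs with the key, so pinning to a full commit SHA, `uses: rouja/actions-sops@<full-commit-sha>  # <tag>`, makes the executed code reviewable and fixed. The same reference appears in the other two workflow files of this commit; the jobs begin and end outside the hunks shown.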


@@ -209,8 +209,26 @@ jobs:
i18n-crowdin:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
-
uses: actions/create-github-app-token@v1
id: app-token
with:
app-id: ${{ secrets.APP_ID }}
private-key: ${{ secrets.PRIVATE_KEY }}
owner: ${{ github.repository_owner }}
repositories: "infrastructure,secrets"
-
name: Checkout repository
uses: actions/checkout@v2
with:
submodules: recursive
token: ${{ steps.app-token.outputs.token }}
-
name: Load sops secrets
uses: rouja/actions-sops@main
with:
secret-file: .github/workflows/secrets/numerique-gouv/impress/secrets.enc.env
age-key: ${{ secrets.SOPS_PRIVATE }}
- name: Install gettext (required to make messages)
run: |
@@ -229,12 +247,6 @@ jobs:
- name: Generate the translation base file
run: ~/.local/bin/django-admin makemessages --keep-pot --all
- name: Load sops secrets
uses: rouja/actions-sops@main
with:
secret-file: .github/workflows/secrets.enc.env
age-key: ${{ secrets.SOPS_PRIVATE }}
- name: Setup Node.js
uses: actions/setup-node@v4
with:
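Review bot: In the `i18n-crowdin` job the app token is requested with `repositories: "infrastructure,secrets"`, whereas the other workflows in this commit use `"impress,secrets"` and the secret file path sits under `numerique-gouv/impress`. This looks like a copy-paste from another repository: the token would be granted on a repository this job presumably never touches, and may not cover the repository being checked out. If so, `repositories: "impress,secrets"` keeps the token at the minimum scope and consistent with the other jobs. The job's steps continue past the end of the hunk.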

1
.github/workflows/secrets vendored Submodule


@@ -1,24 +0,0 @@
SOPS_PRIVATE=ENC[AES256_GCM,data:FK3PweZstvwslF18oRQNnqY2vTAdNNBWiTxRpuULnRnJbtyeula/MU5E08pImMGDvMXZulOgbmuXUHrKb31P6HG2Cz5MBFGhqU8=,iv:gYCDkAtBe1ldjSjVV/jDFYJTceqODpDRr4TRE9pxgb4=,tag:U7B3L4+SOoxVLBGW3GtrDg==,type:str]
CROWDIN_API_TOKEN=ENC[AES256_GCM,data:r0niJ4YBSb+s2Fg9EXkqgegw8JeQIwu27pfDTndjhbcVZW0/tihn5IZjercX3k8TpOuzPYei8k0JtmnjfBMi9NY3pYr80YCWDzUGqUKubyw=,iv:fF7SzhfsoiF53xdMm8BdPy668nYWBTA4r2aIfhUAd1Q=,tag:HskvnLyy5QTQnDv99Jmr1g==,type:str]
CROWDIN_BASE_PATH=ENC[AES256_GCM,data:jC8utvhuMmQ=,iv:VmHB9DX52YnGGWZEm1hD+zeUffypsAhwQQpox4t5png=,tag:cbQ24lWq7g33fJduMgmvuA==,type:str]
CROWDIN_PROJECT_ID=ENC[AES256_GCM,data:xz8mo2fB,iv:FcsLzOVUxxhcibXiIubIhtbdjCUXiIQpuGdBdNpSE8I=,tag:CNKUYvSlok0WFyFaKXR5QA==,type:str]
DOCKER_HUB_PASSWORD=ENC[AES256_GCM,data:R9ktuIb579tbe+M=,iv:nmn3wlOc88VL4kGyKLRIRIuVqUu8BuWKtHUjjex+zRg=,tag:fGNtJmMB2iHVGMeLBz5RwQ==,type:str]
DOCKER_HUB_USER=ENC[AES256_GCM,data:LJzr2mftjw==,iv:iwFvXHttIyydyNU11ZZH97oBp/DwTn5hlLQl7CqRWa0=,tag:qntAkpeNG/wOZim5K/8w7A==,type:str]
ARGOCD_WEBHOOK_URL=ENC[AES256_GCM,data:+dzTPg4mVqDLu6ac9xf2D4eccaKIvAosBBXpwp+QHZwTEeWGNm0GRaVzOx0gU4CjBNU9og0buYdi,iv:mhgVc5dBh1A1TVisGe0c/MO4EnXSb0ZQ2NL85QJzwaI=,tag:cT6Sa/GRJ94ss7yiL9pH2g==,type:str]
ARGOCD_WEBHOOK_SECRET=ENC[AES256_GCM,data:meQqbpT5gx5K4fW/WWmIQ9vlHjrQsVfGbdiVWm8YZf6EIm9xHWmTcflYxBqfvgWWen84NKWqt0uzl3+m1eDnLyE=,iv:wyIp0baJsw9jFu4z09xirr6qSpxK8aO907SEvce98/U=,tag:FaW5+x7r+fj3R9yq8ataTw==,type:str]
ARGOCD_PRODUCTION_WEBHOOK_URL=ENC[AES256_GCM,data:9xN9mA1JSw0L2wYxpVfG3uYiLPGo+OuziZTQ8PAMy3Cd+AmDWXcT0AInbhBMQsw5Og==,iv:8mW3YYhXmP9EqA25jwevIT4ccUxfgJU/B17XBasl6Dk=,tag:EMDk1YQj6eEinoBSgRo+7A==,type:str]
ARGOCD_PRODUCTION_WEBHOOK_SECRET=ENC[AES256_GCM,data:Y3pRbqpxtZOJi4VfRRx8WIZKJQuSaVePG0b1kmZ2UxWhfumFsvll91blpZQQIWp42AEgJhUfFz7lgGXtNZc=,iv:GBG4AYYEo50H+GC6Auzdabsj9XGMKStKp6bfqy0iWkE=,tag:qpjnB/K3Glq/Dziav6OXqg==,type:str]
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxMkZsNEovb2xpWjIrdUpG\nUzArWFlLejB1UTBDTHNJOENybzdRSHBkVVJzCmdWeW1VYUtxejBaWkhvMjEySFNm\nWmlJZWVVMVA2azJhUlBXZ0VrbnNsRGsKLS0tIHhTU0hFSmVnWW9GZE1UVGZMUDVw\ndE1RdCs2OEh1U2Q1WjFkYVNDOEVYQjgKxHI1W+DT2yMW1+0QUNDVdbeo6IvRVEig\nK1WrTM1VAmsji9xuvJQW9uKvYxmHo7OFZzkkNTbmLcJ4wBSNYilh+A==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_0__map_recipient=age15fyxdwmg5mvldtqqus87xspuws2u0cpvwheehrtvkexj4tnsqqysw6re2x
sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3OG05S01xK2J5aklEMitF\nNEtYbSthTVJHMk1oNmxkbjBvUkI0a21heXlrCkNPNjh1ektYYXJNVzVBMWxWKzB6\neHd0blE3U1pQdnpXbVkzZGVOdnh4aFEKLS0tIGUwSmdoZWxwNTdiWDdER3ZNU2lV\nZklBdHVERVkzcHZaZWdoM3pLMHBzSDgKTL1ipaUAFXOtGSu1g+pkfr+W3NlJJXcy\nl/yzxbLzPv2MSR09ZUFS6Km97/aTQDkCodt29paHEvRUDhR+oYCDVg==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_1__map_recipient=age16hnlml8yv4ynwy0seer57g8qww075crd0g7nsundz3pj4wk7m3vqftszg7
sops_age__list_2__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByUHRTUkpaaFhZUm1tUFRU\nNU5sZkozcHowTUdoejV5ditibHc1T2V6M3lNCit3OS9TeUx5UTZOTFVibjRaaGR3\nNlQ3WlhKZUNzaUJHNWVLajNnZ2U2RnMKLS0tIG9qdVNFVE5jOHAvSWcvcnVla0hn\nMlg1YTg2b2MreE16Qy85R09pa3ZxbEEKoPB1pOmc5FmSKIwQ017l05Lm+LoNH2KC\ndxSUkmw7n1tVkPKGtgbEcoR04mMm+4ANdXNetu3Goih1bvtjgWvUuQ==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_2__map_recipient=age1plkp8td6zzfcavjusmsfrlk54t9vn8jjxm8zaz7cmnr7kzl2nfnsd54hwg
sops_age__list_3__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjaDVPTVBFVzVxU3JPc0RM\ncTFlSUVzUXpKKzFyTmQweGNITVZFNUlheENjCkxtOU5QTGRMRmVRZ2hrQkY5SXM3\nTmZNU0NGc3VSZ2xOZlRIaTBXOSt2TXcKLS0tIEQ0bVhYSml0eXFLS2lCOFMxWGpS\nWE1tRTFDektsRWVYSHp6eTF4MVJQU3MKfskxXtc6JI86/xdjMRsVTmG0x+jLx/tq\necUbexvI56TOVFThd1Iv2QYnfD48OVstpH1QEpM42XQTRLsrj07gPA==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_3__map_recipient=age12g6f5fse25tgrwweleh4jls3qs52hey2edh759smulwmk5lnzadslu2cp3
sops_age__list_4__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1aXh5eTVZR21TNlBIbmxO\nR0FPNXlyNklucFNwbng5eStmMlNCNi9VYTJrCkZsejJqNmtxRmJlekN2czg3ZUls\nVTdKVWd2eWtpQUdBbGUzYWR4bXYwVW8KLS0tIEJnS2hDQU5CM2NVc3RsQjlZL1FE\nVGYyYWJ6K2gydVFCbUhYeWNDN2RiWjAKHD7/sZFiGD3+Xz5O/Yajb/gEVREWQB/l\nAsquVroBF4A89QUgbjZSYsHJcWuZ4JZXBX7fGSZwio+8+nhjvy+EhQ==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_4__map_recipient=age1qy04neuzwpasmvljqrcvhwnf0kz5cpyteze38c8avp0czewskasszv9pyw
sops_lastmodified=2024-05-24T13:55:45Z
sops_mac=ENC[AES256_GCM,data:gJViDK19UzUaOT+3b9cUJ+634dgzSkamqcj4031pyhrjCVb7FtRu2B8T7vpZObY3dB3mSCtfJKzKoJRhCjYDTd8YdASIOJyep+6K4JSWvKtliZ46syDQaSSTgPx7WaeLzVRpEpBq0adt6ngKTttbhIvhYZD7Kc3Tz3TcMCmEQhg=,iv:G9tzca7nZrBCNowEYpUkAiraVGxUv2732xwXCizJ8X0=,tag:yYt3ppmVYR+lba//lRNpdg==,type:str]
sops_unencrypted_suffix=_unencrypted
sops_version=3.8.1