👷(ci) sops: configure workflows to use sops secrets

GitHub secrets are difficult to maintain over time because we have no
efficient way to track them. To avoid this issue, we prefer to manage
our secrets with sops-encrypted files.
This commit is contained in:
Jacques ROUSSEL
2024-01-08 11:33:56 +01:00
committed by rouja
parent c2c6ae88db
commit 8f2f47d3b1
4 changed files with 62 additions and 4 deletions


@@ -272,13 +272,18 @@ jobs:
run: pip install --user .[dev]
- name: Generate the translation base file
run: ~/.local/bin/django-admin makemessages --keep-pot --all
- name: Load sops secrets
uses: rouja/actions-sops@main
with:
secret-file: .github/workflows/secrets.enc.env
age-key: ${{ secrets.SOPS_PRIVATE }}
- name: Upload files to Crowdin
run: |
docker run \
--rm \
-e CROWDIN_API_TOKEN=${{ secrets.CROWDIN_API_TOKEN }} \
-e CROWDIN_PROJECT_ID=${{ vars.CROWDIN_PROJECT_ID }} \
-e CROWDIN_BASE_PATH=${{ vars.CROWDIN_BASE_PATH }} \
-e CROWDIN_API_TOKEN=$CROWDIN_API_TOKEN \
-e CROWDIN_PROJECT_ID=$CROWDIN_PROJECT_ID \
-e CROWDIN_BASE_PATH=$CROWDIN_BASE_PATH \
-v "${{ github.workspace }}:/app" \
crowdin/cli:3.16.0 \
crowdin upload sources -c /app/crowdin/config.yml
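Review bot: `uses: rouja/actions-sops@main` in the new Load sops secrets step hands `secrets.SOPS_PRIVATE` and the decrypted secret file to a third-party action fetched from a mutable branch, so any later push to that branch runs in this job with the age key; pin it to a full commit SHA (`uses: rouja/actions-sops@<commit-sha>`), and the same applies to the identical step in the second hunk. Values the action exports reach the job as plain environment variables, which GitHub masks in logs only if the action registers them with `::add-mask::` — the page does not show whether it does, so confirm that before relying on it the way `${{ secrets.* }}` references were masked. In the Upload step the rewritten `-e CROWDIN_API_TOKEN=$CROWDIN_API_TOKEN \` still expands the token onto the docker command line; `-e CROWDIN_API_TOKEN \` (no `=`) lets docker take the value from the environment, and the same form works for the `CROWDIN_PROJECT_ID` and `CROWDIN_BASE_PATH` lines. The job's remaining steps run outside this hunk.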
@@ -298,8 +303,13 @@ jobs:
run: docker build -t people:${{ github.sha }} --target production .
- name: Check built images availability
run: docker images "people:${{ github.sha }}*"
- name: Load sops secrets
uses: rouja/actions-sops@main
with:
secret-file: .github/workflows/secrets.enc.env
age-key: ${{ secrets.SOPS_PRIVATE }}
- name: Login to DockerHub
run: echo "${{ secrets.DOCKER_HUB_PASSWORD }}" | docker login -u "${{ secrets.DOCKER_HUB_USER }}" --password-stdin
run: echo "$DOCKER_HUB_PASSWORD" | docker login -u "$DOCKER_HUB_USER" --password-stdin
- name: Tag images
run: |
DOCKER_TAG=$([[ -z "${{ github.event.ref }}" ]] && echo "${{ github.event.ref }}" || echo "${{ github.event.ref }}" | sed 's/^v//')