- GHO-27: mask secrets in ci mode, revert some changes instituted for… #13
Workflow file for this run
```yaml
name: Feature branch tofu checks (containerized) with tok

on:
  push:
    branches:
      - "feature/**"
  pull_request:
    branches:
      - develop
    types: [opened, synchronize, reopened]

permissions:
  contents: read
  packages: read

jobs:
  tofu-checks:
    runs-on: ubuntu-latest
    steps:
      - name: Install Bitwarden Secrets Manager CLI (bws)
        run: |
          set -euo pipefail
          curl -fsSL \
            https://github.com/bitwarden/sdk-sm/releases/download/bws-v1.0.0/bws-x86_64-unknown-linux-gnu-1.0.0.zip \
            -o /tmp/bws.zip
          unzip -q /tmp/bws.zip -d /tmp/bws
          sudo mv /tmp/bws/bws /usr/local/bin/bws
          sudo chmod +x /usr/local/bin/bws
          bws --version

      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      # Required if the GHCR image is private
      - name: Log in to GHCR
        env:
          GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }}
        run: |
          docker login ghcr.io -u "noahwhite" --password-stdin <<< "$GHCR_TOKEN"

      - name: Pull OpenTofu tools image
        run: |
          docker pull ghcr.io/noahwhite/ghost-stack-shell:latest

      - name: Retrieve secrets via infra-shell.sh (CI mode)
        env:
          BWS_ACCESS_TOKEN: ${{ secrets.BWS_ACCESS_TOKEN }}
        run: |
          ./docker/scripts/infra-shell.sh --ci --secrets-only --export-github-env

      - name: Run tofu fmt check (recursive)
        run: |
          docker run --rm \
            -v "${GITHUB_WORKSPACE}:/home/devops/app" \
            -w /home/devops/app \
            ghcr.io/noahwhite/ghost-stack-shell:latest \
            tofu fmt -check -recursive
```