From a79b4b32c2007e1674ab57c66494456e02812ac5 Mon Sep 17 00:00:00 2001
From: Sebastien Vermeille
Date: Tue, 4 Jun 2024 14:08:32 +0200
Subject: [PATCH 1/3] BUILD-5219 Use Hashicorp Vault to retrieve VSCE_TOKEN
That way it retrieves an up-to-date secret
---
 .github/workflows/release.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 135eed4d4..0c51cfb17 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -48,6 +48,7 @@ jobs:
 with:
 secrets: |
 development/artifactory/token/{REPO_OWNER_NAME_DASH}-private-reader access_token | ARTIFACTORY_ACCESS_TOKEN;
+ development/kv/data/visualstudio VSCE_TOKEN | VISUALSTUDIO_PAT;
 - name: Install dependencies for vsce-publish
 run: |
 cp ${GITHUB_WORKSPACE}/.cirrus/.npmrc ./.npmrc
@@ -91,7 +92,7 @@ jobs:
 env:
 ARTIFACT_FILE: ${{ steps.download_artifact.outputs.artifactFile }}
 TARGET_PLATFORM: ${{ matrix.platform }}
- VSCE_TOKEN: ${{ secrets.VISUALSTUDIO_PAT }}
+ VSCE_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).VISUALSTUDIO_PAT }}
 uses: ./.github/actions/vsce-publish
 deploy_to_openvsx:
From a0de38aa304bb161458b2724c4c8be4e49370f1f Mon Sep 17 00:00:00 2001
From: Sebastien Vermeille
Date: Tue, 4 Jun 2024 14:11:52 +0200
Subject: [PATCH 2/3] BUILD-5219 Use Hashicorp Vault to retrieve OPENVSX_TOKEN
That way it retrieves an up-to-date secret
---
 .github/workflows/release.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 0c51cfb17..7147c4e43 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -117,6 +117,7 @@ jobs:
 with:
 secrets: |
 development/artifactory/token/{REPO_OWNER_NAME_DASH}-private-reader access_token | ARTIFACTORY_ACCESS_TOKEN;
+ development/team/sonarlint/kv/data/openvsx token | OPENVSX_TOKEN;
 - name: Install dependencies for ovsx-publish
 run: |
 cp ${GITHUB_WORKSPACE}/.cirrus/.npmrc ./.npmrc
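Review bot: The added line in the first release.yml hunk (`@@ -48,6 +48,7 @@`, patch 1/3) exports the Vault field `VSCE_TOKEN` under the output name `VISUALSTUDIO_PAT`, and the next hunk assigns that output back to an env variable called `VSCE_TOKEN`; carrying the old GitHub-secret name through the middle makes the mapping harder to audit. Writing `development/kv/data/visualstudio VSCE_TOKEN | VSCE_TOKEN;` and reading `fromJSON(steps.secrets.outputs.vault).VSCE_TOKEN` would mirror how `OPENVSX_TOKEN` is handled in patch 2/3. The step that owns this `secrets:` block starts above the hunk, so its `id: secrets` is assumed here rather than visible.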
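Review bot: Nothing checks that the Vault output actually contains the key before `VSCE_TOKEN` is handed to `./.github/actions/vsce-publish` in the second release.yml hunk (`@@ -91,7 +92,7 @@`, patch 1/3). A property missing from `fromJSON(steps.secrets.outputs.vault)` evaluates to an empty string, so a renamed field or a typo in the output alias would surface only as an authentication failure inside the publish step. Unless the secrets action already fails on a missing key (not visible here), a guard such as `: "${VSCE_TOKEN:?VSCE_TOKEN is empty}"` at the top of the consuming script would fail fast without printing the value. The same applies to the `OPENVSX_TOKEN` line in patch 2/3 and to both token lines in credcheck.yml (patch 3/3).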
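Review bot: The OpenVSX token added in patch 2/3 (`@@ -117,6 +117,7 @@`) is read from a team-scoped path, `development/team/sonarlint/kv/data/openvsx`, whereas the marketplace PAT from patch 1/3 comes from `development/kv/data/visualstudio`, which has no team prefix. If that shared mount is readable by other repositories' Vault roles, the marketplace publishing credential has a wider audience than the OpenVSX one. It is worth confirming the policy, or recording it with a comment above the secrets step such as `# shared mount: read access limited by <vault-policy-name>`.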
@@ -155,5 +156,5 @@ jobs:
 id: ovsx_publish
 env:
 ARTIFACT_FILE: ${{ steps.download_artifact.outputs.artifactFile }}
- OPENVSX_TOKEN: ${{ secrets.OPENVSX_TOKEN }}
+ OPENVSX_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).OPENVSX_TOKEN }}
 uses: ./.github/actions/ovsx-publish
From bdeb830176f8f185cd584c98e525116d3becbdc0 Mon Sep 17 00:00:00 2001
From: Sebastien Vermeille
Date: Tue, 4 Jun 2024 16:25:54 +0200
Subject: [PATCH 3/3] BUILD-5219 Update credcheck.yml workflow accordingly
That way it also use Hashicorp Vault secrets
---
 .github/workflows/credcheck.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/credcheck.yml b/.github/workflows/credcheck.yml
index 3f2a640e9..73d90ec35 100644
--- a/.github/workflows/credcheck.yml
+++ b/.github/workflows/credcheck.yml
@@ -27,12 +27,14 @@ jobs:
 with:
 secrets: |
 development/artifactory/token/{REPO_OWNER_NAME_DASH}-private-reader access_token | ARTIFACTORY_ACCESS_TOKEN;
+ development/kv/data/visualstudio VSCE_TOKEN | VISUALSTUDIO_PAT;
+ development/team/sonarlint/kv/data/openvsx token | OPENVSX_TOKEN;
 - name: Check marketplace publisher personal access token
 if: ${{ !cancelled() }}
 env:
 ARTIFACTORY_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ACCESS_TOKEN }}
- VSCE_TOKEN: ${{ secrets.VISUALSTUDIO_PAT }}
+ VSCE_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).VISUALSTUDIO_PAT }}
 working-directory: ./.github/actions/vsce-publish
 run: |
 cp ${GITHUB_WORKSPACE}/.cirrus/.npmrc ./.npmrc
@@ -43,7 +45,7 @@ jobs:
 if: ${{ !cancelled() }}
 env:
 ARTIFACTORY_ACCESS_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).ARTIFACTORY_ACCESS_TOKEN }}
- OPENVSX_TOKEN: ${{ secrets.OPENVSX_TOKEN }}
+ OPENVSX_TOKEN: ${{ fromJSON(steps.secrets.outputs.vault).OPENVSX_TOKEN }}
 working-directory: ./.github/actions/ovsx-publish
 run: |
 cp ${GITHUB_WORKSPACE}/.cirrus/.npmrc ./.npmrc
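Review bot: In the first credcheck.yml hunk (`@@ -27,12 +27,14 @@`, patch 3/3) the publisher token sits in the same `env` as `ARTIFACTORY_ACCESS_TOKEN` for a `run:` script that begins by copying `.npmrc` and continues past the end of the hunk. If that script goes on to install npm dependencies, every package lifecycle script runs with `VSCE_TOKEN` in its environment, which release.yml appears to avoid by keeping `Install dependencies for vsce-publish` as a separate step. Splitting the install into its own step that receives only `ARTIFACTORY_ACCESS_TOKEN`, or installing with `npm ci --ignore-scripts`, would keep the PAT away from third-party code. The `OPENVSX_TOKEN` step in the following hunk (`@@ -43,7 +45,7 @@`) has the same shape.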