From 7d1f7c7c889c3af476e873405c73180bcc18e28f Mon Sep 17 00:00:00 2001
From: Thomas Cardin <49320132+ThomasCardin@users.noreply.github.com>
Date: Fri, 6 Dec 2024 10:44:05 -0500
Subject: [PATCH] issue #172: vault integration

---
 .../workflow-detect-secret-leaks.yml | 47 ++++++++++++++-----
 1 file changed, 35 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/workflow-detect-secret-leaks.yml b/.github/workflows/workflow-detect-secret-leaks.yml
index 492bb138..11f5325c 100644
--- a/.github/workflows/workflow-detect-secret-leaks.yml
+++ b/.github/workflows/workflow-detect-secret-leaks.yml
@@ -4,18 +4,45 @@ on: workflow_call: push: branches: - - "**" - pull_request: - branches: - - "**" + - '**' jobs: detect-secret-leaks: - runs-on: ubuntu-latest + runs-on: gh-runner + permissions: + contents: read + id-token: write steps: - name: Checkout code uses: actions/checkout@v3 + - name: Authenticate with Vault using GitHub OIDC + id: vault_auth + uses: hashicorp/vault-action@v2.4.0 + with: + url: http://vault.vault.svc.cluster.local:8200 + caCertificate: ${{ secrets.VAULT_CA_CERT }} + method: github + githubToken: ${{ secrets.VAULT_TOKEN }} + + # https://github.com/hashicorp/vault-action?tab=readme-ov-file#multiple-secrets + - name: Retrieve secrets from Vault + id: get_secrets + uses: hashicorp/vault-action@v2.4.0 + with: + url: ${{ secrets.VAULT_ADDR }} + method: jwt + role: github-actions + secrets: | + secret/kv/fertiscan/frontend * | API_KEY_ ; + secret/kv/fertiscan/frontend * | API_KEY_ ; + secret/kv/fertiscan/database * | API_KEY_ ; + secret/kv/fertiscan-dev * | API_KEY_ ; + secret/kv/nachet * | API_KEY_ ; + secret/kv/finesse * | API_KEY_ + env: + VAULT_TOKEN: ${{ steps.vault_auth.outputs.vault_token }} + - name: Install git-secrets run: | sudo apt-get update 
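Review bot: The Vault authentication step added in this hunk talks to Vault over plain `url: http://vault.vault.svc.cluster.local:8200`, so the `caCertificate` input has nothing to verify and both the GitHub token sent in and the Vault token returned cross the cluster network unencrypted; the URL should be `https://` and, for consistency with the retrieval step, come from `${{ secrets.VAULT_ADDR }}`. Despite its name the step uses `method: github` with a stored `githubToken: ${{ secrets.VAULT_TOKEN }}`, a long-lived credential rather than OIDC, while the retrieval step already authenticates with `method: jwt` under the new `id-token: write` permission and, as far as I can tell, vault-action only accepts a pre-issued token through its `token` input, so the first step and the `VAULT_TOKEN: ${{ steps.vault_auth.outputs.vault_token }}` env line appear to be dead and could be removed. In the `secrets:` block `secret/kv/fertiscan/frontend * | API_KEY_ ;` is listed twice, and because every path exports under the same `API_KEY_` prefix, keys sharing a name across paths will silently overwrite one another; give each path its own prefix or drop the duplicate. The `*` wildcard also exports every key under those paths into the job environment for all following steps, which is broader than the scan needs, and the job's `steps:` continue past the end of the hunk.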
@@ -30,14 +57,10 @@ jobs: git secrets --install - name: Add API keys to git-secrets - env: - API_KEYS: ${{ secrets.AI_CFIA_API_KEYS }} run: | - echo "$API_KEYS" > api_keys.txt - while IFS= read -r api_key; do - git secrets --add --literal "$api_key" - done < api_keys.txt - rm -f api_keys.txt + for var in $(compgen -e API_KEY_); do + git secrets --add --literal "${!var}" + done - name: Scan repository for secrets run: |
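Review bot: The new loop in the `Add API keys to git-secrets` step fails open: when no `API_KEY_` variables were exported (Vault step misconfigured, wrong path, nothing stored under it) `compgen -e API_KEY_` produces nothing, the `for` body never runs, and the scan step that follows passes with no patterns registered. A variable holding an empty value would likewise run `git secrets --add --literal ""`, registering an empty pattern. Check that the list is non-empty, skip empty values, and since `compgen` is a bash builtin declare `shell: bash` on the step rather than relying on the runner's default shell; the enclosing job definition starts above this hunk.

```yaml
- name: Add API keys to git-secrets
  shell: bash
  run: |
    vars=$(compgen -e API_KEY_) || { echo "no API_KEY_ variables exported from Vault" >&2; exit 1; }
    for var in $vars; do
      if [ -n "${!var}" ]; then
        git secrets --add --literal "${!var}"
      fi
    done
```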