infrastructure: split dependabot secrets

observeinc · Oct 26, 2023 · 0fec618 · 0fec618
1 parent 5fda698
commit 0fec618
Show file tree

Hide file tree

Showing 5 changed files with 20 additions and 12 deletions.
diff --git a/infrastructure/main.tf b/infrastructure/main.tf
@@ -1,26 +1,28 @@
 locals {
   organization = "observeinc"
   repository   = "terraform-provider-observe"
+
+  secrets = {
+    for type in ["actions", "dependabot"] : type => {
+      for path in fileset(path.module, "secrets/${type}/*") : basename(path) => trimspace(file(path))
+    }
+  }
 }
 
 resource "github_actions_secret" "secrets" {
-  for_each = setsubtract(fileset("${path.module}/secrets", "*"), ["README.md"])
-
-  repository  = local.repository
-  secret_name = each.key
+  for_each = local.secrets.actions
 
-  encrypted_value = file("${path.module}/secrets/${each.key}")
+  repository      = local.repository
+  secret_name     = each.key
+  encrypted_value = each.value
 }
 
 resource "github_dependabot_secret" "secrets" {
-  for_each = {
-    # Automatically expose any OBSERVE_* credentials as Dependabot secrets to allow aceptance testing PRs
-    for k, v in github_actions_secret.secrets : k => v if startswith(k, "OBSERVE")
-  }
+  for_each = local.secrets.dependabot
 
-  repository      = each.value.repository
+  repository      = local.repository
   secret_name     = each.key
-  encrypted_value = each.value.encrypted_value
+  encrypted_value = each.value
 }
 
 moved {

diff --git a/infrastructure/secrets/README.md b/infrastructure/secrets/README.md
@@ -4,15 +4,20 @@ This directory contains **encrypted** secrets used by GitHub Actions. They are e
 
 Any file added to this directory (other than this readme) should contain an **already-encrypted** secret that will be created by Terraform in GitHub Actions, using the filename as the secret name.
 
+The `actions/` contains Actions secrets while `dependabot/` contains [Dependabot secrets](https://docs.github.com/en/code-security/dependabot/working-with-dependabot/automating-dependabot-with-github-actions#accessing-secrets). These use different encryption keys, so encrypted secrets for Actions cannot be used by Dependabot jobs, and vice versa.
+
 ## Generating a Secret
 
 Using the [GitHub CLI](https://cli.github.com):
 
 ```sh
 SECRET_NAME=MY_SECRET
-gh secret set $SECRET_NAME --no-store > $SECRET_NAME
+APP=actions
+gh secret set "$SECRET_NAME" --app "$APP" --no-store > "$APP/$SECRET_NAME"
 ```
 
+For Dependabot secrets, change `APP` to `dependabot`.
+
 You can optionally pipe a value in, e.g., using the macOS clipboard:
 
 ```sh

diff --git a/infrastructure/secrets/GPG_PRIVATE_KEY → ...structure/secrets/actions/GPG_PRIVATE_KEY b/infrastructure/secrets/GPG_PRIVATE_KEY → ...structure/secrets/actions/GPG_PRIVATE_KEY
diff --git a/infrastructure/secrets/OBSERVE_USER_PASSWORD → ...ure/secrets/actions/OBSERVE_USER_PASSWORD b/infrastructure/secrets/OBSERVE_USER_PASSWORD → ...ure/secrets/actions/OBSERVE_USER_PASSWORD
diff --git a/infrastructure/secrets/dependabot/OBSERVE_USER_PASSWORD b/infrastructure/secrets/dependabot/OBSERVE_USER_PASSWORD
@@ -0,0 +1 @@
+gUhvkZqM9EPL1dAvaB4QhuJr7BEn0fHU85rMDCORSAYcny7rB0qDwpfh48TVFbwqBEj7fSpa5Wpz/bgy4bf9FfyiXw==
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		gUhvkZqM9EPL1dAvaB4QhuJr7BEn0fHU85rMDCORSAYcny7rB0qDwpfh48TVFbwqBEj7fSpa5Wpz/bgy4bf9FfyiXw==