New OIDC auth method #20

Open
wants to merge 6 commits into main from

Conversation

@rgharris rgharris commented Dec 3, 2024

This depends on yet to be released API changes and is not ready to be merged yet. This has been tested with the unpublished API changes via the new doppler-api-domain option.

Release Note: Add OIDC support to the GitHub Secrets Fetch Action. This allows the action to retrieve secrets from a Doppler service account by authenticating via identity auth.

Closes ENG-8513

Example usages:

name: Doppler secrets from outputs

on: [push]

jobs:
  secrets-fetch-sa-oidc:
    runs-on: ubuntu-latest
    permissions:
      id-token: write # required for obtaining the OIDC JWT from GitHub
    steps:
    - uses: dopplerhq/secrets-fetch-action@rgharris/oidc # update to use @v1.3.0 after launch
      id: doppler
      with:
        auth-method: oidc
        doppler-identity-id: 78efd55a-a93c-4415-8078-7db6a588ba73
        doppler-project: example-project
        doppler-config: dev
        doppler-api-domain: your-custom-local-domain # for local testing only
    - run: echo "DOPPLER_PROJECT is ${{ steps.doppler.outputs.DOPPLER_PROJECT }} (Doppler meta environment variables are unmasked)"
    - run: echo "ANEWONE is ${{ steps.doppler.outputs.ANEWONE }} (secret masked output)"

  secrets-fetch-sa-token:
    runs-on: ubuntu-latest
    steps:
    - uses: dopplerhq/secrets-fetch-action@rgharris/oidc # update to use @v1.3.0 after launch
      id: doppler
      with:
        doppler-token: ${{ secrets.DOPPLER_SA_TOKEN }}
        doppler-project: example-project
        doppler-config: dev
        doppler-api-domain: your-custom-local-domain # for local testing only
    - run: echo "DOPPLER_PROJECT is ${{ steps.doppler.outputs.DOPPLER_PROJECT }} (Doppler meta environment variables are unmasked)"
    - run: echo "ANEWONE is ${{ steps.doppler.outputs.ANEWONE }} (secret masked output)"

  secrets-fetch-service-token:
    runs-on: ubuntu-latest
    steps:
    - uses: dopplerhq/secrets-fetch-action@rgharris/oidc # update to use @v1.3.0 after launch
      id: doppler
      with:
        doppler-token: ${{ secrets.DOPPLER_SERVICE_TOKEN }}
        doppler-api-domain: your-custom-local-domain # for local testing only
    - run: echo "DOPPLER_PROJECT is ${{ steps.doppler.outputs.DOPPLER_PROJECT }} (Doppler meta environment variables are unmasked)"
    - run: echo "ANEWONE is ${{ steps.doppler.outputs.ANEWONE }} (secret masked output)"

@nmanoogian nmanoogian left a comment


Nice! 🎉

Review comments (outdated, resolved) on action.yml, doppler.js and README.md.

@nmanoogian nmanoogian left a comment


All changes look good! Approving once more for good measure 👍
