Using Secrets in Github Workflows.
Overview
This page covers the use of the Secrets Management workflow & action in https://github.com/ministryofjustice/modernisation-platform-github-actions to add secrets to our workflows. Previously, secrets were either added directly via /terraform/github/repositories.tf or in some cases they were added manually. The new reusable workflow & action makes it easier to use secrets across our various repositories whilst avoiding unnecessary duplication of both code and effort. This allows us to define secrets just once, manage their values in one place and ensure that encryption, decryption and the masking of values is applied consistently.
The reusable workflow & action are:
- https://github.com/ministryofjustice/modernisation-platform-github-actions/blob/main/.github/workflows/aws-secrets-management.yml
A workflow used to obtain the encrypted value of a secret. This workflow must be referenced as a job and is best used at the beginning of a workflow.
The workflow requires two parameters for use:
MODERNISATION_PLATFORM_ACCOUNT_NUMBER, and
PASSPHRASE.
Both of these are defined as secrets in /terraform/github/repositories.tf
- https://github.com/ministryofjustice/modernisation-platform-github-actions/blob/main/decrypt-secrets/action.yml
An action that returns the decrypted value of an encrypted secret. This can be called as a step within a job. The decrypted value is automatically masked and added as a github environment variable.
The action requires the PASSPHRASE parameter (see above).
Further information can be found in the README.