replace gh secrets with aws (#279)

.github/actions/fetch-secrets/action.yml

@@ -0,0 +1,50 @@
+name: fetch-secrets
+
+inputs:
+  role_name:
+    type: string
+    required: true
+  region:
+    type: string
+    required: false
+    default: "eu-west-2"
+  app_name:
+    type: string
+    required: true
+    description: "Used for naming role session to audit secrets access"
+  step_name:
+    type: string
+    required: true
+    description: "Used for naming role session to audit secrets access because app_name is not enough"
+  secret_name:
+    type: string
+    required: true
+  secret_prefix:
+    type: string
+    required: true
+  parse_json:
+    type: boolean
+    required: false
+    default: "false"
+
+runs:
+  using: "composite"
+  steps:
+    - name: Install AWS CLI
+      uses: unfor19/install-aws-cli-action@ee0eb151cf1bca186ccf8c35d314b08d62e0e878 # v1
+      with:
+        version: 2
+
+    - name: Configure AWS credentials to fetch secrets
+      uses: aws-actions/configure-aws-credentials@97271860067ec931c45b8d104fbf0d15954ab85c # branch v1-node16
+      with:
+        role-to-assume: ${{ inputs.role_name }}
+        aws-region: ${{ inputs.region }}
+        role-session-name: ${{ inputs.app_name }}-${{ github.run_id }}-${{ github.run_attempt }}
+
+    - name: Fetch AWS secrets
+      uses: aws-actions/aws-secretsmanager-get-secrets@287592d14d9c9c48199db83dc182ae12af3df18e # v1.0.1
+      with:
+        secret-ids: |
+          ${{ inputs.secret_prefix }}, ${{ inputs.secret_name }}
+        parse-json-secrets: ${{ inputs.parse_json }}

.github/workflows/main.yml

@@ -132,6 +132,53 @@ jobs:
                 }
             }'
 
+  ephemeral-deploy-and-benchmark:
+    runs-on: ubuntu-22.04
+    needs:
+      - docker-gateway-api-gcr
+      - docker-data-aggregator-gcr
+      - docker-database-migrations-gcr
+      - setup-tags
+    if: github.ref == 'refs/heads/develop'
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+      - uses: ./.github/actions/fetch-secrets
+        with: 
+          role_name: "arn:aws:iam::308190735829:role/gh-babylon-gateway-secrets-read-access"
+          app_name: "babylon-gateway"
+          step_name: "ephemeral-deploy-and-benchmark"
+          secret_prefix: "JENKINS"
+          secret_name: "github-actions/radixdlt/babylon-gateway/jenkins-api-token"
+          parse_json: true
+      - name: Process ci.env
+        run: |
+          export $(grep -v '^#' ./deployment/ci.env | xargs)
+          echo "FULLNODE_VERSION=$FULLNODE_VERSION" >> $GITHUB_ENV
+      - name: Check if ci.env changed
+        id: changed-files
+        uses: tj-actions/changed-files@db5dd7c176cf59a19ef6561bf1936f059dee4b74
+        with:
+          files: |
+            deployment/ci.env
+      - name: Deploy and run benchmark on an ephemeral network
+        uses: toptal/jenkins-job-trigger-action@649c04c83c099c759aba134bf78138a303ec095f
+        with:
+          jenkins_url: "${{ env.JENKINS_URL }}"
+          jenkins_user: ${{ env.JENKINS_USER }}
+          jenkins_token: ${{ env.JENKINS_TOKEN }}
+          job_name: "ephemeral-deployments/job/ephemeral-env-gateway-benchmark"
+          job_params: |
+            {
+              "gatewayDockerTag": "${{ needs.setup-tags.outputs.gateway-api-tag }}",
+              "gatewayBranch": "${{ env.GATEWAY_BRANCH }}",
+              "nodeDockerTag": "${{ env.FULLNODE_VERSION }}",
+              "postgresVersion": "${{ env.POSTGRES_VERSION }}"
+            }
+          job_timeout: "3600"
+
   deploy-pr:
     runs-on: ubuntu-22.04
     needs:
@@ -171,8 +218,19 @@ jobs:
       - docker-database-migrations-gcr
       - setup-tags
     if: github.event_name == 'pull_request'
+    permissions:
+      id-token: write
+      contents: read
     steps:
       - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+      - uses: ./.github/actions/fetch-secrets
+        with: 
+          role_name: "arn:aws:iam::308190735829:role/gh-babylon-gateway-secrets-read-access"
+          app_name: "babylon-gateway"
+          step_name: "ephemeral-deploy-and-test"
+          secret_prefix: "JENKINS"
+          secret_name: "github-actions/radixdlt/babylon-gateway/jenkins-api-token"
+          parse_json: true
       - name: Export branch name in github's environment
         run: |
           echo "GATEWAY_BRANCH=$GITHUB_HEAD_REF" >> $GITHUB_ENV
@@ -184,9 +242,9 @@ jobs:
       - name: Deploy and test on an ephemeral network
         uses: toptal/jenkins-job-trigger-action@649c04c83c099c759aba134bf78138a303ec095f
         with:
-          jenkins_url: "${{ secrets.JENKINS_URL }}"
-          jenkins_user: ${{ secrets.JENKINS_USER }}
-          jenkins_token: ${{ secrets.BABYLON_NODE_JENKINS_API_TOKEN }}
+          jenkins_url: "${{ env.JENKINS_URL }}"
+          jenkins_user: ${{ env.JENKINS_USER }}
+          jenkins_token: ${{ env.JENKINS_TOKEN }}
           job_name: "ephemeral-deployments/job/ephemeral-gateway-env-deploy-and-test"
           job_params: |
             {
@@ -199,10 +257,22 @@ jobs:
 
   sonarcloud:
     runs-on: ubuntu-22.04
+    permissions:
+      id-token: write
+      contents: read
     steps:
       - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
         with:
           fetch-depth: 0  # Shallow clones should be disabled for a better relevancy of analysis
+      - uses: ./.github/actions/fetch-secrets
+        with: 
+          role_name: "arn:aws:iam::308190735829:role/gh-common-secrets-read-access"
+          app_name: "babylon-gateway"
+          step_name: "sonarcloud"
+          secret_prefix: "SONAR"
+          # SonarCloud access token should be generated from https://sonarcloud.io/account/security/
+          secret_name: "github-actions/common/sonar-token"
+          parse_json: true
       - name: SonarScanner for .NET
         uses: highbyte/sonarscan-dotnet@8410b6452e036aff2fb830831e508e723b8af60d
         with:
@@ -213,4 +283,4 @@ jobs:
           sonarBeginArguments: /d:sonar.cs.opencover.reportsPaths="**/TestResults/**/coverage.opencover.xml" -d:sonar.cs.vstest.reportsPaths="**/TestResults/*.trx"
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
+          SONAR_TOKEN: ${{ env.SONAR_TOKEN }}

.github/workflows/postman.yml

@@ -29,6 +29,9 @@ jobs:
     name: Sync Postman collection w/ latest specs
     environment: Postman
     runs-on: ubuntu-22.04
+    permissions:
+      id-token: write
+      contents: read
     steps:
       - name: Set current date
         id: date
@@ -37,6 +40,14 @@ jobs:
         uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
         with:
           fetch-depth: 0
+      - uses: ./.github/actions/fetch-secrets
+        with: 
+          role_name: "arn:aws:iam::308190735829:role/gh-babylon-gateway-secrets-read-access"
+          app_name: "babylon-gateway"
+          step_name: "sync_collections"
+          secret_prefix: "POSTMAN_API"
+          secret_name: "github-actions/radixdlt/babylon-gateway/postman-token"
+          parse_json: true
       - name: Set git tags
         id: gittag
         run: echo "gittag=$(git describe --tags --dirty)" >> $GITHUB_OUTPUT
@@ -77,7 +88,7 @@ jobs:
         uses: DamianReeves/write-file-action@a432935930b2e351ec2d2792fc220717b656ec1c
         with:
           path: .env
-          contents: POSTMAN_API_KEY=${{secrets.POSTMAN_API_TOKEN}}
+          contents: POSTMAN_API_KEY=${{env.POSTMAN_API_TOKEN}}
           write-mode: append
 
       # ========== Actually updating the postman collection ==========
@@ -87,7 +98,7 @@ jobs:
             --postmanUid ${{env.gateway_api_collection_id}} --syncPostman true --envFile .env
       - name: Download the collection
         run: |
-          curl -X GET -H "X-API-KEY:${{secrets.POSTMAN_API_TOKEN}}" https://api.getpostman.com/collections/${{env.gateway_api_collection_id}} > tmp.collection.json
+          curl -X GET -H "X-API-KEY:${{env.POSTMAN_API_TOKEN}}" https://api.getpostman.com/collections/${{env.gateway_api_collection_id}} > tmp.collection.json
       - name: Update the collection name w/ timestamp and git tag
         run: |
           sed -i 's/"name":".*","description":"This/"name":"${{env.gateway_api_collection_name}}","description":"This/' tmp.collection.json
@@ -96,5 +107,5 @@ jobs:
           sed -i 's/{{baseUrl}}/{{gatewayBaseUrl}}/g' tmp.collection.json
       - name: Update the collection
         run: |
-          curl -X PUT -H "X-API-KEY:${{secrets.POSTMAN_API_TOKEN}}" -H "Content-Type: application/json" \
+          curl -X PUT -H "X-API-KEY:${{env.POSTMAN_API_TOKEN}}" -H "Content-Type: application/json" \
             https://api.getpostman.com/collections/${{env.gateway_api_collection_id}} --data "@tmp.collection.json"

.github/workflows/publish-typescript-sdk.yml

@@ -15,16 +15,26 @@ jobs:
     defaults:
       run:
         working-directory: ./sdk/typescript
-
+    permissions:
+      id-token: write
+      contents: read
     steps:
       - uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b
+      - uses: ./.github/actions/fetch-secrets
+        with: 
+          role_name: "arn:aws:iam::308190735829:role/gh-babylon-gateway-secrets-read-access"
+          app_name: "babylon-gateway"
+          step_name: "publish-gateway-sdk-npmjs"
+          secret_prefix: "NPM"
+          secret_name: "github-actions/radixdlt/babylon-gateway/npm-publishing-secret"
+          parse_json: true
       - name: Use Node.js
         uses: actions/setup-node@8c91899e586c5b171469028077307d293428b516
         with:
           node-version: "18.x"
           registry-url: "https://registry.npmjs.org"
         env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NODE_AUTH_TOKEN: ${{ env.NPM_TOKEN }}
       - run: cat $NPM_CONFIG_USERCONFIG
       - name: Build alphanet-gateway-sdk
         run: |
@@ -49,4 +59,4 @@ jobs:
           npm config set access public
           npm publish
         env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NODE_AUTH_TOKEN: ${{ env.NPM_TOKEN }}