From 4dca52dea5b11543b9eac9fd439c07ae51c8a4a1 Mon Sep 17 00:00:00 2001
From: Marc Sanmiquel <marcsanmiquel@gmail.com>
Date: Wed, 16 Oct 2024 12:55:04 +0200
Subject: [PATCH] chore: leverage vault secrets in helm release

---
 .github/workflows/test-vault.yml | 38 ++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 .github/workflows/test-vault.yml

diff --git a/.github/workflows/test-vault.yml b/.github/workflows/test-vault.yml
new file mode 100644
index 0000000000..f10aca2a87
--- /dev/null
+++ b/.github/workflows/test-vault.yml
@@ -0,0 +1,38 @@
+name: Secure Test Vault Secrets Retrieval
+
+on:
+  pull_request:
+
+# These permissions are needed to assume roles from Github's OIDC.
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  test-get-secrets:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+
+      - id: get-secrets
+        uses: grafana/shared-workflows/actions/get-vault-secrets@main
+        with:
+          repo_secrets: |
+            APP_ID=secret/ci/repo/grafana/helm-charts/github-app:app-id
+            APP_PRIVATE_KEY=secret/ci/repo/grafana/helm-charts/github-app:private-key
+
+      - name: Check Secrets (Safely)
+        run: |
+          if [ -n "$APP_ID" ]; then
+            echo "app id is set and not empty"
+          else
+            echo "app id is not set or is empty"
+            exit 1
+          fi
+          if [ -n "$APP_PRIVATE_KEY" ]; then
+            echo "private key is set and not empty"
+          else
+            echo "private key is not set or is empty"
+            exit 1
+          fi
+          echo "Secrets retrieved successfully"