secrets pipeline

.github/workflows/secrets-management.yaml

@@ -0,0 +1,62 @@
+
+---
+name: sync secrets
+on:   # yamllint disable-line rule:truthy
+  push:
+    branches:
+      - engops_maintenance 
+permissions:
+  id-token: write
+  contents: read
+jobs:
+  sync:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Login to Azure
+        uses: azure/login@v1
+        with:
+          client-id: ${{ vars.GH_APP_ORG_ENGOPS_MAINTENANCE_CLIENT_ID }}
+          tenant-id: ${{ vars.AZURE_SWI_TENANT_ID }}
+          subscription-id: ${{ vars.AZURE_ITSANDBOX_SUBSCRIPTION_ID }}
+      - name: 'set-org-secret'
+        run: |
+          echo "Syncing APM_RUBY_INSTALL_TESTING_SWO_KEY ..."
+          SECRET="APM_RUBY_INSTALL_TESTING_SWO_KEY"
+          SECRET_NAME="swotel-ruby--${SECRET//_/-}"
+          [ ! -z "${{ secrets.APM_RUBY_INSTALL_TESTING_SWO_KEY }}" ] && az keyvault secret set --name "$SECRET_NAME" --vault-name "gh-scs" --value "${{ secrets.APM_RUBY_INSTALL_TESTING_SWO_KEY }}"
+          echo "Syncing APPLICATION_PRIVATE_KEY ..."
+          SECRET="APPLICATION_PRIVATE_KEY"
+          SECRET_NAME="swotel-ruby--${SECRET//_/-}"
+          [ ! -z "${{ secrets.APPLICATION_PRIVATE_KEY }}" ] && az keyvault secret set --name "$SECRET_NAME" --vault-name "gh-scs" --value "${{ secrets.APPLICATION_PRIVATE_KEY }}"
+          echo "Syncing CI_ACCESS_KEY_ID ..."
+          SECRET="CI_ACCESS_KEY_ID"
+          SECRET_NAME="swotel-ruby--${SECRET//_/-}"
+          [ ! -z "${{ secrets.CI_ACCESS_KEY_ID }}" ] && az keyvault secret set --name "$SECRET_NAME" --vault-name "gh-scs" --value "${{ secrets.CI_ACCESS_KEY_ID }}"
+          echo "Syncing CI_GITHUB_TOKEN ..."
+          SECRET="CI_GITHUB_TOKEN"
+          SECRET_NAME="swotel-ruby--${SECRET//_/-}"
+          [ ! -z "${{ secrets.CI_GITHUB_TOKEN }}" ] && az keyvault secret set --name "$SECRET_NAME" --vault-name "gh-scs" --value "${{ secrets.CI_GITHUB_TOKEN }}"
+          echo "Syncing CI_SECRET_ACCESS_KEY ..."
+          SECRET="CI_SECRET_ACCESS_KEY"
+          SECRET_NAME="swotel-ruby--${SECRET//_/-}"
+          [ ! -z "${{ secrets.CI_SECRET_ACCESS_KEY }}" ] && az keyvault secret set --name "$SECRET_NAME" --vault-name "gh-scs" --value "${{ secrets.CI_SECRET_ACCESS_KEY }}"
+          echo "Syncing DUMMY_SW_APM_SERVICE_KEY ..."
+          SECRET="DUMMY_SW_APM_SERVICE_KEY"
+          SECRET_NAME="swotel-ruby--${SECRET//_/-}"
+          [ ! -z "${{ secrets.DUMMY_SW_APM_SERVICE_KEY }}" ] && az keyvault secret set --name "$SECRET_NAME" --vault-name "gh-scs" --value "${{ secrets.DUMMY_SW_APM_SERVICE_KEY }}"
+          echo "Syncing PACKAGECLOUD_TOKEN ..."
+          SECRET="PACKAGECLOUD_TOKEN"
+          SECRET_NAME="swotel-ruby--${SECRET//_/-}"
+          [ ! -z "${{ secrets.PACKAGECLOUD_TOKEN }}" ] && az keyvault secret set --name "$SECRET_NAME" --vault-name "gh-scs" --value "${{ secrets.PACKAGECLOUD_TOKEN }}"
+          echo "Syncing RUBYGEMS_TOKEN ..."
+          SECRET="RUBYGEMS_TOKEN"
+          SECRET_NAME="swotel-ruby--${SECRET//_/-}"
+          [ ! -z "${{ secrets.RUBYGEMS_TOKEN }}" ] && az keyvault secret set --name "$SECRET_NAME" --vault-name "gh-scs" --value "${{ secrets.RUBYGEMS_TOKEN }}"
+          echo "Syncing TESTBED_ACCESS_CODE ..."
+          SECRET="TESTBED_ACCESS_CODE"
+          SECRET_NAME="swotel-ruby--${SECRET//_/-}"
+          [ ! -z "${{ secrets.TESTBED_ACCESS_CODE }}" ] && az keyvault secret set --name "$SECRET_NAME" --vault-name "gh-scs" --value "${{ secrets.TESTBED_ACCESS_CODE }}"
+          echo "Syncing TRACE_BUILD_RUBY_ACTIONS_API_TOKEN ..."
+          SECRET="TRACE_BUILD_RUBY_ACTIONS_API_TOKEN"
+          SECRET_NAME="swotel-ruby--${SECRET//_/-}"
+          [ ! -z "${{ secrets.TRACE_BUILD_RUBY_ACTIONS_API_TOKEN }}" ] && az keyvault secret set --name "$SECRET_NAME" --vault-name "gh-scs" --value "${{ secrets.TRACE_BUILD_RUBY_ACTIONS_API_TOKEN }}"