BUILD-2143: vault migration

vlad-sonar · malena-ebert-sonarsource · commit e501aec4a6bd · 2022-11-29T14:21:21.000+01:00
diff --git a/.cirrus.star b/.cirrus.star
@@ -0,0 +1,4 @@
+load("github.com/SonarSource/cirrus-modules@v2", "load_features")
+
+def main(ctx):
+    return load_features(ctx, features=["vault"])
diff --git a/.cirrus.yml b/.cirrus.yml
@@ -6,24 +6,19 @@ gcp_credentials: ENCRYPTED[8b32c15733323dbb62734f04c9090473e2272ed5820f6deb0b226
 #
 env:
   ### Shared variables
-  ARTIFACTORY_URL: ENCRYPTED[!2f8fa307d3289faa0aa6791f18b961627ae44f1ef46b136e1a1e63b0b4c86454dbb25520d49b339e2d50a1e1e5f95c88!]
-  ARTIFACTORY_PRIVATE_USERNAME: repox-private-reader-sq-ef42e7
-  ARTIFACTORY_PRIVATE_PASSWORD: ENCRYPTED[!bdffdd216a1b768605552475d16e8a5cedd97acbf8ca0aeb7256eaf98a2bc54f752c6c1be5391531742ebfee0cbd2ccf!]
-  ARTIFACTORY_API_KEY: ENCRYPTED[!bdffdd216a1b768605552475d16e8a5cedd97acbf8ca0aeb7256eaf98a2bc54f752c6c1be5391531742ebfee0cbd2ccf!]
-  ARTIFACTORY_DEPLOY_USERNAME: repox-qa-deployer-sq-ef42e7
-  ARTIFACTORY_DEPLOY_PASSWORD: ENCRYPTED[!d8838c939fe77f3b0a0510774c3b270832646e06cab8e477b35ff776933042105d211e7a0fb8ddcf826ce9f53258c519!]
+  ARTIFACTORY_URL: VAULT[development/kv/data/repox data.url]
+  ARTIFACTORY_PRIVATE_USERNAME: vault-${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-private-reader
+  ARTIFACTORY_PRIVATE_PASSWORD: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-private-reader access_token]
+  ARTIFACTORY_ACCESS_TOKEN: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-private-reader access_token]
+  ARTIFACTORY_DEPLOY_USERNAME: vault-${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-qa-deployer
+  ARTIFACTORY_DEPLOY_PASSWORD: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-qa-deployer access_token]
   ARTIFACTORY_DEPLOY_REPO: sonarsource-public-qa
 
   CIRRUS_CLONE_DEPTH: 50
 
-  GCF_ACCESS_TOKEN: ENCRYPTED[!1fb91961a5c01e06e38834e55755231d649dc62eca354593105af9f9d643d701ae4539ab6a8021278b8d9348ae2ce8be!]
-  PROMOTE_URL: ENCRYPTED[!e22ed2e34a8f7a1aea5cff653585429bbd3d5151e7201022140218f9c5d620069ec2388f14f83971e3fd726215bc0f5e!]
-
-  GITHUB_TOKEN: ENCRYPTED[!f458126aa9ed2ac526f220c5acb51dd9cc255726b34761a56fc78d4294c11089502a882888cef0ca7dd4085e72e611a5!]
-
-  BURGR_URL: ENCRYPTED[!c7e294da94762d7bac144abef6310c5db300c95979daed4454ca977776bfd5edeb557e1237e3aa8ed722336243af2d78!]
-  BURGR_USERNAME: ENCRYPTED[!b29ddc7610116de511e74bec9a93ad9b8a20ac217a0852e94a96d0066e6e822b95e7bc1fe152afb707f16b70605fddd3!]
-  BURGR_PASSWORD: ENCRYPTED[!83e130718e92b8c9de7c5226355f730e55fb46e45869149a9223e724bb99656878ef9684c5f8cfef434aa716e87f4cf2!]
+  BURGR_URL: VAULT[development/kv/data/burgr data.url]
+  BURGR_USERNAME: VAULT[development/kv/data/burgr data.cirrus_username]
+  BURGR_PASSWORD: VAULT[development/kv/data/burgr data.cirrus_password]
 
   ### Project variables
   DEPLOY_PULL_REQUEST: true
@@ -54,10 +49,10 @@ build_task:
     cpu: 2
     memory: 1G
   env:
-    SONAR_TOKEN: ENCRYPTED[!b6fd814826c51e64ee61b0b6f3ae621551f6413383f7170f73580e2e141ac78c4b134b506f6288c74faa0dd564c05a29!]
+    SONAR_TOKEN: VAULT[development/kv/data/next data.token]
     SONAR_HOST_URL: https://next.sonarqube.com/sonarqube
-    SIGN_KEY: ENCRYPTED[!cc216dfe592f79db8006f2a591f8f98b40aa2b078e92025623594976fd32f6864c1e6b6ba74b50647f608e2418e6c336!]
-    PGP_PASSPHRASE: ENCRYPTED[!314a8fc344f45e462dd5e8dccd741d7562283a825e78ebca27d4ae9db8e65ce618e7f6aece386b2782a5abe5171467bd!]
+    SIGN_KEY: VAULT[development/kv/data/sign data.key]
+    PGP_PASSPHRASE: VAULT[development/kv/data/sign data.passphrase]
   maven_cache:
     folder: ${CIRRUS_WORKING_DIR}/.m2/repository
   script:
@@ -81,6 +76,7 @@ qa_task:
       - QA_CATEGORY: DEV
     JAVA_VERSION:
       - LATEST_RELEASE
+    GITHUB_TOKEN: VAULT[development/github/token/licenses-ro token]
   maven_cache:
     folder: ${CIRRUS_WORKING_DIR}/.m2/repository
   qa_script:
@@ -103,6 +99,10 @@ promote_task:
     <<: *CONTAINER_DEFINITION
     cpu: 0.5
     memory: 500M
+  env:
+    GITHUB_TOKEN: VAULT[development/github/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-promotion token]
+    GCF_ACCESS_TOKEN: VAULT[development/kv/data/promote data.token]
+    PROMOTE_URL: VAULT[development/kv/data/promote data.url]
   maven_cache:
     folder: $CIRRUS_WORKING_DIR/.m2/repository
   script:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -5,98 +5,16 @@ on:
     types:
       - published
 
-env:
-  PYTHONUNBUFFERED: 1
-
 jobs:
   run_release:
     runs-on: ubuntu-latest
     name: Start release process
     timeout-minutes: 60
-    steps:
-      - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v1
-        with:
-          aws-access-key-id: ${{ secrets.BINARIES_AWS_ACCESS_KEY_ID }}
-          aws-secret-access-key: ${{ secrets.BINARIES_AWS_SECRET_ACCESS_KEY }}
-          aws-region: ${{ secrets.BINARIES_AWS_REGION }}
-      - name: Run release action
-        id: run_release
-        uses: SonarSource/gh-action_release/main@v4
-        with:
-          publish_to_binaries: true
-          attach_artifacts_to_github_release: false
-          run_rules_cov: false
-          slack_channel: sonarqube-build
-        env:
-          ARTIFACTORY_API_KEY: ${{ secrets.ARTIFACTORY_API_KEY }}
-          BINARIES_AWS_DEPLOY: ${{ secrets.BINARIES_AWS_DEPLOY }}
-          BURGRX_USER: ${{ secrets.BURGRX_USER }}
-          BURGRX_PASSWORD: ${{ secrets.BURGRX_PASSWORD }}
-          CIRRUS_TOKEN: ${{ secrets.CIRRUS_TOKEN }}
-          PATH_PREFIX: ${{ secrets.BINARIES_PATH_PREFIX }}
-          GITHUB_TOKEN: ${{ secrets.RELEASE_GITHUB_TOKEN }}
-          RELEASE_SSH_USER: ${{ secrets.RELEASE_SSH_USER }}
-          RELEASE_SSH_KEY: ${{ secrets.RELEASE_SSH_KEY }}
-          SLACK_API_TOKEN: ${{secrets.SLACK_API_TOKEN }}
-      - name: Log outputs
-        if: always()
-        run: |
-          echo "${{ steps.run_release.outputs.releasability }}"
-          echo "${{ steps.run_release.outputs.release }}"
-          echo "${{ steps.run_release.outputs.distribute_release }}"
-      - name: Notify success on Slack
-        uses: Ilshidur/action-slack@2.0.0
-        env:
-          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
-        with:
-          args: "Release successful for {{ GITHUB_REPOSITORY }} by {{ GITHUB_ACTOR }}"
-      - name: Notify failures on Slack
-        uses: Ilshidur/action-slack@2.0.0
-        if: failure()
-        env:
-          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
-        with:
-          args: "Release failed, see the logs at https://github.com/{{ GITHUB_REPOSITORY }}/actions by {{ GITHUB_ACTOR }}"
-  maven-central-sync:
-    runs-on: ubuntu-latest
-    needs:
-      - run_release
-    steps:
-      - name: Setup JFrog CLI
-        uses: jfrog/setup-jfrog-cli@v1
-      - name: JFrog config
-        run: jfrog rt config repox --url https://repox.jfrog.io/artifactory/ --apikey $ARTIFACTORY_API_KEY --basic-auth-only
-        env:
-          ARTIFACTORY_API_KEY: ${{ secrets.ARTIFACTORY_API_KEY }}
-      - name: Get the version
-        id: get_version
-        run: |
-          IFS=. read major minor patch build <<< "${{ github.event.release.tag_name }}"
-          echo ::set-output name=build::"${build}"
-      - name: Create local repository directory
-        id: local_repo
-        run: echo ::set-output name=dir::"$(mktemp -d repo.XXXXXXXX)"
-      - name: Download Artifacts
-        uses: SonarSource/gh-action_release/download-build@v4
-        with:
-          build-number: ${{ steps.get_version.outputs.build }}
-          local-repo-dir: ${{ steps.local_repo.outputs.dir }}
-      - name: Maven Central Sync
-        id: maven-central-sync
-        continue-on-error: true
-        uses: SonarSource/gh-action_release/maven-central-sync@v4
-        with:
-          local-repo-dir: ${{ steps.local_repo.outputs.dir }}
-        env:
-          OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }}
-          OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
-      - name: Notify on failure
-        if: ${{ failure() || steps.maven-central-sync.outcome == 'failure' }}
-        uses: 8398a7/action-slack@v3
-        with:
-          status: failure
-          fields: repo,author,eventName
-        env:
-          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_BUILD_WEBHOOK }}
-
+    permissions:
+      contents: read
+      id-token: write
+    uses: SonarSource/gh-action_release/.github/workflows/main.yaml@d42e8be3a9772d0447a7d2f3d2be31312b218383  # tag=5.0.1
+    with:
+      publishToBinaries: true
+      mavenCentralSync: true
+      slackChannel: sonarqube-build
