diff --git a/.forgejo/workflows/release.yml b/.forgejo/workflows/release.yml index 2a4ce36..c9f7d21 100644 --- a/.forgejo/workflows/release.yml +++ b/.forgejo/workflows/release.yml @@ -13,12 +13,12 @@ jobs: runs-on: docker steps: - name: 📤 Checkout source code - uses: actions/checkout@v4 + uses: actions/checkout@v6 - name: ⚙️ Set up Go - uses: actions/setup-go@v5 + uses: actions/setup-go@v6 with: - go-version: 1.25 + go-version: 1.26 - name: ⚙️ Install dependencies run: | @@ -26,19 +26,19 @@ jobs: - name: 👨🏻‍🔧 Build app run: | - go build -o ${{ env.build_name }} + CGO_ENABLED=0 go build -o "${{ env.build_name }}" -ldflags="-s -w" - name: 🤠 Create release run: | set -e - echo "Creating release for ${{ env.GITHUB_REPOSITORY}} with tag ${{ env.GITHUB_REF_NAME }}" + echo "Creating release for ${{ github.repository }} with tag ${{ github.ref_name }}" REQUEST=$(curl --fail --request POST \ - --url ${{ env.GITHUB_API_URL }}/repos/${{ env.GITHUB_REPOSITORY }}/releases \ + --url ${{ env.GITHUB_API_URL }}/repos/${{ github.repository }}/releases \ --header 'Authorization: token ${{ secrets.GIT_TOKEN }}' \ --header 'content-type: application/json' \ - --data '{ "tag_name": "${{ env.GITHUB_REF_NAME }}" }') + --data '{ "tag_name": "${{ github.ref_name }}" }') ls -lh ${{ env.build_name }} @@ -47,6 +47,6 @@ jobs: echo "Uploading release asset for Release ID ${RELEASE_ID}" curl --fail --request POST \ - --url ${{ env.GITHUB_API_URL }}/repos/${{ env.GITHUB_REPOSITORY }}/releases/${RELEASE_ID}/assets?name=${{ env.build_name }} \ + --url ${{ env.GITHUB_API_URL }}/repos/${{ github.repository }}/releases/${RELEASE_ID}/assets?name=${{ env.build_name }} \ --header 'Authorization: token ${{ secrets.GIT_TOKEN }}' \ -F 'attachment=@${{ env.build_name}}' \ No newline at end of file diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..f597e4b --- /dev/null +++ b/.gitignore 
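Review bot: `go-version: 1.26` on the setup-go step is an unquoted YAML scalar and is read as a number rather than a string; `1.26` happens to round-trip, but a value such as `1.30` would reach setup-go as `1.3` and select a different toolchain. This same commit quotes `default: 'false'` in action.yml for exactly this reason, so apply the same treatment here: `go-version: '1.26'`.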
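Review bot: `echo "Creating release for ${{ github.repository }} with tag ${{ github.ref_name }}"` and the `--data '{ "tag_name": "${{ github.ref_name }}" }'` line below splice `github.ref_name` into the `run:` script before the shell parses it, so a tag name containing quotes or shell metacharacters alters the commands that run and can break the JSON body; the old `env.GITHUB_REF_NAME` form had the same exposure, but the commit is rewriting these lines anyway. Pass it through the environment and let the shell expand it instead: add `env:` with `TAG_NAME: ${{ github.ref_name }}` on the step, then use `"$TAG_NAME"` in the echo and `--data "{ \"tag_name\": \"$TAG_NAME\" }"` for the body (the two `Authorization: token ${{ secrets.GIT_TOKEN }}` headers would benefit from the same pattern). The `run:` block continues past the hunk.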
@@ -0,0 +1,27 @@ +### Go template +# If you prefer the allow list template instead of the deny list, see community template: +# https://github.com/github/gitignore/blob/main/community/Golang/Go.AllowList.gitignore +# +# Binaries for programs and plugins +*.exe +*.exe~ +*.dll +*.so +*.dylib + +# Test binary, built with `go test -c` +*.test + +# Output of the go coverage tool, specifically when used with LiteIDE +*.out + +# Dependency directories (remove the comment below to include it) +# vendor/ + +# Go workspace file +go.work +go.work.sum + +# env file +.env + diff --git a/README.md b/README.md index 08b1e9b..10572c3 100644 --- a/README.md +++ b/README.md @@ -15,7 +15,7 @@ ## usage In this example we assume that there is a Secret on Path "${{ secrets.VAULT_PATH}}" and there is a KVSecret named "test". -In the "Output secret" step we output above mentioned KVSecret "test". We access the outputs of the secrets step. +In the "Output secret" step we output KVSecret "test" mentioned above. We access the outputs of the secrets step. Keep in mind to set an id on the actions step and use that to reference the outputted secrets. diff --git a/action.yml b/action.yml index 9925ad6..9746605 100644 --- a/action.yml +++ b/action.yml @@ -2,10 +2,6 @@ name: STACKIT Secrets Manager Secret Fetcher description: Connects to Secrets Manager using a Go app, gets all secrets under a path, and outputs them. inputs: - go_version: - description: The version of Go to use for building the application. - required: false - default: 1.24.x vault_addr: description: You could optionally override the address. required: false @@ -23,7 +19,7 @@ inputs: debug: description: Turn on debugging logs. required: false - default: false + default: 'false' version: description: The version of the action. required: false @@ -32,6 +28,7 @@ inputs: outputs: secrets: description: A JSON object string containing all the fetched secrets. + value: ${{ steps.secrets.outputs.stdout }} runs: using: composite 
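Review bot: `value: ${{ steps.secrets.outputs.stdout }}` exposes the raw stdout of the secrets step as the action's `secrets` output, and main.go in this same commit prints every fetched value with `fmt.Println`, so unless the binary also emits `::add-mask::` lines for each value (nothing in this diff shows that) the secret material appears unmasked in the job log and in any step that echoes the output. A comment on the output would at least make that contract explicit, e.g. `# Raw stdout of the secrets step; values are not masked in the job log unless the binary emits ::add-mask:: for them`; masking each value in the binary before printing would close the gap. The step with id `secrets` is not part of this hunk.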
diff --git a/config/config.go b/config/config.go
index 90e0a0f..d01e51b 100644
--- a/config/config.go
+++ b/config/config.go
@@ -45,7 +45,10 @@ func FatalLog(format string, args ...interface{}) {
 func ValidateConfig(
 cfg Config,
 ) Config {
- defaults.Set(&cfg)
+ err := defaults.Set(&cfg)
+ if err != nil {
+ FatalLog("unable to set defaults")
+ }
 if cfg.VaultAddr == "" {
 FatalLog("VAULT_ADDR cannot be empty")
diff --git a/go.mod b/go.mod
index 2838a56..2e6e585 100644
--- a/go.mod
+++ b/go.mod
@@ -1,21 +1,21 @@
 module secretsmanager
-go 1.24.3
+go 1.26.3
 require (
- github.com/caarlos0/env/v11 v11.3.1
+ github.com/caarlos0/env/v11 v11.4.1
 github.com/creasty/defaults v1.8.0
 github.com/hashicorp/vault-client-go v0.4.3
 )
 require (
 github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
- github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
+ github.com/hashicorp/go-retryablehttp v0.7.8 // indirect
 github.com/hashicorp/go-rootcerts v1.0.2 // indirect
 github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
 github.com/mitchellh/go-homedir v1.1.0 // indirect
 github.com/ryanuber/go-glob v1.0.0 // indirect
 github.com/stretchr/testify v1.10.0 // indirect
- golang.org/x/sys v0.31.0 // indirect
- golang.org/x/time v0.0.0-20220922220347-f3bd1da661af // indirect
+ golang.org/x/sys v0.44.0 // indirect
+ golang.org/x/time v0.15.0 // indirect
 )
diff --git a/go.sum b/go.sum
index 6e65122..a15b9fd 100644
--- a/go.sum
+++ b/go.sum
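Review bot: The new `FatalLog("unable to set defaults")` discards the error it just checked, so a failure inside `defaults.Set` terminates with no indication of which field or tag was rejected; the client.go change in this same commit does include the cause (`config.FatalLog("Vault login could not set token: %s", err)`), so match it with `FatalLog("unable to set defaults: %s", err)`. Folding the call into the condition, `if err := defaults.Set(&cfg); err != nil {`, also keeps `err` from lingering in ValidateConfig's scope. ValidateConfig's body continues outside the hunk.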
@@ -1,5 +1,9 @@
 github.com/caarlos0/env/v11 v11.3.1 h1:cArPWC15hWmEt+gWk7YBi7lEXTXCvpaSdCiZE2X5mCA=
 github.com/caarlos0/env/v11 v11.3.1/go.mod h1:qupehSf/Y0TUTsxKywqRt/vJjN5nz6vauiYEUUr8P4U=
+github.com/caarlos0/env/v11 v11.4.0 h1:Kcb6t5kIIr4XkoQC9AF2j+8E1Jsrl3Wz/hhm1LtoGAc=
+github.com/caarlos0/env/v11 v11.4.0/go.mod h1:qupehSf/Y0TUTsxKywqRt/vJjN5nz6vauiYEUUr8P4U=
+github.com/caarlos0/env/v11 v11.4.1 h1:fYwH0sWEsBSMPG7t4e/PEfTFzrWrpjyygXyUnWiSwEw=
+github.com/caarlos0/env/v11 v11.4.1/go.mod h1:qupehSf/Y0TUTsxKywqRt/vJjN5nz6vauiYEUUr8P4U=
 github.com/creasty/defaults v1.8.0 h1:z27FJxCAa0JKt3utc0sCImAEb+spPucmKoOdLHvHYKk=
 github.com/creasty/defaults v1.8.0/go.mod h1:iGzKe6pbEHnpMPtfDXZEr0NVxWnPTjb1bbDy08fPzYM=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
@@ -12,6 +16,8 @@ github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB1
 github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
 github.com/hashicorp/go-retryablehttp v0.7.7 h1:C8hUCYzor8PIfXHa4UrZkU4VvK8o9ISHxT2Q8+VepXU=
 github.com/hashicorp/go-retryablehttp v0.7.7/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk=
+github.com/hashicorp/go-retryablehttp v0.7.8 h1:ylXZWnqa7Lhqpk0L1P1LzDtGcCR0rPVUrx/c8Unxc48=
+github.com/hashicorp/go-retryablehttp v0.7.8/go.mod h1:rjiScheydd+CxvumBsIrFKlx3iS0jrZ7LvzFGFmuKbw=
 github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc=
 github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
 github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9CdjCtrXrXGuOpxEA7Ts=
@@ -32,7 +38,13 @@ github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOf
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
 golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
+golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/sys v0.44.0 h1:ildZl3J4uzeKP07r2F++Op7E9B29JRUy+a27EibtBTQ=
+golang.org/x/sys v0.44.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/time v0.0.0-20220922220347-f3bd1da661af h1:Yx9k8YCG3dvF87UAn2tu2HQLf2dt/eR1bXxpLMWeH+Y=
 golang.org/x/time v0.0.0-20220922220347-f3bd1da661af/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.15.0 h1:bbrp8t3bGUeFOx08pvsMYRTCVSMk89u4tKbNOZbp88U=
+golang.org/x/time v0.15.0/go.mod h1:Y4YMaQmXwGQZoFaVFk4YpCt4FLQMYKZe9oeV/f4MSno=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
diff --git a/main.go b/main.go
index 3073dbf..861211c 100644
--- a/main.go
+++ b/main.go
@@ -1,8 +1,8 @@
 package main
 import (
- "log"
 "fmt"
+ "log"
 "secretsmanager/config"
 "secretsmanager/secretsmanager"
@@ -19,9 +19,12 @@ func main() {
 cfg = config.ValidateConfig(cfg)
 s := secretsmanager.InitializeClient(cfg)
- data, _ := secretsmanager.GetSecrets(&s, cfg)
+ data, err := secretsmanager.GetSecrets(&s, cfg)
+ if err != nil {
+ log.Fatalf("Error retrieving secrets: %s", err)
+ }
 for _, secret := range data {
- fmt.Println(secret)
+ fmt.Println(secret)
 }
-}
\ No newline at end of file
+}
diff --git a/secretsmanager/client.go b/secretsmanager/client.go
index d2252c9..520e182 100644
--- a/secretsmanager/client.go
+++ b/secretsmanager/client.go
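Review bot: The new error path calls `log.Fatalf("Error retrieving secrets: %s", err)` directly while the rest of the program routes fatal conditions through `config.FatalLog` (used in config.go and client.go in this same diff, with signature `FatalLog(format string, args ...interface{})`), so this one exit bypasses whatever formatting or prefixing that helper applies; prefer `config.FatalLog("Error retrieving secrets: %s", err)`. GetSecrets in this diff already wraps its error with `failed to read secret from vault`, so the combined message reads `Error retrieving secrets: failed to read secret from vault: ...`; a shorter prefix such as `retrieving secrets: %s` avoids the doubled phrasing. main's body starts before the hunk.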
@@ -35,7 +35,10 @@ func InitializeClient(
 config.FatalLog("Vault login request failed: %s", err)
 }
 config.InfoLog("Login successful. Token received.")
- s.Client.SetToken(loginResp.Auth.ClientToken)
+ err = s.Client.SetToken(loginResp.Auth.ClientToken)
+ if err != nil {
+ config.FatalLog("Vault login could not set token: %s", err)
+ }
 return s
 }
diff --git a/secretsmanager/secrets.go b/secretsmanager/secrets.go
index 4d0f65b..6e76557 100644
--- a/secretsmanager/secrets.go
+++ b/secretsmanager/secrets.go
@@ -3,7 +3,6 @@ package secretsmanager
 import (
 "fmt"
 "secretsmanager/config"
- "log"
 "github.com/hashicorp/vault-client-go"
 )
@@ -16,13 +15,11 @@ func GetSecrets(
 config.InfoLog("Attempting to read secret from mount '%s' at path '%s'", cfg.VaultSecretsManagerID, cfg.VaultPath)
 secret, err := s.Client.Secrets.KvV2Read(s.Ctx, cfg.VaultPath, vault.WithMountPath(cfg.VaultSecretsManagerID))
 if err != nil {
- log.Fatalf("Failed to read secret from vault: %v", err)
 return nil, fmt.Errorf("failed to read secret from vault: %w", err)
 }
 if secret == nil || secret.Data.Data == nil {
- log.Fatal("No data found at the specified secret path.")
- return []string{}, nil
+ return []string{}, fmt.Errorf("no data found at the specified secret path")
 }
 var secretsAsKeyValue []string
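Review bot: `err = s.Client.SetToken(loginResp.Auth.ClientToken)` still dereferences `loginResp.Auth` with no nil check, so the newly added error handling never runs for a login response that carries no auth block — if `Auth` is a pointer, as it appears to be in vault-client-go's response type (not shown in this diff), the process panics before `SetToken` is reached instead of failing through `config.FatalLog` like the surrounding code. Guard it ahead of the call: `if loginResp.Auth == nil { config.FatalLog("Vault login response contained no auth data") }`. InitializeClient begins before the hunk.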