name: "bench (seed secret)"
# Manually-triggered workflow that copies one GitHub repo secret into AWS
# Secrets Manager under opensre-bench/llm/<secret>. The `secret` dropdown is
# the allow-list of valid targets: its options must match the four
# IAM-granted secret ARNs in infra/bench/iam_oidc.tf (anthropic / openai /
# deepseek / hf_token), so adding a target means editing both places.
#
# Why a workflow rather than a developer running `aws secretsmanager
# put-secret-value` locally: the key never lands on a laptop or in shell
# history, and rotation is centralized — update the GitHub repo secret and
# re-run this workflow to propagate the new value.
#
# Pre-reqs:
# - infra/bench/ Terraform has been applied (the secret resource exists)
# - the corresponding GitHub repo secret is set:
#   ANTHROPIC_API_KEY / OPENAI_API_KEY / DEEPSEEK_API_KEY / HF_TOKEN
#
# Order of operations:
# 1. terraform-bench.yml (plan) on PR
# 2. terraform apply locally
# 3. this workflow (workflow_dispatch) — pick the secret to seed from the
#    dropdown; repeat once per LLM provider key
# `on` is a YAML 1.1 truthy key; GitHub's loader reads it as the trigger map.
on:
  workflow_dispatch:
    inputs:
      secret:
        # `choice` restricts the value to the listed options, which is what
        # makes it safe to interpolate into the secret id, the concurrency
        # group and the step environment further down.
        description: "Which secret to seed (must match the AWS resource name)"
        type: choice
        required: true
        options:
          - anthropic_api_key
          - openai_api_key
          - deepseek_api_key
          - hf_token
# Least-privilege GITHUB_TOKEN: listing scopes here drops every default scope
# not named. No checkout and no writes happen in this workflow.
permissions:
  id-token: write  # required for AWS OIDC role assumption
  contents: read
# One run per target at a time, so two dispatches for the same secret cannot
# interleave their put-secret-value calls. An in-flight write is allowed to
# finish rather than being cancelled part-way.
concurrency:
  group: "bench-seed-${{ inputs.secret }}"
  cancel-in-progress: false
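jobs:
  seed:
    name: seed ${{ inputs.secret }}
    runs-on: ubuntu-latest
    # Two short AWS calls; a hung credential exchange should not hold the
    # per-target concurrency slot for the runner's default job timeout.
    timeout-minutes: 10
    env:
      AWS_REGION: us-east-1
      # inputs.secret is a `choice` input, so it can only be one of the
      # dropdown values — safe to interpolate into the secret id.
      SECRET_ID: opensre-bench/llm/${{ inputs.secret }}
    steps:
      - name: Configure AWS credentials (OIDC role assumption)
        # Short-lived credentials via the OIDC trust on the bench role; no
        # long-lived AWS keys are stored as repo secrets.
        # NOTE(review): pinned to a major tag; pinning to a full commit SHA
        # is the stronger supply-chain posture once Dependabot/renovate
        # keeps it fresh.
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/opensre-bench-github-actions
          role-session-name: github-actions-seed-${{ inputs.secret }}-${{ github.run_id }}
          # Single source of truth for the region: the job-level env above.
          aws-region: ${{ env.AWS_REGION }}

      - name: Verify secret resource exists
        # Keep the CLI's stderr: a failure here can be ResourceNotFound
        # (Terraform not applied) or AccessDenied (role policy drift), and
        # reporting every failure as "not found" would send the operator to
        # the wrong fix. Stdout (secret metadata, never the value) is dropped.
        run: |
          if ! err="$(aws secretsmanager describe-secret --secret-id "$SECRET_ID" 2>&1 >/dev/null)"; then
            echo "::error::describe-secret failed for $SECRET_ID: $err"
            echo "::error::If this is ResourceNotFoundException, run \`terraform apply\` in infra/bench/ first."
            exit 1
          fi

      - name: Put secret value
        # All four candidate values are bound in this step's env. The case
        # statement picks the one matching the chosen target — unused values
        # stay as masked env vars (GH redacts secret refs in logs). The
        # target name also arrives via env rather than as a `${{ }}` splice
        # inside the script, so the shell never sees it as code.
        env:
          ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
          OPENAI_API_KEY: ${{ secrets.OPENAI_API_KEY }}
          DEEPSEEK_API_KEY: ${{ secrets.DEEPSEEK_API_KEY }}
          HF_TOKEN: ${{ secrets.HF_TOKEN }}
          TARGET: ${{ inputs.secret }}
        run: |
          case "$TARGET" in
            anthropic_api_key) V="$ANTHROPIC_API_KEY" ;;
            openai_api_key) V="$OPENAI_API_KEY" ;;
            deepseek_api_key) V="$DEEPSEEK_API_KEY" ;;
            hf_token) V="$HF_TOKEN" ;;
            *)
              echo "::error::Unknown target: $TARGET (dropdown should have prevented this)"
              exit 1
              ;;
          esac
          if [ -z "$V" ]; then
            echo "::error::GitHub repo secret for $TARGET is unset. Configure it under Settings > Secrets and variables > Actions."
            exit 1
          fi
          # NOTE(review): the value is passed as a CLI argument, so it is
          # readable from the process table for the duration of the call.
          # Ephemeral GitHub-hosted runners keep that exposure to this job;
          # if this ever runs on shared/self-hosted runners, switch to
          # `--secret-string file://<0600 temp file>` instead.
          aws secretsmanager put-secret-value \
            --secret-id "$SECRET_ID" \
            --secret-string "$V" >/dev/null
          echo "Seeded $SECRET_ID (length=${#V})."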