script to move publish tokens to GCP secret manager

Signed-off-by: Bob Callaway <[email protected]>

.github/workflows/migrate-secrets.yml

@@ -0,0 +1,37 @@
+name: Store Publish Tokens in GCP Secret Manager
+
+on:
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  store-secrets:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+
+    steps:
+      - name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v0.8.1
+        with:
+          workload_identity_provider: projects/306323169285/locations/global/workloadIdentityPools/github-actions-pool/providers/github-actions-provider
+          service_account: [email protected]
+
+      - name: Set up Cloud SDK
+        uses: google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a # v2.1.2
+        with:
+          project_id: 'sigstore-secrets'
+
+      - name: Store secrets in Secret Manager
+        env:
+          NPM_PUBLISH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
+          CARGO_REGISTRY_TOKEN: ${{ secrets.CARGO_REGISTRY_TOKEN }}
+          RUBYGEMS_AUTH_TOKEN: ${{ secrets.RUBYGEMS_AUTH_TOKEN }}
+        run: |
+          printenv NPM_PUBLISH_TOKEN | gcloud secrets create protobuf-specs-npm-publish-token --replication-policy="automatic" --data-file=-
+
+          printenv CARGO_REGISTRY_TOKEN | gcloud secrets create protobuf-specs-cargo-registry-token --replication-policy="automatic" --data-file=-
+
+          printenv RUBYGEMS_AUTH_TOKEN | gcloud secrets create protobuf-specs-rubygems-auth-token --replication-policy="automatic" --data-file=-