[ACC-585] Verify vault secrets workflow #14
Conversation
| @@ -0,0 +1,55 @@ | |||
| const envVarsRegex = /System\.fetch_env!\("([^"]+)"\)/g; | |||
There was a problem hiding this comment.
should we also check for System.fetch_env (without the bang) and System.get_env?
There was a problem hiding this comment.
also I think this would fail in a cases like
generate_env_key()
|> System.fetch_env()
# or
|> Enum.map(&System.fetch_env/1)
There was a problem hiding this comment.
I was wondering, how far can we get with heuristic like "all caps, numbers, underscore, at least 2 in length"
So we can just get rid of all fetch_env elixir prefixes.
[A-Z_0-9]{2,}
| @@ -1,4 +1,4 @@ | |||
| const envVarsRegex = /System\.fetch_env!\("([^"]+)"\)/g; | |||
| const envVarsRegex = /[A-Z0-9_]{2,}/g; | |||
There was a problem hiding this comment.
testing this out a lot of unrelated stuff comes up
it almost works if we surround with quotes, but there are some exceptions still
it would work if we only target runtime.exs
There was a problem hiding this comment.
Yeah. I updated the regex to catch fetch_env, fetch_env!, and get_env - how's that?
There was a problem hiding this comment.
there's no button to resolve the comment weird, but looks good
Relevant ticket: https://thescore.atlassian.net/browse/ACC-585
Adding a shared workflow to verify that environment variables referenced in Elixir projects have values defined for all environments and edges in Vault.
The action takes inputs (example):
identity)"['us-core']")"['common','kafka-worker','oban']")"['staging','demo','uat','audit1','ps','production']")APP_VERSION)https://vault.prod.thescore.is)https://vault.non-prod.thescore.is)It will use those inputs to generate a matrix of jobs that pull secret names from Vault and store them as artifacts. Then we check per edge and environment that the retrieved keys include environment variables that are referenced in files changed in the relevant PR.
It uses a JS action to compare the referenced environment variables to the secret names retrieved from Vault. That JS action is tested and added to CI for this repo.