[ACC-585] Verify vault secrets workflow

.github/workflows/ci.yaml

@@ -0,0 +1,30 @@
+name: Run Jest Tests
+
+on:
+  pull_request:
+    types: [opened, reopened, synchronize]
+  push:
+    branches:
+      - master
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: ./.github/workflows/verify-vault-secrets
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 18
+
+      - name: Install dependencies
+        run: npm install
+
+      - name: Run Jest tests
+        run: npm test

.github/workflows/verify-vault-secrets.yaml

@@ -0,0 +1,112 @@
+name: Verify Vault Secrets Elixir
+
+on:
+  workflow_call:
+    inputs:
+      service:
+        required: true
+        type: string
+      edges:
+        required: true
+        type: string
+      path_suffixes:
+        required: true
+        type: string
+      environments:
+        required: false
+        type: string
+        default: "['staging','demo','uat','audit1','ps','production']"
+      ignored_keys:
+        required: false
+        type: string
+        default: ""
+      vault_addr_prod:
+        required: false
+        type: string
+        default: "https://vault.prod.thescore.is"
+      vault_addr_non_prod:
+        required: false
+        type: string
+        default: "https://vault.non-prod.thescore.is"
+
+jobs:
+  retrieve-vault-secret-keys:
+    runs-on: non-prod-scorebet-org-runner
+    permissions:
+      contents: read
+      id-token: write
+    strategy:
+      matrix:
+        env: ${{ fromJSON(inputs.environments) }}
+        edge: ${{ fromJSON(inputs.edges) }}
+        suffix: ${{ fromJSON(inputs.path_suffixes) }}
+    steps:
+      - name: Get Vault Keys
+        id: vault-keys
+        uses: hashicorp/vault-action@v3
+        with:
+          method: jwt
+          path: github-actions
+          url: ${{ matrix.env == 'production' && 'https://vault.prod.thescore.is' || 'https://vault.non-prod.thescore.is' }}
+          role: identity
+          exportToken: true
+          secrets: |
+            scorebet/subkeys/identity/${{ matrix.env }}/${{ matrix.edge }}/${{ matrix.suffix }} subkeys ;
+      - name: Set Output
+        id: vault-keys-output
+        shell: bash
+        run: |
+          echo ${{ toJson(steps.vault-keys.outputs.subkeys) }} >> ./${{ matrix.env }}-${{ matrix.edge }}-${{ matrix.suffix }}-keys.json
+      - name: Upload output artifact
+        id: vault-keys-artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ matrix.env }}-${{ matrix.edge }}-${{ matrix.suffix }}-keys
+          path: ./${{ matrix.env }}-${{ matrix.edge }}-${{ matrix.suffix }}-keys.json
+
+  verify-vault-secrets:
+    runs-on: ubuntu-latest
+    needs: retrieve-vault-secret-keys
+    strategy:
+      matrix:
+        env: ${{ fromJson(inputs.environments) }}
+        edge : ${{ fromJson(inputs.edges) }}
+    env:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    steps:
+      - name: Download env-edge keys artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: keys
+          pattern: ${{ matrix.env }}-${{ matrix.edge }}-*-keys
+          merge-multiple: true
+
+      - name: Extract keys
+        id: extract-keys
+        shell: bash
+        run: |
+          keys=$(find ./keys -type f -name "*.json" -exec jq -r 'keys_unsorted[]' {} + | tr '\n' ',')
+          echo "keys='$keys'" >> $GITHUB_OUTPUT
+
+      - uses: actions/checkout@v4
+        with:
+          repository: scoremedia/devops-github-workflow
+          ref: master
+          path: shared-actions
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 18
+
+      - name: npm install
+        shell: bash
+        run: |
+          cd ./shared-actions/.github/workflows/verify-vault-secrets && npm install
+
+      - uses: actions/github-script@v7
+        with:
+          script: |
+            const script = require('./shared-actions/.github/workflows/verify-vault-secrets/verifyVaultSecrets.js')
+            await script({github, context, core})
+          keys: ${{ fromJSON(steps.extract-keys.outputs.keys) }}
+          ignored_keys: ${{ inputs.ignored_keys }}