Merged
8 changes: 0 additions & 8 deletions .github/workflows/opentofu.yml
Expand Up @@ -24,8 +24,6 @@ on:
type: string
default: arn:aws:iam::332355796717:role/github-actions-sops-kms
secrets:
SOPS_AGE_KEY:
required: false
SSH_PRIVATE_KEY:
required: false
SSH_KNOWN_HOSTS:
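Review bot: dropping `SOPS_AGE_KEY` from the `workflow_call` `secrets:` block is a contract change for every caller of this reusable workflow, not just a cleanup, even though it was `required: false`; any `tfroot-*` caller that still forwards the secret under `secrets:` has to be updated in the same rollout, so this deserves a release note and a check across callers before merge. The remaining declared secrets (`SSH_PRIVATE_KEY`, `SSH_KNOWN_HOSTS`) are untouched, which keeps the SSH path unaffected.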
Expand All @@ -39,8 +37,6 @@ permissions:
jobs:
test:
runs-on: ${{ inputs.runs-on }}
env:
SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
steps:
- name: Checkout
uses: actions/checkout@v4
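Review bot: removing the job-level `env:` only covers this block; please confirm that no step in `test` (or the Makefile targets those steps call) still reads `SOPS_AGE_KEY`, because with no age identity in the environment every sops decrypt now depends entirely on the OIDC-assumed KMS role, so the `permissions:` block this hunk sits under must grant `id-token: write` for the job to work at all.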
Expand Down Expand Up @@ -75,8 +71,6 @@ jobs:
runs-on: ${{ inputs.runs-on }}
if: github.event_name == 'pull_request'
needs: [test]
env:
SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
steps:
- name: Checkout
uses: actions/checkout@v4
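Review bot: this job is gated on `github.event_name == 'pull_request'`, and with the age fallback gone it relies solely on the KMS role; pull requests from forks do not get an OIDC token, so plans on fork PRs will now fail at decrypt instead of falling back to `SOPS_AGE_KEY`. If fork PRs are in scope, document that limitation; if they are not, this is the better default, since no long-lived decryption key is ever exposed to a PR run.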
Expand Down Expand Up @@ -130,8 +124,6 @@ jobs:
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
needs: [test]
environment: ${{ inputs.environment }}
env:
SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
steps:
- name: Checkout
uses: actions/checkout@v4
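Review bot: the apply job keeps `environment: ${{ inputs.environment }}`, and now that `github-actions-sops-kms` is the only decryption path its trust policy is the real control; it is worth verifying that the policy conditions on the OIDC `sub` claim (repository and, for this job, environment) rather than only on the audience, otherwise any workflow able to mint a token in the org could decrypt the same secrets. That check is outside this diff but is exactly what removing the age key now depends on.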
2 changes: 1 addition & 1 deletion AGENTS.md
Expand Up @@ -32,7 +32,7 @@ Reusable workflow for OpenTofu/Terraform root module repositories (`tfroot-*`).
| `aws-region` | `us-west-2` | AWS region for SOPS KMS access |
| `aws-role-to-assume` | `arn:aws:iam::332355796717:role/github-actions-sops-kms` | IAM role assumed via GitHub OIDC for SOPS KMS decrypt/encrypt |

Caller workflows must grant `id-token: write` permissions for OIDC. `SOPS_AGE_KEY` is optional while SOPS files retain age recipients, but the preferred path is AWS KMS via OIDC.
Caller workflows must grant `id-token: write` permissions for OIDC. SOPS decryption for `tfroot-*` repos uses AWS KMS via OIDC; do not pass `SOPS_AGE_KEY` to this workflow.

There is no `container` input. The `arc-tf` runner pod IS the image, so adding `container:` on top would nest a container inside a container — don't do it.

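Review bot: the reworded sentence says "do not pass `SOPS_AGE_KEY`" but not why or what happens if a caller still does; a short clause stating that the workflow no longer declares that secret, so callers must drop it from their `secrets:` block, would save a reader a failed run. The table rows above still carry the default role ARN, so the doc and the workflow default remain in sync.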
9 changes: 3 additions & 6 deletions README.md
Expand Up @@ -25,8 +25,6 @@ permissions:
jobs:
opentofu:
uses: makeitworkcloud/shared-workflows/.github/workflows/opentofu.yml@main
secrets:
SOPS_AGE_KEY: ${{ secrets.SOPS_AGE_KEY }}
```

## Available Workflows
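Review bot: the example caller now has no `secrets:` block at all, which matches the workflow, but there is no longer any example of forwarding the still-declared `SSH_PRIVATE_KEY` and `SSH_KNOWN_HOSTS` secrets; consider keeping a short `secrets:` stanza for those two, or pointing readers at the workflow's `secrets:` section, so nobody reintroduces `SOPS_AGE_KEY` by copying an older example.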
Expand All @@ -44,7 +42,6 @@ See [images](https://github.com/makeitworkcloud/images) for container source and
## Repository Setup

1. Grant `id-token: write` in the caller workflow so GitHub OIDC can assume the SOPS KMS role.
2. Optionally add `SOPS_AGE_KEY` secret as an age fallback while SOPS files retain age recipients.
3. Ensure the default `aws-role-to-assume` exists (`arn:aws:iam::332355796717:role/github-actions-sops-kms`) or pass another role ARN.
4. Create caller workflow in `.github/workflows/`.
5. Ensure repository has required files (e.g., `Makefile` with expected targets).
2. Ensure the default `aws-role-to-assume` exists (`arn:aws:iam::332355796717:role/github-actions-sops-kms`) or pass another role ARN.
3. Create caller workflow in `.github/workflows/`.
4. Ensure repository has required files (e.g., `Makefile` with expected targets).
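Review bot: the renumbering from 1 to 4 is consistent after dropping the age-fallback step. The role ARN `arn:aws:iam::332355796717:role/github-actions-sops-kms` is now repeated verbatim in README.md, AGENTS.md and the workflow default, so a future role rename needs three coordinated edits; referring readers to the workflow's `aws-role-to-assume` default instead of restating the ARN here would remove one copy.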