.github/workflows/blank.yml

# This is a basic workflow to help you get started with Actions

name: CI

# Controls when the workflow will run
on:
  # Triggers the workflow on push or pull request events but only for the "main" branch
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]

  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
  # This workflow contains a single job called "build"
  build:
    # The type of runner that the job will run on
    runs-on: ubuntu-latest
    name: Vault-gtihub integration
    permissions:
        contents: read
 
    
    # Steps represent a sequence of tasks that will be executed as part of the job
    steps:
      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
      # - uses: actions/checkout@v3
      # - name: perform token run
      #   run: | 
      #    echo $(curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=gha-medium" | base64)


      # Runs a single command using the runners shel

      - name: Troubleshooting
        run: |
          curl -sSL -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "$ACTIONS_ID_TOKEN_REQUEST_URL" | \
          jq "{ jwt: .value, role: \"$VAULT_ROLE\" }" > ./token.json
            
          echo 'GitHub Actions Token Claims'
          cat ./token.json | jq -r '.jwt | split(".") | .[1] | @base64d' | jq

          echo 'Vault Login Response'
          curl -sSLf -X POST -H "Content-Type: application/json" -H "X-Vault-Namespace: $VAULT_NAMESPACE" --data @token.json $VAULT_URL/v1/auth/$VAULT_AUTH_PATH/login

          # Remove the token file when we're done (if we don't fail)
          rm ./token.json
        env:
         VAULT_URL: https://vault-public-vault-22deb760.8ee49bbe.z1.hashicorp.cloud:8200
         VAULT_AUTH_PATH: jwt
         VAULT_ROLE: demo1
         VAULT_NAMESPACE: admin/kalam-test      
      # Runs a set of commands using the runners shell
      - name: Retrieve Secrets
        id: secretdata
        uses: hashicorp/vault-action@v2.4.0
        with:
          url: https://vault-public-vault-22deb760.8ee49bbe.z1.hashicorp.cloud:8200
          role: demo
          method: jwt
          namespace: admin
          secrets: |
                secrets/data/ci app_secret | MY_SECRET ;

      - name: Print Secrets
        run: |
          echo '${{ steps.secretdata.outputs.MY_SECRET }}' | sed 's/./& /g'