55 lines
1.8 KiB
YAML
55 lines
1.8 KiB
YAML
name: Auto-Unseal for Vault
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
schedule:
|
|
- cron: "30 5 * * *"
|
|
|
|
env:
|
|
HC_VAULT_VERSION: "1.20.4"
|
|
|
|
jobs:
|
|
auto-unseal:
|
|
name: Unseal Vault
|
|
runs-on: ubuntu-latest
|
|
env:
|
|
VAULT_ADDR: ${{ secrets.TREZ_VAULT_ADDR }}
|
|
VAULT_TOKEN: ${{ secrets.VAULT_GITEA_TOKEN }}
|
|
VAULT_SHARDS: ${{ secrets.VAULT_UNSEAL_SHARDS }}
|
|
VAULT_NAMESPACE: ""
|
|
steps:
|
|
- name: Vault Unseal Start
|
|
uses: eikendev/gotify-action@0.0.3
|
|
with:
|
|
gotify_api_base: "${{ secrets.RUNNER_GOTIFY_URL }}"
|
|
gotify_app_token: "${{ secrets.RUNNER_GOTIFY_TOKEN }}"
|
|
notification_title: "GITEA: HC Vault @ Rinoa"
|
|
notification_message: "Hashicorp Vault unsealing started... 🔐"
|
|
|
|
- name: Cache Vault install
|
|
id: cache-vault
|
|
uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
|
|
with:
|
|
path: /opt/hostedtoolcache/vault/${{ env.HC_VAULT_VERSION }}/x64
|
|
key: vault-${{ runner.os }}-${{ env.HC_VAULT_VERSION }}
|
|
|
|
- name: Install Vault (only if not cached)
|
|
if: steps.cache-vault.outputs.cache-hit != 'true'
|
|
uses: cpanato/vault-installer@main
|
|
with:
|
|
version: ${{ env.HC_VAULT_VERSION }}
|
|
|
|
- name: Unseal Vault
|
|
run: |
|
|
for vault_shard in $VAULT_SHARDS; do
|
|
vault operator unseal -address="${VAULT_ADDR}" -non-interactive "${vault_shard}"
|
|
done
|
|
|
|
- name: Vault Unseal Completion
|
|
uses: eikendev/gotify-action@0.0.3
|
|
with:
|
|
gotify_api_base: "${{ secrets.RUNNER_GOTIFY_URL }}"
|
|
gotify_app_token: "${{ secrets.RUNNER_GOTIFY_TOKEN }}"
|
|
notification_title: "GITEA: HC Vault @ Rinoa"
|
|
notification_message: "Hashicorp Vault unsealed! 🔓"
|