From d529c8c7a762f157318b966c8dec0aceb834911a Mon Sep 17 00:00:00 2001
From: Jack Yu
Date: Fri, 12 Apr 2024 15:25:31 +0800
Subject: [PATCH] ci: use vault to read secret
Signed-off-by: Jack Yu
---
 .github/workflows/template-build.yml | 31 ++++++++++++++++++++++++----
 1 file changed, 27 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/template-build.yml b/.github/workflows/template-build.yml
index 812daed3..cd63b41f 100644
--- a/.github/workflows/template-build.yml
+++ b/.github/workflows/template-build.yml
@@ -11,6 +11,9 @@ on:
 jobs:
   dapper-build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     container:
       image: rancher/dapper:v0.5.8
     strategy:
@@ -33,6 +36,8 @@ jobs:
           arch=$(echo ${{ matrix.platform }} | cut -c 7-)
           echo "ARCH=$arch" >> "$GITHUB_OUTPUT"
+
+
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
@@ -42,12 +47,20 @@ jobs:
       - name: Run dapper
         run: dapper ci
+      - name: Read some Secrets
+        uses: rancher-eio/read-vault-secrets@main
+        if: ${{ inputs.push == true }}
+        with:
+          secrets: |
+            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ;
+            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD
+
       - name: Login to Docker Hub
         uses: docker/login-action@v3
         if: ${{ inputs.push == true }}
         with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
+          username: ${{ env.DOCKER_USERNAME }}
+          password: ${{ env.DOCKER_PASSWORD }}
       - name: Docker Build
         uses: docker/build-push-action@v5
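Review bot: The new job-level `permissions` block on dapper-build is not explained, and `id-token: write` is the kind of grant a later cleanup is tempted to drop; a one-line comment tying it to the step that needs it would prevent that, e.g. `# id-token: write is required by the "Read some Secrets" step below; contents: read keeps every other scope off`. The same block, and the same comment, applies to the manifest job in the last hunk. Whether the action actually exchanges the OIDC token is inferred from the pairing of this grant with that step, not shown in the diff.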
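Review bot: `uses: rancher-eio/read-vault-secrets@main` in the new "Read some Secrets" step tracks a mutable branch, so the step that now hands the Docker Hub credentials to the job will run whatever is pushed to that branch next; every other action in this hunk is at least tag-pinned, and this one handles the most sensitive data, so pin it to a commit, e.g. `uses: rancher-eio/read-vault-secrets@<commit-sha>  # <release tag>` (placeholders — fill in the revision you have reviewed). The same unpinned ref appears in the manifest job's Read step in the last hunk. The values are then consumed as `env.DOCKER_USERNAME` / `env.DOCKER_PASSWORD`, which means they live in the job environment for every later step (Docker Build and beyond), not only the login step; whether the action registers them as masked values for the log is not visible in this diff, so confirm that before relying on the job output being clean. Placing the read after `dapper ci` so the build itself never sees the credentials is the right ordering and worth keeping.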
@@ -65,17 +78,27 @@ jobs:
   manifest:
     if: ${{ inputs.push == true }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     needs:
       - dapper-build
     steps:
       - name: Checkout code
         uses: actions/checkout@v2
+      - name: Read some Secrets
+        uses: rancher-eio/read-vault-secrets@main
+        with:
+          secrets: |
+            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials username | DOCKER_USERNAME ;
+            secret/data/github/repo/${{ github.repository }}/dockerhub/rancher/credentials password | DOCKER_PASSWORD
+
       - name: Login to Docker Hub
         uses: docker/login-action@v2
         with:
-          username: ${{ secrets.docker_username }}
-          password: ${{ secrets.docker_password }}
+          username: ${{ env.docker_username }}
+          password: ${{ env.docker_password }}
       - name: Create Manifest arm64 and amd64
         run: >
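Review bot: The manifest job's login step reads `env.docker_username` and `env.docker_password`, while the Read step a few lines above exports `DOCKER_USERNAME` and `DOCKER_PASSWORD`; as far as I know the runner resolves env-context properties case-insensitively, so this probably works, but the mismatch looks like a leftover from the old `secrets.docker_username` references and will mislead anyone checking which variable is actually set. Use `username: ${{ env.DOCKER_USERNAME }}` and `password: ${{ env.DOCKER_PASSWORD }}` so the two jobs read identically. The `@main` pin on read-vault-secrets here has the same concern as in the dapper-build job.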