Skip to content

ci: add KMS fetch-and-decrypt verification workflow#11844

Closed
qwang1113 wants to merge 1 commit into
OneKeyHQ:xfrom
qwang1113:feat/kms-fetch-verify
Closed

ci: add KMS fetch-and-decrypt verification workflow#11844
qwang1113 wants to merge 1 commit into
OneKeyHQ:xfrom
qwang1113:feat/kms-fetch-verify

Conversation

@qwang1113

@qwang1113 qwang1113 commented May 31, 2026

Copy link
Copy Markdown
Contributor

Draft — depends on OneKeyHQ/actions#108 (the fetch-kms-secrets action). Merge that first.

What

Adds .github/workflows/kms-fetch-verify.yml, a workflow_dispatch workflow that exercises the fetch-kms-secrets action end-to-end (GitHub OIDC → Volcengine STS → KMS GetSecretValue → hybrid AES-256-GCM + RSA-OAEP-SHA256 decrypt → $GITHUB_ENV) and prints only non-sensitive signals — fetched key names + masked values + lengths.

  • secret-names is a required run-time input (passed when you dispatch the workflow), not a stored variable.
  • All Volcengine config comes from repo/org Variables/Secrets with no silent defaults — a missing value fails fast.

Before this can merge

  • uses: currently points at the verification fork qwang1113/actions/fetch-kms-secrets@feat/fetch-kms-secrets. Re-point to OneKeyHQ/actions/fetch-kms-secrets@<pinned-SHA> once feat: add fetch-kms-secrets composite action actions#108 merges.
  • Required config: Variables VOLC_ACCOUNT_ID / VOLC_ROLE_TRN / VOLC_KMS_REGION, Secret KMS_DECRYPT_PRIVATE_KEY, and a Volcengine trust policy allowing this repo's oidc:sub.

Verification

Verified on a fork: a real run fetched + decrypted a KMS secret in cn-beijing and printed CODACY_PROJECT_TOKEN = *** (length=7).

@revan-zhang

revan-zhang commented May 31, 2026

Copy link
Copy Markdown
Contributor

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@socket-security

socket-security Bot commented May 31, 2026

Copy link
Copy Markdown

No dependency changes detected. Learn more about Socket for GitHub.

👍 No dependency changes detected in pull request

@qwang1113
qwang1113 force-pushed the feat/kms-fetch-verify branch from cdc943c to 46b72a3 Compare June 1, 2026 02:08
Manual workflow_dispatch that exercises fetch-kms-secrets end-to-end
(OIDC -> STS -> KMS -> hybrid decrypt) and prints masked values + lengths
to confirm fetch/decrypt works downstream. uses: points at the fork for
verification; re-point to OneKeyHQ/actions before the upstream PR.
@qwang1113
qwang1113 force-pushed the feat/kms-fetch-verify branch from 46b72a3 to 3d34d5c Compare June 1, 2026 02:18
@qwang1113 qwang1113 closed this Jun 1, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants