Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Showing 1 changed file with 28 additions and 3 deletions.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -9,7 +9,7 @@ This action enables you to fetch Doppler secrets for use in your GitHub Actions. | |
The action can be configured in two ways: | ||
|
||
* Service Token (recommended) | ||
* Service Account Token with Project and Config | ||
* Service Account with Project and Config | ||
|
||
### Service Token | ||
|
||
|
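Review bot: the overview list no longer tells the reader that a tokenless option exists. The intro keeps "The action can be configured in two ways" and the renamed bullet "Service Account with Project and Config" now covers two distinct methods (a static Service Account Token and an OIDC identity). Consider naming both in the bullet, for example "Service Account (token or OIDC identity) with Project and Config", and revisiting whether "(recommended)" should stay on Service Token alone now that a method without a stored credential is documented.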
@@ -26,9 +26,13 @@ Then supply the Service Token using the `doppler-token` input: | |
doppler-token: ${{ secrets.DOPPLER_TOKEN }} | ||
``` | ||
### Service Account Token | ||
### Service Account | ||
A Doppler Service Account Token allows for a configurable set of permissions to services in your workplace. The `doppler-project` and `doppler-config` inputs must be provided when using a Service Account Token: | ||
A Doppler Service Account allows for a configurable set of permissions to services in your workplace. A project and config must be specified when using a Service Account. | ||
#### Service Account Token | ||
The `doppler-project` and `doppler-config` inputs must be provided when using a Service Account Token: | ||
|
||
```yaml | ||
- uses: dopplerhq/[email protected] | ||
|
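Review bot: the project/config requirement is now stated twice in a row under the new headings, once as "A project and config must be specified when using a Service Account." and again as "The `doppler-project` and `doppler-config` inputs must be provided when using a Service Account Token:". Keep the general sentence under "### Service Account" and shorten the "#### Service Account Token" lead-in to introduce the example only. Since this subsection is the one that relies on a static token supplied through `doppler-token`, a short pointer here to the OIDC subsection would help readers choose between the two.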
@@ -39,6 +43,27 @@ A Doppler Service Account Token allows for a configurable set of permissions to | |
doppler-config: ci-cd | ||
``` | ||
|
||
#### Service Account Identity via OIDC | ||
|
||
[Identities](https://docs.doppler.com/docs/service-account-identities) allow a service account to authenticate to Doppler via OIDC without using a static API token. This method works like the Service Account Token method above but without a static API token. | ||
|
||
The `auth-method`, `doppler-identity-id`, `doppler-project` and `doppler-config` inputs must be provided when using a Service Account Identity. The permission `id-token: write` is required so that Doppler can obtain an OIDC token from Github for authentication. | ||
|
||
```yaml | ||
jobs: | ||
your-example-job: | ||
permissions: | ||
id-token: write # required for obtaining the OIDC JWT from Github | ||
steps: | ||
- uses: dopplerhq/[email protected] | ||
id: doppler | ||
with: | ||
auth-method: oidc | ||
doppler-identity-id: <your-service-account-identity-uuid> | ||
doppler-project: auth-api | ||
doppler-config: ci-cd | ||
``` | ||
|
||
## Usage | ||
|
||
Secrets can be accessed in two ways: | ||
|
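Review bot: the sentence "required so that Doppler can obtain an OIDC token from Github" misstates who requests the token. The `id-token: write` permission lets the workflow job request the OIDC JWT from GitHub, and the action then presents it to Doppler; the YAML comment "required for obtaining the OIDC JWT from Github" is closer but should say the job obtains it. Please reword, spell "GitHub" consistently, and drop the second sentence of the Identities paragraph, which repeats "without a static API token". The example job also has no `runs-on` key, so it cannot be pasted as shown, and the other examples in this README start at `- uses:`; either add `runs-on` or note that the job is abbreviated.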