Fetch GitHub Actions secrets from AWS Secrets Manager via OIDC#388
Open
AndreyVMarkelov wants to merge 2 commits into
Open
Fetch GitHub Actions secrets from AWS Secrets Manager via OIDC#388AndreyVMarkelov wants to merge 2 commits into
AndreyVMarkelov wants to merge 2 commits into
Conversation
The GitHub secrets these workflows relied on are being retired in favor of a
PyPI/NuGet-style setup where tokens live in AWS Secrets Manager and are fetched
at runtime using GitHub OIDC, matching dropbox/stone and dropbox-sdk-python.
All three workflows now assume the repo's OIDC role
(oidc-github-dropbox-dropbox-sdk-dotnet-repo in account 082972943155) and fetch
their secrets with aws-actions/aws-secretsmanager-get-secrets:
- nuget_upload.yml: NUGET_TOKEN from nuget-api-token-dropbox-sdk-dotnet
- spec_update.yml: SPEC_UPDATE_TOKEN from spec-update-token-dropbox-sdk-dotnet
- ci.yml:
- IntegrationTests: the Dropbox app credentials from a single JSON secret
(dotnet-integration-test-creds, parse-json-secrets) mapped back to the
DROPBOX_INTEGRATION_* env vars the tests expect, plus the Codecov token.
- UnitTests: the Codecov token for coverage upload.
Fork PRs cannot assume the OIDC role (GitHub withholds id-token from fork
runs), so the integration-test job and the coverage-upload steps are gated to
same-repo runs; unit tests and the linter still run on forks.
Requires the corresponding IAM role and secrets to be provisioned in AWS
before these workflows can authenticate.
rhui-dbx
approved these changes
Jul 9, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Moves the GitHub Actions secrets these workflows use out of GitHub repo secrets and into AWS Secrets Manager, fetched at runtime via GitHub OIDC — the same approach
dropbox/stoneanddropbox-sdk-pythonnow use. The old GitHub secrets are being retired.Changes
All three workflows assume the repo's OIDC role (
oidc-github-dropbox-dropbox-sdk-dotnet-repo, AWS account082972943155,us-west-2) and fetch their secrets withaws-actions/aws-secretsmanager-get-secrets:nuget_upload.yml—NUGET_TOKENfromnuget-api-token-dropbox-sdk-dotnet.spec_update.yml—SPEC_UPDATE_TOKENfromspec-update-token-dropbox-sdk-dotnet.ci.ymlIntegrationTests: the Dropbox app credentials from a single JSON secretdotnet-integration-test-creds(parse-json-secrets: true, exposed asCREDS_*and mapped back to theDROPBOX_INTEGRATION_*env vars the tests expect), plus the Codecov token.UnitTests: the Codecov token for coverage upload.Fork PRs
Fork PRs cannot assume the OIDC role (GitHub withholds
id-tokenfrom fork runs — the same limitation the old GitHub secrets had). So theIntegrationTestsjob and the coverage-upload steps are gated to same-repo runs (pushto main, same-repo PRs, and the nightly cron). Unit tests and the linter still run on forks.Requires infra first
The IAM role and secrets these workflows reference must be provisioned in AWS first. Do not merge until that infrastructure is in place and the secret values are set, or these workflows will fail on the role-assume / secret-fetch step.
The signing key (
dropbox_api_key.snk) is unchanged — it is checked into the repo, not a secret.