Skip to content

Fetch GitHub Actions secrets from AWS Secrets Manager via OIDC#388

Open
AndreyVMarkelov wants to merge 2 commits into
mainfrom
oidc-aws-secrets
Open

Fetch GitHub Actions secrets from AWS Secrets Manager via OIDC#388
AndreyVMarkelov wants to merge 2 commits into
mainfrom
oidc-aws-secrets

Conversation

@AndreyVMarkelov

@AndreyVMarkelov AndreyVMarkelov commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Summary

Moves the GitHub Actions secrets these workflows use out of GitHub repo secrets and into AWS Secrets Manager, fetched at runtime via GitHub OIDC — the same approach dropbox/stone and dropbox-sdk-python now use. The old GitHub secrets are being retired.

Changes

All three workflows assume the repo's OIDC role (oidc-github-dropbox-dropbox-sdk-dotnet-repo, AWS account 082972943155, us-west-2) and fetch their secrets with aws-actions/aws-secretsmanager-get-secrets:

  • nuget_upload.ymlNUGET_TOKEN from nuget-api-token-dropbox-sdk-dotnet.
  • spec_update.ymlSPEC_UPDATE_TOKEN from spec-update-token-dropbox-sdk-dotnet.
  • ci.yml
    • IntegrationTests: the Dropbox app credentials from a single JSON secret dotnet-integration-test-creds (parse-json-secrets: true, exposed as CREDS_* and mapped back to the DROPBOX_INTEGRATION_* env vars the tests expect), plus the Codecov token.
    • UnitTests: the Codecov token for coverage upload.

Fork PRs

Fork PRs cannot assume the OIDC role (GitHub withholds id-token from fork runs — the same limitation the old GitHub secrets had). So the IntegrationTests job and the coverage-upload steps are gated to same-repo runs (push to main, same-repo PRs, and the nightly cron). Unit tests and the linter still run on forks.

Requires infra first

The IAM role and secrets these workflows reference must be provisioned in AWS first. Do not merge until that infrastructure is in place and the secret values are set, or these workflows will fail on the role-assume / secret-fetch step.

The signing key (dropbox_api_key.snk) is unchanged — it is checked into the repo, not a secret.

The GitHub secrets these workflows relied on are being retired in favor of a
PyPI/NuGet-style setup where tokens live in AWS Secrets Manager and are fetched
at runtime using GitHub OIDC, matching dropbox/stone and dropbox-sdk-python.

All three workflows now assume the repo's OIDC role
(oidc-github-dropbox-dropbox-sdk-dotnet-repo in account 082972943155) and fetch
their secrets with aws-actions/aws-secretsmanager-get-secrets:

- nuget_upload.yml: NUGET_TOKEN from nuget-api-token-dropbox-sdk-dotnet
- spec_update.yml:  SPEC_UPDATE_TOKEN from spec-update-token-dropbox-sdk-dotnet
- ci.yml:
  - IntegrationTests: the Dropbox app credentials from a single JSON secret
    (dotnet-integration-test-creds, parse-json-secrets) mapped back to the
    DROPBOX_INTEGRATION_* env vars the tests expect, plus the Codecov token.
  - UnitTests: the Codecov token for coverage upload.

Fork PRs cannot assume the OIDC role (GitHub withholds id-token from fork
runs), so the integration-test job and the coverage-upload steps are gated to
same-repo runs; unit tests and the linter still run on forks.

Requires the corresponding IAM role and secrets to be provisioned in AWS
before these workflows can authenticate.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants