Does anyone have a working implementation of a Gitea Action workflow fetching secrets from Hashicorp Vault? There’s an existing GitHub Action which I’ve used to great effect at $DAY_JOB (with GitHub Actions, not Gitea Actions), but I can’t get my head around how to authenticate to Vault from Gitea Actions:
- JWT with GitHub OIDC Tokens doesn’t seem feasible as Gitea cannot currently act as an OIDC provider
- AppRole-, Userpass-, or Token-based authentication would require provision of static secrets, which defeats the purpose of dynamic secret provision.
- GitHub Auth is presumably not available (though I admit I haven’t tried it!)
- Kubernetes auth could work, though I don’t think that would provide the ability for different repos’ Actions to have access to differing Vault Roles - this would use the `serviceAccountName` for the hosted `act-runner`s, which would not differentiate based on source repo.
- JWT with OIDC Provider and LDAP are probably feasible, but require a whole external system.