Actions/Hashicorp Vault integration

Actions

scubbo March 18, 2025, 6:42pm 1

Does anyone have a working implementation of a Gitea Action workflow fetching secrets from Hashicorp Vault? There’s an existing GitHub Action which I’ve used to great effect at $DAY_JOB (with GitHUB actions, not Gitea Actions), but I can’t get my head around how to authenticate to Vault from GiteaActions:

• JWT with GitHub OIDC Tokens doesn’t seem feasible as Gitea cannot currently act as an OIDC provider
• AppRole-, Userpass-, or Token-based authentication would require provision of static secrets, which defeats the purpose of dynamic secret provision.
• GitHub Auth is presumably not available (though I admit I haven’t tried it!)
• Kuberenetes auth could work, though I don’t think that would provide the ability for different repo’s Actions to have access to differing Vault Roles - this would use the serviceAccountName for the hosted act-runners, which would not differentiate based on source repo.
• JWT with OIDC Provider and LDAP are probably feasible, but require a whole external system.

ben-freke July 19, 2025, 6:17pm 2

I’m hitting exactly the same problem. Did you come up with a resolution for this?

ben-freke July 19, 2025, 6:36pm 3

I’ve just spent time reading up on the various Issues / PRs associcated with this, so glad it’s got a milestone attached to it now and thanks for all your work!

As that milestone is set for August of this year, I’m interested as to what your workaround is for the meantime? The solution I’ve “settled” on until OIDC comes along is using an AppRole and some quirkly policy combinations to minimise any potential damage, accepting I cannot make it perfect.

Related topics

Topic		Replies	Views	Activity
Using user secrets - tokens Actions	0	1577	April 4, 2024
Multi repo and auth problem Actions	6	144	November 20, 2024
How to use custom Gitea Actions Actions	2	2030	March 28, 2024
Gitea + Infisical Password Vault General	2	409	June 24, 2024
Gitea & oidc (keycloak) role mapping General	1	2545	January 29, 2024