
ci: fetch BUF_TOKEN from AWS Secrets Manager in proto-generate workflow#2451

Open. ivotron wants to merge 1 commit into master from ivo/proto-generate-aws-sm-buf-token

Conversation

@ivotron (Member) commented May 15, 2026

Summary

Migrates proto-generate.yml off the repo-level BUF_TOKEN GitHub secret and onto AWS Secrets Manager, mirroring the pattern already used by buf.yml in this same repo.

After this lands, the BUF_TOKEN repo secret can be deleted — the buf.build vbot token is sourced canonically from sdlc/prod/github/buf_token in AWS SM (managed by the DevProd Secret Maintainer).

Context

  • A recent rotation of the buf.build vbot token updated only the AWS SM copy of the secret; this workflow's stale GH-secret copy would have started failing the next time the upstream token was revoked. See DEVPROD-3054.
  • Same OIDC role / region wiring as the existing buf.yml in this repo — RP_AWS_CRED_BASE_ROLE_NAME and RP_AWS_CRED_REGION are already provisioned for redpanda-data/console.
  • parse-json-secrets: true exports the SM JSON keys as env vars, so BUF_TOKEN is set automatically for the task proto:generate step — the explicit env: block becomes redundant.

Test plan

  • PR's own Proto generate check run succeeds against the new auth path.
  • After merge, run gh secret delete BUF_TOKEN --repo redpanda-data/console and confirm a subsequent proto-touching PR still passes Proto generate check.
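For readers who want to see the auth path the description refers to, here is an added example of a proto-generate workflow that fetches BUF_TOKEN through OIDC and AWS Secrets Manager. It is not the repo's proto-generate.yml or buf.yml. The trigger paths, the action versions, the role-ARN shape, the choice to read RP_AWS_CRED_BASE_ROLE_NAME / RP_AWS_CRED_REGION from repository variables, the AWS_ACCOUNT_ID secret, and the blank-alias form of secret-ids are all assumptions; check the aws-secretsmanager-get-secrets README for the exact environment-variable naming rule before copying it.

```yaml
# Added example of the pattern described in the PR; not the project's own workflow.
# Assumptions: trigger paths, action versions, the role ARN shape, that the
# RP_AWS_CRED_* values live in repository variables, and the blank-alias form.
name: proto-generate

on:
  pull_request:
    paths:
      - "proto/**"

permissions:
  contents: read
  id-token: write   # lets the job request a GitHub OIDC token; no static AWS keys in repo secrets

jobs:
  proto-generate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Exchange the GitHub OIDC token for short-lived AWS credentials.
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/${{ vars.RP_AWS_CRED_BASE_ROLE_NAME }}
          aws-region: ${{ vars.RP_AWS_CRED_REGION }}

      # Read the JSON secret (assumed shape: {"BUF_TOKEN": "..."}) and export each
      # top-level key as a masked env var. The blank alias (leading comma) is assumed
      # here to suppress the secret-name prefix so the variable is exactly BUF_TOKEN;
      # verify this against the action's README for the version you pin.
      - name: Fetch buf.build token from AWS Secrets Manager
        uses: aws-actions/aws-secretsmanager-get-secrets@v2
        with:
          secret-ids: |
            ,sdlc/prod/github/buf_token
          parse-json-secrets: true

      # Fail loudly if the variable was not exported under the expected name,
      # rather than letting the generate step fail later with an auth error.
      - name: Check BUF_TOKEN is present
        run: test -n "$BUF_TOKEN" || { echo "BUF_TOKEN was not exported by the secrets step"; exit 1; }

      # BUF_TOKEN is already in the job environment, so no env: block is needed.
      # Assumes `task` is installed on the runner as in the existing workflow.
      - name: Generate protos
        run: task proto:generate
```

Two checks worth doing alongside this: the IAM role's trust policy should condition the `token.actions.githubusercontent.com:sub` claim on this repository (and ideally the branch or environment), otherwise any workflow that can mint an OIDC token for the same audience can assume the role; and the "delete the GH secret, re-run the check" step in the test plan only proves the migration if the Proto generate check actually contacts buf.build with the token, so confirm that step exercises the registry rather than a cached dependency.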

Mirrors the existing AWS-SM pattern in this repo's buf.yml so the
BUF_TOKEN repo secret is no longer needed. Once this lands, the
repo-level BUF_TOKEN GitHub secret can be deleted; the buf.build token
is sourced exclusively from sdlc/prod/github/buf_token in AWS SM,
which is the canonical location managed by the DevProd Secret Maintainer
(DEVPROD-3054).
@ivotron ivotron requested review from a team, c-julin, cjayani and Copilot and removed request for a team May 15, 2026 23:31

Copilot AI left a comment

Pull request overview

Migrates the proto-generate.yml workflow off the repo-level BUF_TOKEN GitHub secret to AWS Secrets Manager, mirroring the existing pattern in buf.yml. This allows the GH-secret copy to be removed and centralizes the buf.build vbot token in AWS SM.

Changes:

  • Adds id-token: write permission to enable OIDC-based AWS role assumption.
  • Adds configure-aws-credentials and aws-secretsmanager-get-secrets steps to fetch BUF_TOKEN from sdlc/prod/github/buf_token.
  • Removes the explicit env: BUF_TOKEN block from the Generate protos step, relying on parse-json-secrets: true to export it.
