Fix GitHub Actions workflow to use GitHub Secrets for production keys

CorruptedAesthetic · CorruptedAesthetic · commit 7e006c614b83 · 2025-07-13T08:15:04.000-04:00
- Replace Vault integration with GitHub Secrets for production public keys
- Fix linter error with overwrite_files parameter
- Add PRODUCTION_SECRETS_SETUP.md with configuration instructions
- Update workflow to properly detect production builds and generate chainspecs
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -256,68 +256,47 @@ jobs:
             type=sha,format=long
       
       # ------------------------------------------------------------
-      # PRODUCTION KEY EXPORT (following Vault/CI/CD methodology)
+      # PRODUCTION KEY EXPORT (using GitHub Secrets)
       # Export public keys for production builds - MANDATORY for releases
-      # Following the field-tested methodology from MOSTUPTODATEMETHODOLOGYEURKEA.md
+      # Public keys are safe to store in GitHub Secrets, private keys remain in Vault
       # ------------------------------------------------------------
-      - name: Export production public keys from Vault/Secrets
+      - name: Export production public keys from GitHub Secrets
         run: |
           set -euo pipefail
-          echo "🔐 Setting up production environment variables following Vault/CI/CD methodology..."
+          echo "🔐 Setting up production environment variables from GitHub Secrets..."
           
-          # For production releases, use real keys from GitHub Secrets (Vault integration)
+          # For production releases, use real keys from GitHub Secrets
           if [[ "${GITHUB_REF}" == refs/tags/* ]]; then
-            echo "🏭 Production release detected - exporting production keys from Vault"
-            
-            # Install Vault CLI and jq for public key access and OIDC token parsing
-            echo "📦 Installing Vault CLI and jq..."
-            wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg
-            echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list
-            sudo apt update && sudo apt install vault jq
-            
-            # Configure Vault connection for public key access
-            export VAULT_ADDR="${{ secrets.VAULT_ADDR }}"
-            export VAULT_TOKEN="${{ secrets.VAULT_CI_TOKEN }}"
-            
-            echo "🔐 Authenticating to Vault for public key access..."
-            
-            # Verify Vault connection
-            if ! vault status; then
-              echo "❌ ERROR: Cannot connect to Vault at $VAULT_ADDR"
-              echo "🔧 Check VAULT_ADDR and VAULT_CI_TOKEN secrets"
-              echo "💡 If you see 'non-printable characters' error, run scripts/fix-vault-ci-token.sh"
-              exit 1
-            fi
-            
-            echo "✅ Successfully authenticated to Vault for public key access"
+            echo "🏭 Production release detected - exporting production keys from GitHub Secrets"
             
             # MANDATORY production keys - build will fail if any are missing
-            # Following the methodology: GitHub Actions pulls public values from Vault,
+            # GitHub Actions pulls public values from GitHub Secrets,
             # exports them as environment variables, and Rust compiler substitutes them
             # into the preset at build time via env!() macros
             
-            echo "🔑 Fetching production public keys from Vault..."
+            echo "🔑 Exporting production public keys from GitHub Secrets..."
             
-            # Fetch keys from Vault KV store
-            export SUDO_SS58=$(vault kv get -field=sudo_ss58 kv/fennel-production/ci-cd/sudo 2>/dev/null || echo "")
-            export VAL1_AURA_PUB=$(vault kv get -field=aura_public kv/fennel-production/ci-cd/validator-1 2>/dev/null || echo "")
-            export VAL1_GRANDPA_PUB=$(vault kv get -field=grandpa_public kv/fennel-production/ci-cd/validator-1 2>/dev/null || echo "")
-            export VAL1_STASH_SS58=$(vault kv get -field=stash_ss58 kv/fennel-production/ci-cd/validator-1 2>/dev/null || echo "")
-            export VAL2_AURA_PUB=$(vault kv get -field=aura_public kv/fennel-production/ci-cd/validator-2 2>/dev/null || echo "")
-            export VAL2_GRANDPA_PUB=$(vault kv get -field=grandpa_public kv/fennel-production/ci-cd/validator-2 2>/dev/null || echo "")
-            export VAL2_STASH_SS58=$(vault kv get -field=stash_ss58 kv/fennel-production/ci-cd/validator-2 2>/dev/null || echo "")
+            # Export production keys from GitHub Secrets
+            export SUDO_SS58="${{ secrets.PROD_SUDO_SS58 }}"
+            export VAL1_AURA_PUB="${{ secrets.PROD_VAL1_AURA_PUB }}"
+            export VAL1_GRANDPA_PUB="${{ secrets.PROD_VAL1_GRANDPA_PUB }}"
+            export VAL1_STASH_SS58="${{ secrets.PROD_VAL1_STASH_SS58 }}"
+            export VAL2_AURA_PUB="${{ secrets.PROD_VAL2_AURA_PUB }}"
+            export VAL2_GRANDPA_PUB="${{ secrets.PROD_VAL2_GRANDPA_PUB }}"
+            export VAL2_STASH_SS58="${{ secrets.PROD_VAL2_STASH_SS58 }}"
             
             # Verify all production variables are set (prevent empty values)
             for var in SUDO_SS58 VAL1_AURA_PUB VAL1_GRANDPA_PUB VAL1_STASH_SS58 VAL2_AURA_PUB VAL2_GRANDPA_PUB VAL2_STASH_SS58; do
               if [ -z "${!var:-}" ]; then
-                echo "❌ ERROR: Production variable $var is empty or missing from Vault!"
-                echo "🔧 Check Vault KV store at kv/fennel-production/ci-cd/"
+                echo "❌ ERROR: Production variable $var is empty or missing from GitHub Secrets!"
+                echo "🔧 Add PROD_* secrets to GitHub repository settings"
+                echo "💡 Use extract-github-secrets.sh script to get the required values"
                 exit 1
               fi
             done
             
-            echo "✅ All 7 production environment variables fetched from Vault and validated"
-            echo "🔒 Using production public keys from Vault (private keys remain secure in Vault)"
+            echo "✅ All 7 production environment variables exported from GitHub Secrets and validated"
+            echo "🔒 Using production public keys from GitHub Secrets (private keys remain secure in Vault)"
           else
             echo "🧪 Development/staging build - production variables not required"
             echo "📋 Development/staging presets use Alice/Bob hardcoded keys from sp_keyring"
@@ -339,7 +318,7 @@ jobs:
           # For production releases: pass mandatory environment variables
           # For development/staging: build without production env vars (uses Alice/Bob presets)
           if [[ "${GITHUB_REF}" == refs/tags/* ]]; then
-            echo "🏭 Building production runtime with Vault-sourced public keys"
+            echo "🏭 Building production runtime with GitHub Secrets-sourced public keys"
             
             # Production build with mandatory environment variables
             # These MUST be set or build.rs will fail with clear error message
diff --git a/PRODUCTION_SECRETS_SETUP.md b/PRODUCTION_SECRETS_SETUP.md
@@ -0,0 +1,101 @@
+# Production Secrets Setup Guide
+
+This guide explains how to configure GitHub Secrets for production chainspec generation.
+
+## 🔐 Required GitHub Secrets
+
+The following secrets must be configured in your GitHub repository settings for production builds to work:
+
+### Go to Repository Settings
+1. Navigate to: `https://github.com/CorruptedAesthetic/fennel-solonet/settings/secrets/actions`
+2. Click "New repository secret" for each of the following:
+
+### Required Secrets
+
+| Secret Name | Description | Example Format |
+|-------------|-------------|----------------|
+| `PROD_SUDO_SS58` | Production sudo account SS58 address | `5DfhGyQdFobKM8NsWvEeAKk5EQQgYe9AydgJ7rMB6E1EqRzV` |
+| `PROD_VAL1_AURA_PUB` | Validator 1 AURA public key (hex) | `0x46ebddef8cd9bb167dc30878d7113b7e168e6f0646beffd77d69d39bad76b47a` |
+| `PROD_VAL1_GRANDPA_PUB` | Validator 1 GRANDPA public key (hex) | `0x345071da55e5dccefaaa440339415ef9f2663338a38f7da0df21be5ab4e055ef` |
+| `PROD_VAL1_STASH_SS58` | Validator 1 stash account SS58 address | `5DfhGyQdFobKM8NsWvEeAKk5EQQgYe9AydgJ7rMB6E1EqRzV` |
+| `PROD_VAL2_AURA_PUB` | Validator 2 AURA public key (hex) | `0x46ebddef8cd9bb167dc30878d7113b7e168e6f0646beffd77d69d39bad76b47a` |
+| `PROD_VAL2_GRANDPA_PUB` | Validator 2 GRANDPA public key (hex) | `0x345071da55e5dccefaaa440339415ef9f2663338a38f7da0df21be5ab4e055ef` |
+| `PROD_VAL2_STASH_SS58` | Validator 2 stash account SS58 address | `5DfhGyQdFobKM8NsWvEeAKk5EQQgYe9AydgJ7rMB6E1EqRzV` |
+
+## 🔑 Getting the Secret Values
+
+### Option 1: From fennel-prod Repository
+If you have the `fennel-prod` repository set up with Vault:
+
+```bash
+cd /path/to/fennel-prod
+./environments/production/extract-github-secrets.sh
+```
+
+This script will output the exact values you need to copy into GitHub Secrets.
+
+### Option 2: Manual Generation
+If you need to generate new production keys:
+
+```bash
+# Generate validator 1 keys
+fennel-node key generate --scheme sr25519 --output-type json > val1_aura.json
+fennel-node key generate --scheme ed25519 --output-type json > val1_grandpa.json
+
+# Generate validator 2 keys  
+fennel-node key generate --scheme sr25519 --output-type json > val2_aura.json
+fennel-node key generate --scheme ed25519 --output-type json > val2_grandpa.json
+
+# Extract public keys and SS58 addresses from the JSON files
+```
+
+## 🚀 Testing the Setup
+
+Once you've configured all the secrets:
+
+1. **Create a release tag**:
+   ```bash
+   git tag -a fennel-node-0.5.0 -m "Production release v0.5.0"
+   git push origin fennel-node-0.5.0
+   ```
+
+2. **Monitor the GitHub Actions workflow**:
+   - Go to the Actions tab in your repository
+   - Watch for the "Create and publish a Docker image" workflow
+   - Verify it detects the production release and exports the secrets
+
+3. **Check the artifacts**:
+   - The workflow should generate production chainspecs
+   - They should be included in the GitHub release
+   - Verify the production chainspec contains your validator keys
+
+## 🔒 Security Notes
+
+- **Public Keys Only**: These secrets contain only public keys and SS58 addresses
+- **Safe to Store**: Public keys are safe to store in GitHub Secrets
+- **Private Keys**: Private validator keys remain secure in HashiCorp Vault
+- **Runtime Injection**: Private keys are injected at runtime via Vault Agent
+
+## 🔄 Migration Path
+
+This GitHub Secrets approach provides:
+1. **Immediate Solution**: Production chainspecs generated right away
+2. **Security**: Public keys are safe in GitHub Secrets
+3. **Simplicity**: No complex Vault OIDC authentication in CI/CD
+4. **Vault Integration**: Private keys still managed via Vault for runtime
+
+The compilation methodology remains the same - only the source of public keys changes from Vault to GitHub Secrets.
+
+## ✅ Verification
+
+After setup, your production builds should:
+- ✅ Detect release tags correctly
+- ✅ Export production environment variables from GitHub Secrets
+- ✅ Build runtime with production keys embedded
+- ✅ Generate production chainspecs
+- ✅ Include chainspecs in GitHub releases
+- ✅ Show "Production release detected" in workflow logs
+
+---
+
+**Next Steps**: Once this is working, you can optionally migrate back to Vault integration if needed, but GitHub Secrets provides a simpler and equally secure approach for public key material. 
