From d56ad08d332d10ee440170afec64bd1efecc5282 Mon Sep 17 00:00:00 2001
From: Kim Gustyr
Date: Mon, 24 Jun 2024 13:46:35 +0100
Subject: [PATCH] fix(ci): Secrets unavailable for deploy jobs (#4215)
---
 .github/actions/api-deploy-ecs/action.yml | 2 +-
 .github/actions/task-processor-deploy-ecs/action.yml | 2 +-
 .github/workflows/.reusable-deploy-ecs.yml | 6 +++---
 .github/workflows/api-deploy-production-ecs.yml | 1 +
 .github/workflows/api-deploy-staging-ecs.yml | 1 +
 Dockerfile | 4 ++--
 6 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/.github/actions/api-deploy-ecs/action.yml b/.github/actions/api-deploy-ecs/action.yml
index d81db5f8f195..e6a367a830a3 100644
--- a/.github/actions/api-deploy-ecs/action.yml
+++ b/.github/actions/api-deploy-ecs/action.yml
@@ -50,7 +50,7 @@ runs:
 steps:
 - name: Configure AWS Credentials
- uses: aws-actions/configure-aws-credentials@v1-node16
+ uses: aws-actions/configure-aws-credentials@v4
 with:
 aws-access-key-id: ${{ inputs.aws_access_key_id }}
 aws-secret-access-key: ${{ inputs.aws_secret_access_key }}
diff --git a/.github/actions/task-processor-deploy-ecs/action.yml b/.github/actions/task-processor-deploy-ecs/action.yml
index 48d1b6cb9428..d622636f1ba9 100644
--- a/.github/actions/task-processor-deploy-ecs/action.yml
+++ b/.github/actions/task-processor-deploy-ecs/action.yml
@@ -26,7 +26,7 @@ runs:
 steps:
 - name: Configure AWS Credentials
- uses: aws-actions/configure-aws-credentials@v1-node16
+ uses: aws-actions/configure-aws-credentials@v4
 with:
 aws-access-key-id: ${{ inputs.aws_access_key_id }}
 aws-secret-access-key: ${{ inputs.aws_secret_access_key }}
diff --git a/.github/workflows/.reusable-deploy-ecs.yml b/.github/workflows/.reusable-deploy-ecs.yml
index c694eeb7f40b..72e58be119bd 100644
--- a/.github/workflows/.reusable-deploy-ecs.yml
+++ b/.github/workflows/.reusable-deploy-ecs.yml
@@ -33,11 +33,12 @@ jobs:
 uses: depot/setup-action@v1
 - name: Configure AWS Credentials
- uses: aws-actions/configure-aws-credentials@v1-node16
+ uses: aws-actions/configure-aws-credentials@v4
 with:
 aws-access-key-id: ${{ vars.AWS_ACCESS_KEY_ID }}
 aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 aws-region: eu-west-2
+ mask-aws-account-id: 'no'
 - name: Login to Amazon ECR
 id: login-ecr
@@ -61,7 +62,7 @@ jobs:
 build-args: CI_COMMIT_SHA=${{ github.sha }}
 secrets: |
 github_private_cloud_token=${{ secrets.GH_PRIVATE_ACCESS_TOKEN }}
- sse_pgp_pkey=${{ secrets.SSE_PGP_PRIVATE_KEY }}
+ "sse_pgp_pkey=${{ secrets.SSE_PGP_PRIVATE_KEY }}"
 push: true
 tags: ${{ steps.meta.outputs.tags }}
 labels: ${{ steps.meta.outputs.labels }}
@@ -85,7 +86,6 @@ jobs:
 aws_ecs_service_name: ${{ vars.AWS_ECS_SERVICE_NAME }}
 aws_vpc_subnet_id: ${{ vars.AWS_VPC_SUBNET_ID }}
 aws_ecs_security_group_id: ${{ vars.AWS_ECS_SECURITY_GROUP_ID }}
- aws_ecr_repository_arn: ${{ vars.AWS_ECR_REPOSITORY_ARN }}
 aws_identity_migration_event_bus_name: ${{ vars.AWS_IDENTITY_MIGRATION_EVENT_BUS_NAME }}
 aws_identity_migration_event_bus_rule_id: ${{ vars.AWS_IDENTITY_MIGRATION_EVENT_BUS_RULE_ID }}
 aws_identity_migration_task_role_arn: ${{ vars.AWS_IDENTITY_MIGRATION_TASK_ROLE_ARN }}
diff --git a/.github/workflows/api-deploy-production-ecs.yml b/.github/workflows/api-deploy-production-ecs.yml
index 66118043bddf..d06d5d7ab1b6 100644
--- a/.github/workflows/api-deploy-production-ecs.yml
+++ b/.github/workflows/api-deploy-production-ecs.yml
@@ -14,3 +14,4 @@ jobs:
 uses: ./.github/workflows/.reusable-deploy-ecs.yml
 with:
 environment: production
+ secrets: inherit
diff --git a/.github/workflows/api-deploy-staging-ecs.yml b/.github/workflows/api-deploy-staging-ecs.yml
index 0cc139aeb5e1..b02ff61bebe9 100644
--- a/.github/workflows/api-deploy-staging-ecs.yml
+++ b/.github/workflows/api-deploy-staging-ecs.yml
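Review bot: `mask-aws-account-id: 'no'` switches off masking of the AWS account ID, so from now on it is printed in clear in a job log that anyone with read access to the repository can open; the account ID is not a credential, but AWS advises treating it as sensitive, and nothing in the hunk records why masking has to be disabled. The v4 action documents this input as `'true'`/`'false'`; `'no'` looks like the v1 spelling and presumably only works because any value other than `'true'` is treated as false — confirm against the action's README and prefer the documented `mask-aws-account-id: 'false'`. A comment above the line such as `# masking the account id would also redact the ECR registry/image references consumed by later steps` would capture the motivation, if that is indeed the reason. Separately, `aws-actions/configure-aws-credentials@v4` here and in the two composite actions is a mutable tag; pinning to a full commit SHA keeps the supply chain auditable.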
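Review bot: The double quotes around `sse_pgp_pkey=…` on the new line are load-bearing but undocumented: docker/build-push-action appears to parse each `secrets:` entry as a `KEY=VALUE` line, and a value that spans several lines (a PGP private key block) has to be wrapped in quotes to survive that parsing, whereas the unquoted `github_private_cloud_token` line above it is only fine because a token is a single line. A comment above the quoted line, `# quoted: the private key is multi-line and build-push-action requires multi-line secret values in quotes`, would stop the next editor from "normalising" the two entries to match. The enclosing build step starts outside the hunk.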
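Review bot: `secrets: inherit` hands every repository, environment and organisation secret to the called workflow, while the hunks above show it using only three (`AWS_SECRET_ACCESS_KEY`, `GH_PRIVATE_ACCESS_TOKEN`, `SSE_PGP_PRIVATE_KEY`). Because the callee is the repo-local `.reusable-deploy-ecs.yml` this is acceptable today, but an explicit `secrets:` mapping naming just those three (declared as `required: true` under `on.workflow_call.secrets` in the reusable workflow) would keep the grant to least privilege and make a renamed or missing secret fail validation instead of silently deploying without it — the very symptom this commit fixes. The identical line added in `api-deploy-staging-ecs.yml` deserves the same treatment.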
@@ -15,3 +15,4 @@ jobs:
 uses: ./.github/workflows/.reusable-deploy-ecs.yml
 with:
 environment: staging
+ secrets: inherit
diff --git a/Dockerfile b/Dockerfile
index 8afc45d4f8d7..914ba471d6f1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -167,8 +167,8 @@ FROM api-runtime-private as saas-api
 RUN --mount=type=secret,id=sse_pgp_pkey \
 apt-get update && apt-get install -y gnupg && \
 gpg --import /run/secrets/sse_pgp_pkey && \
- mv /root/.gnupg /app/; \
- chown -R nobody /app/.gnupg
+ mv /root/.gnupg/ /app/ && \
+ chown -R nobody /app/.gnupg/
 ARG PYTHON_SITE_DIR
 COPY --from=build-python-private ${PYTHON_SITE_DIR} ${PYTHON_SITE_DIR}
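Review bot: The imported private key ends up inside the image: `gpg --import` writes it into `/root/.gnupg`, which the new lines move to `/app/.gnupg` and hand to `nobody`, so although the secret mount keeps `/run/secrets/sse_pgp_pkey` out of the layers, a keyring holding the same key material is committed to the `saas-api` layer; that is presumably intentional (the runtime needs it), but it makes the image secret-bearing and a comment should say so, e.g. `# the keyring (incl. the SSE private key) is baked into this layer; this image must stay in a private registry`. Replacing `;` with `&&` is a genuine fix, since the step's exit status now depends on `mv` as well as on `chown`. Two smaller points: `chown -R nobody` changes the owner but not the mode, so confirm the moved directory keeps gnupg's `700`, and `apt-get install -y gnupg` leaves the apt lists in the layer — `--no-install-recommends` plus `rm -rf /var/lib/apt/lists/*` is the usual form.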