frontend/.github/workflows/build_app_android.yaml

@@ -39,11 +39,23 @@ jobs:
           # remove the 'v' prefix from the tag name
           echo "BUILD_NAME=${REF_NAME//v}" >> $GITHUB_ENV
 
+      - name: Load secrets
+        id: load-secrets
+        uses: hashicorp/vault-action@v3
+        with:
+          url: https://api.hashicorp.com
+          token: ${{ secrets.VAULT_TOKEN }}
+          secrets: |
+            secret/release GOOGLE_MAPS_API_KEY | GOOGLE_MAPS_API_KEY ;
+            secret/release ANDROID_SECRET_PROPERTIES_BASE64 | ANDROID_SECRET_PROPERTIES_BASE64 ;
+            secret/release ANDROID_GOOGLE_PLAY_JSON_BASE64 | ANDROID_GOOGLE_PLAY_JSON_BASE64 ;
+            secret/release ANDROID_KEYSTORE_BASE64 | ANDROID_KEYSTORE_BASE64 ;
+
       - name: Put selected secrets into files
         run: |
-          echo "${{ secrets.ANDROID_SECRET_PROPERTIES_BASE64 }}" | base64 -d > secrets.properties
-          echo "${{ secrets.ANDROID_GOOGLE_PLAY_JSON_BASE64 }}" | base64 -d > google-key.json
-          echo "${{ secrets.ANDROID_KEYSTORE_BASE64 }}" | base64 -d > release.keystore
+          echo "${{ steps.load-secrets.outputs.ANDROID_SECRET_PROPERTIES_BASE64 }}" | base64 -d > secrets.properties
+          echo "${{ steps.load-secrets.outputs.ANDROID_GOOGLE_PLAY_JSON_BASE64 }}" | base64 -d > google-key.json
+          echo "${{ steps.load-secrets.outputs.ANDROID_KEYSTORE_BASE64 }}" | base64 -d > release.keystore
         working-directory: android
 
       - name: Install fastlane
@@ -56,4 +68,4 @@ jobs:
         env:
           BUILD_NUMBER: ${{ github.run_number }}
           # BUILD_NAME is implicitly available
-          GOOGLE_MAPS_API_KEY: ${{ secrets.GOOGLE_MAPS_API_KEY }}
+          GOOGLE_MAPS_API_KEY: ${{ steps.load-secrets.outputs.GOOGLE_MAPS_API_KEY }}

frontend/.github/workflows/build_app_ios.yaml

@@ -30,10 +30,23 @@ jobs:
           # remove the 'v' prefix from the tag name
           echo "BUILD_NAME=${REF_NAME//v}" >> $GITHUB_ENV
 
+      - name: Load secrets
+        id: load-secrets
+        uses: hashicorp/vault-action@v3
+        with:
+          url: https://api.hashicorp.com
+          token: ${{ secrets.VAULT_TOKEN }}
+          secrets: |
+            secret/release GOOGLE_MAPS_API_KEY | GOOGLE_MAPS_API_KEY ;
+            secret/release IOS_ASC_KEY_ID | IOS_ASC_KEY_ID ;
+            secret/release IOS_ASC_ISSUER_ID | IOS_ASC_ISSUER_ID ;
+            secret/release IOS_ASC_KEY | IOS_ASC_KEY ;
+            secret/release IOS_MATCH_REPO_SSH_KEY_BASE64 | IOS_MATCH_REPO_SSH_KEY_BASE64 ;
+
       - name: Setup SSH key for match git repo
         run: echo "$MATCH_REPO_SSH_KEY" | base64 --decode > ~/.ssh/id_rsa && chmod 600 ~/.ssh/id_rsa
         env:
-          MATCH_REPO_SSH_KEY: ${{ secrets.IOS_MATCH_REPO_SSH_KEY_BASE64 }}
+          MATCH_REPO_SSH_KEY: ${{ steps.load-secrets.outputs.IOS_MATCH_REPO_SSH_KEY_BASE64 }}
 
       - name: Install fastlane
         run: bundle install
@@ -45,8 +58,8 @@ jobs:
         env:
           BUILD_NUMBER: ${{ github.run_number }}
           # BUILD_NAME is implicitly available
-          GOOGLE_MAPS_API_KEY: ${{ secrets.GOOGLE_MAPS_API_KEY }}
-          IOS_ASC_KEY_ID: ${{ secrets.IOS_ASC_KEY_ID }}
-          IOS_ASC_ISSUER_ID: ${{ secrets.IOS_ASC_ISSUER_ID }}
-          IOS_ASC_KEY: ${{ secrets.IOS_ASC_KEY }}
-          MATCH_PASSWORD: ${{ secrets.IOS_MATCH_PASSWORD }}
+          GOOGLE_MAPS_API_KEY: ${{ steps.load-secrets.outputs.GOOGLE_MAPS_API_KEY }}
+          IOS_ASC_KEY_ID: ${{ steps.load-secrets.outputs.IOS_ASC_KEY_ID }}
+          IOS_ASC_ISSUER_ID: ${{ steps.load-secrets.outputs.IOS_ASC_ISSUER_ID }}
+          IOS_ASC_KEY: ${{ steps.load-secrets.outputs.IOS_ASC_KEY }}
+          MATCH_PASSWORD: ${{ steps.load-secrets.outputs.IOS_MATCH_PASSWORD }}

frontend/android/fallback.properties

@@ -1,2 +1,3 @@
 # This file mirrors the state of secrets.properties as a reference for the developer.
 # And as a fallback for build.gradle
+MAPS_API_KEY=Key