.github/workflows/tools_secret_upload.yml

name: tools_secret_upload
# Triggers the workflow manually
on:
  workflow_dispatch:
    inputs:
      secret_name:
        description: 'Name of the secret'
        required: true
        type: string
      secret_value:
        description: 'Value of the secret'
        required: true
        type: string
jobs:
  approve_upload_tool_secrets_job:
    runs-on: ubuntu-latest
    name: wait for approval
    timeout-minutes: 60

    permissions:
      issues: write

    steps:
      - name: Echo inputs
        run: echo "Secret name:${{ github.event.inputs.secret_name }}"

      - name: Wait for approval
        uses: trstringer/manual-approval@v1
        timeout-minutes: 60
        with:
          secret: ${{ github.TOKEN }}
          approvers: 16oeahr,chjinche,DaweiCai
          minimum-approvals: 1
          issue-title: "Request to upload secret to key vault for e2e test."
  upload_secret_job:
    name: upload secret
    runs-on: ubuntu-latest
    needs: approve_upload_tool_secrets_job
    timeout-minutes: 60
    
    steps:
      - name: Add Mask
        run: |
          SECRET_VALUE=$(jq -r '.inputs.secret_value' $GITHUB_EVENT_PATH)
          echo "::add-mask::$SECRET_VALUE"

      - name: Check for dockerenv file
        run: (ls /.dockerenv && echo Found dockerenv) || (echo No dockerenv)
      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
      - name: Checkout repository
        uses: actions/checkout@v3

      - name: Set up Python 3.9 environment
        uses: actions/setup-python@v4
        with:
          python-version: "3.9"
      - run: |
          python -m pip install --upgrade pip
          pip install azure-identity==1.12.0
          pip install azure-keyvault-secrets==4.6.0
          pip install azure-core==1.26.4

      - name: Validate
        run: |
          python scripts/tool/validate_tool_secret.py --tenant_id ${{ secrets.TENANT_ID }} --client_id ${{ secrets.CLIENT_ID }} --client_secret ${{ secrets.CLIENT_SECRET }} --secret_name ${{ github.event.inputs.secret_name }}

      - name: Start upload
        run: |
          python scripts/tool/upload_tool_secret.py --tenant_id ${{ secrets.TENANT_ID }} --client_id ${{ secrets.CLIENT_ID }} --client_secret ${{ secrets.CLIENT_SECRET }} --secret_name ${{ github.event.inputs.secret_name }} --secret_value ${{ github.event.inputs.secret_value }}