Safe Output custom token source #18362

@strawgate

Right now, safe outputs support github_token and an app with a private key, etc.

Large Enterprises(tm) like mine use Vault to store/generate app github_tokens instead of allowing us to put the app's private key in the repository (which is what the current app implementation requires, I think).

A new setup-steps field on safe-outputs that injects steps at the start of the consolidated safe-outputs job (same slot where the App token minting goes):

safe-outputs:
  setup-steps:
    - name: Fetch GitHub Token from Vault
      id: vault-token
      uses: elastic/ci-gh-actions/fetch-github-token@v1.1
      with:
        vault-instance: "ci-prod"
  github-token: "${{ steps.vault-token.outputs.token }}"
  create-issue:
  add-comment:

or maybe just call it steps to match the agent?

Note: jobs that's already on safe-output won't work because you can't pass secrets between jobs!

This would:

- Insert the steps at the beginning of the safe_outputs job (after setup/downloads, same insertion point as App token minting)
- Let github-token reference ${{ steps.vault-token.outputs.token }} since it's the same job
- Follow the established pattern — the App token minting already does exactly this, just with a hardcoded action
- Be a relatively small compiler change (in my pure imagination) — the insertion logic in buildConsolidatedSafeOutputsJob around lines 241-280 already handles this for App tokens
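
Added example, not part of the original issue and not the project's code: a compile-time check that every step id referenced by github-token is declared in setup-steps, so the token expression can only resolve inside the same job. The SetupStep type and UnresolvedStepRefs function are hypothetical names, and the sample values are constructed from the YAML above.

```go
package main

import (
	"fmt"
	"regexp"
)

// SetupStep is a hypothetical, minimal model of one entry under the proposed
// safe-outputs.setup-steps field (only the keys this check needs).
type SetupStep struct {
	Name string
	ID   string
}

// stepRef matches steps.<id>.outputs.<name> inside a ${{ ... }} expression
// and captures the step id.
var stepRef = regexp.MustCompile(`steps\.([A-Za-z_][A-Za-z0-9_-]*)\.outputs\.[A-Za-z_][A-Za-z0-9_-]*`)

// UnresolvedStepRefs returns, in order of first appearance, the step ids that
// tokenExpr references but that no entry in steps declares. An empty result
// means every reference points at a step in the same job.
func UnresolvedStepRefs(tokenExpr string, steps []SetupStep) []string {
	declared := make(map[string]bool, len(steps))
	for _, s := range steps {
		if s.ID != "" {
			declared[s.ID] = true
		}
	}
	var missing []string
	seen := map[string]bool{}
	for _, m := range stepRef.FindAllStringSubmatch(tokenExpr, -1) {
		id := m[1]
		if !declared[id] && !seen[id] {
			seen[id] = true
			missing = append(missing, id)
		}
	}
	return missing
}

func main() {
	// Constructed input mirroring the proposed configuration.
	steps := []SetupStep{{Name: "Fetch GitHub Token from Vault", ID: "vault-token"}}
	fmt.Println(UnresolvedStepRefs("${{ steps.vault-token.outputs.token }}", steps))
	// A mistyped id is reported instead of silently producing no token.
	fmt.Println(UnresolvedStepRefs("${{ steps.vault.outputs.token }}", steps))
}
```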
