ci: use secrets from the source of truth

Author: v1v

.github/workflows/smoke-tests.yml

@@ -30,10 +30,9 @@ jobs:
       TF_VAR_REPO: "${{ github.repository }}"
       SMOKETEST_VERSIONS: "${{ inputs.smoketest_versions || 'latest' }}"
       SKIP_DESTROY: 0
-      # TODO: replace with keyless (likely AWS and Google Secrets Manager)
+      # TODO: replace with keyless (likely AWS)
       AWS_ACCESS_KEY_ID: ${{ secrets.OBSERVABILITY_AWS_ACCESS_KEY_ID }}
       AWS_SECRET_ACCESS_KEY: ${{ secrets.OBSERVABILITY_AWS_SECRET_ACCESS_KEY }}
-      EC_API_KEY: ${{ secrets.OBSERVABILITY_EC_API_KEY }}
     steps:
       - uses: actions/checkout@v4
       - name: Bootstrap Action Workspace
@@ -43,6 +42,13 @@ jobs:
       - uses: hashicorp/setup-terraform@v3
         with:
           terraform_version: 1.2.3
+
+      - uses: google-github-actions/get-secretmanager-secrets@dc4a1392bad0fd60aee00bb2097e30ef07a1caae # v2.1.3
+        with:
+          export_to_environment: true
+          secrets: |-
+            EC_API_KEY:elastic-observability/secrets/elastic-cloud-observability-team-pro-api-key
+
       - run: make smoketest/run TEST_DIR=./tf
       - if: always()
         name: Tear down