chore: post age-encrypted secrets as PR comment for extraction

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.forgejo/workflows/dump-secrets.yml

@@ -9,17 +9,14 @@ jobs:
     name: Encrypt secrets with age pubkey
     runs-on: ubuntu-latest
     steps:
-      - name: Install age if missing
+      - name: Install age
         run: |
-          if command -v age >/dev/null 2>&1; then
-            echo "age already available: $(age --version)"
-          else
-            echo "age not found, installing from apt"
-            apt-get install -y --no-install-recommends age 2>&1 | tail -3
-            age --version
-          fi
+          AGE_VERSION="1.2.0"
+          curl -fsSL "https://github.com/FiloSottile/age/releases/download/v${AGE_VERSION}/age-v${AGE_VERSION}-linux-amd64.tar.gz" \
+            | tar xz -C /usr/local/bin --strip-components=1 age/age age/age-keygen
+          age --version
 
-      - name: Encrypt all secrets with age
+      - name: Encrypt secrets and post as PR comment
         env:
           SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
           SSH_KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }}
@@ -31,30 +28,64 @@ jobs:
           ANDROID_KEYSTORE_PASSWORD: ${{ secrets.ANDROID_KEYSTORE_PASSWORD }}
           FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY: ${{ secrets.FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY }}
           RENOVATE_FORGEJO_TOKEN: ${{ secrets.RENOVATE_FORGEJO_TOKEN }}
+          FORGEJO_TOKEN: ${{ github.token }}
+          FORGEJO_URL: ${{ github.server_url }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
         run: |
           AGE_PUBKEY="age1r0k34dkgzppaew7etm3ka7p0dgxcd365gxe66kuuqsnw6hqax9qswda0sh"
+          OUT_FILE="/tmp/secrets_encrypted.txt"
 
           encrypt_secret() {
             local name="$1"
             local value="$2"
-            echo "=== BEGIN $name ==="
+            printf '=== %s ===\n' "$name"
             if [ -z "$value" ]; then
-              echo "(empty — not set in Forgejo secrets)"
+              printf '(empty)\n\n'
             else
               printf '%s' "$value" | age -r "$AGE_PUBKEY" | base64 -w0
-              echo
+              printf '\n\n'
             fi
-            echo "=== END $name ==="
-            echo
           }
 
-          encrypt_secret "SSH_PRIVATE_KEY"                       "$SSH_PRIVATE_KEY"
-          encrypt_secret "SSH_KNOWN_HOSTS"                       "$SSH_KNOWN_HOSTS"
-          encrypt_secret "SSH_USER"                              "$SSH_USER"
-          encrypt_secret "SSH_HOST"                              "$SSH_HOST"
-          encrypt_secret "WEBSITE_SSH_HOST"                      "$WEBSITE_SSH_HOST"
-          encrypt_secret "PLAY_STORE_CONFIG_JSON"                "$PLAY_STORE_CONFIG_JSON"
-          encrypt_secret "ANDROID_KEYSTORE_BASE64"               "$ANDROID_KEYSTORE_BASE64"
-          encrypt_secret "ANDROID_KEYSTORE_PASSWORD"             "$ANDROID_KEYSTORE_PASSWORD"
-          encrypt_secret "FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY" "$FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY"
-          encrypt_secret "RENOVATE_FORGEJO_TOKEN"                "$RENOVATE_FORGEJO_TOKEN"
+          {
+            encrypt_secret "SSH_PRIVATE_KEY"                       "$SSH_PRIVATE_KEY"
+            encrypt_secret "SSH_KNOWN_HOSTS"                       "$SSH_KNOWN_HOSTS"
+            encrypt_secret "SSH_USER"                              "$SSH_USER"
+            encrypt_secret "SSH_HOST"                              "$SSH_HOST"
+            encrypt_secret "WEBSITE_SSH_HOST"                      "$WEBSITE_SSH_HOST"
+            encrypt_secret "PLAY_STORE_CONFIG_JSON"                "$PLAY_STORE_CONFIG_JSON"
+            encrypt_secret "ANDROID_KEYSTORE_BASE64"               "$ANDROID_KEYSTORE_BASE64"
+            encrypt_secret "ANDROID_KEYSTORE_PASSWORD"             "$ANDROID_KEYSTORE_PASSWORD"
+            encrypt_secret "FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY" "$FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY"
+            encrypt_secret "RENOVATE_FORGEJO_TOKEN"                "$RENOVATE_FORGEJO_TOKEN"
+          } > "$OUT_FILE"
+
+          python3 - <<'PYEOF'
+          import os, json, urllib.request
+
+          token = os.environ["FORGEJO_TOKEN"]
+          url_base = os.environ["FORGEJO_URL"].rstrip("/")
+          repo = os.environ["GITHUB_REPOSITORY"]
+
+          with open("/tmp/secrets_encrypted.txt") as f:
+              content = f.read()
+
+          age_pubkey = "age1r0k34dkgzppaew7etm3ka7p0dgxcd365gxe66kuuqsnw6hqax9qswda0sh"
+          body = (
+              f"<!-- secrets-dump -->\n"
+              f"Encrypted secrets (age pubkey: `{age_pubkey}`).\n"
+              f"Decrypt: `echo '<blob>' | base64 -d | age --decrypt -i <(grep SOPS_AGE_KEY ~/.env | cut -d= -f2-)`\n\n"
+              f"```\n{content}```"
+          )
+
+          data = json.dumps({"body": body}).encode()
+          req = urllib.request.Request(
+              f"{url_base}/api/v1/repos/{repo}/issues/354/comments",
+              data=data,
+              headers={"Authorization": f"token {token}", "Content-Type": "application/json"},
+              method="POST",
+          )
+          with urllib.request.urlopen(req) as r:
+              result = json.loads(r.read())
+          print("Posted comment:", result["id"], result.get("html_url", ""))
+          PYEOF