guettli/sharedinbox
1
0
Fork 0
Code Issues 21 Pull Requests 6 Actions Packages Projects Releases Wiki Activity

fix: register SOPS-decrypted secrets for CI log redaction #460

Merged
guettlibot merged 1 commits from refs/pull/460/head into main 2026-06-06 03:38:48 +00:00
Conversation 0 Commits 1 Files Changed 1
+13
1 changed files with 13 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
scripts/setup_dagger_remote.sh
+13
View File
@@ -17,12 +17,25 @@ sops --decrypt --output-type json secrets.enc.yaml > "$SECRETS_JSON"
DAGGER_SSH_KEY=$(jq -r '.DAGGER_SSH_KEY' "$SECRETS_JSON")
DAGGER_ENGINE_HOST=$(jq -r '.DAGGER_ENGINE_HOST' "$SECRETS_JSON")
# Register inline secrets for log redaction. Multiline values (e.g. SSH keys)
# must be masked line-by-line because ::add-mask:: covers one line at a time.
printf '::add-mask::%s\n' "$DAGGER_ENGINE_HOST"
while IFS= read -r line; do
[ -n "$line" ] && printf '::add-mask::%s\n' "$line"
done <<< "$DAGGER_SSH_KEY"
# Export all CI secrets to the GitHub Actions environment so subsequent steps
# can use them without referencing Forgejo secrets directly.
export_secret() {
local name="$1"
local value
value=$(jq -r --arg k "$name" '.[$k] // empty' "$SECRETS_JSON")
# Register each non-empty line for log redaction in the Actions runner.
if [ -n "$value" ] && [ -n "${GITHUB_ENV:-}" ]; then
while IFS= read -r line; do
[ -n "$line" ] && printf '::add-mask::%s\n' "$line"
done <<< "$value"
fi
if [ -n "${GITHUB_ENV:-}" ]; then
# Use heredoc syntax for multiline-safe export.
# Avoid adding a second trailing newline for values that already end with one