
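# TEMPORARY migration helper: encrypts every repository secret to one age
# recipient and writes the ciphertext (base64, one line per secret) to the job
# log so it can be pasted into a sops store. Delete this file, the
# `sops-migrate` branch AND the workflow-run logs once the migration is done.
#
# Review notes on the threat model:
# - `secrets.*` is populated for any push to `sops-migrate`, so anyone with push
#   rights to that branch can run this job. Keep the branch protected (or the
#   pusher set minimal) for as long as this file exists.
# - Anyone who can edit this file can swap AGE_PUBKEY for their own key and
#   receive every secret. The recipient is echoed at the top of the log; check
#   it against the key you generated out-of-band before trusting the output.
# - Only ciphertext reaches the log. The runner's secret masking does not apply
#   to it (intended); never print a secret in plaintext in this job.
name: Dump Secrets (TEMP - delete after use)

on:
  push:
    branches: [sops-migrate]

jobs:
  dump:
    name: Encrypt secrets with age pubkey
    runs-on: ubuntu-latest
    steps:
      - name: Install age if missing
        run: |
          set -euo pipefail
          if command -v age >/dev/null 2>&1; then
            echo "age already available: $(age --version)"
          else
            echo "age not found, installing from apt"
            # Runner images differ: container runners commonly run as root,
            # VM runners need sudo. Refresh the index first — a stale package
            # list is the usual reason an install on a fresh image fails.
            SUDO=""
            if [ "$(id -u)" -ne 0 ]; then SUDO="sudo"; fi
            $SUDO apt-get update -qq 2>&1 | tail -3
            $SUDO apt-get install -y --no-install-recommends age 2>&1 | tail -3
            age --version
          fi

      - name: Encrypt all secrets with age
        env:
          SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
          SSH_KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }}
          SSH_USER: ${{ secrets.SSH_USER }}
          SSH_HOST: ${{ secrets.SSH_HOST }}
          WEBSITE_SSH_HOST: ${{ secrets.WEBSITE_SSH_HOST }}
          PLAY_STORE_CONFIG_JSON: ${{ secrets.PLAY_STORE_CONFIG_JSON }}
          ANDROID_KEYSTORE_BASE64: ${{ secrets.ANDROID_KEYSTORE_BASE64 }}
          ANDROID_KEYSTORE_PASSWORD: ${{ secrets.ANDROID_KEYSTORE_PASSWORD }}
          FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY: ${{ secrets.FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY }}
          RENOVATE_FORGEJO_TOKEN: ${{ secrets.RENOVATE_FORGEJO_TOKEN }}
        run: |
          # pipefail matters here: without it a failing `age` leaves `base64`
          # as the pipeline's exit status, the step "succeeds", and an empty
          # line is logged that looks like a successfully encrypted secret.
          set -euo pipefail

          # Recipient public key. Whoever controls this line receives every
          # secret, so it is echoed for out-of-band verification.
          AGE_PUBKEY="age1r0k34dkgzppaew7etm3ka7p0dgxcd365gxe66kuuqsnw6hqax9qswda0sh"
          echo "Encrypting to age recipient: $AGE_PUBKEY"
          echo

          # encrypt_secret NAME VALUE
          # Prints NAME's ciphertext as one base64 line between BEGIN/END
          # markers, or a placeholder line when the secret is unset/empty.
          encrypt_secret() {
            local name="$1"
            local value="$2"
            echo "=== BEGIN $name ==="
            if [ -z "$value" ]; then
              echo "(empty — not set in Forgejo secrets)"
            else
              # printf '%s' hands the value over byte-for-byte (no added
              # trailing newline), which matters for keys and JSON blobs.
              printf '%s' "$value" | age -r "$AGE_PUBKEY" | base64 -w0
              echo
            fi
            echo "=== END $name ==="
            echo
          }

          # Same list as the env block above; add a secret in both places.
          # ${!name:-} is bash indirect expansion (the default `run` shell);
          # the :- default keeps `set -u` quiet if a name is ever missing.
          for name in \
            SSH_PRIVATE_KEY \
            SSH_KNOWN_HOSTS \
            SSH_USER \
            SSH_HOST \
            WEBSITE_SSH_HOST \
            PLAY_STORE_CONFIG_JSON \
            ANDROID_KEYSTORE_BASE64 \
            ANDROID_KEYSTORE_PASSWORD \
            FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY \
            RENOVATE_FORGEJO_TOKEN; do
            encrypt_secret "$name" "${!name:-}"
          done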