Thomas SharedInboxandClaude Sonnet 4.6
ef4448e8b6
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
92 lines
3.9 KiB
YAML
92 lines
3.9 KiB
YAML
name: Dump Secrets (TEMP - delete after use)
|
|
|
|
on:
|
|
push:
|
|
branches: [sops-migrate]
|
|
|
|
jobs:
|
|
dump:
|
|
name: Encrypt secrets with age pubkey
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Install age
|
|
run: |
|
|
AGE_VERSION="1.2.0"
|
|
curl -fsSL "https://github.com/FiloSottile/age/releases/download/v${AGE_VERSION}/age-v${AGE_VERSION}-linux-amd64.tar.gz" \
|
|
| tar xz -C /usr/local/bin --strip-components=1 age/age age/age-keygen
|
|
age --version
|
|
|
|
- name: Encrypt secrets and post as PR comment
|
|
env:
|
|
SSH_PRIVATE_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
|
|
SSH_KNOWN_HOSTS: ${{ secrets.SSH_KNOWN_HOSTS }}
|
|
SSH_USER: ${{ secrets.SSH_USER }}
|
|
SSH_HOST: ${{ secrets.SSH_HOST }}
|
|
WEBSITE_SSH_HOST: ${{ secrets.WEBSITE_SSH_HOST }}
|
|
PLAY_STORE_CONFIG_JSON: ${{ secrets.PLAY_STORE_CONFIG_JSON }}
|
|
ANDROID_KEYSTORE_BASE64: ${{ secrets.ANDROID_KEYSTORE_BASE64 }}
|
|
ANDROID_KEYSTORE_PASSWORD: ${{ secrets.ANDROID_KEYSTORE_PASSWORD }}
|
|
FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY: ${{ secrets.FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY }}
|
|
RENOVATE_FORGEJO_TOKEN: ${{ secrets.RENOVATE_FORGEJO_TOKEN }}
|
|
FORGEJO_TOKEN: ${{ github.token }}
|
|
FORGEJO_URL: ${{ github.server_url }}
|
|
GITHUB_REPOSITORY: ${{ github.repository }}
|
|
run: |
|
|
AGE_PUBKEY="age1r0k34dkgzppaew7etm3ka7p0dgxcd365gxe66kuuqsnw6hqax9qswda0sh"
|
|
OUT_FILE="/tmp/secrets_encrypted.txt"
|
|
|
|
encrypt_secret() {
|
|
local name="$1"
|
|
local value="$2"
|
|
printf '=== %s ===\n' "$name"
|
|
if [ -z "$value" ]; then
|
|
printf '(empty)\n\n'
|
|
else
|
|
printf '%s' "$value" | age -r "$AGE_PUBKEY" | base64 -w0
|
|
printf '\n\n'
|
|
fi
|
|
}
|
|
|
|
{
|
|
encrypt_secret "SSH_PRIVATE_KEY" "$SSH_PRIVATE_KEY"
|
|
encrypt_secret "SSH_KNOWN_HOSTS" "$SSH_KNOWN_HOSTS"
|
|
encrypt_secret "SSH_USER" "$SSH_USER"
|
|
encrypt_secret "SSH_HOST" "$SSH_HOST"
|
|
encrypt_secret "WEBSITE_SSH_HOST" "$WEBSITE_SSH_HOST"
|
|
encrypt_secret "PLAY_STORE_CONFIG_JSON" "$PLAY_STORE_CONFIG_JSON"
|
|
encrypt_secret "ANDROID_KEYSTORE_BASE64" "$ANDROID_KEYSTORE_BASE64"
|
|
encrypt_secret "ANDROID_KEYSTORE_PASSWORD" "$ANDROID_KEYSTORE_PASSWORD"
|
|
encrypt_secret "FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY" "$FIREBASE_TEST_LAB_SERVICE_ACCOUNT_KEY"
|
|
encrypt_secret "RENOVATE_FORGEJO_TOKEN" "$RENOVATE_FORGEJO_TOKEN"
|
|
} > "$OUT_FILE"
|
|
|
|
python3 - <<'PYEOF'
|
|
import os, json, urllib.request
|
|
|
|
token = os.environ["FORGEJO_TOKEN"]
|
|
url_base = os.environ["FORGEJO_URL"].rstrip("/")
|
|
repo = os.environ["GITHUB_REPOSITORY"]
|
|
|
|
with open("/tmp/secrets_encrypted.txt") as f:
|
|
content = f.read()
|
|
|
|
age_pubkey = "age1r0k34dkgzppaew7etm3ka7p0dgxcd365gxe66kuuqsnw6hqax9qswda0sh"
|
|
body = (
|
|
f"<!-- secrets-dump -->\n"
|
|
f"Encrypted secrets (age pubkey: `{age_pubkey}`).\n"
|
|
f"Decrypt: `echo '<blob>' | base64 -d | age --decrypt -i <(grep SOPS_AGE_KEY ~/.env | cut -d= -f2-)`\n\n"
|
|
f"```\n{content}```"
|
|
)
|
|
|
|
data = json.dumps({"body": body}).encode()
|
|
req = urllib.request.Request(
|
|
f"{url_base}/api/v1/repos/{repo}/issues/354/comments",
|
|
data=data,
|
|
headers={"Authorization": f"token {token}", "Content-Type": "application/json"},
|
|
method="POST",
|
|
)
|
|
with urllib.request.urlopen(req) as r:
|
|
result = json.loads(r.read())
|
|
print("Posted comment:", result["id"], result.get("html_url", ""))
|
|
PYEOF
|