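---
# Reusable workflow: fetch a single secret from a named GitHub environment and
# hand it back to the caller as an *encrypted* job output.
#
# GitHub Actions drops job outputs that it detects as containing a secret, so
# the value is encrypted with `encryption_key` (AES-256-CBC, PBKDF2) and
# base64-encoded before it is written to `secret_value`. The caller decrypts
# with the same passphrase, e.g.
# `base64 -d | openssl enc -d -aes-256-cbc -pbkdf2 -pass env:ENCRYPTION_KEY`.
#
# Inputs and secrets are handed to shell steps through `env:` rather than
# inline `${{ }}` expansion, so their contents are never interpreted as shell
# syntax and the passphrase never appears on a command line.
name: Reusable Fetch Secret Workflow

# Least privilege: this workflow only uses the caller-supplied `gh_token`,
# never the automatic GITHUB_TOKEN, so drop all of its permissions.
permissions: {}

on:  # yamllint disable-line rule:truthy
  workflow_call:
    inputs:
      secret_name:
        description: 'Name of the environment secret to fetch'
        required: true
        type: string
      env_name:
        description: 'GitHub environment the secret is defined in'
        required: true
        type: string
    outputs:
      secret_value:
        description: 'Secret value, encrypted with the encryption key'
        value: ${{ jobs.fetch-credentials.outputs.secret_value }}
      environment_exists:
        description: 'Whether the environment exists or not'
        value: ${{ jobs.check-environment.outputs.environment_exists }}
    secrets:
      gh_token:
        description: 'GitHub API token used to look up the environment'
        required: true
      encryption_key:
        description: 'Passphrase used to encrypt the fetched secret'
        required: true
      # All secrets that we want to allow access to need to be defined in
      # this list; a caller can only pass secrets that are declared here.
      BACKUP_ENCRYPTION_PASSPHRASE:
        required: false
      SSH_KEY:
        required: false

jobs:
  check-environment:
    name: Check if Environment Exists
    runs-on: ubuntu-22.04
    outputs:
      environment_exists: ${{ steps.check-env.outputs.exists }}
    steps:
      - name: Check if gh_token is set
        id: check-token
        env:
          GH_TOKEN: ${{ secrets.gh_token }}
        run: |
          if [ -z "$GH_TOKEN" ]; then
            echo "Secret gh_token is not set. Make sure you pass a valid GitHub API token before running this pipeline."
            exit 1
          fi

      - name: Check if environment exists
        id: check-env
        env:
          ENV_NAME: ${{ inputs.env_name }}
          GH_TOKEN: ${{ secrets.gh_token }}
          REPO: ${{ github.repository }}
        run: |
          # The environments API answers 200 for an existing environment and
          # 404 otherwise; checking the status code is more robust than
          # grepping the JSON body for the name.
          STATUS=$(curl -s -o /dev/null -w '%{http_code}' \
            -H "Accept: application/vnd.github+json" \
            -H "Authorization: Bearer $GH_TOKEN" \
            "https://api.github.com/repos/$REPO/environments/$ENV_NAME")
          if [ "$STATUS" = "200" ]; then
            echo "Environment $ENV_NAME exists."
            echo "exists=true" >> "$GITHUB_OUTPUT"
          else
            # A 401/403 also lands here: an unusable token looks like a
            # missing environment, so the status is printed for diagnosis.
            echo "Environment $ENV_NAME does not exist (HTTP $STATUS)."
            echo "exists=false" >> "$GITHUB_OUTPUT"
          fi

  fetch-credentials:
    name: Fetch Secret
    runs-on: ubuntu-22.04
    environment: ${{ inputs.env_name }}
    needs: check-environment
    # Without this GitHub Actions will create the environment when it doesn't exist
    if: needs.check-environment.outputs.environment_exists == 'true'
    outputs:
      secret_value: ${{ steps.fetch-credentials.outputs.secret_value }}
    steps:
      - name: Fetch the secret
        id: fetch-credentials
        env:
          SECRET_NAME: ${{ inputs.secret_name }}
          # Dynamic lookup of the requested secret; empty when the caller did
          # not pass it or it is not defined in the environment.
          SECRET_VALUE: ${{ secrets[inputs.secret_name] }}
          ENCRYPTION_KEY: ${{ secrets.encryption_key }}
        run: |
          set -o pipefail
          if [ -z "$SECRET_VALUE" ]; then
            echo "Secret $SECRET_NAME is empty. Usually this means you have not explicitly stated the secrets"
            echo "in both the workflow file get-secrets-from-environment and in the file you are using the reusable workflow from."
            echo "Please make sure you have added the secret to the workflow files and retry."
            exit 1
          fi
          # Encrypt in a pipeline: no ciphertext file is left in the workspace,
          # and the passphrase is read from the environment instead of being
          # passed as a command-line argument (visible in the process list).
          ENCODED_ENCRYPTED_SECRET=$(printf '%s' "$SECRET_VALUE" \
            | openssl enc -aes-256-cbc -pbkdf2 -salt -pass env:ENCRYPTION_KEY \
            | base64)
          # Random heredoc delimiter so the multi-line base64 value cannot
          # collide with it.
          EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
          {
            echo "secret_value<<$EOF"
            echo "$ENCODED_ENCRYPTED_SECRET"
            echo "$EOF"
          } >> "$GITHUB_OUTPUT"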