msfjarvis/compose-lobsters
1
Fork 0
mirror of https://github.com/msfjarvis/compose-lobsters synced 2025-08-14 09:27:03 +05:30
Code Issues Projects Releases Packages Wiki Activity Actions 3

chore: re-encrypt secrets with age

Browse source
This commit is contained in:
Harsh Shandilya 2022-12-11 18:03:03 +05:30
parent 010f69031a
commit 943b9bd091
No known key found for this signature in database
7 changed files with 55 additions and 14 deletions
Download patch file Download diff file Expand all files Collapse all files

4
.github/workflows/baseline-profile.yml vendored
View file

@ -38,7 +38,9 @@ jobs:
gradle-home-cache-cleanup: true gradle-home-cache-cleanup: true
- name: Decrypt secrets - name: Decrypt secrets
run: scripts/signing-setup.sh "$ENCRYPT_KEY" run: |
./scripts/setup-age.sh
./scripts/signing-setup.sh "$ENCRYPT_KEY"
env: env:
ENCRYPT_KEY: ${{ secrets.ENCRYPT_KEY }} ENCRYPT_KEY: ${{ secrets.ENCRYPT_KEY }}

4
.github/workflows/ci.yml vendored
View file

@ -62,7 +62,9 @@ jobs:
java-version: 18 java-version: 18
- name: Decrypt secrets - name: Decrypt secrets
run: scripts/signing-setup.sh "$ENCRYPT_KEY" run: |
./scripts/setup-age.sh
./scripts/signing-setup.sh "$ENCRYPT_KEY"
env: env:
ENCRYPT_KEY: ${{ secrets.ENCRYPT_KEY }} ENCRYPT_KEY: ${{ secrets.ENCRYPT_KEY }}

4
.github/workflows/release.yml vendored
View file

@ -31,7 +31,9 @@ jobs:
cache-read-only: true cache-read-only: true
- name: Decrypt secrets - name: Decrypt secrets
run: scripts/signing-setup.sh "$ENCRYPT_KEY" run: |
./scripts/setup-age.sh
./scripts/signing-setup.sh "$ENCRYPT_KEY"
env: env:
ENCRYPT_KEY: ${{ secrets.ENCRYPT_KEY }} ENCRYPT_KEY: ${{ secrets.ENCRYPT_KEY }}

31
scripts/setup-age.sh Executable file
View file

@ -0,0 +1,31 @@
#!/usr/bin/env bash
set -euxo pipefail
TEMP_DIR="$(mktemp -d)"
BIN_DIR=""
AGE_VERSION="v1.0.0"
AGE_FILE=""
case "$(uname)" in
Linux)
AGE_FILE="age-${AGE_VERSION}-linux-amd64.tar.gz"
BIN_DIR="${HOME}/.local/bin"
;;
Darwin)
AGE_FILE="age-${AGE_VERSION}-darwin-amd64.tar.gz"
BIN_DIR="${HOME}/bin"
;;
*) echo "Unsupported system: $(uname)"; exit 1 ;;
esac
pushd "${TEMP_DIR}"
curl -L --silent --show-error --retry 3 --fail -o age.tar.gz "https://github.com/FiloSottile/age/releases/download/v1.0.0/${AGE_FILE:?}"
tar xvf age.tar.gz
rm age/LICENSE
mkdir -p "${BIN_DIR}"
mv -v age/age "${BIN_DIR}" && chmod +x "${BIN_DIR}/age"
mv -v age/age-keygen "${BIN_DIR}" && chmod +x "${BIN_DIR}/age-keygen"
popd

26
scripts/signing-setup.sh
View file

@ -2,16 +2,20 @@
set -euo pipefail set -euo pipefail
ENCRYPT_KEY="${1:-}" ENCRYPT_KEY="${1}"
TEMP_KEY="$(mktemp)"
declare -A SECRETS echo "${ENCRYPT_KEY:?}" > "${TEMP_KEY}"
SECRETS[secrets/keystore.cipher]=keystore.jks
SECRETS[secrets/props.cipher]=keystore.properties
if [[ -n "$ENCRYPT_KEY" ]]; then function decrypt() {
for src in "${!SECRETS[@]}"; do if ! command -v age 1>/dev/null; then
openssl enc -aes-256-cbc -md sha256 -pbkdf2 -d -in "${src}" -out "${SECRETS[${src}]}" -k "${ENCRYPT_KEY}" echo "age not installed"
done exit 1
else fi
echo "Usage: ./signing-setup.sh <encryption key>" SRC="${1}"
fi DST="${2}"
age --decrypt -i "${TEMP_KEY}" -o "${DST:?}" "${SRC:?}"
}
decrypt secrets/keystore.cipher keystore.jks
decrypt secrets/props.cipher keystore.properties

BIN
secrets/keystore.cipher
View file

Binary file not shown.

BIN
secrets/props.cipher
View file

Binary file not shown.