chore: re-encrypt secrets with age
This commit is contained in:
parent
010f69031a
commit
943b9bd091
7 changed files with 55 additions and 14 deletions
4
.github/workflows/baseline-profile.yml
vendored
4
.github/workflows/baseline-profile.yml
vendored
|
@ -38,7 +38,9 @@ jobs:
|
|||
gradle-home-cache-cleanup: true
|
||||
|
||||
- name: Decrypt secrets
|
||||
run: scripts/signing-setup.sh "$ENCRYPT_KEY"
|
||||
run: |
|
||||
./scripts/setup-age.sh
|
||||
./scripts/signing-setup.sh "$ENCRYPT_KEY"
|
||||
env:
|
||||
ENCRYPT_KEY: ${{ secrets.ENCRYPT_KEY }}
|
||||
|
||||
|
|
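Review bot: The new `run: |` step runs `./scripts/setup-age.sh`, which installs age into `${HOME}/.local/bin` (Linux) or `${HOME}/bin` (macOS), and then `./scripts/signing-setup.sh`, whose `command -v age` check fails unless that directory is already on PATH in the same shell; `$GITHUB_PATH` would not help here because it only applies to later steps. Unless the runner image is known to have those directories on PATH, add `export PATH="${HOME}/.local/bin:${HOME}/bin:${PATH}"` between the two script lines. `$ENCRYPT_KEY` is also still passed as a command-line argument, which is visible in process listings on the runner while the script runs; since the step already exports it via `env:`, signing-setup.sh could read the variable directly instead. The same change appears in ci.yml and release.yml.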
4
.github/workflows/ci.yml
vendored
4
.github/workflows/ci.yml
vendored
|
@ -62,7 +62,9 @@ jobs:
|
|||
java-version: 18
|
||||
|
||||
- name: Decrypt secrets
|
||||
run: scripts/signing-setup.sh "$ENCRYPT_KEY"
|
||||
run: |
|
||||
./scripts/setup-age.sh
|
||||
./scripts/signing-setup.sh "$ENCRYPT_KEY"
|
||||
env:
|
||||
ENCRYPT_KEY: ${{ secrets.ENCRYPT_KEY }}
|
||||
|
||||
|
|
4
.github/workflows/release.yml
vendored
4
.github/workflows/release.yml
vendored
|
@ -31,7 +31,9 @@ jobs:
|
|||
cache-read-only: true
|
||||
|
||||
- name: Decrypt secrets
|
||||
run: scripts/signing-setup.sh "$ENCRYPT_KEY"
|
||||
run: |
|
||||
./scripts/setup-age.sh
|
||||
./scripts/signing-setup.sh "$ENCRYPT_KEY"
|
||||
env:
|
||||
ENCRYPT_KEY: ${{ secrets.ENCRYPT_KEY }}
|
||||
|
||||
|
|
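--- a/scripts/setup-age.sh
+++ b/scripts/setup-age.sh
@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+
+set -euxo pipefail
+
+TEMP_DIR="$(mktemp -d)"
+BIN_DIR=""
+AGE_VERSION="v1.0.0"
+AGE_FILE=""
+
+case "$(uname)" in
+Linux)
+AGE_FILE="age-${AGE_VERSION}-linux-amd64.tar.gz"
+BIN_DIR="${HOME}/.local/bin"
+;;
+Darwin)
+AGE_FILE="age-${AGE_VERSION}-darwin-amd64.tar.gz"
+BIN_DIR="${HOME}/bin"
+;;
+*) echo "Unsupported system: $(uname)"; exit 1 ;;
+esac
+
+pushd "${TEMP_DIR}"
+
+curl -L --silent --show-error --retry 3 --fail -o age.tar.gz "https://github.com/FiloSottile/age/releases/download/v1.0.0/${AGE_FILE:?}"
+tar xvf age.tar.gz
+rm age/LICENSE
+mkdir -p "${BIN_DIR}"
+mv -v age/age "${BIN_DIR}" && chmod +x "${BIN_DIR}/age"
+mv -v age/age-keygen "${BIN_DIR}" && chmod +x "${BIN_DIR}/age-keygen"
+
+popd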
@ -2,16 +2,20 @@
|
|||
|
||||
set -euo pipefail
|
||||
|
||||
ENCRYPT_KEY="${1:-}"
|
||||
ENCRYPT_KEY="${1}"
|
||||
TEMP_KEY="$(mktemp)"
|
||||
|
||||
declare -A SECRETS
|
||||
SECRETS[secrets/keystore.cipher]=keystore.jks
|
||||
SECRETS[secrets/props.cipher]=keystore.properties
|
||||
echo "${ENCRYPT_KEY:?}" > "${TEMP_KEY}"
|
||||
|
||||
if [[ -n "$ENCRYPT_KEY" ]]; then
|
||||
for src in "${!SECRETS[@]}"; do
|
||||
openssl enc -aes-256-cbc -md sha256 -pbkdf2 -d -in "${src}" -out "${SECRETS[${src}]}" -k "${ENCRYPT_KEY}"
|
||||
done
|
||||
else
|
||||
echo "Usage: ./signing-setup.sh <encryption key>"
|
||||
function decrypt() {
|
||||
if ! command -v age 1>/dev/null; then
|
||||
echo "age not installed"
|
||||
exit 1
|
||||
fi
|
||||
SRC="${1}"
|
||||
DST="${2}"
|
||||
age --decrypt -i "${TEMP_KEY}" -o "${DST:?}" "${SRC:?}"
|
||||
}
|
||||
|
||||
decrypt secrets/keystore.cipher keystore.jks
|
||||
decrypt secrets/props.cipher keystore.properties
|
||||
|
|
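Review bot: `TEMP_KEY` receives the age identity via `echo "${ENCRYPT_KEY:?}" > "${TEMP_KEY}"` but is never removed, so the private key stays on disk in the temp directory after the script exits, including on the error paths inside `decrypt`. Add `trap 'rm -f -- "${TEMP_KEY}"' EXIT` directly after the mktemp line, and write the key with `printf '%s\n' "${ENCRYPT_KEY:?}" > "${TEMP_KEY}"` so a value beginning with `-` is not treated as an echo option. `SRC` and `DST` inside `decrypt` are also unscoped globals; `local SRC="${1}" DST="${2}"` keeps them inside the function. The file's shebang line sits outside this hunk.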
Binary file not shown.
Binary file not shown.