fix(release): update secrets handling scripts
parent
1e5f830652
commit
ca6b941cbb
|
@ -60,9 +60,9 @@ jobs:
|
|||
- name: Decrypt secrets
|
||||
run: |
|
||||
./scripts/setup-age.sh
|
||||
./scripts/signing-setup.sh "$ENCRYPT_KEY"
|
||||
./scripts/signing-setup.sh "$AGE_SECRET_KEY"
|
||||
env:
|
||||
ENCRYPT_KEY: ${{ secrets.ENCRYPT_KEY }}
|
||||
AGE_SECRET_KEY: ${{ secrets.AGE_SECRET_KEY }}
|
||||
|
||||
- name: Build release app
|
||||
uses: gradle/gradle-build-action@a4cf152f482c7ca97ef56ead29bf08bcd953284c # v2.7.0
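Review bot: The age private key is passed on the command line in `./scripts/signing-setup.sh "$AGE_SECRET_KEY"`, so it sits in that process's argv for the whole run, where the process list exposes it to anything else on the runner. The step already exports the value through `env:`, so the call could be plain `./scripts/signing-setup.sh`, with the script reading `"${AGE_SECRET_KEY:?}"` itself. The script side needs the matching change, since signing-setup.sh still takes the key from `${1}`.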
|
||||
|
|
|
@ -2,15 +2,17 @@
|
|||
|
||||
set -euo pipefail
|
||||
|
||||
# Simple script that uses OpenSSL to encrypt a provided file with a provided key, and writes the result
|
||||
# to the provided path. Yes it's very needy.
|
||||
|
||||
INPUT_FILE="${1:-}"
|
||||
OUTPUT_FILE="${2:-}"
|
||||
ENCRYPT_KEY="${3:-}"
|
||||
AGE_KEY="${3:-}"
|
||||
|
||||
if [[ -n "$ENCRYPT_KEY" && -n "$INPUT_FILE" && -n "$OUTPUT_FILE" ]]; then
|
||||
openssl enc -aes-256-cbc -md sha256 -pbkdf2 -e -in "${INPUT_FILE}" -out "${OUTPUT_FILE}" -k "${ENCRYPT_KEY}"
|
||||
else
|
||||
echo "Usage: ./encrypt-secret.sh <input file> <output file> <encryption key>"
|
||||
if ! command -v age 1>/dev/null; then
|
||||
echo "age not installed"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [[ -n "$AGE_KEY" && -n "$INPUT_FILE" && -n "$OUTPUT_FILE" ]]; then
|
||||
age --encrypt -r "$(echo "${AGE_KEY}" | age-keygen -y)" -o "${OUTPUT_FILE}" < "${INPUT_FILE}"
|
||||
else
|
||||
echo "Usage: ./encrypt-secret.sh <input file> <output file> <encryption key>"
|
||||
fi
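Review bot: Encrypting only needs the public recipient, yet the new code requires the age private key as the third argument and derives the recipient from it with `age-keygen -y`, which puts the secret in argv and shell history for an operation that does not need it. Taking the recipient directly, e.g. `age --encrypt -r "${AGE_RECIPIENT}" -o "${OUTPUT_FILE}" < "${INPUT_FILE}"` (variable name is a suggestion), would let the script run without the private key present. Separately, the usage branch still exits 0, so a caller cannot detect a missing argument; printing the usage to stderr and adding `exit 2` would fix that. The header comment also still says the script uses OpenSSL and should be updated to name age.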
|
||||
|
|
|
@ -3,11 +3,11 @@
|
|||
set -euo pipefail
|
||||
|
||||
ENCRYPT_KEY="${1}"
|
||||
TEMP_KEY="$(mktemp)"
|
||||
KEY_FILE="$(mktemp)"
|
||||
|
||||
trap "rm -rf ${TEMP_KEY} 2>/dev/null" INT TERM EXIT
|
||||
trap "rm -rf ${KEY_FILE} 2>/dev/null" INT TERM EXIT
|
||||
|
||||
echo "${ENCRYPT_KEY:?}" > "${TEMP_KEY}"
|
||||
echo "${ENCRYPT_KEY:?}" > "${KEY_FILE}"
|
||||
|
||||
function decrypt() {
|
||||
if ! command -v age 1>/dev/null; then
|
||||
|
@ -16,8 +16,8 @@ function decrypt() {
|
|||
fi
|
||||
SRC="${1}"
|
||||
DST="${2}"
|
||||
age --decrypt -i "${TEMP_KEY}" -o "${DST:?}" "${SRC:?}"
|
||||
age --decrypt -i "${KEY_FILE}" -o "${DST:?}" "${SRC:?}"
|
||||
}
|
||||
|
||||
decrypt secrets/keystore.cipher keystore.jks
|
||||
decrypt secrets/props.cipher keystore.properties
|
||||
decrypt secrets/keystore.jks.age keystore.jks
|
||||
decrypt secrets/keystore.properties.age keystore.properties
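Review bot: The cleanup trap `trap "rm -rf ${KEY_FILE} 2>/dev/null" INT TERM EXIT` expands the path when the trap is defined and leaves it unquoted inside the handler, and `-rf` is broader than a single temp file needs; `trap 'rm -f -- "${KEY_FILE}"' INT TERM EXIT` is the safer form. The variable holding the age identity is still named `ENCRYPT_KEY`, which no longer matches what it contains. The decrypted `keystore.jks` and `keystore.properties` are written with whatever umask the runner has, so a `umask 077` before the `decrypt` calls would be worth adding. The body of `decrypt` is only partly visible across the two hunks.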
|
||||
|
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.