
Commit a6f70c8

committed
fix the remaining batch of resources
1 parent c7ae539 commit a6f70c8

1 file changed

Lines changed: 127 additions & 0 deletions

@@ -0,0 +1,127 @@
1+
name: Copy Secrets to Release Environment
2+
3+
on:
4+
workflow_dispatch:
5+
inputs:
6+
environment:
7+
description: 'Target environment'
8+
required: true
9+
default: 'release'
10+
11+
jobs:
12+
copy-secrets:
13+
runs-on: ubuntu-latest
14+
permissions:
15+
contents: read
16+
actions: write
17+
18+
steps:
19+
- name: Install dependencies
20+
run: pip3 install PyNaCl requests
21+
22+
- name: Copy secrets to environment
23+
env:
24+
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
25+
TARGET_ENV: ${{ inputs.environment }}
26+
27+
SECRET_GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
28+
SECRET_PASSPHRASE: ${{ secrets.PASSPHRASE }}
29+
30+
run: |
31+
python3 << 'EOF'
32+
import os
33+
import sys
34+
import base64
35+
import requests
36+
from nacl import encoding, public
37+
38+
def encrypt_secret(public_key: str, secret_value: str) -> str:
39+
"""Encrypt a secret using the public key."""
40+
public_key_bytes = base64.b64decode(public_key)
41+
sealed_box = public.SealedBox(public.PublicKey(public_key_bytes))
42+
encrypted = sealed_box.encrypt(secret_value.encode("utf-8"))
43+
return base64.b64encode(encrypted).decode("utf-8")
44+
45+
# Get config from environment
46+
token = os.environ["GITHUB_TOKEN"]
47+
repo = os.environ["GITHUB_REPOSITORY"]
48+
target_env = os.environ["TARGET_ENV"]
49+
50+
headers = {
51+
"Authorization": f"token {token}",
52+
"Accept": "application/vnd.github+json",
53+
"Content-Type": "application/json"
54+
}
55+
56+
# Get environment public key
57+
print(f"Fetching public key for environment: {target_env}")
58+
response = requests.get(
59+
f"https://api.github.com/repos/{repo}/environments/{target_env}/secrets/public-key",
60+
headers=headers
61+
)
62+
response.raise_for_status()
63+
env_key_data = response.json()
64+
env_key = env_key_data["key"]
65+
env_key_id = env_key_data["key_id"]
66+
67+
print(f"✓ Got public key (ID: {env_key_id})")
68+
print()
69+
70+
# Get secrets from environment variables (prefixed with SECRET_)
71+
secrets_to_copy = {}
72+
for key, value in os.environ.items():
73+
if key.startswith("SECRET_") and value:
74+
secret_name = key[7:] # Remove SECRET_ prefix
75+
secrets_to_copy[secret_name] = value
76+
77+
if not secrets_to_copy:
78+
print("⚠️ No secrets found to copy!")
79+
sys.exit(1)
80+
81+
print(f"Copying {len(secrets_to_copy)} secret(s) to environment '{target_env}':")
82+
print()
83+
84+
success_count = 0
85+
fail_count = 0
86+
87+
for secret_name, secret_value in secrets_to_copy.items():
88+
try:
89+
print(f" • {secret_name} ... ", end="", flush=True)
90+
91+
# Encrypt the secret
92+
encrypted_value = encrypt_secret(env_key, secret_value)
93+
94+
# Upload to environment
95+
response = requests.put(
96+
f"https://api.github.com/repos/{repo}/environments/{target_env}/secrets/{secret_name}",
97+
headers=headers,
98+
json={
99+
"encrypted_value": encrypted_value,
100+
"key_id": env_key_id
101+
}
102+
)
103+
104+
if response.status_code in [201, 204]:
105+
print("✓")
106+
success_count += 1
107+
else:
108+
print(f"✗ (HTTP {response.status_code})")
109+
print(f" Error: {response.text}")
110+
fail_count += 1
111+
112+
except Exception as e:
113+
print(f"✗ (Error: {str(e)})")
114+
fail_count += 1
115+
116+
print()
117+
print("Summary:")
118+
print(f" ✓ Successfully copied: {success_count}")
119+
if fail_count > 0:
120+
print(f" ✗ Failed: {fail_count}")
121+
print()
122+
123+
if fail_count > 0:
124+
sys.exit(1)
125+
126+
print("All secrets copied successfully!")
127+
EOF
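Review bot: The `environment` value from `workflow_dispatch` (TARGET_ENV, line `TARGET_ENV: ${{ inputs.environment }}`) is interpolated unencoded into two API URL paths (`.../environments/{target_env}/secrets/public-key` and `.../environments/{target_env}/secrets/{secret_name}`), so a value containing `/`, `?` or `..` changes which endpoint the PUT hits rather than producing an error; passing it through `urllib.parse.quote(target_env, safe="")` once after it is read (`from urllib.parse import quote`, `env_path = quote(target_env, safe="")`) and using `env_path` in both f-strings confines it to a single path segment, and a short allow-list check against the environments you expect would make the failure explicit. Two smaller points: `pip3 install PyNaCl requests` is unpinned, so the job that handles a GPG private key and passphrase pulls whatever the index serves at run time — pinning versions (ideally with `--require-hashes`) is the usual mitigation. The `permissions` block grants only `contents: read` and `actions: write`; I cannot confirm from this page that GITHUB_TOKEN with those permissions is allowed to write environment secrets, so it is worth verifying the PUT does not fail with 403 before relying on this workflow.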
