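---
# Composite action: encrypt the caller-supplied secrets JSON with age and
# publish the ciphertext as a short-lived workflow artifact.
#
# Trust model: the artifact is downloadable by anyone who can read the
# workflow run, so the age encryption to the caller-supplied recipient key is
# the only thing protecting the exported values. The plaintext must therefore
# never reach the script text, the job log or the runner's disk.
name: 'GitHub Secrets Exporter'
description: 'Securely export repository secrets encrypted with age'
branding:
  icon: 'lock'
  color: 'blue'

inputs:
  public_encryption_key:
    description: 'Your public encryption key (age or SSH format)'
    required: true
  secrets_json:
    description: 'JSON of repository secrets (e.g. toJSON(secrets))'
    required: true

runs:
  using: 'composite'
  steps:
    - name: Install age
      shell: bash
      run: sudo apt-get update && sudo apt-get install -y age

    - name: Export and encrypt all secrets
      shell: bash
      # Inputs are handed to the script through `env:` instead of being
      # expanded inline with `${{ }}`. An expression expanded inside `run:`
      # becomes part of the script text, so a single quote or `$(` in any
      # secret value would have ended the quoted assignment and been executed
      # by bash, and the plaintext secrets would have been written into the
      # script file the runner stores on disk. Validating the value inside the
      # script runs too late to prevent either; environment variables are
      # never re-parsed by the shell.
      env:
        RECIPIENT: ${{ inputs.public_encryption_key }}
        SECRETS_JSON: ${{ inputs.secrets_json }}
      run: |
        set -euo pipefail
        # Accept an age public key (age1...) or an SSH public key as age's
        # -r flag takes it ("ssh-ed25519 AAAA..." / "ssh-rsa AAAA...");
        # a trailing key comment is not accepted. Anything else is rejected
        # before age is invoked.
        recipient_re='^(ssh-(ed25519|rsa) )?[A-Za-z0-9._:+/=-]+$'
        [[ "$RECIPIENT" =~ $recipient_re ]] || {
          echo "public_encryption_key contains unsafe characters" >&2
          exit 1
        }
        [ -n "$SECRETS_JSON" ] || {
          echo "Error: secrets_json input is empty" >&2
          exit 1
        }
        # Stream the JSON straight into age over a pipe: the plaintext is
        # never written to a file and never echoed to the job log.
        printf '%s' "$SECRETS_JSON" | \
          age -r "$RECIPIENT" \
            -o /tmp/encrypted-secrets.age

    - name: Upload encrypted secrets
      uses: actions/upload-artifact@v4
      with:
        name: encrypted-secrets
        path: /tmp/encrypted-secrets.age
        # Short retention limits how long the ciphertext is exposed to
        # anyone with read access to the run.
        retention-days: 1

    - name: Cleanup and show instructions
      shell: bash
      # github.run_id is numeric, but it is still passed via env so that no
      # workflow expression is ever expanded inside a script body.
      env:
        RUN_ID: ${{ github.run_id }}
      run: |
        set -euo pipefail
        # Remove the ciphertext from the runner now that it lives in the
        # artifact store; the step name promised a cleanup.
        rm -f /tmp/encrypted-secrets.age
        echo "✓ Secrets encrypted and uploaded as artifact"
        echo ""
        echo "Download with:"
        echo "  gh run download ${RUN_ID} -n encrypted-secrets"
        echo ""
        echo "Then decrypt:"
        echo "  age --decrypt --identity private.key < encrypted-secrets.age"
        echo ""
        echo "Artifact will auto-delete in 1 day"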