fix/stop-showing-secrets #6
+9
-15
@@ -21,8 +21,7 @@ inputs:
|
|||||||
required: true
|
required: true
|
||||||
dot-env-path:
|
dot-env-path:
|
||||||
description: "Path to write the DOT_ENV secret to instead of exporting it via GITHUB_ENV"
|
description: "Path to write the DOT_ENV secret to instead of exporting it via GITHUB_ENV"
|
||||||
required: false
|
required: true
|
||||||
default: ""
|
|
||||||
|
|
||||||
runs:
|
runs:
|
||||||
using: "composite"
|
using: "composite"
|
||||||
@@ -31,19 +30,15 @@ runs:
|
|||||||
shell: sh
|
shell: sh
|
||||||
run: bw config server "${{ inputs.server }}"
|
run: bw config server "${{ inputs.server }}"
|
||||||
|
|
||||||
- name: Unlock Vault
|
- name: Unlock vault and retrieve secrets
|
||||||
shell: sh
|
shell: sh
|
||||||
run: |
|
|
||||||
bw login --apikey
|
|
||||||
BW_SESSION=$(bw unlock '${{ inputs.password }}' --raw)
|
|
||||||
echo "BW_SESSION=$BW_SESSION" >> $GITHUB_ENV
|
|
||||||
env:
|
env:
|
||||||
BW_CLIENTID: "${{ inputs.client-id }}"
|
BW_CLIENTID: "${{ inputs.client-id }}"
|
||||||
BW_CLIENTSECRET: "${{ inputs.client-secret }}"
|
BW_CLIENTSECRET: "${{ inputs.client-secret }}"
|
||||||
|
|
||||||
- name: Retrieve Secrets
|
|
||||||
shell: sh
|
|
||||||
run: |
|
run: |
|
||||||
|
bw login --apikey
|
||||||
|
BW_SESSION=$(bw unlock '${{ inputs.password }}' --raw)
|
||||||
|
|
||||||
echo "${{ inputs.secrets }}" | while IFS='>' read SECRET_ID ENV_VAR; do
|
echo "${{ inputs.secrets }}" | while IFS='>' read SECRET_ID ENV_VAR; do
|
||||||
SECRET_ID=$(echo "$SECRET_ID" | sed 's/^ *//;s/ *$//')
|
SECRET_ID=$(echo "$SECRET_ID" | sed 's/^ *//;s/ *$//')
|
||||||
ENV_VAR=$(echo "$ENV_VAR" | sed 's/^ *//;s/ *$//')
|
ENV_VAR=$(echo "$ENV_VAR" | sed 's/^ *//;s/ *$//')
|
||||||
@@ -56,18 +51,17 @@ runs:
|
|||||||
SECRET_VALUE=$(bw get notes "$SECRET_ID" --session "$BW_SESSION" --raw 2>/dev/null)
|
SECRET_VALUE=$(bw get notes "$SECRET_ID" --session "$BW_SESSION" --raw 2>/dev/null)
|
||||||
|
|
||||||
if [ -n "$SECRET_VALUE" ]; then
|
if [ -n "$SECRET_VALUE" ]; then
|
||||||
if [ "$ENV_VAR" = "DOT_ENV" ] && [ -n "${{ inputs.dot-env-path }}" ]; then
|
if [ "$ENV_VAR" = "DOT_ENV" ]; then
|
||||||
mkdir -p "$(dirname "${{ inputs.dot-env-path }}")"
|
mkdir -p "$(dirname "${{ inputs.dot-env-path }}")"
|
||||||
umask 077
|
umask 077
|
||||||
printf '%s\n' "$SECRET_VALUE" > "${{ inputs.dot-env-path }}"
|
printf '%s\n' "$SECRET_VALUE" > "${{ inputs.dot-env-path }}"
|
||||||
echo "Stored $SECRET_ID in $ENV_VAR file"
|
echo "Stored $SECRET_ID in $ENV_VAR file"
|
||||||
else
|
else
|
||||||
echo "$ENV_VAR<<EOF" >> $GITHUB_ENV
|
echo "Unsupported ENV_VAR: $ENV_VAR"
|
||||||
echo "$SECRET_VALUE" >> $GITHUB_ENV
|
exit 1
|
||||||
echo "EOF" >> $GITHUB_ENV
|
|
||||||
echo "Stored $SECRET_ID in $ENV_VAR"
|
|
||||||
fi
|
fi
|
||||||
else
|
else
|
||||||
echo "Failed to retrieve secret: $SECRET_ID"
|
echo "Failed to retrieve secret: $SECRET_ID"
|
||||||
|
exit 1
|
||||||
fi
|
fi
|
||||||
done
|
done
|
||||||
|
|||||||
Reference in New Issue
Block a user