refactor: replace Infisical secrets action with direct curl and jq API calls for secret fetching and injection.
All checks were successful
List Infisical Secrets / list-secrets (push) Successful in 11s
All checks were successful
List Infisical Secrets / list-secrets (push) Successful in 11s
This commit is contained in:
aydent
@@ -11,22 +11,21 @@ jobs:
|
||||
steps:
|
||||
- name: Force DNS resolution
|
||||
run: |
|
||||
# Install dnsutils to get the 'dig' command
|
||||
sudo apt-get update && sudo apt-get install -y dnsutils
|
||||
# Install dnsutils for 'dig' and jq for JSON processing
|
||||
sudo apt-get update && sudo apt-get install -y dnsutils jq
|
||||
|
||||
# Dynamically fetch the public IP to handle dynamic DNS
|
||||
# We query Cloudflare DNS (1.1.1.1) to ignore local/Tailscale records
|
||||
PUBLIC_IP=$(dig +short @1.1.1.1 infisical.lemarechal.eu | tail -n1)
|
||||
echo "Public IP found: $PUBLIC_IP"
|
||||
echo "$PUBLIC_IP infisical.lemarechal.eu" | sudo tee -a /etc/hosts
|
||||
|
||||
- name: Debug Secret Fetch (curl)
|
||||
- name: Fetch and Inject Secrets
|
||||
env:
|
||||
CLIENT_ID: ${{ secrets.INFISICAL_CLIENT_ID }}
|
||||
CLIENT_SECRET: ${{ secrets.INFISICAL_CLIENT_SECRET }}
|
||||
PROJECT_ID: ${{ secrets.INFISICAL_PROJECT_ID }}
|
||||
run: |
|
||||
echo "Logging in..."
|
||||
echo "Logging in to Infisical..."
|
||||
LOGIN_RES=$(curl -s -X POST https://infisical.lemarechal.eu/api/v1/auth/universal-auth/login \
|
||||
-H "Content-Type: application/json" \
|
||||
-d "{\"clientId\": \"$CLIENT_ID\", \"clientSecret\": \"$CLIENT_SECRET\"}")
|
||||
@@ -40,24 +39,17 @@ jobs:
|
||||
|
||||
echo "✅ Login successful. Fetching secrets..."
|
||||
|
||||
# Attempt to fetch secrets to see the 400 error message
|
||||
# Note: workspaceId is the Project ID
|
||||
# Fetch raw secrets from the verified v3 endpoint
|
||||
FETCH_RES=$(curl -s -X GET "https://infisical.lemarechal.eu/api/v3/secrets/raw?workspaceId=$PROJECT_ID&environment=prod&secretPath=%2FDiscord_bot" \
|
||||
-H "Authorization: Bearer $TOKEN")
|
||||
|
||||
echo "Secrets API Response: $FETCH_RES"
|
||||
# Inject secrets into GITEA_ENV to make them available for subsequent steps
|
||||
# We use jq to format them as KEY=VALUE pairs
|
||||
echo "$FETCH_RES" | jq -r '.secrets[] | "\(.secretKey)=\(.secretValue)"' >> $GITEA_ENV
|
||||
echo "✅ Secrets successfully fetched and injected."
|
||||
|
||||
- name: Fetch Secrets from Infisical
|
||||
uses: https://github.com/Infisical/secrets-action@v1.0.7
|
||||
with:
|
||||
client-id: ${{ secrets.INFISICAL_CLIENT_ID }}
|
||||
client-secret: ${{ secrets.INFISICAL_CLIENT_SECRET }}
|
||||
project-id: ${{ secrets.INFISICAL_PROJECT_ID }}
|
||||
env-slug: prod
|
||||
secret-path: /Discord_bot
|
||||
domain: https://infisical.lemarechal.eu
|
||||
|
||||
- name: Display Secrets
|
||||
- name: Display Secrets (Masked)
|
||||
run: |
|
||||
echo "Secrets fetched and injected as environment variables."
|
||||
# Gitea will automatically mask the values of these variables in the logs
|
||||
env | grep -v "GITHUB_" | grep -v "GITEA_" | sort
|
||||
|
||||
Reference in New Issue
Block a user