Aydent/frielith_discord_bot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refactor: replace Infisical secrets action with direct curl and jq API calls for secret fetching and injection.
All checks were successful
List Infisical Secrets / list-secrets (push) Successful in 11s
Details

Browse Source
This commit is contained in:
aydent
2026-01-25 00:17:16 +01:00
parent d5d243aa39
commit d210323c6a
1 changed files with 11 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
.gitea/workflows/infisical-secrets.yml
View File

@@ -11,22 +11,21 @@ jobs:
steps: steps:
- name: Force DNS resolution - name: Force DNS resolution
run: | run: |
# Install dnsutils to get the 'dig' command # Install dnsutils for 'dig' and jq for JSON processing
sudo apt-get update && sudo apt-get install -y dnsutils sudo apt-get update && sudo apt-get install -y dnsutils jq
# Dynamically fetch the public IP to handle dynamic DNS # Dynamically fetch the public IP to handle dynamic DNS
# We query Cloudflare DNS (1.1.1.1) to ignore local/Tailscale records
PUBLIC_IP=$(dig +short @1.1.1.1 infisical.lemarechal.eu | tail -n1) PUBLIC_IP=$(dig +short @1.1.1.1 infisical.lemarechal.eu | tail -n1)
echo "Public IP found: $PUBLIC_IP" echo "Public IP found: $PUBLIC_IP"
echo "$PUBLIC_IP infisical.lemarechal.eu" | sudo tee -a /etc/hosts echo "$PUBLIC_IP infisical.lemarechal.eu" | sudo tee -a /etc/hosts
- name: Debug Secret Fetch (curl) - name: Fetch and Inject Secrets
env: env:
CLIENT_ID: ${{ secrets.INFISICAL_CLIENT_ID }} CLIENT_ID: ${{ secrets.INFISICAL_CLIENT_ID }}
CLIENT_SECRET: ${{ secrets.INFISICAL_CLIENT_SECRET }} CLIENT_SECRET: ${{ secrets.INFISICAL_CLIENT_SECRET }}
PROJECT_ID: ${{ secrets.INFISICAL_PROJECT_ID }} PROJECT_ID: ${{ secrets.INFISICAL_PROJECT_ID }}
run: | run: |
echo "Logging in..." echo "Logging in to Infisical..."
LOGIN_RES=$(curl -s -X POST https://infisical.lemarechal.eu/api/v1/auth/universal-auth/login \ LOGIN_RES=$(curl -s -X POST https://infisical.lemarechal.eu/api/v1/auth/universal-auth/login \
-H "Content-Type: application/json" \ -H "Content-Type: application/json" \
-d "{\"clientId\": \"$CLIENT_ID\", \"clientSecret\": \"$CLIENT_SECRET\"}") -d "{\"clientId\": \"$CLIENT_ID\", \"clientSecret\": \"$CLIENT_SECRET\"}")
@@ -40,24 +39,17 @@ jobs:
echo "✅ Login successful. Fetching secrets..." echo "✅ Login successful. Fetching secrets..."
# Attempt to fetch secrets to see the 400 error message # Fetch raw secrets from the verified v3 endpoint
# Note: workspaceId is the Project ID
FETCH_RES=$(curl -s -X GET "https://infisical.lemarechal.eu/api/v3/secrets/raw?workspaceId=$PROJECT_ID&environment=prod&secretPath=%2FDiscord_bot" \ FETCH_RES=$(curl -s -X GET "https://infisical.lemarechal.eu/api/v3/secrets/raw?workspaceId=$PROJECT_ID&environment=prod&secretPath=%2FDiscord_bot" \
-H "Authorization: Bearer $TOKEN") -H "Authorization: Bearer $TOKEN")
echo "Secrets API Response: $FETCH_RES" # Inject secrets into GITEA_ENV to make them available for subsequent steps
# We use jq to format them as KEY=VALUE pairs
echo "$FETCH_RES" | jq -r '.secrets[] | "\(.secretKey)=\(.secretValue)"' >> $GITEA_ENV
echo "✅ Secrets successfully fetched and injected."
- name: Fetch Secrets from Infisical - name: Display Secrets (Masked)
uses: https://github.com/Infisical/secrets-action@v1.0.7
with:
client-id: ${{ secrets.INFISICAL_CLIENT_ID }}
client-secret: ${{ secrets.INFISICAL_CLIENT_SECRET }}
project-id: ${{ secrets.INFISICAL_PROJECT_ID }}
env-slug: prod
secret-path: /Discord_bot
domain: https://infisical.lemarechal.eu
- name: Display Secrets
run: | run: |
echo "Secrets fetched and injected as environment variables." echo "Secrets fetched and injected as environment variables."
# Gitea will automatically mask the values of these variables in the logs
env | grep -v "GITHUB_" | grep -v "GITEA_" | sort env | grep -v "GITHUB_" | grep -v "GITEA_" | sort