name: List Infisical Secrets on: push: branches: [ main ] workflow_dispatch: jobs: list-secrets: runs-on: ubuntu-latest steps: - name: Force DNS resolution run: | # Install dnsutils for 'dig' and jq for JSON processing sudo apt-get update && sudo apt-get install -y dnsutils jq # Dynamically fetch the public IP to handle dynamic DNS PUBLIC_IP=$(dig +short @1.1.1.1 infisical.lemarechal.eu | tail -n1) echo "Public IP found: $PUBLIC_IP" echo "$PUBLIC_IP infisical.lemarechal.eu" | sudo tee -a /etc/hosts - name: Fetch and Inject Secrets env: CLIENT_ID: ${{ secrets.INFISICAL_CLIENT_ID }} CLIENT_SECRET: ${{ secrets.INFISICAL_CLIENT_SECRET }} PROJECT_ID: ${{ secrets.INFISICAL_PROJECT_ID }} run: | echo "Logging in to Infisical..." LOGIN_RES=$(curl -s -X POST https://infisical.lemarechal.eu/api/v1/auth/universal-auth/login \ -H "Content-Type: application/json" \ -d "{\"clientId\": \"$CLIENT_ID\", \"clientSecret\": \"$CLIENT_SECRET\"}") TOKEN=$(echo $LOGIN_RES | jq -r .accessToken) if [ "$TOKEN" == "null" ] || [ -z "$TOKEN" ]; then echo "❌ Login failed: $LOGIN_RES" exit 1 fi echo "✅ Login successful. Fetching secrets..." # Fetch raw secrets from the verified v3 endpoint FETCH_RES=$(curl -s -X GET "https://infisical.lemarechal.eu/api/v3/secrets/raw?workspaceId=$PROJECT_ID&environment=prod&secretPath=%2FDiscord_bot" \ -H "Authorization: Bearer $TOKEN") # Inject secrets into GITEA_ENV to make them available for subsequent steps # We use jq to format them as KEY=VALUE pairs echo "$FETCH_RES" | jq -r '.secrets[] | "\(.secretKey)=\(.secretValue)"' >> $GITEA_ENV echo "✅ Secrets successfully fetched and injected." - name: Display Secrets (Masked) run: | echo "Secrets fetched and injected as environment variables." # Gitea will automatically mask the values of these variables in the logs env | grep -v "GITHUB_" | grep -v "GITEA_" | sort