actions/infisical-secrets-fetcher
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

initial commit

Browse Source
This commit is contained in:
Aydent
2026-01-25 11:33:39 +01:00
commit 3dd8ad4c1f
2 changed files with 136 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

94
action.yml Normal file
View File

@@ -0,0 +1,94 @@
name: 'Infisical Secrets Fetcher'
description: 'Fetch and inject secrets from self-hosted Infisical into Gitea Actions'
inputs:
client_id:
description: 'Machine Identity Client ID'
required: true
client_secret:
description: 'Machine Identity Client Secret'
required: true
project_id:
description: 'Infisical Project ID (Workspace ID)'
required: true
environment:
description: 'Target Environment (dev, staging, prod)'
default: 'prod'
required: false
secret_path:
description: 'Path/Folder to secrets (e.g. /Discord_bot). Root is /'
default: '/'
required: false
domain:
description: 'Infisical Instance URL'
default: 'https://infisical.lemarechal.eu'
required: false
runs:
using: "composite"
steps:
- name: 'Install dependencies'
shell: bash
run: |
sudo apt-get update
sudo apt-get install -y dnsutils jq curl
- name: 'Execute Fetch'
shell: bash
run: |
# 1. DNS Fix
echo "Resolving IP for ${{ inputs.domain }}..."
DOMAIN_CLEAN=$(echo "${{ inputs.domain }}" | sed 's|https://||g' | sed 's|http://||g' | cut -d'/' -f1)
PUBLIC_IP=$(dig +short @1.1.1.1 $DOMAIN_CLEAN | tail -n1)
if [ -z "$PUBLIC_IP" ]; then
echo "::error::Failed to resolve IP for $DOMAIN_CLEAN"
exit 1
fi
echo "Resolved $DOMAIN_CLEAN to $PUBLIC_IP. Updating /etc/hosts..."
echo "$PUBLIC_IP $DOMAIN_CLEAN" | sudo tee -a /etc/hosts
# 2. Login (Universal Auth)
echo "Authenticating with Infisical..."
LOGIN_RESPONSE=$(curl -s -X POST "${{ inputs.domain }}/api/v1/auth/universal-auth/login" \
-H "Content-Type: application/json" \
-d "{\"clientId\": \"${{ inputs.client_id }}\", \"clientSecret\": \"${{ inputs.client_secret }}\"}")
ACCESS_TOKEN=$(echo "$LOGIN_RESPONSE" | jq -r '.accessToken')
if [ "$ACCESS_TOKEN" == "null" ] || [ -z "$ACCESS_TOKEN" ]; then
echo "::error::Authentication failed. Response: $LOGIN_RESPONSE"
exit 1
fi
# 3. Fetch Raw Secrets
echo "Fetching secrets from path: ${{ inputs.secret_path }} (Env: ${{ inputs.environment }})..."
SECRETS_RESPONSE=$(curl -s -X GET "${{ inputs.domain }}/api/v3/secrets/raw?workspaceId=${{ inputs.project_id }}&environment=${{ inputs.environment }}&secretPath=${{ inputs.secret_path }}" \
-H "Authorization: Bearer $ACCESS_TOKEN")
# Check for errors in response (Infisical usually returns JSON, check if it's an object with 'secrets' or just the raw dictionary if using /raw endpoint?
# The prompt says /api/v3/secrets/raw.
# CAUTION: /api/v3/secrets/raw typically returns a dictionary of key-value pairs directly: { "KEY": "VALUE" }
# Let's verify we got valid JSON and not an error message.
if echo "$SECRETS_RESPONSE" | jq -e . >/dev/null 2>&1; then
# Valid JSON
:
else
echo "::error::API returned invalid JSON: $SECRETS_RESPONSE"
exit 1
fi
# 4. Injection
echo "Injecting secrets into Gitea Environment..."
echo "$SECRETS_RESPONSE" | jq -r 'to_entries | .[] | "\(.key)=\(.value)"' | while read -r line; do
# Securely append to GITEA_ENV (using the environment file pattern if available, or simpler export approach)
# Gitea Actions uses $GITHUB_ENV / $GITEA_ENV file pattern.
echo "$line" >> $GITEA_ENV
# Mask the value in logs to be safe (optional but recommended)
val=$(echo "$line" | cut -d'=' -f2-)
echo "::add-mask::$val"
done
echo "Secrets injected successfully."