name: 'Infisical Secrets Fetcher' description: 'Fetch and inject secrets from self-hosted Infisical into Gitea Actions' inputs: client_id: description: 'Machine Identity Client ID' required: true client_secret: description: 'Machine Identity Client Secret' required: true project_id: description: 'Infisical Project ID (Workspace ID)' required: true environment: description: 'Target Environment (dev, staging, prod)' default: 'prod' required: false secret_path: description: 'Path/Folder to secrets (e.g. /Discord_bot). Root is /' default: '/' required: false domain: description: 'Infisical Instance URL' default: 'https://infisical.lemarechal.eu' required: false secrets: description: 'Comma-separated list of secrets to fetch (e.g. "DISCORD_TOKEN,API_KEY"). If empty, fetches all.' required: false runs: using: "composite" steps: - name: 'Install dependencies' shell: bash run: | sudo apt-get update sudo apt-get install -y dnsutils jq curl - name: 'Execute Fetch' shell: bash run: | # 1. DNS Fix echo "Resolving IP for ${{ inputs.domain }}..." DOMAIN_CLEAN=$(echo "${{ inputs.domain }}" | sed 's|https://||g' | sed 's|http://||g' | cut -d'/' -f1) PUBLIC_IP=$(dig +short @1.1.1.1 $DOMAIN_CLEAN | tail -n1) if [ -z "$PUBLIC_IP" ]; then echo "::error::Failed to resolve IP for $DOMAIN_CLEAN" exit 1 fi echo "Resolved $DOMAIN_CLEAN to $PUBLIC_IP. Updating /etc/hosts..." echo "$PUBLIC_IP $DOMAIN_CLEAN" | sudo tee -a /etc/hosts # 2. Login (Universal Auth) echo "Authenticating with Infisical..." LOGIN_RESPONSE=$(curl -s -X POST "${{ inputs.domain }}/api/v1/auth/universal-auth/login" \ -H "Content-Type: application/json" \ -d "{\"clientId\": \"${{ inputs.client_id }}\", \"clientSecret\": \"${{ inputs.client_secret }}\"}") ACCESS_TOKEN=$(echo "$LOGIN_RESPONSE" | jq -r '.accessToken') if [ "$ACCESS_TOKEN" == "null" ] || [ -z "$ACCESS_TOKEN" ]; then echo "::error::Authentication failed. Response: $LOGIN_RESPONSE" exit 1 fi # 3. Fetch Raw Secrets echo "Fetching secrets from path: ${{ inputs.secret_path }} (Env: ${{ inputs.environment }})..." SECRETS_RESPONSE=$(curl -s -G "${{ inputs.domain }}/api/v3/secrets/raw" \ -H "Authorization: Bearer $ACCESS_TOKEN" \ --data-urlencode "workspaceId=${{ inputs.project_id }}" \ --data-urlencode "environment=${{ inputs.environment }}" \ --data-urlencode "secretPath=${{ inputs.secret_path }}") # Check for errors in response (Infisical usually returns JSON, check if it's an object with 'secrets' or just the raw dictionary if using /raw endpoint? # The prompt says /api/v3/secrets/raw. # CAUTION: /api/v3/secrets/raw typically returns a dictionary of key-value pairs directly: { "KEY": "VALUE" } # Let's verify we got valid JSON and not an error message. if echo "$SECRETS_RESPONSE" | jq -e . >/dev/null 2>&1; then # Valid JSON : else echo "::error::API returned invalid JSON: $SECRETS_RESPONSE" exit 1 fi # 4. Injection echo "Injecting secrets into Gitea Environment..." # Prepare filter list (add commas to start/end makes matching "key" against ",key1,key2," easier) FILTER_LIST="${{ inputs.secrets }}" if [ -n "$FILTER_LIST" ]; then # Remove spaces FILTER_LIST=$(echo "$FILTER_LIST" | tr -d ' ') # Surround with commas for exact match check FILTER_LIST=",$FILTER_LIST," echo "Filtering for secrets: ${{ inputs.secrets }}" fi echo "$SECRETS_RESPONSE" | jq -r 'if .secrets then .secrets[] | "\(.secretKey)=\(.secretValue)" else to_entries[] | "\(.key)=\(.value)" end' | while read -r line; do key=$(echo "$line" | cut -d'=' -f1) # Apply filter if set if [ -n "$FILTER_LIST" ]; then if [[ "$FILTER_LIST" != *",$key,"* ]]; then # echo "Skipping $key (not in allowlist)" continue fi fi # Securely append to GITEA_ENV (using the environment file pattern if available, or simpler export approach) # Gitea Actions uses $GITHUB_ENV / $GITEA_ENV file pattern. echo "$line" >> $GITEA_ENV # Mask the value in logs to be safe (optional but recommended) val=$(echo "$line" | cut -d'=' -f2-) echo "::add-mask::$val" done echo "Secrets injected successfully."