98 lines
4.0 KiB
YAML
98 lines
4.0 KiB
YAML
name: 'Infisical Secrets Fetcher'
|
|
description: 'Fetch and inject secrets from self-hosted Infisical into Gitea Actions'
|
|
inputs:
|
|
client_id:
|
|
description: 'Machine Identity Client ID'
|
|
required: true
|
|
client_secret:
|
|
description: 'Machine Identity Client Secret'
|
|
required: true
|
|
project_id:
|
|
description: 'Infisical Project ID (Workspace ID)'
|
|
required: true
|
|
environment:
|
|
description: 'Target Environment (dev, staging, prod)'
|
|
default: 'prod'
|
|
required: false
|
|
secret_path:
|
|
description: 'Path/Folder to secrets (e.g. /Discord_bot). Root is /'
|
|
default: '/'
|
|
required: false
|
|
domain:
|
|
description: 'Infisical Instance URL'
|
|
default: 'https://infisical.lemarechal.eu'
|
|
required: false
|
|
|
|
runs:
|
|
using: "composite"
|
|
steps:
|
|
- name: 'Install dependencies'
|
|
shell: bash
|
|
run: |
|
|
sudo apt-get update
|
|
sudo apt-get install -y dnsutils jq curl
|
|
|
|
- name: 'Execute Fetch'
|
|
shell: bash
|
|
run: |
|
|
# 1. DNS Fix
|
|
echo "Resolving IP for ${{ inputs.domain }}..."
|
|
DOMAIN_CLEAN=$(echo "${{ inputs.domain }}" | sed 's|https://||g' | sed 's|http://||g' | cut -d'/' -f1)
|
|
PUBLIC_IP=$(dig +short @1.1.1.1 $DOMAIN_CLEAN | tail -n1)
|
|
|
|
if [ -z "$PUBLIC_IP" ]; then
|
|
echo "::error::Failed to resolve IP for $DOMAIN_CLEAN"
|
|
exit 1
|
|
fi
|
|
|
|
echo "Resolved $DOMAIN_CLEAN to $PUBLIC_IP. Updating /etc/hosts..."
|
|
echo "$PUBLIC_IP $DOMAIN_CLEAN" | sudo tee -a /etc/hosts
|
|
|
|
# 2. Login (Universal Auth)
|
|
echo "Authenticating with Infisical..."
|
|
LOGIN_RESPONSE=$(curl -s -X POST "${{ inputs.domain }}/api/v1/auth/universal-auth/login" \
|
|
-H "Content-Type: application/json" \
|
|
-d "{\"clientId\": \"${{ inputs.client_id }}\", \"clientSecret\": \"${{ inputs.client_secret }}\"}")
|
|
|
|
ACCESS_TOKEN=$(echo "$LOGIN_RESPONSE" | jq -r '.accessToken')
|
|
|
|
if [ "$ACCESS_TOKEN" == "null" ] || [ -z "$ACCESS_TOKEN" ]; then
|
|
echo "::error::Authentication failed. Response: $LOGIN_RESPONSE"
|
|
exit 1
|
|
fi
|
|
|
|
# 3. Fetch Raw Secrets
|
|
echo "Fetching secrets from path: ${{ inputs.secret_path }} (Env: ${{ inputs.environment }})..."
|
|
SECRETS_RESPONSE=$(curl -s -G "${{ inputs.domain }}/api/v3/secrets/raw" \
|
|
-H "Authorization: Bearer $ACCESS_TOKEN" \
|
|
--data-urlencode "workspaceId=${{ inputs.project_id }}" \
|
|
--data-urlencode "environment=${{ inputs.environment }}" \
|
|
--data-urlencode "secretPath=${{ inputs.secret_path }}")
|
|
|
|
# Check for errors in response (Infisical usually returns JSON, check if it's an object with 'secrets' or just the raw dictionary if using /raw endpoint?
|
|
# The prompt says /api/v3/secrets/raw.
|
|
# CAUTION: /api/v3/secrets/raw typically returns a dictionary of key-value pairs directly: { "KEY": "VALUE" }
|
|
# Let's verify we got valid JSON and not an error message.
|
|
|
|
if echo "$SECRETS_RESPONSE" | jq -e . >/dev/null 2>&1; then
|
|
# Valid JSON
|
|
:
|
|
else
|
|
echo "::error::API returned invalid JSON: $SECRETS_RESPONSE"
|
|
exit 1
|
|
fi
|
|
|
|
# 4. Injection
|
|
echo "Injecting secrets into Gitea Environment..."
|
|
echo "$SECRETS_RESPONSE" | jq -r 'if .secrets then .secrets[] | "\(.secretKey)=\(.secretValue)" else to_entries[] | "\(.key)=\(.value)" end' | while read -r line; do
|
|
# Securely append to GITEA_ENV (using the environment file pattern if available, or simpler export approach)
|
|
# Gitea Actions uses $GITHUB_ENV / $GITEA_ENV file pattern.
|
|
echo "$line" >> $GITEA_ENV
|
|
|
|
# Mask the value in logs to be safe (optional but recommended)
|
|
val=$(echo "$line" | cut -d'=' -f2-)
|
|
echo "::add-mask::$val"
|
|
done
|
|
|
|
echo "Secrets injected successfully."
|