infisical-secrets-fetcher/action.yml

name: 'Infisical Secrets Fetcher'
description: 'Fetch and inject secrets from self-hosted Infisical into Gitea Actions'
inputs:
  client_id:
    description: 'Machine Identity Client ID'
    required: true
  client_secret:
    description: 'Machine Identity Client Secret'
    required: true
  project_id:
    description: 'Infisical Project ID (Workspace ID)'
    required: true
  environment:
    description: 'Target Environment (dev, staging, prod)'
    default: 'prod'
    required: false
  secret_path:
    description: 'Path/Folder to secrets (e.g. /Discord_bot). Root is /'
    default: '/'
    required: false
  domain:
    description: 'Infisical Instance URL'
    default: 'https://infisical.lemarechal.eu'
    required: false
  secrets:
    description: 'Comma-separated list of secrets to fetch (e.g. "DISCORD_TOKEN,API_KEY"). If empty, fetches all.'
    required: false

runs:
  using: "composite"
  steps:
    - name: 'Install dependencies'
      shell: bash
      run: |
        sudo apt-get update
        sudo apt-get install -y dnsutils jq curl

    - name: 'Execute Fetch'
      shell: bash
      run: |
        # 1. DNS Fix
        echo "Resolving IP for ${{ inputs.domain }}..."
        DOMAIN_CLEAN=$(echo "${{ inputs.domain }}" | sed 's|https://||g' | sed 's|http://||g' | cut -d'/' -f1)
        PUBLIC_IP=$(dig +short @1.1.1.1 $DOMAIN_CLEAN | tail -n1)
        
        if [ -z "$PUBLIC_IP" ]; then
            echo "::error::Failed to resolve IP for $DOMAIN_CLEAN"
            exit 1
        fi
        
        echo "Resolved $DOMAIN_CLEAN to $PUBLIC_IP. Updating /etc/hosts..."
        echo "$PUBLIC_IP $DOMAIN_CLEAN" | sudo tee -a /etc/hosts

        # 2. Login (Universal Auth)
        echo "Authenticating with Infisical..."
        LOGIN_RESPONSE=$(curl -s -X POST "${{ inputs.domain }}/api/v1/auth/universal-auth/login" \
          -H "Content-Type: application/json" \
          -d "{\"clientId\": \"${{ inputs.client_id }}\", \"clientSecret\": \"${{ inputs.client_secret }}\"}")

        ACCESS_TOKEN=$(echo "$LOGIN_RESPONSE" | jq -r '.accessToken')

        if [ "$ACCESS_TOKEN" == "null" ] || [ -z "$ACCESS_TOKEN" ]; then
            echo "::error::Authentication failed. Response: $LOGIN_RESPONSE"
            exit 1
        fi

        # 3. Fetch Raw Secrets
        echo "Fetching secrets from path: ${{ inputs.secret_path }} (Env: ${{ inputs.environment }})..."
        SECRETS_RESPONSE=$(curl -s -G "${{ inputs.domain }}/api/v3/secrets/raw" \
          -H "Authorization: Bearer $ACCESS_TOKEN" \
          --data-urlencode "workspaceId=${{ inputs.project_id }}" \
          --data-urlencode "environment=${{ inputs.environment }}" \
          --data-urlencode "secretPath=${{ inputs.secret_path }}")

        # Check for errors in response (Infisical usually returns JSON, check if it's an object with 'secrets' or just the raw dictionary if using /raw endpoint? 
        # The prompt says /api/v3/secrets/raw. 
        # CAUTION: /api/v3/secrets/raw typically returns a dictionary of key-value pairs directly: { "KEY": "VALUE" }
        # Let's verify we got valid JSON and not an error message.
        
        if echo "$SECRETS_RESPONSE" | jq -e . >/dev/null 2>&1; then
             # Valid JSON
             :
        else
             echo "::error::API returned invalid JSON: $SECRETS_RESPONSE"
             exit 1
        fi

        # 4. Injection
        echo "Injecting secrets into Gitea Environment..."
        
        # Prepare filter list (add commas to start/end makes matching "key" against ",key1,key2," easier)
        FILTER_LIST="${{ inputs.secrets }}"
        if [ -n "$FILTER_LIST" ]; then
             # Remove spaces
             FILTER_LIST=$(echo "$FILTER_LIST" | tr -d ' ')
             # Surround with commas for exact match check
             FILTER_LIST=",$FILTER_LIST,"
             echo "Filtering for secrets: ${{ inputs.secrets }}"
        fi

        echo "$SECRETS_RESPONSE" | jq -r 'if .secrets then .secrets[] | "\(.secretKey)=\(.secretValue)" else to_entries[] | "\(.key)=\(.value)" end' | while read -r line; do
            key=$(echo "$line" | cut -d'=' -f1)
            
            # Apply filter if set
            if [ -n "$FILTER_LIST" ]; then
                 if [[ "$FILTER_LIST" != *",$key,"* ]]; then
                     # echo "Skipping $key (not in allowlist)"
                     continue
                 fi
            fi

            # Securely append to GITEA_ENV (using the environment file pattern if available, or simpler export approach)
            # Gitea Actions uses $GITHUB_ENV / $GITEA_ENV file pattern.
            echo "$line" >> $GITEA_ENV
            
            # Mask the value in logs to be safe (optional but recommended)
            val=$(echo "$line" | cut -d'=' -f2-)
            echo "::add-mask::$val"
        done
        
        echo "Secrets injected successfully."