@findepi
Last active March 14, 2024 10:04
Retrieve GitHub secrets securely
In case you find yourself in a situation where GitHub Actions secrets are the source of truth
and you really need to get their clear-text values, securely.
# Workflow step run inside the GitHub Actions job. The step's env: block has to map every
# secret into the environment (the sed snippet below generates those mappings).
# Let's build a docker container with openssl so that the commands are longer.
# Using a directly installed openssl is also an option.
docker build --tag docky ./docky
# One-time symmetric key. Hex output is used because `openssl enc -kfile` reads only the
# first line of the file as the password, so raw random bytes would be cut at the first newline.
docker run --rm docky openssl rand -hex 32 > symmetric_keyfile.key
# Wrap the symmetric key with the committed public key; only the holder of the private key can unwrap it.
# (rsautl is deprecated in OpenSSL 3; `openssl pkeyutl -encrypt -pubin -inkey key_public.pem -in symmetric_keyfile.key` is the equivalent.)
docker run --rm -v "$PWD/key_public.pem:/key_public.pem" -v "$PWD/symmetric_keyfile.key:/symmetric_keyfile.key" docky openssl rsautl -encrypt -inkey key_public.pem -pubin -in symmetric_keyfile.key > symmetric_keyfile.key.enc
echo "=============================================="
xxd symmetric_keyfile.key.enc
echo "=============================================="
# The plain env output is only for comparison: GitHub masks registered secret values in the log.
env
env > env.txt
# Encrypt the environment dump with the symmetric key; the ciphertext is what gets copied out of the log.
docker run --rm -v "$PWD/symmetric_keyfile.key:/symmetric_keyfile.key" -v "$PWD/env.txt:/env.txt" docky openssl enc -in env.txt -e -aes256 -pbkdf2 -kfile symmetric_keyfile.key > env.txt.enc
echo "=============================================="
xxd env.txt.enc
echo "=============================================="
echo All is good
# Run locally, after copying/extracting the hex dumps from the job log.
# Assuming the symmetric_keyfile.key.enc hexdump is stored as symmetric_keyfile.key.enc.xxd.txt
# and env.txt.enc is stored as env.txt.enc.xxd.txt.
xxd -r < symmetric_keyfile.key.enc.xxd.txt > symmetric_keyfile.key.enc.received
xxd -r < env.txt.enc.xxd.txt > env.txt.enc.received
# Unwrap the symmetric key with the private key (passphrase chosen in the preparatory step).
docker run --rm -v "$PWD/key_private.pem:/key_private.pem" -v "$PWD/symmetric_keyfile.key.enc.received:/symmetric_keyfile.key.enc.received" docky openssl rsautl -decrypt -inkey key_private.pem -passin pass:foobar -in symmetric_keyfile.key.enc.received > symmetric_keyfile.key.received
# Decrypt the environment dump with the recovered symmetric key.
docker run --rm -v "$PWD/env.txt.enc.received:/env.txt.enc.received" -v "$PWD/symmetric_keyfile.key.received:/symmetric_keyfile.key" docky openssl enc -d -aes256 -pbkdf2 -kfile symmetric_keyfile.key -in env.txt.enc.received > env.txt.received
cat env.txt.received
# Store as docky/Dockerfile to match the references in the other scripts.
# Minimal image whose only job is to provide a current openssl binary.
FROM ubuntu:latest
RUN true && \
    export DEBIAN_FRONTEND=noninteractive && \
    apt-get update && \
    apt-get install -y openssl && \
    apt-get clean && \
    echo OK
# Lists every secret referenced in the workflows and prints one `NAME: ${{ secrets.NAME }}`
# line per secret, ready to paste into the env: block of the workflow step above.
cat .github/workflows/*.yml | sed -n 's/.* secrets.\([A-Z_0-9]\+\) .*/\1/p' \
    | sort -u | sed 's/^\(.*\)$/\1: ${{ secrets.\1 }}/'
# Preparatory step, run once locally before the workflow step.
# Let's build a docker container with openssl so that the commands are longer.
# Using a directly installed openssl is also an option.
docker build --tag docky ./docky
# Generate a passphrase-protected RSA key pair (pick your own passphrase in place of foobar);
# the private key stays on your machine, only the public key is committed.
docker run --rm docky openssl genrsa -aes128 -passout pass:foobar 4096 > key_private.pem
docker run --rm -v "$PWD/key_private.pem:/key_private.pem" docky openssl rsa -in key_private.pem -passin pass:foobar -pubout > key_public.pem
git add key_public.pem && git commit key_public.pem -m "public key"
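As an added example that is not part of the gist: a small Python auditor for the reviewer's side of this technique. The pattern above (map all secrets into env, dump env, encrypt or hex-encode the dump into the log) also bypasses GitHub's log masking when it shows up in a workflow change you did not write, so this script lists the secrets a workflow references (like the sed one-liner) and flags run: steps that dump the environment or pipe output through an encoder. The sample workflow, the regexes and the function names are constructed for this example.

```python
import re

# Constructed sample workflow (not from the gist): secrets mapped into env, then dumped, encrypted and hex-dumped into the log.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    env:
      API_TOKEN: ${{ secrets.API_TOKEN }}
      DB_PASSWORD: ${{ secrets.DB_PASSWORD }}
    steps:
      - run: make test
      - run: |
          env > env.txt
          openssl enc -in env.txt -e -aes256 -pbkdf2 -kfile k > env.txt.enc
          cat env.txt.enc | xxd
"""
SECRET_REF = re.compile(r"secrets\.([A-Za-z_][A-Za-z_0-9]*)")
RUN_KEY = re.compile(r"^\s*(?:-\s+)?run:\s*(.*)$")
# Whole-environment dump: the command on its own or followed by a redirect/pipe (heuristic).
ENV_DUMP = re.compile(r"(?:^|[\s;|&(])(?:env|printenv|set)\s*(?:$|[;|&>])")
# Encoders/encryptors: output no longer contains the literal value, so log masking misses it.
ENCODER = re.compile(r"\b(?:xxd|base64|openssl\s+(?:enc|rsautl|pkeyutl))\b")

def referenced_secrets(text):  # secret names the workflow uses (what the sed one-liner lists)
    return sorted(set(SECRET_REF.findall(text)))

def run_commands(text):  # yield (line_no, command) per command line of every `run:` step
    lines, i = text.splitlines(), 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if m:
            key_col, rest = lines[i].index("run:"), m.group(1).strip()
            if rest[:1] in ("|", ">"):  # block scalar: take the lines indented past the key
                while i + 1 < len(lines) and (not lines[i + 1].strip() or
                        len(lines[i + 1]) - len(lines[i + 1].lstrip()) > key_col):
                    i += 1
                    if lines[i].strip():
                        yield i + 1, lines[i].strip()
            elif rest:
                yield i + 1, rest
        i += 1

def audit(text):  # -> (secret_names, findings); a finding is (line_no, reason, command)
    findings = []
    for n, cmd in run_commands(text):
        if ENV_DUMP.search(cmd):
            findings.append((n, "dumps the whole environment (mapped secrets included)", cmd))
        if ENCODER.search(cmd):
            findings.append((n, "encodes/encrypts output, which defeats log masking", cmd))
    return referenced_secrets(text), findings
```

Running `audit(SAMPLE_WORKFLOW)` reports both secret names and flags the three lines of the second step; `make test` and a plain `set -e` are not flagged.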