Gist findepi/360a1683463ec837e6ef7959cc8517fd, last active March 14, 2024 10:04
Retrieved GitHub secrets securely
In case you found yourself in a situation where GitHub Actions secrets are the source of truth
and you really need to get their clear text values, securely.
# Let's build docker container with openssl so that commands are longer
# Using directly installed openssl is also an option.
docker build --tag docky ./docky
# Fresh random passphrase for this run. -hex keeps it on a single line: `openssl enc -kfile`
# only reads the first line of the file, so raw random bytes would be cut at the first newline or NUL.
docker run --rm docky openssl rand -hex 64 > symmetric_keyfile.key
# Wrap the passphrase with the committed RSA public key (rsautl is deprecated in OpenSSL 3 but still
# works; `openssl pkeyutl -encrypt -pubin` is the replacement and produces the same PKCS#1 v1.5 output)
docker run --rm -v ./key_public.pem:/key_public.pem -v ./symmetric_keyfile.key:/symmetric_keyfile.key docky openssl rsautl -encrypt -inkey key_public.pem -pubin -in symmetric_keyfile.key > symmetric_keyfile.key.enc
echo "=============================================="
cat symmetric_keyfile.key.enc | xxd
echo "=============================================="
# Print the environment as-is (Actions masks registered secret values in the log) ...
env
# ... and capture it to a file so it can be encrypted with the passphrase
env > env.txt
docker run --rm -v ./symmetric_keyfile.key:/symmetric_keyfile.key -v ./env.txt:/env.txt docky openssl enc -in env.txt -e -aes256 -pbkdf2 -kfile symmetric_keyfile.key > env.txt.enc
echo "=============================================="
cat env.txt.enc | xxd
echo "=============================================="
echo All is good
# After copying/extracting the hex dumps from the Actions log
# Assuming the symmetric_keyfile.key.enc hexdump is stored as symmetric_keyfile.key.enc.xxd.txt
# And env.txt.enc stored as env.txt.enc.xxd.txt
xxd -r < symmetric_keyfile.key.enc.xxd.txt > symmetric_keyfile.key.enc.received
xxd -r < env.txt.enc.xxd.txt > env.txt.enc.received
# Unwrap the passphrase with the private key, which never left this machine
docker run --rm -v ./key_private.pem:/key_private.pem -v ./symmetric_keyfile.key.enc.received:/symmetric_keyfile.key.enc.received docky openssl rsautl -decrypt -inkey key_private.pem -passin pass:foobar -in symmetric_keyfile.key.enc.received > symmetric_keyfile.key.received
# Decrypt the captured environment with the recovered passphrase (mounted under the name the encrypt step used)
docker run --rm -v ./env.txt.enc.received:/env.txt.enc.received -v ./symmetric_keyfile.key.received:/symmetric_keyfile.key docky openssl enc -d -aes256 -pbkdf2 -kfile symmetric_keyfile.key -in env.txt.enc.received > env.txt.received
cat env.txt.received
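Before running the decrypt commands above it is worth confirming that the dumps survived the copy out of the log. The following Python is an added example and not part of the gist: it redoes what `xxd -r` does while insisting that offsets are contiguous (a dropped or doubled line is the usual copy-paste damage), and then checks the two recovered blobs against the sizes the gist's commands imply (one RSA block for the 4096-bit key, and the `Salted__` header plus whole CBC blocks written by `openssl enc`); both sizes are assumptions taken from those commands.

```python
import re

# Matches xxd's "00000000: " prefix anywhere in the line, so a raw-log timestamp
# in front of it (GitHub's downloaded logs carry one per line) is ignored.
OFFSET = re.compile(r"([0-9a-fA-F]{8}): ")


def xxd_reverse(dump: str) -> bytes:
    """Rebuild bytes from xxd's default layout (what `xxd -r` does), skipping
    lines without an offset (the ===== separators, other log output) and
    refusing non-contiguous offsets, which `xxd -r` will not complain about."""
    out = bytearray()
    for line in dump.splitlines():
        m = OFFSET.search(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        if offset != len(out):
            raise ValueError(f"offset {offset:#x} but {len(out):#x} bytes so far")
        # hex field is 39 columns wide: 8 groups of 4 digits, space-separated
        out += bytes.fromhex(line[m.end():m.end() + 39].replace(" ", ""))
    return bytes(out)


def xxd_dump(data: bytes) -> str:
    """Format bytes the way `xxd` prints them (used here to build sample input)."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        groups = " ".join(chunk[i:i + 2].hex() for i in range(0, len(chunk), 2))
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}: {groups:<39}  {text}")
    return "\n".join(lines) + "\n"


def check_blobs(rsa_blob: bytes, aes_blob: bytes, rsa_bits: int = 4096) -> list:
    """Sanity-check the two recovered files; returns the problems found."""
    problems = []
    # rsautl output is exactly one RSA block: the modulus size in bytes
    if len(rsa_blob) != rsa_bits // 8:
        problems.append(f"RSA blob is {len(rsa_blob)} bytes, expected {rsa_bits // 8}")
    # openssl enc -pbkdf2 writes "Salted__" + 8-byte salt, then 16-byte CBC blocks
    if not aes_blob.startswith(b"Salted__"):
        problems.append("AES blob lacks the Salted__ header")
    if len(aes_blob) < 32 or (len(aes_blob) - 16) % 16:
        problems.append(f"AES blob is {len(aes_blob)} bytes, not 16 + n*16")
    return problems
```

Feed the pasted dumps to `xxd_reverse` and the results to `check_blobs`; an empty list means the files are worth handing to the decrypt commands.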
# store as docky/Dockerfile to match references in the other script
FROM ubuntu:latest
RUN true && \
export DEBIAN_FRONTEND=noninteractive && \
apt-get update && \
apt-get install -y openssl && \
apt-get clean && \
echo OK
# List every secret the workflows reference and emit one `NAME: ${{ secrets.NAME }}` line per secret,
# ready to paste into the job's env: block so that `env` in the encrypt step sees them all
cat .github/workflows/*.yml | sed -n 's/.* secrets\.\([A-Z_0-9]\+\) .*/\1/p' \
  | sort -u | sed 's/^\(.*\)$/\1: ${{ secrets.\1 }}/'
# Let's build docker container with openssl so that commands are longer
# Using directly installed openssl is also an option.
docker build --tag docky ./docky
# Preparatory step, run once on the receiving machine: generate a passphrase-protected RSA key pair.
# Only the public key is committed; the private key stays here for the decrypt step.
docker run --rm docky openssl genrsa -aes128 -passout pass:foobar 4096 > key_private.pem
docker run --rm -v ./key_private.pem:/key_private.pem docky openssl rsa -in key_private.pem -passin pass:foobar -pubout > key_public.pem
git add key_public.pem && git commit key_public.pem -m "public key"