Encrypt a git repository with git-crypt and a dedicated, generated GPG key that CI/CD (GitHub Actions) can use to decrypt the repository contents
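# Make git (and git-crypt, which reads git's gpg.program setting when it shells out to gpg) use gpg2
git config --global gpg.program gpg2
# Clone the still-empty repository; abort if the cd fails so later git-crypt calls cannot hit the wrong directory
git clone git@github.com:ruzickap/terraform-gitops.git
cd terraform-gitops || exit 1
# Initialise git-crypt: this generates the symmetric repository key (kept outside the tree, under .git/git-crypt/)
git-crypt init
# Add your own GPG public key as a collaborator who can unlock the repo.
# It is expected that you previously created your own GPG key in your DEFAULT keyring
# (do not point GNUPGHOME at the CI keyring before this step, or your key will not be found).
git-crypt add-gpg-user petr.ruzicka@gmail.com
# Unlock repository with GPG key
# NOTE(review): a freshly initialised clone should already be unlocked, so this is most likely redundant - kept as in the original
git-crypt unlock
# Create some supersecret file
echo "my_supersecret_variable" > variables
# Configure git-crypt. The .gitattributes rules MUST exist before the first `git add`:
# anything staged before the filter is in place is committed in clear text and stays readable in history.
cat > .gitattributes << EOF
# Files that are going to be encrypted
variables filter=git-crypt diff=git-crypt
# Making sure that .gitattributes is never encrypted. DON'T TOUCH THAT LINE AND ONE BELOW
.gitattributes !filter !diff
EOF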
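# Generate a dedicated GPG key for CI/CD in a throw-away keyring, so it never mixes with your personal keys.
# mktemp -d creates an unpredictable, owner-only (0700) directory. The original fixed path /var/tmp/gnupg was
# predictable, and `mkdir` failing on an existing directory would also have skipped the chmod.
export GNUPGHOME
GNUPGHOME="$(mktemp -d)" || exit 1
# Batch parameters for unattended key generation:
# - Expire-Date: 0  -> no expiry; rotate manually (git-crypt rm-gpg-user + new GitHub secret) if the key is ever exposed
# - %no-protection  -> no passphrase, so CI can import and use the key non-interactively.
#                      The exported secret key therefore has NO protection at all; treat the armored block as the secret itself.
cat > "${GNUPGHOME}/my_gpg_key" << EOF
%echo Generating a basic OpenPGP key
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: CICD User
Name-Comment: User for CI CD
Name-Email: cicd@example.com
Expire-Date: 0
%no-protection
%commit
EOF
# Create the key pair inside the throw-away GNUPGHOME (not in ~/.gnupg)
gpg2 --verbose --batch --gen-key "${GNUPGHOME}/my_gpg_key"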
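# List the GPG secret keys - only the CI key should appear, because GNUPGHOME points at the throw-away keyring
gpg2 --list-secret-keys
# Add the newly generated key as a git-crypt collaborator (its public key is read from GNUPGHOME)
git-crypt add-gpg-user cicd@example.com
git add .
git commit -m "Initial commit with git-crypt"
git push
# Export ONLY the CI private key. Naming the key matters: without a selector gpg2 exports EVERY secret key in
# the keyring, which would include your personal key if GNUPGHOME is (or is later) left at the default.
GITHUB_SECRETS_PRIVATE_GPG_KEY="$(gpg2 --export-secret-keys --armor cicd@example.com)" || exit 1
# printf instead of `echo -e`: portable, and the key material is passed as data, never as a format string.
# This prints an unprotected private key to your terminal/scrollback - copy it into GitHub, then clear it.
printf 'This is the GPG private key which should be stored in GitHub as secret:\n%s\n' "${GITHUB_SECRETS_PRIVATE_GPG_KEY}"
# Once the value is saved in GitHub, remove the unprotected key material from disk:
#   rm -rf -- "${GNUPGHOME:?}" && unset GNUPGHOME GITHUB_SECRETS_PRIVATE_GPG_KEY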
In the GitHub repository, open "Settings" -> "Secrets" and add a new secret named GITHUB_SECRETS_PRIVATE_GPG_KEY whose value is the armored private key block printed above (including the BEGIN/END lines).
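# Create a GitHub Actions workflow that can decrypt the encrypted content.
# The heredoc delimiter is escaped (\EOF) so that ${{ ... }} and "${...}" are written literally into the YAML
# instead of being expanded by the local shell.
mkdir -pv .github/workflows
cat > .github/workflows/test.yml << \EOF
name: "test-decrypt"
on: push
jobs:
  test-decrypt:
    name: "Test - decrypt"
    # ubuntu-18.04 is no longer offered as a hosted runner
    runs-on: ubuntu-latest
    steps:
      # Supply-chain note: for production use, pin third-party actions to a full commit SHA rather than a tag
      - uses: actions/checkout@v4
      - name: "Install git-crypt"
        run: |
          sudo apt-get update
          sudo apt-get install -y git-crypt gnupg2
      - name: Import private GPG key from secret GITHUB_SECRETS_PRIVATE_GPG_KEY
        # Pass the secret through the environment instead of interpolating ${{ secrets.* }} into the script
        # body, so the key material is never part of the shell command text that is parsed and may be traced.
        env:
          PRIVATE_GPG_KEY: ${{ secrets.GITHUB_SECRETS_PRIVATE_GPG_KEY }}
        run: printf '%s\n' "${PRIVATE_GPG_KEY}" | gpg2 --batch --import
      - name: List all GPG keys
        run: |
          gpg2 --list-keys
          gpg2 --list-secret-keys
      - name: Unlock the git-crypted repository
        run: git-crypt unlock
      - name: Verify that the variables file was decrypted
        # Do NOT `cat` the decrypted file: its content is not a registered GitHub secret, so it would not be
        # masked and the plaintext would land in the (possibly public) workflow log. Check it is non-empty and
        # no longer carries git-crypt's GITCRYPT magic header, which marks still-encrypted blobs.
        run: |
          test -s variables
          ! grep -q GITCRYPT variables
EOF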