Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Make git repository encrypted with generated GPG key which can be used by CI/CD to access the git repo when using GitHub Actions
# Make sure you are using gpg2
git config --global gpg.program gpg2
# Clone empty repository
git clone git@github.com:ruzickap/terraform-gitops.git
# Configure a repository to use git-crypt
cd terraform-gitops
git-crypt init
# Add user's GPG public key
# It's expected, that you previously created your own GPG key
git-crypt add-gpg-user petr.ruzicka@gmail.com
# Unlock repository with GPG key
git-crypt unlock
# Create some supersecret file
echo "my_supersecret_variable" > variables
# Configure git-crypt
cat > .gitattributes << EOF
# Files that are going to be encrypted
variables filter=git-crypt diff=git-crypt
# Making sure that .gitattributes is never encrypted. DON'T TOUCH THAT LINE AND ONE BELOW
.gitattributes !filter !diff
EOF
# Generate GPG key
export GNUPGHOME=/var/tmp/gnupg
mkdir ${GNUPGHOME} && chmod 0700 ${GNUPGHOME}
cat > ${GNUPGHOME}/my_gpg_key << EOF
%echo Generating a basic OpenPGP key
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: CICD User
Name-Comment: User for CI CD
Name-Email: cicd@example.com
Expire-Date: 0
%no-protection
%commit
EOF
# Create GPG key in .gnupg directory
gpg2 --verbose --batch --gen-key ${GNUPGHOME}/my_gpg_key
# List the GPG secret key
gpg2 --list-secret-keys
# Add newly generated key
git-crypt add-gpg-user cicd@example.com
git add .
git commit -m "Initial commit with git-crypt"
git push
# Export private GPG key
GITHUB_SECRETS_PRIVATE_GPG_KEY="$(gpg2 --export-secret-keys --armor)"
echo -e "This is the GPG private key which should be stored in GitHub as secret:\n$GITHUB_SECRETS_PRIVATE_GPG_KEY"
Put the private GPG key into "Settings" -> "Secrets" -> "Name / Value": GITHUB_SECRETS_PRIVATE_GPG_KEY
-> # Create GitHub Action file which will be able to decrypt the encrypted content
mkdir -pv .github/workflows
cat > .github/workflows/test.yml << \EOF
name: "test-decrypt"
on: push
jobs:
test-decrypt:
name: "Test - decrypt"
runs-on: ubuntu-18.04
steps:
- uses: actions/checkout@v1
- name: "Install git-crypt"
run: sudo apt install -y git-crypt gnupg2
- name: Import private GPG key from variable GITHUB_SECRETS_PRIVATE_GPG_KEY
run: echo "${{ secrets.GITHUB_SECRETS_PRIVATE_GPG_KEY }}" | gpg2 --import
- name: List all GPG keys
run: |
gpg2 --list-keys
gpg2 --list-secret-keys
- name: Unlock the git-crypted repository
run: git-crypt unlock
- name: Verify if the variables file is readable
run: cat variables
EOF
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.