some git hooks for encrypting and decrypting secret files automatically, from this blog post: https://zev.averba.ch/oops
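#!/bin/sh
# ~/.githooks/post-checkout, identical to post-commit
#
# After a checkout, decrypt every tracked secrets file whose committed (index)
# copy is an ansible-vault blob, so the working tree is plaintext again.
# Needs ansible-vault on PATH; see decrypt() for where the password comes from.
set -o nounset
# grep BRE (the `\|` alternation is a GNU extension) naming the secrets files.
# It is unanchored, so `.env.example` or `.envrc` match too; append `$`
# (e.g. '\.env$') if that is not wanted.
readonly FILE_PATTERN='\.bashrc\|\.env'
# The `$ANSIBLE_VAULT` header ansible-vault writes as the first line of an
# encrypted file. Single-quoted on purpose: in double quotes the shell would try
# to expand $ANSIBLE_VAULT, which under nounset aborts the hook before any file
# is looked at.
readonly ENCRYPTED_PATTERN='\$ANSIBLE_VAULT'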
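# Decrypt the working copy of $1 when the copy in the index is vault-encrypted.
# `git show :path` reads the index (what was just committed / checked out), not
# the working tree, which may already be plaintext from an earlier run.
# Arguments: $1 - path relative to the repository root
# Globals:   ENCRYPTED_PATTERN (read)
# Outputs:   progress on stdout, a warning on stderr if decryption fails
# Returns:   0 if nothing was needed or the decrypt succeeded, else decrypt's status
decrypt_if_needed() {
  local file=$1
  local status
  if git show :"$file" | grep -q -- "^${ENCRYPTED_PATTERN}"; then
    printf 'Located a committed file that should be decrypted:\n> %s\n' "$file"
    decrypt "$file" || {
      status=$?
      printf 'warning: ansible-vault could not decrypt %s\n' "$file" >&2
      return "$status"
    }
  fi
  return 0
}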
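# Decrypt one ansible-vault file in place.
# Uses ~/.vault_password non-interactively when it exists; otherwise
# ansible-vault prompts for the password.
# Arguments: $1 - path of the file to decrypt
# Globals:   HOME (read)
# Outputs:   echoes the path on stdout; a permissions warning on stderr
# Returns:   ansible-vault's exit status
decrypt() {
  local file=$1
  local pwfile="$HOME/.vault_password"
  printf '%s\n' "$file"
  if [ -f "$pwfile" ]; then
    # The vault password is only as private as this file: warn when group or
    # other can read it. (ansible also runs an *executable* password file as a
    # script, so it must not be writable by others either.) find -perm is
    # POSIX; stat's flags differ between GNU and BSD.
    if [ -n "$(find "$pwfile" \( -perm -040 -o -perm -004 \) -print)" ]; then
      printf 'warning: %s is readable by other users; run: chmod 600 %s\n' "$pwfile" "$pwfile" >&2
    fi
    ansible-vault decrypt --vault-password-file "$pwfile" "$file"
  else
    ansible-vault decrypt --ask-vault-password "$file"
  fi
}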
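# This is the post-checkout hook, so say so (the message was copied from post-commit).
echo "Running post-checkout checks..."
# Only paths in the index can carry the vault header decrypt_if_needed looks
# for, so walk `git ls-files` instead of word-splitting `ls -a`. This also
# reaches secrets in subdirectories, which the pre-commit hook encrypts (it
# sees full staged paths) but a top-level `ls` would never list. IFS= / read -r
# keep whitespace and backslashes in names intact.
git ls-files | grep -- "${FILE_PATTERN}" | while IFS= read -r path; do
  printf '%s\n' "$path"
  decrypt_if_needed "$path"
done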
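#!/bin/sh
# ~/.githooks/post-commit
#
# After a commit, decrypt every tracked secrets file whose just-committed
# (index) copy is an ansible-vault blob: the pre-commit hook encrypted and
# re-staged it, so without this the working tree would stay encrypted.
# Needs ansible-vault on PATH; see decrypt() for where the password comes from.
set -o nounset
# grep BRE (the `\|` alternation is a GNU extension) naming the secrets files.
# It is unanchored, so `.env.example` or `.envrc` match too; append `$`
# (e.g. '\.env$') if that is not wanted.
readonly FILE_PATTERN='\.bashrc\|\.env'
# The `$ANSIBLE_VAULT` header ansible-vault writes as the first line of an
# encrypted file. Single-quoted on purpose: in double quotes the shell would try
# to expand $ANSIBLE_VAULT, which under nounset aborts the hook before any file
# is looked at.
readonly ENCRYPTED_PATTERN='\$ANSIBLE_VAULT'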
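# Decrypt the working copy of $1 when the copy in the index is vault-encrypted.
# `git show :path` reads the index (what was just committed), not the working
# tree, which may already be plaintext from an earlier run.
# Arguments: $1 - path relative to the repository root
# Globals:   ENCRYPTED_PATTERN (read)
# Outputs:   progress on stdout, a warning on stderr if decryption fails
# Returns:   0 if nothing was needed or the decrypt succeeded, else decrypt's status
decrypt_if_needed() {
  local file=$1
  local status
  if git show :"$file" | grep -q -- "^${ENCRYPTED_PATTERN}"; then
    printf 'Located a committed file that should be decrypted:\n> %s\n' "$file"
    decrypt "$file" || {
      status=$?
      printf 'warning: ansible-vault could not decrypt %s\n' "$file" >&2
      return "$status"
    }
  fi
  return 0
}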
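# Decrypt one ansible-vault file in place.
# Uses ~/.vault_password non-interactively when it exists; otherwise
# ansible-vault prompts for the password.
# Arguments: $1 - path of the file to decrypt
# Globals:   HOME (read)
# Outputs:   echoes the path on stdout; a permissions warning on stderr
# Returns:   ansible-vault's exit status
decrypt() {
  local file=$1
  local pwfile="$HOME/.vault_password"
  printf '%s\n' "$file"
  if [ -f "$pwfile" ]; then
    # The vault password is only as private as this file: warn when group or
    # other can read it. (ansible also runs an *executable* password file as a
    # script, so it must not be writable by others either.) find -perm is
    # POSIX; stat's flags differ between GNU and BSD.
    if [ -n "$(find "$pwfile" \( -perm -040 -o -perm -004 \) -print)" ]; then
      printf 'warning: %s is readable by other users; run: chmod 600 %s\n' "$pwfile" "$pwfile" >&2
    fi
    ansible-vault decrypt --vault-password-file "$pwfile" "$file"
  else
    ansible-vault decrypt --ask-vault-password "$file"
  fi
}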
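echo "Running post-commit checks..."
# Only paths in the index can carry the vault header decrypt_if_needed looks
# for, so walk `git ls-files` instead of word-splitting `ls -a`. This also
# reaches secrets in subdirectories, which the pre-commit hook encrypts (it
# sees full staged paths) but a top-level `ls` would never list. IFS= / read -r
# keep whitespace and backslashes in names intact.
git ls-files | grep -- "${FILE_PATTERN}" | while IFS= read -r path; do
  printf '%s\n' "$path"
  decrypt_if_needed "$path"
done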
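#!/bin/sh
# ~/.githooks/post-merge, identical to post-commit
#
# After a merge (including `git pull`), decrypt every tracked secrets file
# whose index copy is an ansible-vault blob, so the working tree is plaintext
# again. Needs ansible-vault on PATH; see decrypt() for the password source.
set -o nounset
# grep BRE (the `\|` alternation is a GNU extension) naming the secrets files.
# It is unanchored, so `.env.example` or `.envrc` match too; append `$`
# (e.g. '\.env$') if that is not wanted.
readonly FILE_PATTERN='\.bashrc\|\.env'
# The `$ANSIBLE_VAULT` header ansible-vault writes as the first line of an
# encrypted file. Single-quoted on purpose: in double quotes the shell would try
# to expand $ANSIBLE_VAULT, which under nounset aborts the hook before any file
# is looked at.
readonly ENCRYPTED_PATTERN='\$ANSIBLE_VAULT'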
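# Decrypt the working copy of $1 when the copy in the index is vault-encrypted.
# `git show :path` reads the index (what the merge produced), not the working
# tree, which may already be plaintext from an earlier run.
# Arguments: $1 - path relative to the repository root
# Globals:   ENCRYPTED_PATTERN (read)
# Outputs:   progress on stdout, a warning on stderr if decryption fails
# Returns:   0 if nothing was needed or the decrypt succeeded, else decrypt's status
decrypt_if_needed() {
  local file=$1
  local status
  if git show :"$file" | grep -q -- "^${ENCRYPTED_PATTERN}"; then
    printf 'Located a committed file that should be decrypted:\n> %s\n' "$file"
    decrypt "$file" || {
      status=$?
      printf 'warning: ansible-vault could not decrypt %s\n' "$file" >&2
      return "$status"
    }
  fi
  return 0
}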
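# Decrypt one ansible-vault file in place.
# Uses ~/.vault_password non-interactively when it exists; otherwise
# ansible-vault prompts for the password.
# Arguments: $1 - path of the file to decrypt
# Globals:   HOME (read)
# Outputs:   echoes the path on stdout; a permissions warning on stderr
# Returns:   ansible-vault's exit status
decrypt() {
  local file=$1
  local pwfile="$HOME/.vault_password"
  printf '%s\n' "$file"
  if [ -f "$pwfile" ]; then
    # The vault password is only as private as this file: warn when group or
    # other can read it. (ansible also runs an *executable* password file as a
    # script, so it must not be writable by others either.) find -perm is
    # POSIX; stat's flags differ between GNU and BSD.
    if [ -n "$(find "$pwfile" \( -perm -040 -o -perm -004 \) -print)" ]; then
      printf 'warning: %s is readable by other users; run: chmod 600 %s\n' "$pwfile" "$pwfile" >&2
    fi
    ansible-vault decrypt --vault-password-file "$pwfile" "$file"
  else
    ansible-vault decrypt --ask-vault-password "$file"
  fi
}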
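# This is the post-merge hook, so say so (the message was copied from post-commit).
echo "Running post-merge checks..."
# Only paths in the index can carry the vault header decrypt_if_needed looks
# for, so walk `git ls-files` instead of word-splitting `ls -a`. This also
# reaches secrets in subdirectories, which the pre-commit hook encrypts (it
# sees full staged paths) but a top-level `ls` would never list. IFS= / read -r
# keep whitespace and backslashes in names intact.
git ls-files | grep -- "${FILE_PATTERN}" | while IFS= read -r path; do
  printf '%s\n' "$path"
  decrypt_if_needed "$path"
done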
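#!/bin/sh
# ~/.githooks/pre-commit
#
# Before a commit, encrypt with ansible-vault every staged secrets file whose
# staged copy is still plaintext, and re-stage it. A non-zero exit aborts the
# commit. Needs ansible-vault on PATH; see encrypt() for the password source.
set -o nounset
# grep BRE (the `\|` alternation is a GNU extension) naming the secrets files;
# update this as needed for how you name your secrets-containing files. It is
# unanchored, so `.env.example` or `.envrc` match too; append `$` (e.g. '\.env$')
# if that is not wanted.
readonly FILE_PATTERN='\.bashrc\|\.env'
# The `$ANSIBLE_VAULT` header ansible-vault writes as the first line of an
# encrypted file. Single-quoted on purpose: in double quotes the shell would try
# to expand $ANSIBLE_VAULT, which under nounset aborts the hook before any file
# is looked at.
readonly ENCRYPTED_PATTERN='\$ANSIBLE_VAULT'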
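# Encrypt $1 in the working tree and re-stage it when the staged (index) copy
# is plaintext. Note that `git add` stages the whole working-tree file, so any
# unstaged edits to it end up in the commit as well.
# Arguments: $1 - staged path relative to the repository root
# Globals:   ENCRYPTED_PATTERN (read)
# Outputs:   progress on stdout, errors on stderr
# Returns:   0 when the staged copy is (now) encrypted or there was nothing to
#            do; non-zero when encryption or re-staging failed, which must
#            abort the commit
encrypt_if_needed_then_add() {
  local file=$1
  # A path staged for deletion has no index blob: nothing to encrypt (git's
  # "does not exist in the index" message is the expected outcome, hence muted).
  if ! git cat-file -e ":$file" 2>/dev/null; then
    return 0
  fi
  # Inspect what would be committed (the index), not the working copy.
  if git show :"$file" | grep -q -- "^${ENCRYPTED_PATTERN}"; then
    return 0
  fi
  printf 'Located a staged file that should be encrypted:\n> %s\n' "$file"
  # Never fall through to `git add` when encryption fails: the index still
  # holds the plaintext and the commit would publish it.
  if ! encrypt "$file"; then
    printf 'error: ansible-vault could not encrypt %s; refusing to commit\n' "$file" >&2
    return 1
  fi
  git add -- "$file"
}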
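# Encrypt one file in place with ansible-vault.
# Uses ~/.vault_password non-interactively when it exists; otherwise
# ansible-vault prompts for the password.
# Arguments: $1 - path of the file to encrypt
# Globals:   HOME (read)
# Outputs:   echoes the path on stdout; a permissions warning on stderr
# Returns:   ansible-vault's exit status
encrypt() {
  local file=$1
  local pwfile="$HOME/.vault_password"
  printf '%s\n' "$file"
  if [ -f "$pwfile" ]; then
    # The vault password is only as private as this file: warn when group or
    # other can read it. (ansible also runs an *executable* password file as a
    # script, so it must not be writable by others either.) find -perm is
    # POSIX; stat's flags differ between GNU and BSD.
    if [ -n "$(find "$pwfile" \( -perm -040 -o -perm -004 \) -print)" ]; then
      printf 'warning: %s is readable by other users; run: chmod 600 %s\n' "$pwfile" "$pwfile" >&2
    fi
    ansible-vault encrypt --vault-password-file "$pwfile" "$file"
  else
    ansible-vault encrypt --ask-vault-password "$file"
  fi
}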
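echo "Running pre-commit checks..."
# Walk the staged paths (relative to the repository root). IFS= / read -r keep
# whitespace and backslashes in names intact. The loop runs in a pipeline
# subshell, so a failing file has to exit that subshell, and the pipeline's
# status has to become the hook's: git aborts the commit only when this script
# exits non-zero, and with no `set -e` a failure in the middle of the list
# would otherwise be overwritten by the last file's status.
git diff --cached --name-only | grep -- "${FILE_PATTERN}" | while IFS= read -r line; do
  encrypt_if_needed_then_add "${line}" || exit 1
done || exit 1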
You have to install Ansible (`pip install ansible`) for the above to work, and you must be using git 2.9 or newer in order to install the hooks globally. Speaking of, to make sure these hooks are used globally you must run `git config --global core.hooksPath ~/.githooks`, make sure that directory exists, and make the hook files executable (`chmod +x ~/.githooks/*`), or git will silently skip them. Finally, you need to put your desired `ansible-vault` password in `~/.vault_password` and keep that file readable only by you (`chmod 600 ~/.vault_password`). Keep in mind that hooks are a convenience, not a guarantee: `git commit --no-verify`, and any tool that bypasses hooks, will commit whatever plaintext is staged.