
github-action-git-crypt-unlock's Introduction

Github Action running git-crypt unlock

Usage

Example Workflow file

jobs:
  deploy:
    name: Test git-crypt-unlock
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - name: Unlock secrets
        uses: sliteteam/[email protected]
        env:
          GIT_CRYPT_KEY: ${{ secrets.GIT_CRYPT_KEY }}

Secrets

  • GIT_CRYPT_KEY (required): Base64-encoded git-crypt key file.
    • Get it from an unlocked git-crypt environment with:
      git-crypt export-key ./tmp-key && cat ./tmp-key | base64 | pbcopy && rm ./tmp-key

Run Directory

You can run the git-crypt unlock command from a directory other than GITHUB_WORKSPACE by setting the RUN_DIR env var.

Running tests

./test/entrypoint_test.sh

github-action-git-crypt-unlock's People

Contributors

adevine, arnaudrinquin, borda, calyhre, garciasdos, piraka9011


github-action-git-crypt-unlock's Issues

Speed up action installation

It currently takes 1m 30s on my build to install this action. Is there a way to speed this up, maybe by caching the docker build?

Handle Base64 strings that include new lines

The current bash script in entrypoint.sh doesn't cope with Base64 strings including new line characters. Unfortunately, these are often included by default when you pipe to base64.

Supplying a string with new lines causes this action to fail with base64: invalid input. I can replicate the problem locally with the following two lines:

$ export GIT_CRYPT_KEY=$(cat ./original.key | base64)
$ echo $GIT_CRYPT_KEY | base64 --decode > ./copy.key
base64: invalid input

It looks like a simple fix - if we quote the environment variable properly then decoding works correctly. I'll raise a PR.
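The failure reported in this issue, reproduced as an added example (not code from the action's entrypoint.sh or from the issue author). The key is a constructed 148-byte random file and the function names are hypothetical; the wrapped value is built with fold so it contains newlines whether or not the local base64 wraps its output.

```shell
#!/bin/sh
# Constructed stand-in for an exported git-crypt key: 148 random bytes.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
head -c 148 /dev/urandom > "$workdir/original.key"

# Single-line encoding: nothing for the shell to split on.
oneline=$(base64 < "$workdir/original.key" | tr -d '\n')
# The same data wrapped at 76 columns, as GNU base64 prints it by default.
wrapped=$(printf '%s\n' "$oneline" | fold -w 76)

# What base64 receives when the variable is expanded unquoted: the shell
# splits the value on its newlines and echo rejoins the words with spaces.
unquoted_view() { echo $1; }

# The issue's repro: unquoted expansion piped to the decoder.
decode_unquoted() {
  echo $1 | base64 --decode > "$workdir/copy.key" 2>/dev/null
  cmp -s "$workdir/original.key" "$workdir/copy.key"
}

# Quoted expansion: the newlines arrive intact, which the decoder accepts.
decode_quoted() {
  printf '%s\n' "$1" | base64 --decode > "$workdir/copy.key" 2>/dev/null
  cmp -s "$workdir/original.key" "$workdir/copy.key"
}

report() {  # report <label> <decode function> <encoded value>
  if "$2" "$3"; then echo "$1: key recovered intact"
  else echo "$1: decode failed or key differs"; fi
}
report "wrapped, unquoted " decode_unquoted "$wrapped"
report "wrapped, quoted   " decode_quoted "$wrapped"
report "one line, unquoted" decode_unquoted "$oneline"
```

Stripping the newlines at encode time (`base64 | tr -d '\n'`) gives a secret value that decodes the same way however the consuming script quotes it.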

Does not work with a git-crypt key file

Steps to reproduce:

  1. Create the key file locally, using git-crypt export-key git-crypt-key
  2. Stash this key in an S3 bucket or other remote location of choice

This works:

steps:
  - ...
  - name: git-crypt unlock
    run: |
      git clone https://github.com/AGWA/git-crypt.git
      cd git-crypt
      make
      sudo make install
      cd ..
      rm -rf git-crypt
      git-crypt unlock git-crypt-key

This does not work

steps:
  - name: Set git-crypt key
    id: ref
    run: echo "::set-output name=git_crypt_key::$(base64 git-crypt-key)"  # or cat git-crypt-key | base64
  - name: decrypt
    uses: sliteteam/[email protected]
    env:
      GIT_CRYPT_KEY: ${{ steps.ref.outputs.git_crypt_key }}

jessie-updates InRelease: The following signatures were invalid: KEYEXPIRED

Hi there,
our github workflow has been failing since yesterday due to what seems to be an expired gpg key. I reckon your repository has not been updated in a couple of years so we suspect the error is originating from here.

Can you please take a look into it? Our implementation is identical to the one in your readme, and we have not encountered this issue in the 2+ years we've been using github-action-git-crypt-unlock

Step 10/15 : RUN apt-get update && apt-get install -y   bash   curl   git   g++   make   openssl   libssl-dev
   ---> Running in d3bd053a489a
  Ign http://deb.debian.org/ jessie InRelease
  Get:1 http://deb.debian.org jessie-updates InRelease [16.3 kB]
  Get:2 http://security.debian.org jessie/updates InRelease [44.9 kB]
  Get:3 http://deb.debian.org jessie Release.gpg [1652 B]
  Get:4 http://deb.debian.org jessie Release [77.3 kB]
  Ign http://deb.debian.org jessie-updates InRelease
  Get:5 http://deb.debian.org jessie-updates/main amd64 Packages [20 B]
  Ign http://deb.debian.org/ jessie Release
  Get:6 http://deb.debian.org jessie/main amd64 Packages [9098 kB]
  Get:7 http://security.debian.org/ jessie/updates/main amd64 Packages [992 kB]
  Fetched 10.2 MB in 7s (1367 kB/s)
  Reading package lists...
  W: GPG error: http://deb.debian.org jessie-updates InRelease: The following signatures were invalid: KEYEXPIRED 1668891673
  W: GPG error: http://deb.debian.org/ jessie Release: The following signatures were invalid: KEYEXPIRED 1668891673

No way to commit once unlocked

Once the repo is unlocked, any attempt to commit from the GH Action will result in an error:

"git-crypt" clean: 1: git-crypt: not found
error: external filter '"git-crypt" clean' failed 127
error: external filter '"git-crypt" clean' failed
