diff --git a/README.md b/README.md index e4fd7c2..0e57a58 100644 --- a/README.md +++ b/README.md @@ -6,8 +6,9 @@ The actions are used by Elysium to run CI/CD tasks and this repo will be archive The actions available are: - [S3 Backup](https://gitea.dunemask.dev/elysium/elysium-actions/src/branch/s3-backup/action.yml) -- [Oasis Deploy](https://gitea.dunemask.dev/elysium/elysium-actions/src/branch/oasis-deploy/action.yml) +- [Oasis Auto Setup](https://gitea.dunemask.dev/elysium/elysium-actions/src/branch/oasis-setup-auto/action.yml) - [Infisical Env](https://gitea.dunemask.dev/elysium/elysium-actions/src/branch/infisical-env/action.yml) +- [Oasis Advanced Setup](https://gitea.dunemask.dev/elysium/elysium-actions/src/branch/oasis-setup-advanced/action.yml) - [Elysium CI/CD](https://gitea.dunemask.dev/elysium/elysium-actions/src/branch/elysium-ci-cd/action.yml) ## Workflow Template diff --git a/action.yml b/action.yml new file mode 100644 index 0000000..39bc399 --- /dev/null +++ b/action.yml 
@@ -0,0 +1,65 @@
+name: "Elysium Infisical Secrets"
+description: "Fetch secrets from Infisical and add them to the env"
+inputs:
+ infisical-token:
+ description: "Infisical API Token"
+ required: true
+ project-id:
+ description: "Project to retrieve secrets from using token"
+ required: true
+ secret-envs:
+ description: "The environments to fetch secrets for (Example: ci or ci,prod,edge )"
+ required: true
+ secret-paths:
+ description: "Secret paths for the secrets (Must match the order of envs! Example: /main or /main,/alt-main)"
+ required: true
+ api-url:
+ description: "Infisical API URL (defaults to https://infisical.dunemask.dev/api)"
+ required: false
+ default: "https://infisical.dunemask.dev/api"
+runs:
+ using: "composite"
+ steps:
+ - name: Infisical CLI install
+ shell: bash
+ run: |
+ [ -z "${{ inputs.project-id }}" ] && echo "ProjectID was not supplied!" && exit 1
+ [ -z "${{ inputs.infisical-token }}" ] && echo "Inficial token was not supplied!" && exit 1
+
+ # Install Infisical Binary
+ echo "Installing Infisical!"
+ curl -s -L https://github.com/Infisical/infisical/releases/download/infisical-cli%2Fv0.28.5/infisical_0.28.5_linux_amd64.tar.gz | tar xvzf - infisical
+
+ # Install yq
+ echo "Installing yq"
+ curl -s -L https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 >> yq
+ chmod +x yq
+
+ # Get paths and envs into list
+ paths="${{ inputs.secret-paths }}"
+ envs="${{ inputs.secret-envs }}"
+
+ path_list=( $(echo $paths | sed "s/,/ /g") )
+ env_list=( $(echo $envs | sed "s/,/ /g") )
+ path_len=${#path_list[@]}
+ env_len=${#env_list[@]}
+
+ # Ensure lengths match
+ if [ "$path_len" != "$env_len" ];
+ then
+ echo "Each path must specify it's environment!"
+ exit 1;
+ fi
+
+ echo "Will execute ./infisical export --domain ${{ inputs.api-url }} --projectId ${{ inputs.project-id }} --token TOKEN --env ENV --path PATH"
+
+ # For each environment
+ for i in "${!path_list[@]}";
+ do echo "Getting secrets from path '${path_list[i]}' from '${env_list[i]}'"
+ ./infisical export --domain ${{ inputs.api-url }} --projectId ${{ inputs.project-id }} --token ${{ inputs.infisical-token }} --env "${env_list[i]}" --path "${path_list[i]}" --format yaml | tee >(./yq -r 'to_entries[] | .key + "=" +.value' >> $GITHUB_ENV) | ./yq -r 'to_entries[] | "echo ::add-mask::\"" + .value + "\""' >> mask.sh
+ chmod +x mask.sh
+ ./mask.sh
+ rm mask.sh
+ done
+ - shell: bash
+ run: echo "Secrets added to environment!"
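Review bot: The export loop turns every secret value into shell source: `mask.sh` is built from `echo ::add-mask::"<value>"` lines and then executed, so a value containing `"`, `$` or a backtick is interpreted by bash instead of being masked, and the `tee` branch has already appended the values to `$GITHUB_ENV` before any mask is registered. The same step expands `${{ inputs.* }}` (including `infisical-token`) directly into the script text rather than passing them through `env:`, so input content becomes part of the script. I would hand the inputs over as environment variables, emit the masks with `printf` in a read loop before writing to `$GITHUB_ENV`, and drop the temporary `mask.sh` altogether, as sketched below. Separately, both downloads are unverified and yq comes from `releases/latest` via `>> yq` (append); pinning a version, using `curl -f` with `>`, and checking a published checksum would make the install reproducible. Multi-line secret values would additionally need the `NAME<<DELIMITER` form when written to `$GITHUB_ENV`.

```yaml
    - name: Infisical CLI install
      shell: bash
      env:
        INFISICAL_TOKEN: ${{ inputs.infisical-token }}
        PROJECT_ID: ${{ inputs.project-id }}
        API_URL: ${{ inputs.api-url }}
        SECRET_PATHS: ${{ inputs.secret-paths }}
        SECRET_ENVS: ${{ inputs.secret-envs }}
      run: |
        # … unchanged: input checks, installs, list building (now reading the env vars above) …
        for i in "${!path_list[@]}"; do
          secrets_yaml="$(./infisical export --domain "$API_URL" --projectId "$PROJECT_ID" \
            --token "$INFISICAL_TOKEN" --env "${env_list[i]}" --path "${path_list[i]}" --format yaml)"
          # Register masks first, one workflow command per value line; values are data, never executed.
          ./yq -r 'to_entries[] | .value' <<<"$secrets_yaml" |
            while IFS= read -r line; do
              if [ -n "$line" ]; then printf '::add-mask::%s\n' "$line"; fi
            done
          ./yq -r 'to_entries[] | .key + "=" + .value' <<<"$secrets_yaml" >> "$GITHUB_ENV"
        done
```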