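# Composite action: installs the Infisical CLI and yq, exports the secrets for
# each (environment, path) pair, masks them in the job log and appends them to
# $GITHUB_ENV so later steps can read them as environment variables.
name: "Elysium Infisical Secrets"
description: "Fetch secrets from Infisical and add them to the env"
inputs:
  infisical-token:
    description: "Infisical API Token"
    required: true
  secret-envs:
    description: "The environments to fetch secrets for (Example: ci or ci,prod,edge )"
    required: true
  secret-paths:
    description: "Secret paths for the secrets (Must match the order of envs! Example: /main or /main,/alt-main)"
    required: true
  project-id:
    description: "Infisical Secrets Project"
    required: true
  api-url:
    description: "Infisical API URL (defaults to https://infisical.dunemask.dev/api)"
    required: false
    default: "https://infisical.dunemask.dev/api"
runs:
  using: "composite"
  steps:
    - name: Infisical CLI install
      shell: bash
      # Inputs reach the script as environment variables, never as ${{ }}
      # text pasted into the script body: an expression is expanded before
      # bash parses the script, so an input containing quotes, `;` or `$(...)`
      # would otherwise be executed as code.
      env:
        INPUT_INFISICAL_TOKEN: "${{ inputs.infisical-token }}"
        INPUT_SECRET_ENVS: "${{ inputs.secret-envs }}"
        INPUT_SECRET_PATHS: "${{ inputs.secret-paths }}"
        INPUT_PROJECT_ID: "${{ inputs.project-id }}"
        INPUT_API_URL: "${{ inputs.api-url }}"
      run: |
        # NOTE(review): neither download below is verified against a published
        # checksum, and yq is taken from the moving "latest" release. Pin yq to
        # a fixed version and verify both artifacts before executing them.

        # Install Infisical Binary (-f makes an HTTP error fail the step
        # instead of piping an error page into tar)
        echo "Installing Infisical!"
        curl -fsSL https://github.com/Infisical/infisical/releases/download/infisical-cli%2Fv0.28.5/infisical_0.28.5_linux_amd64.tar.gz | tar xvzf - infisical

        # Install yq (-o overwrites; appending to an existing ./yq would
        # produce a corrupt binary)
        echo "Installing yq"
        curl -fsSL -o yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64
        chmod +x yq

        # Get paths and envs into list
        paths="$INPUT_SECRET_PATHS"
        envs="$INPUT_SECRET_ENVS"
        # Split on commas and whitespace. Globbing is switched off while the
        # unquoted expansion runs, so a path such as /* stays literal instead
        # of being expanded against the runner's filesystem.
        set -f
        path_list=( ${paths//,/ } )
        env_list=( ${envs//,/ } )
        set +f
        path_len=${#path_list[@]}
        env_len=${#env_list[@]}

        # Ensure lengths match
        if [ "$path_len" != "$env_len" ]; then
          echo "Each path must specify it's environment!"
          exit 1
        fi

        echo "Will execute ./infisical export --domain $INPUT_API_URL --projectId $INPUT_PROJECT_ID --token TOKEN --env ENV --path PATH"

        # For each environment
        for i in "${!path_list[@]}"; do
          echo "Getting secrets from path '${path_list[i]}' from '${env_list[i]}'"

          # Keep the export in a shell variable; no file holding secret values
          # is written to the workspace.
          secrets_yaml="$(./infisical export \
            --domain "$INPUT_API_URL" \
            --projectId "$INPUT_PROJECT_ID" \
            --token "$INPUT_INFISICAL_TOKEN" \
            --env "${env_list[i]}" \
            --path "${path_list[i]}" \
            --format yaml)"

          # Register the masks before the values are exported. The workflow
          # command is printed directly: secret values are never assembled
          # into a script and executed, so a value containing quotes or
          # $(...) cannot run as code. Each line of a multi-line value is
          # masked on its own, because add-mask works on a single line.
          printf '%s\n' "$secrets_yaml" \
            | ./yq -r 'to_entries[] | .value' \
            | while IFS= read -r secret_line; do
                if [ -n "$secret_line" ]; then
                  printf '::add-mask::%s\n' "$secret_line"
                fi
              done

          # NOTE(review): KEY=value is the single-line form of $GITHUB_ENV. A
          # value containing a newline would end the entry early and its
          # remaining lines would be read as further entries; such values need
          # the KEY<<DELIMITER form or must be rejected before this point.
          printf '%s\n' "$secrets_yaml" \
            | ./yq -r 'to_entries[] | .key + "=" +.value' >> "$GITHUB_ENV"
        done
    - shell: bash
      run: echo "Secrets added to environment!"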