This tool creates libsodium compatible encrypted secrets for use with the Github CLI. It takes the repo public key information that can be obtained via
/repos/{owner}/{repo}/actions/secrets/public-key
which looks like
{
"key_id": "012345678912345678",
"key": "2Sg8iYjAxxmI2LvUXpJjkYrMxURPc8r+dB7TJyvv1234"
}
and a secret value provided via environment variable or standard input and creates the proper JSON
to be used with the Github CLI tool gh.
The required data looks like this:
{
"key_id":"012345678912345678"
"encrypted_value":"base64encoded_secret",
}
The tool prints the JSON object that can then be fed into gh like this:
ghsecret ENVVARNAME | gh api -XPUT /some/endpoint --input -
ENVVARNAME is the name of the environment variable that holds the secret string. In addition, the result from the "public-key" API call must to be provided as environment variables GH_KEY and GH_KEY_ID, respectively.
If ENVVARNAME is omitted, a value provided via stdin is used.
The names of these variables can be changed via command line arguments, if needed.
Here's a silly example:
$ GH_KEY="$(echo 'qwe' | base64)" GH_KEY_ID="123" ghsecret HOME
{"key_id":"123","encrypted_value":"bnwu9dXlXcFGYatcXsdpHR0MiiAE3115Mz6wkDrdNACQZSo+1JgPHrhaJCEEnbVpGF5YJMa3tJGGyeb2vqY="}
$Here's another example using the Gnome key-chain secret-tool. This looks up the password in the login key-chain of Gnome where the associated key/value pair is "dc01admin" and "secret":
$ export GH_KEY="$(echo 'qwe' | base64)"
$ export GH_KEY_ID="123"
$ secret-tool lookup dc01admin secret | ghsecret
{"key_id":"123","encrypted_value":"ymkvNcCZ3Bykk6OtOa3csCJNmpdt2J9JA/iTYIASHn9L35UyuN+bzQuE6XhYHQWH3vNMy+FrDg=="}
$Also see the secrets.sh script in this repo for a more elaborate example.
The tool does one thing and one thing only: provide the input data that is understood by the Github secrets API. To actually consume this data, other tools are needed:
- The
ghtool available from here. - The
jqtool available as part of your distribution or from here. - The Gnome
secret-toolto retrieve secrets from the Gnome key-chain.
For my particular workflow, I also combine this with tmux and ngrok to allow access to my local installation of a service for Github actions.
Here's some bash snippet that illustrates the actual / embedded use with a PyPI publish workflow:
REPO="rschmied/ghsecret"
# read the public github key for our repo
read -d' ' GH_KEY_ID GH_KEY <<< "$(gh api /repos/$REPO/actions/secrets/public-key | jq -r '.|.key_id, .key')"
# make them visible to the ghsecret tool
export GH_KEY GH_KEY_ID
# lookup the pypi token in the Gnome key-chain and set the it in the
# repository so that it can be consumed by a PyPI publish workflow.
secret-tool lookup token pypi | \
ghsecret | \
gh api -XPUT /repos/$REPO/actions/secrets/PYPI_API_TOKEN --input -Note: Using gh api -XDELETE /repos/$REPO/actions/secrets/PYPI_API_TOKEN allows you to remove the token from Github again.