Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/zgosalvez/github-actions-decrypt-secrets
A GitHub Action to decrypt secrets from a JSON file using gpg
actions github github-actions gpg secrets
Last synced: 3 days ago
- Host: GitHub
- URL: https://github.com/zgosalvez/github-actions-decrypt-secrets
- Owner: zgosalvez
- License: mit
- Created: 2020-12-08T04:57:08.000Z (about 4 years ago)
- Default Branch: main
- Last Pushed: 2025-02-09T06:57:08.000Z (5 days ago)
- Last Synced: 2025-02-10T18:51:22.807Z (4 days ago)
- Topics: actions, github, github-actions, gpg, secrets
- Language: JavaScript
- Homepage: https://github.com/marketplace/actions/decrypt-secrets
- Size: 1.82 MB
- Stars: 4
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE.md
- Security: SECURITY.md
README
# GitHub Action — Decrypt Secrets
This GitHub Action (written in JavaScript) decrypts secrets from a `gpg`-encrypted JSON file inside a GitHub Actions job and exports them as environment variables for later steps. For more information on the encryption side, see the "[gpg manpage](https://www.gnupg.org/gph/de/manual/r1023.html)." Common workflows are:
* [A central secrets repository](#a-central-secrets-repository)
* [Environment based secrets](#environment-based-secrets)

*Note:* This currently does not support a JSON file that is more than one level deep; every value must be a string, number or boolean at the top level of the object.
## Usage
### Pre-requisites
Create a workflow `.yml` file in your `.github/workflows` directory. [Example workflows](#common-workflows) are available below. For more information, reference the GitHub Help Documentation for [Creating a workflow file](https://help.github.com/en/articles/configuring-a-workflow#creating-a-workflow-file).

### Inputs
All of these inputs are required. For more information on these inputs, see the [Workflow syntax for GitHub Actions](https://docs.github.com/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepswith).
- `secrets_file`: The path of the `gpg`-encrypted JSON file, relative to the checked-out repository. For example, `.github/workflows/secrets.json.gpg`
- `map`: Describes the map between the environment variables and secret keys, as a comma-separated list of `ENV_VAR=json_key` pairs. JSON keys are matched case-sensitively. For example, `SECRET_PASSWORD=PASSWORD,PASSPHRASE=passphrase`

Additionally, you must set the `GPG_PASSPHRASE` environment variable on the step to decrypt the JSON file. Supply it from an encrypted secret (`${{ secrets.… }}`) rather than a literal in the workflow file: the passphrase is the single value that unlocks every secret in the file.
### Outputs
None. The secrets are exported as environment variables, named as specified in the `map` input, and are available to subsequent steps in the same job. For more information, see the [Environment variables](https://docs.github.com/actions/reference/environment-variables) documentation. Anything a later step prints from those variables ends up in the job log, so never echo them in real workflows.

### Common workflows
On any workflow you will need to do the following:
1. Store your secrets in a JSON file. *Warning:* Do not commit this file in your repository; add it to `.gitignore` so it cannot be committed by accident.
2. Encrypt your JSON file with `gpg` symmetric encryption using a long, randomly generated passphrase. For example:
```shell
gpg --symmetric --cipher-algo AES256 secrets.json
```
3. Place and commit the generated `gpg` file (e.g., `secrets.json.gpg`) in your repository. The recommended location is `.github/workflows/secrets.json.gpg` or `.github/workflows/secrets/beta.json.gpg`. Keep in mind that the ciphertext becomes part of the repository history: if the passphrase is ever exposed, every secret in every committed version of the file must be rotated, not just the passphrase.

#### A central secrets repository
Instead of manually setting all of your secrets in GitHub's settings, you only need to store the passphrase you used when encrypting the JSON file (as the `SECRETS_PASSPHRASE` secret in the workflow below). For example, a `secrets.json` like this (note that keys are case-sensitive and that the file must be valid JSON, with no trailing comma):
```json
{
  "PASSWORD": "cSHS4mE&vDRJqKaPO&Fi{g@JCyv3|#Y><>Mp{8KP2m<#H0DL*F",
  "passphrase": "7heGrecgc<7oYLURMR%y6y#)fEl2zWF%j%PiL$E5s$za4PtxlC"
}
```
```yaml
on: push
name: Continuous Integration
jobs:
  build:
    name: Example
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Decrypt secrets
        uses: zgosalvez/github-actions-decrypt-secrets@v3
        with:
          secrets_file: .github/workflows/secrets.json.gpg
          map: 'SECRET_PASSWORD=PASSWORD,PASSPHRASE=passphrase'
        env:
          GPG_PASSPHRASE: ${{ secrets.SECRETS_PASSPHRASE }}
      - name: Test (checks presence only; never echo real secrets into the log)
        run: |
          test -n "$SECRET_PASSWORD" && echo "SECRET_PASSWORD is set"
          test -n "$PASSPHRASE" && echo "PASSPHRASE is set"
```

#### Environment-based secrets
Another common scenario is when you need the same environment variable with a different value that depends on the environment. For example, you may have two JSON files, `beta.json.gpg` and `production.json.gpg`, selected by the branch that was pushed. The `branches` filter below limits which branch names can reach the file path; a push to any other branch does not run the job at all.
```yaml
on:
  push:
    branches:
      - beta
      - production
name: Continuous Deployment
jobs:
  build:
    name: Example
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Determine environment
        id: determine_environment
        run: echo "environment=${GITHUB_REF#refs/heads/}" >> "$GITHUB_OUTPUT"
      - name: Decrypt ${{ steps.determine_environment.outputs.environment }} secrets
        uses: zgosalvez/github-actions-decrypt-secrets@v3
        with:
          secrets_file: .github/workflows/secrets/${{ steps.determine_environment.outputs.environment }}.json.gpg
          map: 'SECRET_PASSWORD=PASSWORD,PASSPHRASE=passphrase'
        env:
          GPG_PASSPHRASE: ${{ secrets.SECRETS_PASSPHRASE }}
      - name: Test (checks presence only; never echo real secrets into the log)
        run: |
          test -n "$SECRET_PASSWORD" && echo "SECRET_PASSWORD is set"
          test -n "$PASSPHRASE" && echo "PASSPHRASE is set"
```

## License
The scripts and documentation in this project are released under the [MIT License](LICENSE.md).