reset #18
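# .github/workflows/sops-onboard.yml
#
# Re-encrypt the SOPS-protected .env.enc whenever a teammate's public key is
# added under keys/, and open a PR carrying the refreshed .sops.yaml / .env.enc.
#
# Trust model — read before changing the trigger:
# This job holds a private key (CI_GPG_PRIVATE) that can DECRYPT .env.enc, and
# it re-encrypts the plaintext to every key found in keys/*.asc. The result is
# pushed to a branch of this repository, so any key that reaches keys/ on a
# triggering branch gains access to the secrets the moment the job runs —
# before anyone reviews the resulting PR. The only effective review gate is the
# one in front of the key landing on `main`; do not widen `branches` below.
name: Refresh SOPS config

on:
  push:
    # Restrict to main: the original had no branch filter, so a push of a
    # keys/*.asc file to ANY branch re-encrypted the secrets to that key.
    branches:
      - main
    paths:
      - "keys/*.asc"

# Least privilege for GITHUB_TOKEN: create-pull-request needs to push a branch
# (contents) and open the PR (pull-requests). Nothing else is granted.
permissions:
  contents: write
  pull-requests: write

jobs:
  rebuild-secrets:
    runs-on: ubuntu-latest
    # An explicit `bash` shell runs with `-eo pipefail`, so a failing command
    # inside a pipeline fails the step instead of being masked.
    defaults:
      run:
        shell: bash
    steps:
      # 1) Checkout the repo.
      # TODO(security): pin third-party actions to a full-length commit SHA
      # (`owner/action@<sha>  # vN`) rather than a mutable tag. This job holds a
      # decryption key, so a hijacked tag is a direct secret leak.
      - uses: actions/checkout@v3

      # 2) Install sops, verifying the download against the release checksums.
      #    sops moved from mozilla/sops to getsops/sops; 3.10.x is published
      #    there. Note that the checksums file comes from the same origin as the
      #    binary, so this protects against a tampered transfer, not against a
      #    compromised release — cosign verification of the checksums would be
      #    the stronger step if the threat model warrants it.
      - name: Install sops
        env:
          SOPS_VERSION: "3.10.2"
        run: |
          base="https://github.com/getsops/sops/releases/download/v${SOPS_VERSION}"
          bin="sops-v${SOPS_VERSION}.linux.amd64"
          sums="sops-v${SOPS_VERSION}.checksums.txt"
          curl -fsSL -o "${bin}" "${base}/${bin}"
          curl -fsSL -o "${sums}" "${base}/${sums}"
          # --ignore-missing: the checksums file lists every platform artefact;
          # only the one we fetched is present. It exits non-zero if nothing
          # was verified, so this fails closed.
          sha256sum --check --ignore-missing "${sums}"
          sudo install -m 0755 "${bin}" /usr/local/bin/sops
          # Remove the downloads so they cannot be swept into the PR commit.
          rm -f "${bin}" "${sums}"
          sops --version

      # 3) Import the CI GPG private key.
      #    The key has no passphrase, so with --batch nothing prompts and the
      #    original GPG_TTY / `tty` capture step (which also used the
      #    deprecated ::set-output command) is unnecessary and has been dropped.
      #    The key is piped from an env var instead of being written to
      #    ci.key.asc inside the checkout: create-pull-request adds every
      #    new/modified file by default, which would have committed the
      #    private key to the PR branch.
      - name: Import CI's GPG key
        env:
          CI_GPG_PRIVATE: ${{ secrets.CI_GPG_PRIVATE }}
        run: |
          if [ -z "${CI_GPG_PRIVATE}" ]; then
            echo "::error::CI_GPG_PRIVATE secret is not set"
            exit 1
          fi
          printf '%s\n' "${CI_GPG_PRIVATE}" | gpg --batch --import

      # 4) Import all teammates' public keys so sops can encrypt to them.
      #    nullglob keeps the loop from passing the literal pattern to gpg if
      #    keys/ is empty; an empty set is treated as an error since there would
      #    be no recipients to re-encrypt to.
      - name: Import all teammates' public keys
        run: |
          shopt -s nullglob
          pubs=(keys/*.asc)
          if [ "${#pubs[@]}" -eq 0 ]; then
            echo "::error::no public keys found under keys/"
            exit 1
          fi
          for pub in "${pubs[@]}"; do
            echo "🔑 Importing $pub"
            gpg --batch --import "$pub"
          done

      # 5) Rebuild .sops.yaml and re-encrypt .env → .env.enc.
      #    Invoked via `bash`, so no chmod +x step is needed. The script is
      #    presumed to decrypt with the CI key, so a plaintext .env may exist in
      #    the workspace from here on — see add-paths below.
      - name: Rebuild SOPS config & re-encrypt
        run: bash scripts/update-sops.sh

      # 6) Open a PR against main with ONLY the two files this job is meant to
      #    change. `add-paths` overrides the action's default of adding every
      #    new/modified file, which would also sweep in a plaintext .env left
      #    behind by the script or anything else lying in the workspace.
      #    Reviewers should confirm the recipient fingerprint(s) added to
      #    .sops.yaml match the key(s) that were merged into keys/.
      - name: Create Pull Request with updated env
        uses: peter-evans/create-pull-request@v5
        with:
          # A descriptive branch name
          branch: sops/update-env-${{ github.sha }}
          # What base branch to target
          base: main
          add-paths: |
            .sops.yaml
            .env.enc
          title: "chore: re-encrypt env for new teammate"
          body: |
            This PR was auto-generated by the SOPS onboarding workflow.
            It updates `.sops.yaml` and re-encrypts `.env.enc` to include the new
            public key(s) under `keys/*.asc`.
          # You can auto-assign reviewers or labels if you like:
          reviewers: "lstsk"
          labels: "ci,sops"
          commit-message: "chore: re-encrypt env for new teammate"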