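# .github/workflows/sops-onboard.yml
#
# When a PR changes keys/*.asc, rebuild .sops.yaml and re-encrypt the
# .env.enc files for the new recipient set, then push the result back
# onto the PR branch.
#
# Trust model: this runs on pull_request_target, which carries secrets and
# write access, and it checks out AND executes code (scripts/update-sops.sh)
# from the PR head. The job-level `if:` (same-repo PRs only) is what keeps
# fork contributors away from that path; do not relax it without first
# moving the script execution to the base branch.
permissions:
  contents: write  # needed to push changes back to the PR branch

name: Refresh SOPS config (in-PR)

on:
  pull_request_target:
    types: [opened, synchronize]
    paths:
      - "keys/*.asc"

jobs:
  rebuild-secrets:
    runs-on: ubuntu-latest
    # only run on PRs from this repo (not untrusted forks)
    if: github.event.pull_request.head.repo.full_name == github.repository
    steps:
      # 1) Check out the contributor's branch with write access
      #    (consider pinning the action to a commit SHA rather than a tag)
      - name: Checkout PR branch
        uses: actions/checkout@v3
        with:
          ref: ${{ github.event.pull_request.head.ref }}
          persist-credentials: true  # the token is reused by the push step below

      # 2) Install sops so the runner can run your script
      - name: Install sops
        run: |
          SOPS_VERSION=3.10.2
          curl -fsSL \
            -o sops \
            "https://github.com/mozilla/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.linux.amd64"
          # TODO(review): verify the download against the checksum published
          # with the release (e.g. sha256sum -c) before installing it, so a
          # tampered asset never reaches the private key imported below.
          chmod +x sops
          sudo mv sops /usr/local/bin/
          sops --version

      # 3) Capture the runner's TTY for GPG
      #    NOTE(review): hosted runners are non-interactive, so `tty` most
      #    likely reports "not a tty"; the value is passed through unchanged.
      - id: tty
        run: echo "tty=$(tty)" >> "$GITHUB_OUTPUT"

      # 4) Import the CI GPG private key (no passphrase needed)
      #    The secret is handed over via the environment instead of being
      #    expanded into the script text, so its contents are never parsed
      #    as shell syntax and do not end up in the generated script.
      - name: Import CI's GPG key
        env:
          GPG_TTY: ${{ steps.tty.outputs.tty }}
          CI_GPG_PRIVATE: ${{ secrets.CI_GPG_PRIVATE }}
        run: |
          printf '%s\n' "$CI_GPG_PRIVATE" \
            | gpg --batch --import

      # 5) Import all teammates' public keys
      - name: Import all teammates' public keys
        shell: bash
        run: |
          shopt -s nullglob
          key_files=(keys/*.asc)
          if [ ${#key_files[@]} -eq 0 ]; then
            echo "⚠️ No public keys found in keys/*.asc — skipping import."
            exit 0
          fi
          for pub in "${key_files[@]}"; do
            echo "🔑 Importing $pub"
            gpg --batch --import "$pub"
          done

      # 6) Rebuild .sops.yaml and re-encrypt .env → .env.enc
      #    This script comes from the PR head checked out in step 1; the
      #    same-repo guard on the job is what makes running it acceptable.
      - name: Rebuild SOPS config & re-encrypt
        run: |
          bash scripts/update-sops.sh

      # 7) Commit & push the updates back into the PR branch
      #    The branch name is read from an env var rather than interpolated
      #    into the script, so an unusual ref name cannot alter the command.
      - name: Commit & push changes
        env:
          HEAD_REF: ${{ github.event.pull_request.head.ref }}
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add .sops.yaml
          # -exec … + keeps paths intact even if they contain whitespace
          find . -type f -name '.env.enc' -exec git add {} +
          if git diff --cached --quiet; then
            echo "✅ No changes to commit"
          else
            git commit -m "ci: refresh SOPS config & re-encrypt"
            git push origin "HEAD:${HEAD_REF}"
          fi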