pez-infra/.github/actions/sops-decrypt/action.yml
Rasmus "Pez" Wejlgaard 87439d47b8
ci: extract shared SOPS/tofu steps into composite actions (#135)
The SOPS install + version, the decrypt loop, the OpenTofu version, and
the Backblaze backend-credential extraction were copy-pasted across
terraform.yml (twice), validate-terraform.yml, and _deploy-core.yml.
A version bump meant editing the same string in up to four places and
was easy to do partially.

Pull them into three local composite actions so each is defined once:
  - setup-tofu          (pins OpenTofu version)
  - sops-decrypt        (installs SOPS, decrypts *.enc.* in place)
  - tofu-backend-creds  (exports Backblaze S3 creds to GITHUB_ENV)

Behaviour is unchanged; sops-decrypt also matches *.enc.env everywhere
(previously only _deploy-core did), which is a no-op in terraform/.
2026-06-18 20:27:54 +01:00


name: SOPS decrypt
description: Install SOPS and decrypt all in-repo *.enc.* files in place (single source of truth for the SOPS version).
inputs:
  age-key:
    description: age private key for SOPS decryption (sets SOPS_AGE_KEY)
    required: true
  sops-version:
    description: SOPS version to install
    required: false
    default: "3.9.4"
runs:
  using: composite
  steps:
    - name: Install SOPS
      shell: bash
      run: |
        # Pinned release .deb (amd64 only); the download is not checksum-verified here.
        wget -qO /tmp/sops.deb "https://github.com/getsops/sops/releases/download/v${{ inputs.sops-version }}/sops_${{ inputs.sops-version }}_amd64.deb"
        sudo dpkg -i /tmp/sops.deb
    - name: Decrypt secrets
      shell: bash
      env:
        SOPS_AGE_KEY: ${{ inputs.age-key }}
      run: |
        # NUL-delimited so paths with spaces survive; ".enc" is stripped from the
        # basename only, so a directory with ".enc" in its name is left untouched.
        find . -type f \( -name '*.enc.yml' -o -name '*.enc.yaml' -o -name '*.enc.env' \) -print0 |
          while IFS= read -r -d '' f; do
            base="${f##*/}"
            out="${f%/*}/${base/.enc./.}"
            sops -d "$f" > "$out"
            echo "Decrypted: $f -> $out"
          done
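A hardened stand-in for the loop in the "Decrypt secrets" step, added here as an example and not part of the repository. It keeps the same three patterns and the same naming rule (foo.enc.yml becomes foo.yml) but writes each plaintext to a 0600 temp file and renames it into place, so a failed `sops -d` leaves no partial plaintext behind; `SOPS_BIN` is an assumption of this example so the decrypter can be substituted for testing.

```shell
#!/usr/bin/env bash
# Hardened variant of the action's decrypt loop (added example, not the repo's
# code). Same file patterns and naming rule (foo.enc.yml -> foo.yml), plus:
# NUL-safe iteration, ".enc" stripped from the basename only (a directory
# named *.enc* is left alone), and plaintext written to a 0600 temp file that
# is renamed into place, so a failed decryption leaves no partial plaintext.
set -euo pipefail

# SOPS_BIN is an assumption of this example so a test can substitute a fake.
SOPS_BIN="${SOPS_BIN:-sops}"

# Map an encrypted path to its plaintext path by editing the basename only.
plaintext_path() {
  local f="$1" dir base
  dir="${f%/*}"; base="${f##*/}"
  [ "$dir" != "$f" ] || dir="."        # bare filename: no directory part
  printf '%s/%s\n' "$dir" "${base/.enc./.}"
}

# Decrypt one file; mktemp creates the temp 0600 so the plaintext is never
# world-readable, and mv within the same directory is atomic.
decrypt_one() {
  local f="$1" out tmp
  out="$(plaintext_path "$f")"
  tmp="$(mktemp "$out.XXXXXX")"
  if ! "$SOPS_BIN" -d "$f" > "$tmp"; then
    rm -f "$tmp"
    echo "Failed: $f" >&2
    return 1
  fi
  mv -f "$tmp" "$out"
  echo "Decrypted: $f -> $out" >&2
}

# Decrypt every *.enc.yml / *.enc.yaml / *.enc.env under DIR (default .),
# skipping .git. Prints the number of files decrypted; fails on the first error.
decrypt_tree() {
  local dir="${1:-.}" n=0 f
  while IFS= read -r -d '' f; do
    decrypt_one "$f" || return 1
    n=$((n + 1))
  done < <(find "$dir" -path '*/.git' -prune -o -type f \
             \( -name '*.enc.yml' -o -name '*.enc.yaml' -o -name '*.enc.env' \) -print0)
  echo "$n"
}
```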