mirror of
https://github.com/RWejlgaard/pez-infra.git
synced 2026-07-04 15:46:16 +00:00
The SOPS install + version, the decrypt loop, the OpenTofu version, and the Backblaze backend-credential extraction were copy-pasted across terraform.yml (twice), validate-terraform.yml, and _deploy-core.yml. A version bump meant editing the same string in up to four places and was easy to do partially.

Pull them into three local composite actions so each is defined once:

- setup-tofu (pins OpenTofu version)
- sops-decrypt (installs SOPS, decrypts *.enc.* in place)
- tofu-backend-creds (exports Backblaze S3 creds to GITHUB_ENV)

Behaviour is unchanged; sops-decrypt also matches *.enc.env everywhere (previously only _deploy-core did), which is a no-op in terraform/.
31 lines
949 B
YAML
name: SOPS decrypt
description: Install SOPS and decrypt all in-repo *.enc.* files in place (single source of truth for the SOPS version).

inputs:
  age-key:
    description: age private key for SOPS decryption (sets SOPS_AGE_KEY)
    required: true
  sops-version:
    description: SOPS version to install
    required: false
    default: "3.9.4"

runs:
  using: composite
  steps:
    - name: Install SOPS
      shell: bash
      run: |
        wget -qO /tmp/sops.deb "https://github.com/getsops/sops/releases/download/v${{ inputs.sops-version }}/sops_${{ inputs.sops-version }}_amd64.deb"
        sudo dpkg -i /tmp/sops.deb

    - name: Decrypt secrets
      shell: bash
      env:
        SOPS_AGE_KEY: ${{ inputs.age-key }}
      run: |
        find . -name '*.enc.yml' -o -name '*.enc.yaml' -o -name '*.enc.env' | while read f; do
          out="${f/.enc/}"
          sops -d "$f" > "$out"
          echo "Decrypted: $f -> $out"
        done
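The decrypt loop from the "Decrypt secrets" step above, in stand-alone form, as an added example that is not code from the pez-infra repository. It assumes `sops` is on PATH and that the caller has exported `SOPS_AGE_KEY` (the composite action does this through its `env:` block). It departs from the action in three places, each called out in a comment: the plaintext name is derived by stripping the `.enc` immediately before the extension rather than the first `.enc` anywhere in the path, a failed `sops -d` deletes the (already truncated) output file instead of leaving an empty secrets file for a later step to read, and the walk stops on the first failure; the function names `decrypted_name`, `decrypt_one` and `decrypt_tree` are this example's own.

```shell
#!/usr/bin/env sh
# Added example, not part of the pez-infra repository: a stand-alone version of
# the decrypt loop in the sops-decrypt composite action, with defensive tweaks.
# Assumes `sops` is on PATH and SOPS_AGE_KEY is exported by the caller.

# Map an encrypted file name to its plaintext name by stripping the ".enc"
# immediately before the extension. The action's "${f/.enc/}" replaces the
# FIRST ".enc" anywhere in the path, so "./dir.enc/x.enc.yml" would become
# "./dir/x.enc.yml"; this version yields "./dir.enc/x.yml".
decrypted_name() {
  ext=${1##*.}                       # yml | yaml | env
  printf '%s.%s\n' "${1%.enc.*}" "$ext"
}

# Decrypt one file. "> $out" truncates the target before sops runs, so on
# failure the empty/partial plaintext is removed rather than left for a later
# step (e.g. tofu) to consume silently.
decrypt_one() {
  out=$(decrypted_name "$1")
  if sops -d "$1" > "$out"; then
    echo "Decrypted: $1 -> $out"
  else
    rm -f "$out"
    echo "FAILED: $1 (no plaintext written)" >&2
    return 1
  fi
}

# Walk a tree and decrypt every *.enc.yml, *.enc.yaml and *.enc.env in place.
# - \( \) groups the -name alternatives explicitly instead of relying on find's
#   implicit -print around the whole expression;
# - IFS= read -r keeps paths with spaces and backslashes intact;
# - umask 077 makes the plaintext files owner-readable only;
# - exit 1 inside the loop subshell makes the pipeline, and so the function,
#   fail on the first bad file instead of continuing.
decrypt_tree() {
  root=${1:-.}
  find "$root" \( -name '*.enc.yml' -o -name '*.enc.yaml' -o -name '*.enc.env' \) -type f |
  while IFS= read -r f; do
    umask 077
    decrypt_one "$f" || exit 1
  done
}

# Usage: sh decrypt-secrets.sh --run [dir]
# Without --run the script only defines the functions (so it can be sourced).
if [ "${1-}" = "--run" ]; then
  decrypt_tree "${2:-.}"
fi
```

Dropping this in for the action's loop would change one observable thing: a repository path containing `.enc` somewhere other than the file suffix now decrypts to the intended sibling file instead of a path under a renamed directory; for the `terraform/` tree the commit describes, where `.enc` appears only in file names, the two behave identically.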