0

I'm trying to use Github Actions for CI. I've created some secrets in repository on GitHub and encrypt some files in sources with a git-secret tool. In the end, I wrote netx yml-script as action for github


    build:

        runs-on: ubuntu-latest

        steps:

            - name: Checkout sources
              uses: actions/checkout@v2

            - name: Configure GPG Key
              uses: crazy-max/ghaction-import-gpg@v3
              with:
                gpg-private-key: ${{ secrets.GPG_SIGNING_KEY }}
                passphrase: ${{ secrets.SECRET_PWD }}
                git-user-signingkey: true
                git-commit-gpgsign: true

            - name: Reveal secrets
              env:
                SECRET_PWD: ${{ secrets.SECRET_PWD }}
              run: |
                sudo apt install git-secret                     
                git secret tell my@email.com                
                git secret reveal -p $(echo $SECRET_PWD | sed 's/./& /g')
            - name: Build images
              run: docker-compose build

I suppose this described next pipeline:

  1. Checkout current branch
  2. Install required tools for gpg with a PK (gpg key?) and PWD
  3. Add user with email from PK to white list
  4. Decrypt .secret files
  5. And finally build docker images.

Am I right?

My problem is steps 3-4. I've got an error in logs

> Setting up git-secret (0.2.3-1) ...
> Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
> done. my@email.com added as someone who know(s) the secret.
> cleaning up...
> Error: Process completed with exit code 1.

I've checked my solution on local machine (linux) and it works like a charm. Well, maybe someone knows where is my mistake in yml-script?

Midas74
  • 13
  • 3

1 Answers1

0

I would guess that the problem is the "git secret tell" line. The "tell" step needs to be done in advance by someone else (you) who already has the authority to reveal the secrets. From the documentation:

Now add this person to your secrets repo by running git secret tell persons@email.id (this will be the email address associated with the public key)

The newly added user cannot yet read the encrypted files. Now, re-encrypt the files using git secret reveal; git secret hide -d, and then commit and push the newly encrypted files.

It looks like the "git secret reveal" step failed. Did you re-encrypt and push the secret files after calling "git secret tell my@email.com" locally?

In the github action itself, you don't need to run the "tell" step again.

chamer81
  • 1
  • Hi. Yep, it was totally my mistake. I connected to developers and we discussed the problem. First of all, they recommended use git-secret from source. In my case - I shouldn't call "git secret tell", only "git secret reveal -p ${{ secrets.SECRET_PWD }}". – Midas74 Apr 02 '21 at 17:26
  • I am wondering why files needs to be re-encrypted, whereas GPG supports adding new keys without need of touching the content. It's the symmetric key gets reencrypted: https://stackoverflow.com/a/597200/2263395 Does adding new keys have storage implications with git secret? – Tom Raganowicz Apr 05 '22 at 15:52