I'm trying to use GitHub Actions for CI. I've created some secrets in the repository on GitHub and encrypted some files in the sources with the git-secret tool. In the end, I wrote the following YAML script as a GitHub action:
```yaml
build:
  runs-on: ubuntu-latest
  steps:
    - name: Checkout sources
      uses: actions/checkout@v2
    - name: Configure GPG Key
      uses: crazy-max/ghaction-import-gpg@v3
      with:
        gpg-private-key: ${{ secrets.GPG_SIGNING_KEY }}
        passphrase: ${{ secrets.SECRET_PWD }}
        git-user-signingkey: true
        git-commit-gpgsign: true
    - name: Reveal secrets
      env:
        SECRET_PWD: ${{ secrets.SECRET_PWD }}
      run: |
        sudo apt install git-secret
        git secret tell [email protected]
        git secret reveal -p $(echo $SECRET_PWD | sed 's/./& /g')
    - name: Build images
      run: docker-compose build
```
I suppose this describes the following pipeline:
- Checkout the current branch
- Install the required tools for GPG with a PK (GPG key?) and PWD
- Add the user with the email from the PK to the whitelist
- Decrypt the .secret files
- And finally build the Docker images.
Am I right?
My problem is in steps 3-4. I've got an error in the logs:
> Setting up git-secret (0.2.3-1) ...
> Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
> done. [email protected] added as someone who know(s) the secret.
> cleaning up...
> Error: Process completed with exit code 1.
I've checked my solution on a local machine (Linux) and it works like a charm. Well, maybe someone knows where my mistake in the YAML script is?
I would guess that the problem is the "git secret tell" line. The "tell" step needs to be done in advance by someone else (you) who already has the authority to reveal the secrets. From the documentation:
It looks like the "git secret reveal" step failed. Did you re-encrypt and push the secret files after calling "git secret tell [email protected]" locally?
In the github action itself, you don't need to run the "tell" step again.
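To make the advice above concrete, here is an added example of how the "Reveal secrets" step looks once the one-time `tell` is moved out of CI (this is my illustration, not code from the question, the git-secret project, or the import-gpg action; the action inputs and secret names are the ones used in the question, and the local commands in the comments assume the key being told is the same GPG key later imported into the runner):

```yaml
# One-time, on a developer machine that already holds a key allowed to reveal:
#   git secret tell [email protected]   # add the CI key's e-mail to the keyring
#   git secret hide                     # re-encrypt every .secret file for the new keyring
#   git add . && git commit -m "Re-encrypt secrets for CI key" && git push
# Only after that push can the CI runner decrypt the files with its own key.

build:
  runs-on: ubuntu-latest
  steps:
    - name: Checkout sources
      uses: actions/checkout@v2

    - name: Configure GPG Key
      uses: crazy-max/ghaction-import-gpg@v3
      with:
        # Private key of the identity that was told locally (see comment above).
        gpg-private-key: ${{ secrets.GPG_SIGNING_KEY }}
        passphrase: ${{ secrets.SECRET_PWD }}

    - name: Reveal secrets
      env:
        SECRET_PWD: ${{ secrets.SECRET_PWD }}
      run: |
        sudo apt install -y git-secret
        # No "git secret tell" here: the runner only decrypts what was already
        # encrypted for its key. Telling in CI modifies the keyring but does not
        # re-encrypt the committed .secret files, so reveal still fails.
        git secret reveal -p "$SECRET_PWD"
        # Sanity check that the decrypted files now exist before building.
        git secret list | sed 's/\.secret$//' | xargs -I{} test -f {}

    - name: Build images
      run: docker-compose build
```

The last `sed | xargs` line fails the step early if any listed secret file was not revealed, which gives a clearer error than a later build failure.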