Switch mirror workflow to fetch secrets from Infisical

Replace hardcoded GitHub secrets (GITEA_TOKEN, GITEA_USERNAME) with
Infisical secret injection via CF Access service token. Only
INFISICAL_CLIENT_ID, INFISICAL_CLIENT_SECRET, and CF Access
credentials remain as GitHub secrets.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Jeff Emmett 2026-04-10 21:33:34 -04:00
parent abb4ea928a
commit 81af9cc6a7
1 changed files with 24 additions and 4 deletions


@ -16,13 +16,33 @@ jobs:
with: with:
fetch-depth: 0 fetch-depth: 0
- name: Mirror to Gitea - name: Fetch secrets from Infisical
env: env:
GITEA_TOKEN: ${{ secrets.GITEA_TOKEN }} INFISICAL_CLIENT_ID: ${{ secrets.INFISICAL_CLIENT_ID }}
GITEA_USERNAME: ${{ secrets.GITEA_USERNAME }} INFISICAL_CLIENT_SECRET: ${{ secrets.INFISICAL_CLIENT_SECRET }}
CF_ACCESS_CLIENT_ID: ${{ secrets.CF_ACCESS_CLIENT_ID }}
CF_ACCESS_CLIENT_SECRET: ${{ secrets.CF_ACCESS_CLIENT_SECRET }}
run: |
# Authenticate with Infisical (via Cloudflare Access service token)
ACCESS_TOKEN=$(curl -sf -X POST "https://secrets.jeffemmett.com/api/v1/auth/universal-auth/login" \
-H "CF-Access-Client-Id: ${CF_ACCESS_CLIENT_ID}" \
-H "CF-Access-Client-Secret: ${CF_ACCESS_CLIENT_SECRET}" \
-H "Content-Type: application/json" \
-d "{\"clientId\":\"${INFISICAL_CLIENT_ID}\",\"clientSecret\":\"${INFISICAL_CLIENT_SECRET}\"}" \
| jq -r '.accessToken')
# Fetch secrets and export as env vars
SECRETS=$(curl -sf "https://secrets.jeffemmett.com/api/v3/secrets/raw?workspaceSlug=github-mirrors&environment=prod&secretPath=/&recursive=true" \
-H "CF-Access-Client-Id: ${CF_ACCESS_CLIENT_ID}" \
-H "CF-Access-Client-Secret: ${CF_ACCESS_CLIENT_SECRET}" \
-H "Authorization: Bearer ${ACCESS_TOKEN}")
# Export each secret to GITHUB_ENV for subsequent steps
echo "$SECRETS" | jq -r '.secrets[] | "\(.secretKey)=\(.secretValue)"' >> "$GITHUB_ENV"
- name: Mirror to Gitea
run: | run: |
REPO_NAME=$(basename $GITHUB_REPOSITORY) REPO_NAME=$(basename $GITHUB_REPOSITORY)
git remote add gitea https://$GITEA_USERNAME:$GITEA_TOKEN@gitea.jeffemmett.com/jeffemmett/$REPO_NAME.git || true git remote add gitea https://$GITEA_USERNAME:$GITEA_TOKEN@gitea.jeffemmett.com/jeffemmett/$REPO_NAME.git || true
git push gitea --all --force git push gitea --all --force
git push gitea --tags --force git push gitea --tags --force
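Review bot: The values appended to `$GITHUB_ENV` on the `echo "$SECRETS" | jq -r ... >> "$GITHUB_ENV"` line are never registered with the runner's log masking, so once GITEA_TOKEN stops being a GitHub secret it is printed in clear if any later step surfaces it — the `git remote add gitea https://$GITEA_USERNAME:$GITEA_TOKEN@...` line in the next step embeds it in a URL that git may echo in its own error output. Each value should be passed through `::add-mask::` before it is exported, and the export should use the `KEY<<EOF` heredoc form, because a value containing a newline would otherwise be read as extra environment lines. The login pipeline has a related gap: `jq -r '.accessToken'` yields the literal string `null` when the response carries no token, and unless the step sets `shell: bash` (which enables pipefail) a failed `curl` inside that pipeline is not fatal, so a `set -o pipefail` plus a `[ -n "$ACCESS_TOKEN" ] && [ "$ACCESS_TOKEN" != null ]` check before the second request would make failures explicit. The enclosing job definition starts before this hunk.
```yaml
          run: |
            set -o pipefail
            # … unchanged: Infisical login and secrets fetch …
            # Export each secret to GITHUB_ENV for subsequent steps. Values fetched at
            # runtime are not auto-masked, so register each one with ::add-mask:: first,
            # and use the heredoc form so a multi-line value cannot inject extra env lines.
            echo "$SECRETS" | jq -r '.secrets[] | "\(.secretKey) \(.secretValue | @base64)"' |
            while read -r key b64; do
              value=$(printf '%s' "$b64" | base64 -d)
              echo "::add-mask::${value}"
              printf '%s<<__SECRET_EOF__\n%s\n__SECRET_EOF__\n' "$key" "$value" >> "$GITHUB_ENV"
            done
```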