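---
# Mirrors this repository to a self-hosted Gitea instance on every push to the
# default branch (or on manual dispatch). Gitea credentials are not stored as
# GitHub secrets; they are fetched at run time from an Infisical instance that
# sits behind Cloudflare Access.
name: Mirror to Gitea

on:
  push:
    branches:
      - main
      - master
  workflow_dispatch:

# Least privilege: the job only reads this repository. The push to Gitea
# authenticates with the Gitea token, not with GITHUB_TOKEN.
permissions:
  contents: read

jobs:
  mirror:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        # A tag ref is mutable; consider pinning to the full commit SHA of the
        # release you reviewed.
        uses: actions/checkout@v4
        with:
          # Full history is required so the mirror receives every commit.
          fetch-depth: 0
          # Later steps never talk to GitHub, so do not leave GITHUB_TOKEN in
          # the checkout's git config.
          persist-credentials: false

      - name: Fetch secrets from Infisical
        env:
          INFISICAL_CLIENT_ID: ${{ secrets.INFISICAL_CLIENT_ID }}
          INFISICAL_CLIENT_SECRET: ${{ secrets.INFISICAL_CLIENT_SECRET }}
          CF_ACCESS_CLIENT_ID: ${{ secrets.CF_ACCESS_CLIENT_ID }}
          CF_ACCESS_CLIENT_SECRET: ${{ secrets.CF_ACCESS_CLIENT_SECRET }}
        run: |
          # Without pipefail a failed curl is hidden behind jq's exit status
          # and the step would continue with an empty or "null" token.
          set -euo pipefail

          # Build the login body with jq so that quotes or backslashes in the
          # credentials cannot break or alter the JSON document.
          LOGIN_BODY=$(jq -n \
            --arg id "${INFISICAL_CLIENT_ID}" \
            --arg secret "${INFISICAL_CLIENT_SECRET}" \
            '{clientId: $id, clientSecret: $secret}')

          # Authenticate with Infisical (via Cloudflare Access service token).
          # jq -e fails the step when .accessToken is missing or null.
          ACCESS_TOKEN=$(curl -sf -X POST "https://secrets.jeffemmett.com/api/v1/auth/universal-auth/login" \
            -H "CF-Access-Client-Id: ${CF_ACCESS_CLIENT_ID}" \
            -H "CF-Access-Client-Secret: ${CF_ACCESS_CLIENT_SECRET}" \
            -H "Content-Type: application/json" \
            -d "${LOGIN_BODY}" \
            | jq -er '.accessToken')
          # Values obtained at run time are not masked automatically.
          echo "::add-mask::${ACCESS_TOKEN}"

          # Fetch the secrets of the github-mirrors workspace.
          SECRETS=$(curl -sf "https://secrets.jeffemmett.com/api/v3/secrets/raw?workspaceSlug=github-mirrors&environment=prod&secretPath=/&recursive=true" \
            -H "CF-Access-Client-Id: ${CF_ACCESS_CLIENT_ID}" \
            -H "CF-Access-Client-Secret: ${CF_ACCESS_CLIENT_SECRET}" \
            -H "Authorization: Bearer ${ACCESS_TOKEN}")

          # Export only the variables the mirror step reads. Writing every
          # returned key/value pair to GITHUB_ENV would let anyone with write
          # access to the secret store set arbitrary environment variables for
          # the rest of the job, and a value containing a newline could inject
          # additional entries into the file.
          for KEY in GITEA_USERNAME GITEA_TOKEN; do
            VALUE=$(jq -er --arg key "${KEY}" \
              '.secrets[] | select(.secretKey == $key) | .secretValue' <<<"${SECRETS}")
            if [[ -z "${VALUE}" || "${VALUE}" == *$'\n'* ]]; then
              echo "::error::Secret ${KEY} is empty, duplicated, or spans multiple lines"
              exit 1
            fi
            # Register the value with the log masker before it is used.
            echo "::add-mask::${VALUE}"
            printf '%s=%s\n' "${KEY}" "${VALUE}" >> "${GITHUB_ENV}"
          done

      - name: Mirror to Gitea
        run: |
          set -euo pipefail

          # Fail early with a clear message if the previous step exported nothing.
          : "${GITEA_USERNAME:?GITEA_USERNAME was not exported by the previous step}"
          : "${GITEA_TOKEN:?GITEA_TOKEN was not exported by the previous step}"

          REPO_NAME=$(basename "${GITHUB_REPOSITORY}")

          # Keep the credentials out of the remote URL: a URL with an embedded
          # token is written to .git/config and can be echoed in git error
          # output. The helper below reads them from the environment only when
          # git asks, and is scoped to the Gitea host.
          git remote add gitea "https://gitea.jeffemmett.com/jeffemmett/${REPO_NAME}.git" || true
          git config credential.https://gitea.jeffemmett.com.helper \
            '!f() { echo "username=${GITEA_USERNAME}"; echo "password=${GITEA_TOKEN}"; }; f'

          # Force pushes are intentional: the Gitea copy is a mirror and is
          # overwritten to match this repository.
          git push gitea --all --force
          git push gitea --tags --force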