
I’m in the initial stages of building a simple automated deploy pipeline. One of the steps I’d like to implement would be setting the GitHub Actions secrets in bulk, since I have many of them in my project. Note: I’m a newbie in DevOps and bash scripts.

  • Terminal: I’m using Git Bash;
  • OS: I’m using Windows 10; however, I’d like the same script to work in Windows and Linux/Unix terminals.

Up till now, this is what I’ve got:

```bash
REPO_OWNER="your-username"
REPO_NAME="your-repo"
GITHUB_TOKEN="your-personal-access-token"

# Function to get the latest public key.
get_public_key() {
  local response
  response=$(curl -s -X GET \
    -H "Authorization: token $GITHUB_TOKEN" \
    -H "Accept: application/vnd.github.v3+json" \
    "https://api.github.com/repos/$REPO_OWNER/$REPO_NAME/actions/secrets/public-key")
  # Prints the key on the first line and the key_id on the second.
  echo "$response" | jq -r '.key,.key_id'
}

# Associative array of secrets and their values.
declare -A secrets
secrets["SECRET1_TEST"]="value1"
secrets["SECRET2_TEST"]="value2"
secrets["SECRET3_TEST"]="value3"

# Get the latest public key (first word: key, second word: key_id).
public_key_info=($(get_public_key))
public_key="${public_key_info[0]}"
key_id="${public_key_info[1]}"

for secret in "${!secrets[@]}"; do
  # Get the secret value from the associative array.
  secret_value="${secrets[$secret]}"

  # Encrypt the secret using the public key (this is the step that prints the
  # pkeyutl error shown below and leaves encrypted_value empty).
  encrypted_value=$(echo -n "$secret_value" | openssl pkeyutl -encrypt -pubin -inkey <(echo "$public_key") | openssl enc -base64 -A)

  # Set the secret using the GitHub API.
  curl -X PUT \
    -H "Authorization: token $GITHUB_TOKEN" \
    -H "Accept: application/vnd.github.v3+json" \
    "https://api.github.com/repos/$REPO_OWNER/$REPO_NAME/actions/secrets/$secret" \
    -d "{\"encrypted_value\":\"$encrypted_value\",\"key_id\":\"$key_id\"}"
done
```

When running this script, I get the following error:

```
Could not open file or uri for loading public key from /proc/1885/fd/63: No such file or directory
pkeyutl: Error initializing context
{
  "message": "Invalid request.\n\n does not match /^(?:[A-Za-z0-9+\\/]{4})*(?:[A-Za-z0-9+\\/]{2}==|[A-Za-z0-9+\\/]{3}=|[A-Za-z0-9+\\/]{4})$/.",
  "documentation_url": "https://docs.github.com/rest/actions/secrets#create-or-update-a-repository-secret"
}
```

Any ideas about what could be wrong with the script? Or any suggestions for another approach?

Edit (debugging): I’m debugging the script. It seems that encrypted_value is printing empty.
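No answer was posted in this thread. The script fails at two independent points, and the added example below (written for this edit; it is neither the asker's code nor an official GitHub script) shows a way around both. The first error, `Could not open file or uri ... /proc/1885/fd/63`, comes from `<(echo "$public_key")`: bash process substitution hands openssl a `/proc/<pid>/fd/<n>` path which, as that line shows, openssl cannot open under git bash, so `encrypted_value` stays empty and the API rejects the empty string as not being base64 (the regex in the second error). The second problem would remain even on Linux: the key the `public-key` endpoint returns is a base64-encoded libsodium (X25519) public key, not a PEM file, and GitHub requires the value to be encrypted as a libsodium sealed box, which `openssl pkeyutl` cannot produce. The example therefore delegates the key fetch and the encryption to the official `gh` CLI, keeps the secrets out of the script in a dotenv-style file, validates every name before anything is uploaded (the trailing space in `"SECRET2_TEST "` is exactly the kind of typo this catches), and feeds each value on stdin so it never appears in a process listing or shell history. The `gh` CLI, the repository slug and the file name `secrets.env` are assumptions, not things the question states.

```shell
#!/usr/bin/env bash
# Added example, not code from the question: bulk-set GitHub Actions secrets
# from a dotenv-style file, portably across git bash on Windows and Linux/macOS.
# The libsodium sealed-box encryption that the API requires is delegated to the
# official `gh` CLI, so no openssl, jq or process substitution is needed.
# Assumptions: `gh` is installed and logged in (`gh auth login`), and the input
# file (e.g. secrets.env, a constructed name) holds one NAME=value per line.
set -eu

# Check a secret name against GitHub's rules: letters, digits and underscores
# only, not starting with a digit, not starting with GITHUB_. A stray space,
# as in "SECRET2_TEST ", is rejected here instead of ending up inside the
# request URL. Returns 0 for a valid name, 1 otherwise.
valid_secret_name() {
  case "$1" in
    "")                return 1 ;;
    GITHUB_*)          return 1 ;;
    [0-9]*)            return 1 ;;
    *[!A-Za-z0-9_]*)   return 1 ;;
  esac
  return 0
}

# Print every valid NAME<TAB>value pair from the file, skipping blank lines
# and # comments. Lines without "=" or with an invalid name are reported on
# stderr and make the function return 1, so a file with a typo uploads nothing.
parse_secrets_file() {
  local file="$1" status=0 line name value
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ''|'#'*) continue ;;
      *=*)     ;;
      *)       printf 'malformed line (no "="): %s\n' "$line" >&2; status=1; continue ;;
    esac
    name="${line%%=*}"      # text before the first "="
    value="${line#*=}"      # everything after it, so values may contain "="
    if valid_secret_name "$name"; then
      printf '%s\t%s\n' "$name" "$value"
    else
      printf 'invalid secret name: "%s"\n' "$name" >&2
      status=1
    fi
  done < "$file"
  return "$status"
}

# Upload each pair. `gh secret set` fetches the repository public key and does
# the sealed-box encryption itself; the value is fed on stdin rather than as an
# argument, so it never appears in the process list or shell history.
set_secrets() {
  local repo="$1" file="$2" pairs tab name value
  pairs=$(parse_secrets_file "$file") || return 1
  tab=$(printf '\t')
  printf '%s\n' "$pairs" | while IFS="$tab" read -r name value; do
    [ -n "$name" ] || continue
    printf '%s' "$value" | gh secret set "$name" --repo "$repo"
    echo "set $name"
  done
}

# Usage: ./set-secrets.sh OWNER/REPO secrets.env
if [ "$#" -eq 2 ]; then
  set_secrets "$1" "$2"
fi
```

Run it as `./set-secrets.sh your-username/your-repo secrets.env`. `gh secret set` also accepts `--env-file secrets.env` (short form `-f`) to load a whole dotenv file in one call; the explicit loop is kept here so that name validation runs before any upload and each failure is reported per secret. If you would rather keep the raw curl calls, the encryption has to come from a libsodium binding (for example PyNaCl's `SealedBox`), since openssl alone cannot produce a sealed box.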

0 Answers