From 805967d867e5f4de8fe940391552ee1f5b011fbd Mon Sep 17 00:00:00 2001
From: Anton Belodedenko <2033996+ab77@users.noreply.github.com>
Date: Mon, 16 Sep 2024 12:22:23 -0700
Subject: [PATCH] conditionally decrypt
---
 .github/workflows/yocto-build-deploy.yml | 24 +++++++++---------------
 1 file changed, 9 insertions(+), 15 deletions(-)
diff --git a/.github/workflows/yocto-build-deploy.yml b/.github/workflows/yocto-build-deploy.yml
index 2f97e86a5..925460ef4 100644
--- a/.github/workflows/yocto-build-deploy.yml
+++ b/.github/workflows/yocto-build-deploy.yml
@@ -34,7 +34,7 @@ on:
 required: false
 PBDKF2_PASSPHRASE:
 description: "Passphrase used to encrypt/decrypt balenaOS assets at rest in GitHub."
- required: true
+ required: false
 
 inputs:
 build-runs-on:
@@ -520,12 +520,10 @@ jobs:
 id: encrypt
 if: |
 github.event.repository.public &&
- inputs.sign-image == true
+ (inputs.sign-image == true || steps.balena-lib.outputs.is_private == 'true')
 run: |
 for artifact in ${{ env.DEPLOY_PATH }}/image/balena.img ${{ env.DEPLOY_PATH }}/balena-image.docker; do
- tmpfact="$(mktemp)"
- cat <"${artifact}" | openssl enc -e -aes-256-cbc -k '${{ secrets.PBDKF2_PASSPHRASE }}' -pbkdf2 -iter 310000 -md sha256 -salt -in - -out - >"${tmpfact}"
- cat <"${tmpfact}" >"${artifact}"
+ cat <"${artifact}" | openssl enc -e -aes-256-cbc -k '${{ secrets.PBDKF2_PASSPHRASE }}' -pbkdf2 -iter 310000 -md sha256 -salt -in - -out - >"${artifact}.enc"
 done
 
 # https://github.com/actions/upload-artifact
@@ -541,8 +539,8 @@ jobs:
 retention-days: 3
 compression-level: 7
 path: |
- ${{ env.DEPLOY_PATH }}/image/balena.img
- ${{ env.DEPLOY_PATH }}/balena-image.docker
+ ${{ env.DEPLOY_PATH }}/**/balena.{img,img.enc}
+ ${{ env.DEPLOY_PATH }}/**/balena-image.{docker,docker.enc}
 
 # Separate this evaluation into its own step + output, as we use this logic in several places and its easier to manage this way
 - name: Evaluate whether to finalize release
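Review bot: Making `PBDKF2_PASSPHRASE` optional is not matched by any check that the secret is actually set where it is consumed: the encrypt step (`id: encrypt`, next hunk) and the Decrypt artifacts step (last hunk) still interpolate `-k '${{ secrets.PBDKF2_PASSPHRASE }}'` verbatim, so a public repository that satisfies the encrypt condition without the secret configured would call `openssl enc` with an empty `-k` value and upload assets protected by an empty passphrase. Interpolating the secret into the shell text also places it on the openssl command line and breaks the quoting if the passphrase ever contains a single quote. Suggest exposing it to both steps through `env:` — `PBDKF2_PASSPHRASE: ${{ secrets.PBDKF2_PASSPHRASE }}` — replacing `-k '...'` with `-pass env:PBDKF2_PASSPHRASE`, and failing fast at the top of each `run:` with `[ -n "${PBDKF2_PASSPHRASE}" ] || { echo "PBDKF2_PASSPHRASE is not set" >&2; exit 1; }`.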
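Review bot: The encrypt loop now leaves the plaintext `${artifact}` in place and writes `${artifact}.enc` beside it, while the upload path in the following hunk (`balena.{img,img.enc}`, `balena-image.{docker,docker.enc}`) matches both files, so on a public repository the unencrypted image and docker archive appear to be uploaded alongside their encrypted copies and the at-rest encryption gains nothing — unless the plaintext is deleted by a step outside these hunks. The previous in-place rewrite avoided this; the simplest equivalent is to remove the source once the ciphertext is written, e.g. `openssl enc -e -aes-256-cbc -k '${{ secrets.PBDKF2_PASSPHRASE }}' -pbkdf2 -iter 310000 -md sha256 -salt -in "${artifact}" -out "${artifact}.enc" && rm -f "${artifact}"`, which also drops the redundant `cat ... | ... -in - -out -` pipe. Note that `openssl enc` provides confidentiality only, with no integrity tag, so a modified `.enc` is not reliably detected at decrypt time; that is acceptable if the decrypted artifacts are verified downstream, but is worth a comment on the step.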
@@ -1136,15 +1134,11 @@ jobs:
 
 - name: Decrypt artifacts
 working-directory: ${{ env.WORKSPACE }}
- if: |
- github.event.repository.public &&
- inputs.sign-image == true
 run: |
- while IFS= read -r -d '' artifact; do
- tmpfact="$(mktemp)"
- cat <"${artifact}" | openssl enc -d -aes-256-cbc -k '${{ secrets.PBDKF2_PASSPHRASE }}' -pbkdf2 -iter 310000 -md sha256 -salt -in - -out - >"${tmpfact}"
- cat <"${tmpfact}" >"${artifact}"
- done < <(find . -type f \( -name balena.img -o -name balena-image.docker \) -print0)
+ # shellcheck disable=SC2038
+ find . -type f -name '*.enc' \
+ | xargs -I{} echo {} | sed 's/\.enc//g' \
+ | xargs -I{} openssl enc -d -aes-256-cbc -k '${{ secrets.PBDKF2_PASSPHRASE }}' -pbkdf2 -iter 310000 -md sha256 -salt -in {}.enc -out {}
 
 - name: Install gzip
 run: |
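Review bot: `sed 's/\.enc//g'` strips every `.enc` occurrence in the path rather than only the trailing suffix, so a path with `.enc` in a directory component (constructed example: `./out.enc/balena.img.enc`) yields a wrong `-out` target; at minimum anchor it as `sed 's/\.enc$//'`. The `xargs -I{} echo {}` stage is a no-op, and replacing the null-delimited `find -print0` / `read -d ''` loop with newline-delimited `xargs` — suppressing SC2038 instead of addressing it — gives up the filename safety the old code had; keeping the loop and deriving the output name with `${encrypted%.enc}` avoids both problems. With the `if:` guard gone the step also decrypts any `*.enc` file under the workspace with this passphrase, not just the two balena artifacts; if that breadth is intentional a comment saying so would help, otherwise the `-name` test should list the expected names as before. Since the secret is now optional, an `.enc` file present with `PBDKF2_PASSPHRASE` unset fails inside openssl with an opaque error; checking the variable is non-empty before the loop gives a clearer failure.
```yaml
        run: |
          while IFS= read -r -d '' encrypted; do
            openssl enc -d -aes-256-cbc -k '${{ secrets.PBDKF2_PASSPHRASE }}' -pbkdf2 -iter 310000 -md sha256 -salt \
              -in "${encrypted}" -out "${encrypted%.enc}"
          done < <(find . -type f -name '*.enc' -print0)
```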