conditionally decrypt

balena-os · Sep 16, 2024 · 821c243 · 821c243
1 parent 07030c2
commit 821c243
Showing 1 changed file with 8 additions and 14 deletions.
diff --git a/.github/workflows/yocto-build-deploy.yml b/.github/workflows/yocto-build-deploy.yml
@@ -34,7 +34,7 @@ on:
         required: false
       PBDKF2_PASSPHRASE:
         description: "Passphrase used to encrypt/decrypt balenaOS assets at rest in GitHub."
-        required: true
+        required: false
 
     inputs:
       build-runs-on:
@@ -523,9 +523,7 @@ jobs:
           inputs.sign-image == true
         run: |
           for artifact in ${{ env.DEPLOY_PATH }}/image/balena.img ${{ env.DEPLOY_PATH }}/balena-image.docker; do
-              tmpfact="$(mktemp)"
-              cat <"${artifact}" | openssl enc -e -aes-256-cbc -k '${{ secrets.PBDKF2_PASSPHRASE }}' -pbkdf2 -iter 310000 -md sha256 -salt -in - -out - >"${tmpfact}"
-              cat <"${tmpfact}" >"${artifact}"
+              cat <"${artifact}" | openssl enc -e -aes-256-cbc -k '${{ secrets.PBDKF2_PASSPHRASE }}' -pbkdf2 -iter 310000 -md sha256 -salt -in - -out - >"${artifact}.enc"
           done
 
       # https://github.com/actions/upload-artifact
@@ -541,8 +539,8 @@ jobs:
           retention-days: 3
           compression-level: 7
           path: |
-            ${{ env.DEPLOY_PATH }}/image/balena.img
-            ${{ env.DEPLOY_PATH }}/balena-image.docker
+            ${{ env.DEPLOY_PATH }}/**/balena.{img,img.enc}
+            ${{ env.DEPLOY_PATH }}/**/balena-image.{docker,docker.enc}
 
       # Separate this evaluation into its own step + output, as we use this logic in several places and its easier to manage this way
       - name: Evaluate whether to finalize release
@@ -1136,15 +1134,11 @@ jobs:
 
       - name: Decrypt artifacts
         working-directory: ${{ env.WORKSPACE }}
-        if: |
-          github.event.repository.public &&
-          inputs.sign-image == true
         run: |
-          while IFS= read -r -d '' artifact; do
-              tmpfact="$(mktemp)"
-              cat <"${artifact}" | openssl enc -d -aes-256-cbc -k '${{ secrets.PBDKF2_PASSPHRASE }}' -pbkdf2 -iter 310000 -md sha256 -salt -in - -out - >"${tmpfact}"
-              cat <"${tmpfact}" >"${artifact}"
-          done < <(find . -type f \( -name balena.img -o -name balena-image.docker \) -print0)
+          # shellcheck disable=SC2038
+          find . -type f -name '*.enc' \
+            | xargs -I{} echo {} | sed 's/\.enc//g' \
+            | xargs -I{} openssl enc -d -aes-256-cbc -k '${{ secrets.PBDKF2_PASSPHRASE }}' -pbkdf2 -iter 310000 -md sha256 -salt -in {}.enc -out {}
 
       - name: Install gzip
         run: |