From 821c24352251bcf8fbb05f9b7d0a193f3e9f1f03 Mon Sep 17 00:00:00 2001
From: Anton Belodedenko <2033996+ab77@users.noreply.github.com>
Date: Mon, 16 Sep 2024 12:22:23 -0700
Subject: [PATCH] conditionally decrypt

---
 .github/workflows/yocto-build-deploy.yml | 22 ++++++++--------------
 1 file changed, 8 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/yocto-build-deploy.yml b/.github/workflows/yocto-build-deploy.yml
index 2f97e86a5..67a079c9c 100644
--- a/.github/workflows/yocto-build-deploy.yml
+++ b/.github/workflows/yocto-build-deploy.yml
@@ -34,7 +34,7 @@ on:
         required: false
       PBDKF2_PASSPHRASE:
         description: "Passphrase used to encrypt/decrypt balenaOS assets at rest in GitHub."
-        required: true
+        required: false
 
     inputs:
       build-runs-on:
@@ -523,9 +523,7 @@ jobs:
           inputs.sign-image == true
         run: |
           for artifact in ${{ env.DEPLOY_PATH }}/image/balena.img ${{ env.DEPLOY_PATH }}/balena-image.docker; do
-              tmpfact="$(mktemp)"
-              cat <"${artifact}" | openssl enc -e -aes-256-cbc -k '${{ secrets.PBDKF2_PASSPHRASE }}' -pbkdf2 -iter 310000 -md sha256 -salt -in - -out - >"${tmpfact}"
-              cat <"${tmpfact}" >"${artifact}"
+              cat <"${artifact}" | openssl enc -e -aes-256-cbc -k '${{ secrets.PBDKF2_PASSPHRASE }}' -pbkdf2 -iter 310000 -md sha256 -salt -in - -out - >"${artifact}.enc"
           done
 
       # https://github.com/actions/upload-artifact
@@ -541,8 +539,8 @@ jobs:
           retention-days: 3
           compression-level: 7
           path: |
-            ${{ env.DEPLOY_PATH }}/image/balena.img
-            ${{ env.DEPLOY_PATH }}/balena-image.docker
+            ${{ env.DEPLOY_PATH }}/**/balena.{img,img.enc}
+            ${{ env.DEPLOY_PATH }}/**/balena-image.{docker,docker.enc}
 
       # Separate this evaluation into its own step + output, as we use this logic in several places and its easier to manage this way
       - name: Evaluate whether to finalize release
@@ -1136,15 +1134,11 @@ jobs:
 
       - name: Decrypt artifacts
         working-directory: ${{ env.WORKSPACE }}
-        if: |
-          github.event.repository.public &&
-          inputs.sign-image == true
         run: |
-          while IFS= read -r -d '' artifact; do
-              tmpfact="$(mktemp)"
-              cat <"${artifact}" | openssl enc -d -aes-256-cbc -k '${{ secrets.PBDKF2_PASSPHRASE }}' -pbkdf2 -iter 310000 -md sha256 -salt -in - -out - >"${tmpfact}"
-              cat <"${tmpfact}" >"${artifact}"
-          done < <(find . -type f \( -name balena.img -o -name balena-image.docker \) -print0)
+          # shellcheck disable=SC2038
+          find . -type f -name '*.enc' \
+            | xargs -I{} echo {} | sed 's/\.enc//g' \
+            | xargs -I{} openssl enc -d -aes-256-cbc -k '${{ secrets.PBDKF2_PASSPHRASE }}' -pbkdf2 -iter 310000 -md sha256 -salt -in {}.enc -out {}
 
       - name: Install gzip
         run: |