action.yml

name: 'decrypt-export-env-action'
description: 'Decrypt and export environment variables from a remote Gist or Repo (using Age), while masking sensitive information.'
author: 'singulcode'
branding:
  icon: 'activity'
  color: 'green'
inputs:
  repoUrl:
    description: 'Your repo url, example https://gist.github.com/f6281d95065d3b942f13a8436768669f.git'
    required: true
  path:
    description: 'Path to store repo files'
    required: false
    default: '.tmpsecrets'
  ageSecretKey:
    description: 'Secret key to decrypt Age files'
    required: true
  envFile:
    description: 'Path to .env files, separated by `|`'
    required: true
  excludeEnv:
    description: 'Regex to exclude specific variables matching the filter, separated by `|`'
    required: false
  maskEnv:
    description: 'Regex to mask specific variables matching the filter, separated by `|`'
    required: false
    default: 'MYSQL|KEY|TOKEN|PASSWORD|SECRET|SID|IDENTITY|AWS|GCP|CRYPTO|ENCRYPTION|ADDDRESS|IP|DATABASE|CERT'

runs:
  using: composite
  steps:
    - name: Setup age
      uses: AnimMouse/setup-age@v1

    - name: Clone secret repo
      run: |
        set -e

        echo "Repo: ${{ inputs.repoUrl }}"

        git clone ${{ inputs.repoUrl }} ${{ inputs.path }}

        if [ ! -d "${{ inputs.path }}" ]; then
          echo "Error: Couldn't clone ${{ inputs.repoUrl }}."
          exit 1
        fi
      shell: bash

    - name: Decrypt environments
      run: |
        set -e
        echo "source ${{ inputs.path }}/decrypt.sh ${{ inputs.ageSecretKey }}"
        source ${{ inputs.path }}/decrypt.sh ${{ inputs.ageSecretKey }}
        ls -la ${{ inputs.path }}
      shell: bash

    - name: Export secrets and environments to runner
      uses: datphan/export-env-action@master
      with:
        envFile: ${{ inputs.envFile }}
        filter: ${{ inputs.excludeEnv }}
        mask: ${{ inputs.maskEnv }}

    - name: Cleanup secrets
      run: |
        set -e
        rm -rf ${{ inputs.path }}
      shell: bash