restructure

infisical/fetch-secret/README.md

@@ -0,0 +1,34 @@
+# Fetch Secret from Infisical
+
+<!-- action-docs-description source="action.yml" -->
+## Description
+
+Fetches a single secret value from Infisical using a machine identity token
+<!-- action-docs-description source="action.yml" -->
+
+<!-- action-docs-inputs source="action.yml" -->
+## Inputs
+
+| name | description | required | default |
+| --- | --- | --- | --- |
+| `INFISICAL_TOKEN` | <p>Machine identity access token</p> | `true` | `""` |
+| `SECRET_NAME` | <p>The secret key to fetch</p> | `true` | `""` |
+| `INFISICAL_HOST` | <p>Infisical API base URL</p> | `false` | `https://infisical.pixelparasol.com` |
+| `WORKSPACE_ID` | <p>Infisical project UUID</p> | `false` | `""` |
+| `ENVIRONMENT` | <p>Infisical environment slug</p> | `false` | `prod` |
+| `SECRET_PATH` | <p>Folder path within the environment</p> | `false` | `/` |
+<!-- action-docs-inputs source="action.yml" -->
+
+<!-- action-docs-outputs source="action.yml" -->
+## Outputs
+
+| name | description |
+| --- | --- |
+| `value` | <p>The fetched secret value</p> |
+<!-- action-docs-outputs source="action.yml" -->
+
+<!-- action-docs-runs source="action.yml" -->
+## Runs
+
+This action is a `composite` action.
+<!-- action-docs-runs source="action.yml" -->

infisical/fetch-secret/action.yml

@@ -0,0 +1,68 @@
+name: Fetch Secret from Infisical
+description: Fetches a single secret value from Infisical using a machine identity token
+inputs:
+  INFISICAL_TOKEN:
+    description: "Machine identity access token"
+    required: true
+  SECRET_NAME:
+    description: "The secret key to fetch"
+    required: true
+  INFISICAL_HOST:
+    description: "Infisical API base URL"
+    required: false
+    default: "https://infisical.pixelparasol.com"
+  WORKSPACE_ID:
+    description: "Infisical project UUID"
+    required: true
+  ENVIRONMENT:
+    description: "Infisical environment slug"
+    required: false
+    default: "prod"
+  SECRET_PATH:
+    description: "Folder path within the environment"
+    required: false
+    default: "/"
+outputs:
+  value:
+    description: "The fetched secret value"
+    value: ${{ steps.fetch.outputs.value }}
+
+runs:
+  using: composite
+  steps:
+    - name: Fetch secret
+      id: fetch
+      shell: sh
+      run: |
+        if ! command -v jq >/dev/null 2>&1; then
+          apk add --no-cache jq 2>/dev/null \
+            || apt-get install -y -q --no-install-recommends jq 2>/dev/null \
+            || { echo "Error: jq not available and could not be installed" >&2; exit 1; }
+        fi
+
+        HTTP_STATUS=$(curl -s -o /tmp/_infisical_resp.json -w "%{http_code}" \
+          -H "Authorization: Bearer ${{ inputs.INFISICAL_TOKEN }}" \
+          "${{ inputs.INFISICAL_HOST }}/api/v3/secrets/raw/${{ inputs.SECRET_NAME }}?workspaceId=${{ inputs.WORKSPACE_ID }}&environment=${{ inputs.ENVIRONMENT }}&secretPath=${{ inputs.SECRET_PATH }}")
+
+        if [ "$HTTP_STATUS" != "200" ]; then
+          echo "Error: Infisical returned HTTP $HTTP_STATUS for secret '${{ inputs.SECRET_NAME }}'" >&2
+          echo "Response: $(cat /tmp/_infisical_resp.json)" >&2
+          rm -f /tmp/_infisical_resp.json
+          exit 1
+        fi
+
+        RESPONSE=$(cat /tmp/_infisical_resp.json)
+        rm -f /tmp/_infisical_resp.json
+
+        VALUE=$(echo "$RESPONSE" | jq -r '.secret.secretValue')
+
+        if [ -z "$VALUE" ] || [ "$VALUE" = "null" ]; then
+          echo "Error: secret '${{ inputs.SECRET_NAME }}' is empty or not found" >&2
+          exit 1
+        fi
+
+        DELIMITER="INFISICAL_EOF_$$"
+        echo "value<<${DELIMITER}" >> "$GITHUB_OUTPUT"
+        echo "$VALUE" >> "$GITHUB_OUTPUT"
+        echo "${DELIMITER}" >> "$GITHUB_OUTPUT"
+        echo "Successfully fetched secret '${{ inputs.SECRET_NAME }}'"