fix: remove kubeconfig cleanup from template and diff — kubeconfig must persist across pipeline steps

Makefile

@@ -3,7 +3,6 @@ ACTIONS := \
 	node \
 	git/create_tag \
 	helm/diff \
-	helm/set_deployment_image \
 	helm/template \
 	helm/upgrade \
 	infisical/fetch-secret \

README.md

@@ -21,9 +21,8 @@ Reusable composite actions for Gitea CI/CD pipelines.
 | Action | Description |
 |---|---|
 | [helm/diff](helm/diff/README.md) | Diff a Helm chart against a running deployment |
-| [helm/set_deployment_image](helm/set_deployment_image/README.md) | Set the image for a Kubernetes deployment via Helm |
 | [helm/template](helm/template/README.md) | Render a Helm chart for a deployment |
-| [helm/upgrade](helm/upgrade/README.md) | Log in to an OCI registry and run `helm upgrade` for the chart in the current directory |
+| [helm/upgrade](helm/upgrade/README.md) | Log in to an OCI registry, update chart dependencies, and run `helm upgrade` |
 
 ### Infisical
 

VERSION

@@ -1 +1 @@
-1.1.0
+1.13.0

docker/README.md

@@ -20,6 +20,7 @@ Build a Docker image and push it to the Gitea container registry
 | `ARTIFACT_NAME` | <p>Name of the build artifact to download</p> | `false` | `dist` |
 | `ARTIFACT_PATH` | <p>Destination path for the downloaded artifact</p> | `false` | `dist` |
 | `TAG_LATEST` | <p>Also tag and push the image as latest</p> | `false` | `false` |
+| `TAG_PREFIX` | <p>Optional prefix to prepend to IMAGE_TAG (e.g. 'dev' produces 'dev-&lt;tag&gt;'). Does not affect the latest tag.</p> | `false` | `""` |
 | `WORKING_DIRECTORY` | <p>Working directory for the Docker build</p> | `false` | `.` |
 <!-- action-docs-inputs source="action.yml" -->
 

docker/action.yml

@@ -28,6 +28,9 @@ inputs:
   TAG_LATEST:
     description: "Also tag and push the image as latest"
     default: "false"
+  TAG_PREFIX:
+    description: "Optional prefix to prepend to IMAGE_TAG (e.g. 'dev' produces 'dev-<tag>'). Does not affect the latest tag."
+    default: ""
   WORKING_DIRECTORY:
     description: "Working directory for the Docker build"
     default: "."
@@ -51,7 +54,11 @@ runs:
     - name: Docker Build and Push
       shell: sh
       run: |
-        TAGS="-t ${{ inputs.IMAGE_PATH }}:${{ inputs.IMAGE_TAG }}"
+        TAG="${{ inputs.IMAGE_TAG }}"
+        if [ -n "${{ inputs.TAG_PREFIX }}" ]; then
+          TAG="${{ inputs.TAG_PREFIX }}-${TAG}"
+        fi
+        TAGS="-t ${{ inputs.IMAGE_PATH }}:${TAG}"
         if [ "${{ inputs.TAG_LATEST }}" = "true" ]; then
           TAGS="$TAGS -t ${{ inputs.IMAGE_PATH }}:latest"
         fi

git/README.md

@@ -0,0 +1,7 @@
+# git
+
+Composite actions for Git operations.
+
+| action | description |
+| --- | --- |
+| [create_tag](create_tag/README.md) | Creates and pushes a git tag in the current repository |

helm/README.md

@@ -0,0 +1,9 @@
+# helm
+
+Composite actions for managing Helm chart deployments.
+
+| action | description |
+| --- | --- |
+| [diff](diff/README.md) | Diff a Helm chart for a deployment in a Kubernetes cluster |
+| [template](template/README.md) | Template a Helm chart for a deployment in a Kubernetes cluster |
+| [upgrade](upgrade/README.md) | Login to an OCI registry, update chart dependencies, and run helm upgrade |

helm/diff/README.md

@@ -11,13 +11,16 @@ Diff a Helm chart for a deployment in a Kubernetes cluster
 
 | name | description | required | default |
 | --- | --- | --- | --- |
-| `DEPLOYMENT_NAME` | <p>The Kubernetes Deployment to update</p> | `true` | `""` |
+| `DEPLOYMENT_NAME` | <p>The Helm release name</p> | `true` | `""` |
-| `DEPLOYMENT_NAMESPACE` | <p>The Kubernetes namespace of the Deployment</p> | `true` | `""` |
+| `DEPLOYMENT_NAMESPACE` | <p>The Kubernetes namespace (defaults to DEPLOYMENT_NAME)</p> | `false` | `""` |
-| `IMAGE_PATH` | <p>The registry path to the image</p> | `true` | `""` |
+| `REGISTRY` | <p>OCI registry hostname for helm dependency login</p> | `true` | `""` |
-| `IMAGE_TAG` | <p>The image tag to deploy</p> | `true` | `""` |
+| `REGISTRY_USERNAME` | <p>Username for OCI registry login</p> | `true` | `""` |
-| `CONTAINER_NAME` | <p>The container component to update</p> | `true` | `""` |
+| `REGISTRY_TOKEN` | <p>Token for OCI registry login</p> | `true` | `""` |
-| `VALUES_FILE` | <p>The values file to use</p> | `false` | `./helm/values.yaml` |
 | `CHART_PATH` | <p>Path to the Helm chart</p> | `false` | `./helm` |
+| `VALUES_FILE` | <p>The values file to use</p> | `false` | `./helm/values.yaml` |
+| `IMAGE_PATH` | <p>The registry path to the image (optional)</p> | `false` | `""` |
+| `IMAGE_TAG` | <p>The image tag to deploy (optional)</p> | `false` | `""` |
+| `TAG_KEY` | <p>Helm --set key for the image tag (e.g. deploy.api.tag)</p> | `false` | `""` |
 <!-- action-docs-inputs source="action.yml" -->
 
 <!-- action-docs-runs source="action.yml" -->

helm/diff/action.yml

@@ -2,37 +2,74 @@ name: Helm Diff Deployment
 description: Diff a Helm chart for a deployment in a Kubernetes cluster
 inputs:
   DEPLOYMENT_NAME:
-    description: "The Kubernetes Deployment to update"
+    description: "The Helm release name"
     required: true
   DEPLOYMENT_NAMESPACE:
-    description: "The Kubernetes namespace of the Deployment"
+    description: "The Kubernetes namespace (defaults to DEPLOYMENT_NAME)"
+    default: ""
+  REGISTRY:
+    description: "OCI registry hostname for helm dependency login"
     required: true
-  IMAGE_PATH:
+  REGISTRY_USERNAME:
-    description: "The registry path to the image"
+    description: "Username for OCI registry login"
     required: true
-  IMAGE_TAG:
+  REGISTRY_TOKEN:
-    description: "The image tag to deploy"
+    description: "Token for OCI registry login"
     required: true
-  CONTAINER_NAME:
-    description: "The container component to update"
-    required: true
-  VALUES_FILE:
-    description: "The values file to use"
-    default: "./helm/values.yaml"
   CHART_PATH:
     description: "Path to the Helm chart"
     default: "./helm"
+  VALUES_FILE:
+    description: "The values file to use"
+    default: "./helm/values.yaml"
+  IMAGE_PATH:
+    description: "The registry path to the image (optional)"
+    default: ""
+  IMAGE_TAG:
+    description: "The image tag to deploy (optional)"
+    default: ""
+  TAG_KEY:
+    description: "Helm --set key for the image tag (e.g. deploy.api.tag)"
+    default: ""
 
 runs:
   using: composite
   steps:
+    - name: Helm OCI Login
+      shell: sh
+      env:
+        REGISTRY: ${{ inputs.REGISTRY }}
+        REGISTRY_USERNAME: ${{ inputs.REGISTRY_USERNAME }}
+        REGISTRY_TOKEN: ${{ inputs.REGISTRY_TOKEN }}
+      run: |
+        echo "$REGISTRY_TOKEN" | helm registry login "$REGISTRY" \
+          --username "$REGISTRY_USERNAME" \
+          --password-stdin
+
     - name: Install Helm Diff
       shell: sh
       run: |
         helm plugin list | grep -q diff || helm plugin install https://github.com/databus23/helm-diff
+
     - name: Helm Diff
       shell: sh
+      env:
+        DEPLOYMENT_NAME: ${{ inputs.DEPLOYMENT_NAME }}
+        DEPLOYMENT_NAMESPACE: ${{ inputs.DEPLOYMENT_NAMESPACE }}
+        CHART_PATH: ${{ inputs.CHART_PATH }}
+        VALUES_FILE: ${{ inputs.VALUES_FILE }}
+        IMAGE_PATH: ${{ inputs.IMAGE_PATH }}
+        IMAGE_TAG: ${{ inputs.IMAGE_TAG }}
+        TAG_KEY: ${{ inputs.TAG_KEY }}
       run: |
-        CMD="helm diff upgrade ${{ inputs.DEPLOYMENT_NAME }} ${{ inputs.CHART_PATH }} -n ${{ inputs.DEPLOYMENT_NAMESPACE }} --values ${{ inputs.VALUES_FILE }} --set deploy.${{ inputs.CONTAINER_NAME }}.tag=${{ inputs.IMAGE_TAG }} --set image.repository=${{ inputs.IMAGE_PATH }} --context 5"
+        NAMESPACE="$DEPLOYMENT_NAMESPACE"
-        echo "Running: $CMD"
+        if [ -z "$NAMESPACE" ]; then NAMESPACE="$DEPLOYMENT_NAME"; fi
-        eval "$CMD"
+        SET_FLAGS=""
+        if [ -n "$TAG_KEY" ] && [ -n "$IMAGE_TAG" ]; then
+          SET_FLAGS="$SET_FLAGS --set $TAG_KEY=$IMAGE_TAG"
+        fi
+        if [ -n "$IMAGE_PATH" ]; then
+          SET_FLAGS="$SET_FLAGS --set image.repository=$IMAGE_PATH"
+        fi
+        helm dependency update "$CHART_PATH"
+        helm diff upgrade "$DEPLOYMENT_NAME" "$CHART_PATH" -n "$NAMESPACE" --values "$VALUES_FILE" $SET_FLAGS --context 5

helm/set_deployment_image/README.md

@@ -1,27 +0,0 @@
-# Helm Upgrade Deployment Image
-
-<!-- action-docs-description source="action.yml" -->
-## Description
-
-Set the image for a deployment in a Kubernetes
-<!-- action-docs-description source="action.yml" -->
-
-<!-- action-docs-inputs source="action.yml" -->
-## Inputs
-
-| name | description | required | default |
-| --- | --- | --- | --- |
-| `DEPLOYMENT_NAME` | <p>The Kubernetes Deployment to update</p> | `true` | `""` |
-| `DEPLOYMENT_NAMESPACE` | <p>The Kubernetes namespace of the Deployment</p> | `true` | `""` |
-| `IMAGE_PATH` | <p>The registry path to the image</p> | `true` | `""` |
-| `IMAGE_TAG` | <p>The image tag to deploy</p> | `true` | `""` |
-| `CONTAINER_NAME` | <p>The container component to update</p> | `true` | `""` |
-| `VALUES_FILE` | <p>The values file to use</p> | `false` | `./helm/values.yaml` |
-| `CHART_PATH` | <p>Path to the Helm chart</p> | `false` | `./helm` |
-<!-- action-docs-inputs source="action.yml" -->
-
-<!-- action-docs-runs source="action.yml" -->
-## Runs
-
-This action is a `composite` action.
-<!-- action-docs-runs source="action.yml" -->

helm/set_deployment_image/action.yml

@@ -1,34 +0,0 @@
-name: Helm Upgrade Deployment Image
-description: Set the image for a deployment in a Kubernetes
-inputs:
-  DEPLOYMENT_NAME:
-    description: "The Kubernetes Deployment to update"
-    required: true
-  DEPLOYMENT_NAMESPACE:
-    description: "The Kubernetes namespace of the Deployment"
-    required: true
-  IMAGE_PATH:
-    description: "The registry path to the image"
-    required: true
-  IMAGE_TAG:
-    description: "The image tag to deploy"
-    required: true
-  CONTAINER_NAME:
-    description: "The container component to update"
-    required: true
-  VALUES_FILE:
-    description: "The values file to use"
-    default: "./helm/values.yaml"
-  CHART_PATH:
-    description: "Path to the Helm chart"
-    default: "./helm"
-
-runs:
-  using: composite
-  steps:
-    - name: Helm Set Image
-      shell: sh
-      run: |
-        CMD="helm upgrade ${{ inputs.DEPLOYMENT_NAME }} ${{ inputs.CHART_PATH }} -n ${{ inputs.DEPLOYMENT_NAMESPACE }} --values ${{ inputs.VALUES_FILE }} --set deploy.${{ inputs.CONTAINER_NAME }}.tag=${{ inputs.IMAGE_TAG }} --set image.repository=${{ inputs.IMAGE_PATH }}"
-        echo "Running: $CMD"
-        eval "$CMD"

helm/template/README.md

@@ -11,13 +11,16 @@ Template a Helm chart for a deployment in a Kubernetes cluster
 
 | name | description | required | default |
 | --- | --- | --- | --- |
-| `DEPLOYMENT_NAME` | <p>The Kubernetes Deployment to update</p> | `true` | `""` |
+| `DEPLOYMENT_NAME` | <p>The Helm release name</p> | `true` | `""` |
-| `DEPLOYMENT_NAMESPACE` | <p>The Kubernetes namespace of the Deployment</p> | `true` | `""` |
+| `DEPLOYMENT_NAMESPACE` | <p>The Kubernetes namespace (defaults to DEPLOYMENT_NAME)</p> | `false` | `""` |
-| `IMAGE_PATH` | <p>The registry path to the image</p> | `true` | `""` |
+| `REGISTRY` | <p>OCI registry hostname for helm dependency login</p> | `true` | `""` |
-| `IMAGE_TAG` | <p>The image tag to deploy</p> | `true` | `""` |
+| `REGISTRY_USERNAME` | <p>Username for OCI registry login</p> | `true` | `""` |
-| `CONTAINER_NAME` | <p>The container component to update</p> | `true` | `""` |
+| `REGISTRY_TOKEN` | <p>Token for OCI registry login</p> | `true` | `""` |
-| `VALUES_FILE` | <p>The values file to use</p> | `false` | `./helm/values.yaml` |
 | `CHART_PATH` | <p>Path to the Helm chart</p> | `false` | `./helm` |
+| `VALUES_FILE` | <p>The values file to use</p> | `false` | `./helm/values.yaml` |
+| `IMAGE_PATH` | <p>The registry path to the image (optional)</p> | `false` | `""` |
+| `IMAGE_TAG` | <p>The image tag to deploy (optional)</p> | `false` | `""` |
+| `TAG_KEY` | <p>Helm --set key for the image tag (e.g. deploy.api.tag)</p> | `false` | `""` |
 <!-- action-docs-inputs source="action.yml" -->
 
 <!-- action-docs-runs source="action.yml" -->

helm/template/action.yml

@@ -2,33 +2,69 @@ name: Helm Template Deployment
 description: Template a Helm chart for a deployment in a Kubernetes cluster
 inputs:
   DEPLOYMENT_NAME:
-    description: "The Kubernetes Deployment to update"
+    description: "The Helm release name"
     required: true
   DEPLOYMENT_NAMESPACE:
-    description: "The Kubernetes namespace of the Deployment"
+    description: "The Kubernetes namespace (defaults to DEPLOYMENT_NAME)"
+    default: ""
+  REGISTRY:
+    description: "OCI registry hostname for helm dependency login"
     required: true
-  IMAGE_PATH:
+  REGISTRY_USERNAME:
-    description: "The registry path to the image"
+    description: "Username for OCI registry login"
     required: true
-  IMAGE_TAG:
+  REGISTRY_TOKEN:
-    description: "The image tag to deploy"
+    description: "Token for OCI registry login"
     required: true
-  CONTAINER_NAME:
-    description: "The container component to update"
-    required: true
-  VALUES_FILE:
-    description: "The values file to use"
-    default: "./helm/values.yaml"
   CHART_PATH:
     description: "Path to the Helm chart"
     default: "./helm"
+  VALUES_FILE:
+    description: "The values file to use"
+    default: "./helm/values.yaml"
+  IMAGE_PATH:
+    description: "The registry path to the image (optional)"
+    default: ""
+  IMAGE_TAG:
+    description: "The image tag to deploy (optional)"
+    default: ""
+  TAG_KEY:
+    description: "Helm --set key for the image tag (e.g. deploy.api.tag)"
+    default: ""
 
 runs:
   using: composite
   steps:
+    - name: Helm OCI Login
+      shell: sh
+      env:
+        REGISTRY: ${{ inputs.REGISTRY }}
+        REGISTRY_USERNAME: ${{ inputs.REGISTRY_USERNAME }}
+        REGISTRY_TOKEN: ${{ inputs.REGISTRY_TOKEN }}
+      run: |
+        echo "$REGISTRY_TOKEN" | helm registry login "$REGISTRY" \
+          --username "$REGISTRY_USERNAME" \
+          --password-stdin
+
     - name: Helm Template
       shell: sh
+      env:
+        DEPLOYMENT_NAME: ${{ inputs.DEPLOYMENT_NAME }}
+        DEPLOYMENT_NAMESPACE: ${{ inputs.DEPLOYMENT_NAMESPACE }}
+        CHART_PATH: ${{ inputs.CHART_PATH }}
+        VALUES_FILE: ${{ inputs.VALUES_FILE }}
+        IMAGE_PATH: ${{ inputs.IMAGE_PATH }}
+        IMAGE_TAG: ${{ inputs.IMAGE_TAG }}
+        TAG_KEY: ${{ inputs.TAG_KEY }}
       run: |
-        CMD="helm template ${{ inputs.DEPLOYMENT_NAME }} ${{ inputs.CHART_PATH }} -n ${{ inputs.DEPLOYMENT_NAMESPACE }} --values ${{ inputs.VALUES_FILE }} --set deploy.${{ inputs.CONTAINER_NAME }}.tag=${{ inputs.IMAGE_TAG }} --set image.repository=${{ inputs.IMAGE_PATH }}"
+        NAMESPACE="$DEPLOYMENT_NAMESPACE"
-        echo "Running: $CMD"
+        if [ -z "$NAMESPACE" ]; then NAMESPACE="$DEPLOYMENT_NAME"; fi
-        eval "$CMD"
+        SET_FLAGS=""
+        if [ -n "$TAG_KEY" ] && [ -n "$IMAGE_TAG" ]; then
+          SET_FLAGS="$SET_FLAGS --set $TAG_KEY=$IMAGE_TAG"
+        fi
+        if [ -n "$IMAGE_PATH" ]; then
+          SET_FLAGS="$SET_FLAGS --set image.repository=$IMAGE_PATH"
+        fi
+        helm dependency update "$CHART_PATH"
+        helm template "$DEPLOYMENT_NAME" "$CHART_PATH" -n "$NAMESPACE" --values "$VALUES_FILE" $SET_FLAGS

helm/upgrade/README.md

@@ -3,7 +3,7 @@
 <!-- action-docs-description source="action.yml" -->
 ## Description
 
-Login to an OCI registry, update chart dependencies, and run helm upgrade for the chart in the current directory
+Login to an OCI registry, update chart dependencies, and run helm upgrade
 <!-- action-docs-description source="action.yml" -->
 
 <!-- action-docs-inputs source="action.yml" -->
@@ -11,12 +11,16 @@ Login to an OCI registry, update chart dependencies, and run helm upgrade for th
 
 | name | description | required | default |
 | --- | --- | --- | --- |
-| `DEPLOYMENT_NAME` | <p>The Helm release name and target namespace</p> | `true` | `""` |
+| `DEPLOYMENT_NAME` | <p>The Helm release name</p> | `true` | `""` |
+| `DEPLOYMENT_NAMESPACE` | <p>The Kubernetes namespace (defaults to DEPLOYMENT_NAME)</p> | `false` | `""` |
 | `REGISTRY` | <p>OCI registry hostname for helm dependency login</p> | `true` | `""` |
 | `REGISTRY_USERNAME` | <p>Username for OCI registry login</p> | `true` | `""` |
 | `REGISTRY_TOKEN` | <p>Token for OCI registry login</p> | `true` | `""` |
 | `CHART_PATH` | <p>Path to the Helm chart</p> | `false` | `./helm` |
 | `VALUES_FILE` | <p>The values file to use</p> | `false` | `./helm/values.yaml` |
+| `IMAGE_PATH` | <p>The registry path to the image (optional)</p> | `false` | `""` |
+| `IMAGE_TAG` | <p>The image tag to deploy (optional)</p> | `false` | `""` |
+| `TAG_KEY` | <p>Helm --set key for the image tag (e.g. deploy.api.tag)</p> | `false` | `""` |
 <!-- action-docs-inputs source="action.yml" -->
 
 <!-- action-docs-runs source="action.yml" -->

helm/upgrade/action.yml

@@ -1,9 +1,12 @@
 name: Helm Upgrade
-description: Login to an OCI registry, update chart dependencies, and run helm upgrade for the chart in the current directory
+description: Login to an OCI registry, update chart dependencies, and run helm upgrade
 inputs:
   DEPLOYMENT_NAME:
-    description: "The Helm release name and target namespace"
+    description: "The Helm release name"
     required: true
+  DEPLOYMENT_NAMESPACE:
+    description: "The Kubernetes namespace (defaults to DEPLOYMENT_NAME)"
+    default: ""
   REGISTRY:
     description: "OCI registry hostname for helm dependency login"
     required: true
@@ -19,23 +22,52 @@ inputs:
   VALUES_FILE:
     description: "The values file to use"
     default: "./helm/values.yaml"
+  IMAGE_PATH:
+    description: "The registry path to the image (optional)"
+    default: ""
+  IMAGE_TAG:
+    description: "The image tag to deploy (optional)"
+    default: ""
+  TAG_KEY:
+    description: "Helm --set key for the image tag (e.g. deploy.api.tag)"
+    default: ""
 
 runs:
   using: composite
   steps:
     - name: Helm OCI Login
       shell: sh
+      env:
+        REGISTRY: ${{ inputs.REGISTRY }}
+        REGISTRY_USERNAME: ${{ inputs.REGISTRY_USERNAME }}
+        REGISTRY_TOKEN: ${{ inputs.REGISTRY_TOKEN }}
       run: |
-        echo "${{ inputs.REGISTRY_TOKEN }}" | helm registry login ${{ inputs.REGISTRY }} \
+        echo "$REGISTRY_TOKEN" | helm registry login "$REGISTRY" \
-          --username ${{ inputs.REGISTRY_USERNAME }} \
+          --username "$REGISTRY_USERNAME" \
           --password-stdin
 
     - name: Helm Upgrade
       shell: sh
+      env:
+        DEPLOYMENT_NAME: ${{ inputs.DEPLOYMENT_NAME }}
+        DEPLOYMENT_NAMESPACE: ${{ inputs.DEPLOYMENT_NAMESPACE }}
+        CHART_PATH: ${{ inputs.CHART_PATH }}
+        VALUES_FILE: ${{ inputs.VALUES_FILE }}
+        IMAGE_PATH: ${{ inputs.IMAGE_PATH }}
+        IMAGE_TAG: ${{ inputs.IMAGE_TAG }}
+        TAG_KEY: ${{ inputs.TAG_KEY }}
       run: |
-        helm dependency update ${{ inputs.CHART_PATH }}
+        NAMESPACE="$DEPLOYMENT_NAMESPACE"
-        echo "Running: helm upgrade ${{ inputs.DEPLOYMENT_NAME }} ${{ inputs.CHART_PATH }} -n ${{ inputs.DEPLOYMENT_NAME }} --values ${{ inputs.VALUES_FILE }}"
+        if [ -z "$NAMESPACE" ]; then NAMESPACE="$DEPLOYMENT_NAME"; fi
-        helm upgrade ${{ inputs.DEPLOYMENT_NAME }} ${{ inputs.CHART_PATH }} -n ${{ inputs.DEPLOYMENT_NAME }} --values ${{ inputs.VALUES_FILE }}
+        SET_FLAGS=""
+        if [ -n "$TAG_KEY" ] && [ -n "$IMAGE_TAG" ]; then
+          SET_FLAGS="$SET_FLAGS --set $TAG_KEY=$IMAGE_TAG"
+        fi
+        if [ -n "$IMAGE_PATH" ]; then
+          SET_FLAGS="$SET_FLAGS --set image.repository=$IMAGE_PATH"
+        fi
+        helm dependency update "$CHART_PATH"
+        helm upgrade "$DEPLOYMENT_NAME" "$CHART_PATH" -n "$NAMESPACE" --values "$VALUES_FILE" $SET_FLAGS
 
     - name: Remove kubeconfig
       if: always()

infisical/README.md

@@ -0,0 +1,7 @@
+# infisical
+
+Composite actions for Infisical secret management.
+
+| action | description |
+| --- | --- |
+| [fetch-secret](fetch-secret/README.md) | Fetches a single secret value from Infisical using a machine identity token |

infisical/fetch-secret/action.yml

@@ -24,7 +24,7 @@ inputs:
     default: "/"
 outputs:
   value:
-    description: "The fetched secret value"
+    description: "The fetched secret value (base64-encoded)"
     value: ${{ steps.fetch.outputs.value }}
 
 runs:
@@ -61,8 +61,11 @@ runs:
           exit 1
         fi
 
+        B64=$(printf '%s' "$VALUE" | base64 | tr -d '\n')
+        echo "::add-mask::$B64"
+
         DELIMITER="INFISICAL_EOF_$$"
         echo "value<<${DELIMITER}" >> "$GITHUB_OUTPUT"
-        echo "$VALUE" >> "$GITHUB_OUTPUT"
+        printf '%s\n' "$B64" >> "$GITHUB_OUTPUT"
         echo "${DELIMITER}" >> "$GITHUB_OUTPUT"
         echo "Successfully fetched secret '${{ inputs.SECRET_NAME }}'"

infra/README.md

@@ -0,0 +1,7 @@
+# infra
+
+Composite actions for infrastructure management.
+
+| action | description |
+| --- | --- |
+| [update_version](update_version/README.md) | Updates the service tag in the stat-tackler-infra releases/versions.yaml |

kubectl/README.md

@@ -0,0 +1,7 @@
+# kubectl
+
+Composite actions for kubectl configuration.
+
+| action | description |
+| --- | --- |
+| [configure](configure/README.md) | Configure kubectl for use with Kubernetes |

kubectl/configure/action.yml

@@ -2,7 +2,7 @@ name: Configure Kubectl
 description: Configure kubectl for use with Kubernetes
 inputs:
   K8S_CONFIG:
-    description: "The RAW Kubernetes config"
+    description: "The base64-encoded Kubernetes config"
     required: true
   K8S_NAMESPACE:
     description: "The K8S namespace"
@@ -14,20 +14,21 @@ inputs:
 runs:
   using: composite
   steps:
+    - name: Mask kubeconfig
+      shell: sh
+      env:
+        K8S_CONFIG: ${{ inputs.K8S_CONFIG }}
+      run: echo "::add-mask::$K8S_CONFIG"
+
     - name: Configure kubectl
       shell: sh
+      env:
+        K8S_CONFIG: ${{ inputs.K8S_CONFIG }}
       run: |
-        echo "Remove existing kubeconfig"
+        echo "Configuring kubectl for context=${{ inputs.K8S_CONTEXT }} namespace=${{ inputs.K8S_NAMESPACE }}"
         rm -f ~/.kube/config
-
-        echo "Re-creating .kube directory"
         mkdir -p ~/.kube
-
+        printf '%s' "$K8S_CONFIG" | base64 -d > ~/.kube/config
-        echo "Set kubeconfig"
-        echo "${{ inputs.K8S_CONFIG }}" > ~/.kube/config
-
-        echo "Set kubeconfig context"
         kubectl config set-context ${{ inputs.K8S_CONTEXT }} --cluster=${{ inputs.K8S_CONTEXT }} --namespace=${{ inputs.K8S_NAMESPACE }}
-
-        echo "Use kubeconfig context ${{ inputs.K8S_CONTEXT }}"
         kubectl config use-context ${{ inputs.K8S_CONTEXT }}
+        echo "kubectl configured successfully"

test/README.md

@@ -0,0 +1,7 @@
+# test
+
+Composite actions for running tests.
+
+| action | description |
+| --- | --- |
+| [npm](npm/README.md) | Install dependencies and run npm tests |

trivy/README.md

@@ -0,0 +1,8 @@
+# trivy
+
+Composite actions for Trivy vulnerability scanning.
+
+| action | description |
+| --- | --- |
+| [image_scan](image_scan/README.md) | Scan a container image with Trivy |
+| [namespace_scan](namespace_scan/README.md) | Scan a Kubernetes namespace for vulnerabilities |