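# Composite action: fetch one secret from Infisical with a machine-identity token.
#
# Security notes for maintainers:
#   - Every input is handed to the shell through `env:`; nothing is interpolated
#     into the script with ${{ }}, so a crafted SECRET_NAME / SECRET_PATH / host
#     cannot inject commands into the step.
#   - The bearer token is fed to curl on stdin, not on the command line, and the
#     request is refused unless the host is https://.
#   - The response body stays in memory; it is never written to /tmp.
#   - Both the raw secret and its base64 form are registered with ::add-mask::.
#   - The output is base64 so multi-line values survive GITHUB_OUTPUT. Note that
#     trailing newlines of the secret value are dropped by command substitution.
name: Fetch Secret from Infisical
description: Fetches a single secret value from Infisical using a machine identity token

inputs:
  INFISICAL_TOKEN:
    description: "Machine identity access token"
    required: true
  SECRET_NAME:
    description: "The secret key to fetch"
    required: true
  INFISICAL_HOST:
    description: "Infisical API base URL (must be https://)"
    required: false
    default: "https://infisical.pixelparasol.com"
  WORKSPACE_ID:
    description: "Infisical project UUID"
    required: true
  ENVIRONMENT:
    description: "Infisical environment slug"
    required: false
    default: "prod"
  SECRET_PATH:
    description: "Folder path within the environment"
    required: false
    default: "/"

outputs:
  value:
    description: "The fetched secret value (base64-encoded, single line; trailing newlines of the raw value are not preserved)"
    value: ${{ steps.fetch.outputs.value }}

runs:
  using: composite
  steps:
    - name: Fetch secret
      id: fetch
      shell: sh
      # Inputs go through the environment, never through ${{ }} inside `run:`,
      # so untrusted input values cannot become shell syntax.
      env:
        INFISICAL_TOKEN: ${{ inputs.INFISICAL_TOKEN }}
        SECRET_NAME: ${{ inputs.SECRET_NAME }}
        INFISICAL_HOST: ${{ inputs.INFISICAL_HOST }}
        WORKSPACE_ID: ${{ inputs.WORKSPACE_ID }}
        ENVIRONMENT: ${{ inputs.ENVIRONMENT }}
        SECRET_PATH: ${{ inputs.SECRET_PATH }}
      run: |
        # GitHub already runs `sh -e`; -u additionally catches a missing variable.
        set -eu

        # jq parses the response and percent-encodes the secret name below.
        # NOTE(review): the fallback installs an unpinned package at run time and
        # needs root; on hosted runners jq is normally preinstalled.
        if ! command -v jq >/dev/null 2>&1; then
          apk add --no-cache jq 2>/dev/null \
            || apt-get install -y -q --no-install-recommends jq 2>/dev/null \
            || { echo "Error: jq not available and could not be installed" >&2; exit 1; }
        fi
        if ! command -v curl >/dev/null 2>&1; then
          echo "Error: curl is required but not available" >&2
          exit 1
        fi

        # Tolerate a trailing slash on the host input.
        HOST="${INFISICAL_HOST%/}"
        # The secret name is a URL path segment: percent-encode it so a name with
        # '/', '?', '#' or spaces cannot change the request target.
        ENC_NAME=$(jq -rn --arg v "$SECRET_NAME" '$v|@uri')

        # Request the secret.
        #   - the Authorization header is read from stdin (-H @-) so the token is
        #     not visible in the process list;
        #   - --proto =https refuses to send the token over plaintext HTTP;
        #   - -G/--data-urlencode encode the query parameters;
        #   - the body is kept in memory and the HTTP status is appended as a
        #     final line, so no secret material touches the filesystem.
        RAW=$(printf 'Authorization: Bearer %s\n' "$INFISICAL_TOKEN" \
          | curl -sS --proto =https --max-time 30 \
              -H @- \
              -G \
              --data-urlencode "workspaceId=$WORKSPACE_ID" \
              --data-urlencode "environment=$ENVIRONMENT" \
              --data-urlencode "secretPath=$SECRET_PATH" \
              -w '\n%{http_code}' \
              "$HOST/api/v3/secrets/raw/$ENC_NAME") \
          || { echo "Error: request to Infisical failed for secret '$SECRET_NAME'" >&2; exit 1; }

        HTTP_STATUS=$(printf '%s\n' "$RAW" | tail -n 1)
        RESPONSE=$(printf '%s\n' "$RAW" | sed '$d')

        if [ "$HTTP_STATUS" != "200" ]; then
          echo "Error: Infisical returned HTTP $HTTP_STATUS for secret '$SECRET_NAME'" >&2
          printf 'Response: %s\n' "$RESPONSE" >&2
          exit 1
        fi

        # A non-JSON body makes jq fail; treat that like a missing value.
        VALUE=$(printf '%s' "$RESPONSE" | jq -r '.secret.secretValue') || VALUE=""
        if [ -z "$VALUE" ] || [ "$VALUE" = "null" ]; then
          echo "Error: secret '$SECRET_NAME' is empty or not found" >&2
          exit 1
        fi

        # Mask the raw value as well as its base64 form, so a consumer that decodes
        # and accidentally prints it is still redacted. ::add-mask:: works on a
        # single line, so each non-empty line of a multi-line value is masked.
        printf '%s\n' "$VALUE" | while IFS= read -r line; do
          if [ -n "$line" ]; then
            echo "::add-mask::$line"
          fi
        done

        # base64 wraps lines on some implementations; join them into one line.
        B64=$(printf '%s' "$VALUE" | base64 | tr -d '\n')
        echo "::add-mask::$B64"

        # base64 output never contains '_', so this delimiter cannot collide
        # with the value.
        DELIMITER="INFISICAL_EOF_$$"
        {
          echo "value<<${DELIMITER}"
          printf '%s\n' "$B64"
          echo "${DELIMITER}"
        } >> "$GITHUB_OUTPUT"

        echo "Successfully fetched secret '$SECRET_NAME'"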