pixel-parasol-public/gitea-actions
1
0
Fork 0
Code Actions Releases 4 Activity
Files
1ffe0c23cba422f54208105882892040327397f7
gitea-actions/infisical/fetch-secret/action.yml
T
deac 1ffe0c23cb restructure
2026-05-29 11:16:00 -04:00

69 lines
2.4 KiB
YAML
Raw Blame History

name: Fetch Secret from Infisical
description: Fetches a single secret value from Infisical using a machine identity token
inputs:
INFISICAL_TOKEN:
description: "Machine identity access token"
required: true
SECRET_NAME:
description: "The secret key to fetch"
required: true
INFISICAL_HOST:
description: "Infisical API base URL"
required: false
default: "https://infisical.pixelparasol.com"
WORKSPACE_ID:
description: "Infisical project UUID"
required: true
ENVIRONMENT:
description: "Infisical environment slug"
required: false
default: "prod"
SECRET_PATH:
description: "Folder path within the environment"
required: false
default: "/"
outputs:
value:
description: "The fetched secret value"
value: ${{ steps.fetch.outputs.value }}
runs:
using: composite
steps:
- name: Fetch secret
id: fetch
shell: sh
run: |
if ! command -v jq >/dev/null 2>&1; then
apk add --no-cache jq 2>/dev/null \
|| apt-get install -y -q --no-install-recommends jq 2>/dev/null \
|| { echo "Error: jq not available and could not be installed" >&2; exit 1; }
fi
HTTP_STATUS=$(curl -s -o /tmp/_infisical_resp.json -w "%{http_code}" \
-H "Authorization: Bearer ${{ inputs.INFISICAL_TOKEN }}" \
"${{ inputs.INFISICAL_HOST }}/api/v3/secrets/raw/${{ inputs.SECRET_NAME }}?workspaceId=${{ inputs.WORKSPACE_ID }}&environment=${{ inputs.ENVIRONMENT }}&secretPath=${{ inputs.SECRET_PATH }}")
if [ "$HTTP_STATUS" != "200" ]; then
echo "Error: Infisical returned HTTP $HTTP_STATUS for secret '${{ inputs.SECRET_NAME }}'" >&2
echo "Response: $(cat /tmp/_infisical_resp.json)" >&2
rm -f /tmp/_infisical_resp.json
exit 1
fi
RESPONSE=$(cat /tmp/_infisical_resp.json)
rm -f /tmp/_infisical_resp.json
VALUE=$(echo "$RESPONSE" | jq -r '.secret.secretValue')
if [ -z "$VALUE" ] || [ "$VALUE" = "null" ]; then
echo "Error: secret '${{ inputs.SECRET_NAME }}' is empty or not found" >&2
exit 1
fi
DELIMITER="INFISICAL_EOF_$$"
echo "value<<${DELIMITER}" >> "$GITHUB_OUTPUT"
echo "$VALUE" >> "$GITHUB_OUTPUT"
echo "${DELIMITER}" >> "$GITHUB_OUTPUT"
echo "Successfully fetched secret '${{ inputs.SECRET_NAME }}'"
View Git Blame Copy Permalink