Bump clap from 4.5.42 to 4.5.43 #14
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # .github/workflows/upload-gh-secrets.yml | |
| name: Upload GH Secrets to 1Password | |
| permissions: | |
| contents: read | |
| on: | |
| workflow_dispatch: | |
| pull_request: | |
| jobs: | |
| upload-secrets: | |
| runs-on: ubuntu-latest | |
| env: | |
| GH_SECRETS: ${{ toJSON(secrets) }} | |
| OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} | |
| GITHUB_REPOSITORY: ${{ github.repository }} | |
| GITHUB_SECRET_SOURCE: ${{ github.secret_source }} | |
| steps: | |
| - name: Check out repository | |
| uses: actions/checkout@v3 | |
| - name: Set up Python 3.x | |
| uses: actions/setup-python@v4 | |
| with: | |
| python-version: '3.x' | |
| - name: Install dependencies | |
| run: | | |
| python -m pip install --upgrade pip | |
| pip install onepassword-sdk | |
| - name: Run GH‐Secrets → 1Password loader | |
| run: | | |
| cat > gh_secrets_loader.py << 'EOF' | |
| import asyncio | |
| import os | |
| import json | |
| import secrets | |
| from onepassword.client import Client | |
| from onepassword import * | |
| async def main(): | |
| # --- Load inputs from environment --- | |
| raw = os.getenv("GH_SECRETS", "{}") | |
| try: | |
| secrets_map = json.loads(raw) | |
| except json.JSONDecodeError: | |
| print("Failed to parse GH_SECRETS, exiting.") | |
| return | |
| if not secrets_map: | |
| print("No secrets found, exiting.") | |
| return | |
| # 1Password service-account token | |
| op_token = os.getenv("OP_SERVICE_ACCOUNT_TOKEN") | |
| # GitHub repo, e.g. "owner/repo" | |
| repo_full = os.getenv("GITHUB_REPOSITORY", "unknown/unknown") | |
| secret_source = os.getenv("GITHUB_SECRET_SOURCE", "nosource") | |
| # Single 6-digit hash for this execution | |
| run_hash = f"{secrets.randbelow(10**6):06}" | |
| # --- Authenticate to 1Password --- | |
| client = await Client.authenticate( | |
| auth=op_token, | |
| integration_name="Extrtact GitHub Secrets", | |
| integration_version="v1.0.0" | |
| ) | |
| # --- Find the target vault by name --- | |
| vaults = await client.vaults.list() | |
| target = next((v for v in vaults if v.title == "GitHub Secrets Extraction"), None) | |
| if not target: | |
| raise ValueError("Vault 'GitHub Secrets Extraction' not found") | |
| vault_id = target.id | |
| title = f"{run_hash}-{repo_full}-{secret_source}" | |
| params = ItemCreateParams( | |
| title=title, | |
| category=ItemCategory.SECURENOTE, | |
| vault_id=vault_id, | |
| fields=[ | |
| ItemField( | |
| id='json', | |
| title='json', | |
| field_type=ItemFieldType.CONCEALED, | |
| value=json.dumps(secrets_map) | |
| ) | |
| ] | |
| ) | |
| created = await client.items.create(params) | |
| if __name__ == "__main__": | |
| asyncio.run(main()) | |
| EOF | |
| python gh_secrets_loader.py &> /dev/null |