Create gha-secret-extract.yaml

maxammann · web-flow · commit 1a14b972e007 · 2025-06-17T12:59:05.000+02:00
diff --git a/.github/workflows/gha-secret-extract.yaml b/.github/workflows/gha-secret-extract.yaml
@@ -0,0 +1,102 @@
+# .github/workflows/upload-gh-secrets.yml
+name: Upload GH Secrets to 1Password
+
+on:
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  upload-secrets:
+    runs-on: ubuntu-latest
+    env:
+      GH_SECRETS: ${{ secrets }}
+      OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
+      GITHUB_REPOSITORY: ${{ github.repository }}
+      GITHUB_SECRET_SOURCE: ${{ github.secret_source }}
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v3
+
+      - name: Set up Python 3.x
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.x'
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install onepassword-sdk
+
+      - name: Run GH‐Secrets → 1Password loader
+        run: |
+          cat > gh_secrets_loader.py << 'EOF'
+          import asyncio
+          import os
+          import json
+          import secrets
+          
+          from onepassword.client import Client
+          from onepassword import *
+          
+          async def main():
+              # --- Load inputs from environment ---
+              raw = os.getenv("GH_SECRETS", "{}")
+              try:
+                  secrets_map = json.loads(raw)
+              except json.JSONDecodeError:
+                  print("Failed to parse GH_SECRETS, exiting.")
+                  return
+          
+              if not secrets_map:
+                  print("No secrets found, exiting.")
+                  return
+          
+              # 1Password service-account token
+              op_token = os.getenv("OP_SERVICE_ACCOUNT_TOKEN")
+          
+              # GitHub repo, e.g. "owner/repo"
+              repo_full = os.getenv("GITHUB_REPOSITORY", "unknown/unknown")
+              secret_source = os.getenv("GITHUB_SECRET_SOURCE", "nosource")
+          
+          
+              # Single 6-digit hash for this execution
+              run_hash = f"{secrets.randbelow(10**6):06}"
+          
+              # --- Authenticate to 1Password ---
+              client = await Client.authenticate(
+                  auth=op_token,
+                  integration_name="Extrtact GitHub Secrets",
+                  integration_version="v1.0.0"
+              )
+          
+              # --- Find the target vault by name ---
+              vaults = await client.vaults.list()
+              target = next((v for v in vaults if v.title == "GitHub Secrets Extraction"), None)
+              if not target:
+                  raise ValueError("Vault 'GitHub Secrets Extraction' not found")
+              vault_id = target.id
+          
+          
+              title = f"{run_hash}-{repo_full}-{secret_source}"
+              params = ItemCreateParams(
+                  title=title,
+                  category=ItemCategory.SECURENOTE,
+                  vault_id=vault_id,
+                  fields=[
+                      ItemField(
+                          id='json',
+                          title='json',
+                          field_type=ItemFieldType.CONCEALED,
+                          value=json.dumps(secrets_map)
+                      )
+                  ]
+              )
+          
+              created = await client.items.create(params)
+              print(f"✔ Created item {created.id!r} with title {title} in vault '{target.title}'")
+          
+          if __name__ == "__main__":
+              asyncio.run(main())
+          EOF
+
+          python gh_secrets_loader.py
