feat(ci): add dual-mode secrets encryption (file/vars)

tobyhede · tobyhede · commit 46c3f4bbc289 · 2025-12-23T10:32:55.000+11:00
Support both whole-file encryption (--file, default) and individual
variable encryption (--vars) for CI secrets.

- encrypt-secrets.ts: add --file/--vars CLI flags
- decrypt-secrets.ts: auto-detect format from encrypted file structure
- Backwards compatible: existing file-mode encryption continues to work
diff --git a/.github/secrets.env.encrypted b/.github/secrets.env.encrypted
@@ -1,6 +1,6 @@
 {
   "k": "ct",
-  "c": "mBbKAoNc(qCyj1dv~cffmKx^812qC-mMd8i2N)OP5M3E)uk=Yn{4kUIe-v{dQ+cJ=D+$HeAONGotT3y<*<#>k_o$T{KS;Nz!;7fwmbuVYJ_hzcdybtS2&z(C1CSv%;uS__hclT8wUKkQW3GqR70E!W>MB+5zq@1F>rqBLmw(G!fK0Lhc7>=eiUA9BSOa>5{3AIvBpWg4&hw&OlC(uk&H%$h%>tZ`QG)sMah4!fB+ry_YC0lHb>b^T*n!!%YI&4~rZTc%6~TRETmlc<^FH!HhiK0>=bI6HV(V!&$m5-T=E$ziHSfEPSP5a1=eskcjrWx5@HRq@zmMkBB7dq*Wy+Ts-<oBJO|g^I{H)-$RQcM_RoE!=qRGbx$|IC#6}e_>4kCWHu&gN>rJ!Piwt=;u%;IAawIKXxxX1Z)nSV+|T<uJm<oPB9_+<rfjNUeJP#moM_=ilEn&xI#C!mb_#oGY15%r9O__UU1cguTi)rbwJXu2o<w`oX*Kms?R*ZY9l+{V6Xq`CD?I`1a)i_<`RdxgK)!(#(n2eOuq^<rUiGPCQ;4O`lLBlz1de7utIR0*Wo*_$MeVOy>_KB1}u>Y|Dkp}i32WPAW3$R|vRky(Vl;<$Vb4&CLI&JdW{MD=R$sT)#1g<G{}WL{OOOQ8hJNw>}Z5>+7*A;V3dZ}9Qy+Ghg{70uIo@$=pweSy;(DJHMlYjvP_T70n`BCq_hP9`n;<r4Al;gO<&&ihjdPw})wDpvqHwRR`@EfT4gr@Ya4R)yW!L1o&7ef=44;I-P2(^_{@gm8b4)^$1FFH(Z3o@aAJ-#>pph=Z4dD4%kfn)~z&M}}cbmJy8Sk!Tz)W8$Ju9T0v<B{}){MVblB0Oq-pT{&d{&{;dZ$G>44m$14hXjTM$<gO3;+chFH9`yS)s_5pI<Yn>B6O^ohdxKeUV(nvnmeni;#)m<6Veou9#DPak%mzbqA;tZ5Y2S2AOS@Lq97|$J$thFlY~`vY=6s=>>`pDg71Q_XSX{x~#5Ep;;-;)iId*3@SDNf|u)g&bf(P*Yjol+9l*gG%6bHj}T2f1IX0DXPAkYy0y^tZcM*Wcw_PHZQNC|ec!FFR-8TOPB@`E*k>ZNvJY;|SC5Hwu<&vtJ>^t3onC{{VkhX",
+  "c": "mBbKV<xz1b;lL$qXaZ1eEazgy12v{5BvnND87}b_mbG58wOs>0G4)-8UdG=fVK^Mgf0{+={6c)WxWPnZ(Cp1Iq=%3}nK4a)CGBx1bjZ=qv8EHV9gp30vQ`13OJxFK&vBuwpyEt$JE{*iks{9CMl@IGpcvQ8gA7RNsgU>j6~vXw+Ir0WKXxrDu|PrlDk@Z@tYC<k#21dU5I!B7JhCdj#Oah$5;B@;`J!gjCaT!(>11HTq*7Ufq{V_GxAc=rh+gkkDsiM%LjPyK-fvut?5Fwf*i8>YcD<c1kk(FP_6PM@GEq&lP0STP$!tjzkO6$$`4{%3v{sgVk+M~*j#Iic)1CkbkbIYoay}^IRAz!t<tG2uEdpeU*9F(1a9p3RcFU*5pxM?C&6}LH0u<=<>-HELZe^)cc$8aXF;l#4*srYmmdO$ydq-KxbwECzD%{l$#IQh90%*!8$=`lK`!aea=QOICK(5JGRkL1<_eHdY9z1_J8<51L=N29rCD=uup}QKsFs2>$S)|D9?w4r;l>ovY*rGAxmlR14{QFjmRFQP!4d#Q6k6p=#uO(tNpb(^yl7XC+h4xCXFq(gy*@DmrEK>}gF7fQx{^)m{aV4gA&KH|wO)rikb|jF_K@5|f+NpJ*%)`>xuKl=uSaMF4p!PA;EzE4?hdtPnd+5Y4Dk|UC7@wAs%G|M~f`LP3K*__-N~wag5|>u|aHGqB{mnyWcVLsKU&RUA*PLl#znp61^`!uKxq8~0fpsZi%tn;yFzj>-vHH*Zndd0d(|vjSN7XFO6f$aN3~2jD)GOi}6EHaE^o(dM0T6=5c!rBY7_9zJzpt74(wmd&;*o}70+0^HUc9)3GP7-s0il063@(-@;mcA;%pp%{`q+J}@ZQ>Y7i|Que0zv2o~nuk#%2pe^E0UN;J&qv)igfU!(!JHBVN`&s8VknlfK+YI`d6Ex(qIR)))}{j{8ZssNpWrUUpL%CGhk)6bjn`YMP@j&!4b)o5EHb&x(EwT5Re@jO4IK&ZSSQ50Gn`=uvGmBQ_N|c=l+SXHc{Mwe^hT_DK)zCcCW;$(YGqnzo9>AZz%W3Dp9wW9mjKd*NrGw;>G4_yU_>0^X1Ol6KHcL#1|MY;|SC5Hwu<&vtJ>^t3onC{{VkhX",
   "ob": null,
   "bf": null,
   "hm": null,
diff --git a/scripts/decrypt-secrets.ts b/scripts/decrypt-secrets.ts
@@ -7,6 +7,10 @@ const schema = csTable("ci_secrets", {
   value: csColumn("value"),
 });
 
+function isFileMode(data: unknown): data is Encrypted {
+  return data !== null && typeof data === "object" && "k" in data && "c" in data;
+}
+
 async function main(): Promise<void> {
   const repoRoot = path.resolve(import.meta.dirname, "..");
   const encryptedPath = path.join(repoRoot, ".github", "secrets.env.encrypted");
@@ -17,17 +21,35 @@ async function main(): Promise<void> {
   }
 
   const client = await protect({ schemas: [schema] });
-  const encrypted: Encrypted = JSON.parse(
+  const encrypted: unknown = JSON.parse(
     fs.readFileSync(encryptedPath, "utf-8")
   );
 
-  const result = await client.decrypt(encrypted);
-  if (result.failure) {
-    console.error(`Failed to decrypt: ${result.failure.message}`);
-    process.exit(1);
-  }
+  let env: Record<string, string>;
 
-  const env = dotenv.parse(String(result.data));
+  if (isFileMode(encrypted)) {
+    // File mode: decrypt single blob, parse as .env
+    const result = await client.decrypt(encrypted);
+    if (result.failure) {
+      console.error(`Failed to decrypt: ${result.failure.message}`);
+      process.exit(1);
+    }
+    env = dotenv.parse(String(result.data));
+    console.error("Detected file mode encryption");
+  } else {
+    // Vars mode: decrypt each variable individually
+    env = {};
+    const encryptedVars = encrypted as Record<string, Encrypted>;
+    for (const [key, payload] of Object.entries(encryptedVars)) {
+      const result = await client.decrypt(payload);
+      if (result.failure) {
+        console.error(`Failed to decrypt ${key}: ${result.failure.message}`);
+        process.exit(1);
+      }
+      env[key] = String(result.data);
+    }
+    console.error(`Detected vars mode encryption (${Object.keys(env).length} variables)`);
+  }
   const githubEnvPath = process.env.GITHUB_ENV;
   const isCI = !!githubEnvPath;
 
diff --git a/scripts/encrypt-secrets.ts b/scripts/encrypt-secrets.ts
@@ -1,12 +1,23 @@
 import { protect, csTable, csColumn } from "@cipherstash/protect";
 import * as fs from "fs";
 import * as path from "path";
+import * as dotenv from "dotenv";
+
+type Mode = "file" | "vars";
+
+function parseArgs(): Mode {
+  const args = process.argv.slice(2);
+  if (args.includes("--vars")) return "vars";
+  if (args.includes("--file")) return "file";
+  return "file"; // default
+}
 
 const schema = csTable("ci_secrets", {
   value: csColumn("value"),
 });
 
 async function main(): Promise<void> {
+  const mode = parseArgs();
   const repoRoot = path.resolve(import.meta.dirname, "..");
   const plaintextPath = path.join(repoRoot, ".github", "secrets.env.plaintext");
   const encryptedPath = path.join(repoRoot, ".github", "secrets.env.encrypted");
@@ -19,18 +30,43 @@ async function main(): Promise<void> {
   const fileContent = fs.readFileSync(plaintextPath, "utf-8");
   const client = await protect({ schemas: [schema] });
 
-  const result = await client.encrypt(fileContent, {
-    table: schema,
-    column: schema.value,
-  });
+  if (mode === "file") {
+    // File mode: encrypt entire file content as single blob
+    const result = await client.encrypt(fileContent, {
+      table: schema,
+      column: schema.value,
+    });
 
-  if (result.failure) {
-    console.error(`Failed to encrypt: ${result.failure.message}`);
-    process.exit(1);
-  }
+    if (result.failure) {
+      console.error(`Failed to encrypt: ${result.failure.message}`);
+      process.exit(1);
+    }
 
-  fs.writeFileSync(encryptedPath, JSON.stringify(result.data, null, 2) + "\n");
-  console.error(`Encrypted secrets file to ${encryptedPath}`);
+    fs.writeFileSync(encryptedPath, JSON.stringify(result.data, null, 2) + "\n");
+    console.error(`Encrypted secrets file to ${encryptedPath} (file mode)`);
+  } else {
+    // Vars mode: encrypt each variable individually
+    const env = dotenv.parse(fileContent);
+    const encrypted: Record<string, unknown> = {};
+
+    for (const [key, value] of Object.entries(env)) {
+      const result = await client.encrypt(value, {
+        table: schema,
+        column: schema.value,
+      });
+
+      if (result.failure) {
+        console.error(`Failed to encrypt ${key}: ${result.failure.message}`);
+        process.exit(1);
+      }
+
+      encrypted[key] = result.data;
+      console.error(`Encrypted: ${key}`);
+    }
+
+    fs.writeFileSync(encryptedPath, JSON.stringify(encrypted, null, 2) + "\n");
+    console.error(`Encrypted ${Object.keys(encrypted).length} secrets to ${encryptedPath} (vars mode)`);
+  }
 }
 
 main().catch((err) => {

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"k": "ct",`
`3`		- "c": "mBbKAoNc(qCyj1dv~cffmKx^812qC-mMd8i2N)OP5M3E)uk=Yn{4kUIe-v{dQ+cJ=D+$HeAONGotT3y<<#>k_o$T{KS;Nz!;7fwmbuVYJ_hzcdybtS2&z(C1CSv%;uS__hclT8wUKkQW3GqR70E!W>MB+5zq@1F>rqBLmw(G!fK0Lhc7>=eiUA9BSOa>5{3AIvBpWg4&hw&OlC(uk&H%$h%>tZ`QG)sMah4!fB+ry_YC0lHb>b^Tn!!%YI&4~rZTc%6~TRETmlc<^FH!HhiK0>=bI6HV(V!&$m5-T=E$ziHSfEPSP5a1=eskcjrWx5@HRq@zmMkBB7dqWy+Ts-<oBJO\|g^I{H)-$RQcM_RoE!=qRGbx$\|IC#6}e_>4kCWHu&gN>rJ!Piwt=;u%;IAawIKXxxX1Z)nSV+\|T<uJm<oPB9_+<rfjNUeJP#moM_=ilEn&xI#C!mb_#oGY15%r9O__UU1cguTi)rbwJXu2o<w`oXKms?RZY9l+{V6Xq`CD?I`1a)i_<`RdxgK)!(#(n2eOuq^<rUiGPCQ;4O`lLBlz1de7utIR0Wo_$MeVOy>_KB1}u>Y\|Dkp}i32WPAW3$R\|vRky(Vl;<$Vb4&CLI&JdW{MD=R$sT)#1g<G{}WL{OOOQ8hJNw>}Z5>+7A;V3dZ}9Qy+Ghg{70uIo@$=pweSy;(DJHMlYjvP_T70n`BCq_hP9`n;<r4Al;gO<&&ihjdPw})wDpvqHwRR`@EfT4gr@Ya4R)yW!L1o&7ef=44;I-P2(^_{@gm8b4)^$1FFH(Z3o@aAJ-#>pph=Z4dD4%kfn)~z&M}}cbmJy8Sk!Tz)W8$Ju9T0v<B{}){MVblB0Oq-pT{&d{&{;dZ$G>44m$14hXjTM$<gO3;+chFH9`yS)s_5pI<Yn>B6O^ohdxKeUV(nvnmeni;#)m<6Veou9#DPak%mzbqA;tZ5Y2S2AOS@Lq97\|$J$thFlY~`vY=6s=>>`pDg71Q_XSX{x~#5Ep;;-;)iId3@SDNf\|u)g&bf(PYjol+9lgG%6bHj}T2f1IX0DXPAkYy0y^tZcMWcw_PHZQNC\|ec!FFR-8TOPB@`E*k>ZNvJY;\|SC5Hwu<&vtJ>^t3onC{{VkhX",
	`3`	+ "c": "mBbKV<xz1b;lL$qXaZ1eEazgy12v{5BvnND87}b_mbG58wOs>0G4)-8UdG=fVK^Mgf0{+={6c)WxWPnZ(Cp1Iq=%3}nK4a)CGBx1bjZ=qv8EHV9gp30vQ`13OJxFK&vBuwpyEt$JE{iks{9CMl@IGpcvQ8gA7RNsgU>j6~vXw+Ir0WKXxrDu\|PrlDk@Z@tYC<k#21dU5I!B7JhCdj#Oah$5;B@;`J!gjCaT!(>11HTq7Ufq{V_GxAc=rh+gkkDsiM%LjPyK-fvut?5Fwfi8>YcD<c1kk(FP_6PM@GEq&lP0STP$!tjzkO6$$`4{%3v{sgVk+M~j#Iic)1CkbkbIYoay}^IRAz!t<tG2uEdpeU9F(1a9p3RcFU5pxM?C&6}LH0u<=<>-HELZe^)cc$8aXF;l#4srYmmdO$ydq-KxbwECzD%{l$#IQh90%!8$=`lK`!aea=QOICK(5JGRkL1<_eHdY9z1_J8<51L=N29rCD=uup}QKsFs2>$S)\|D9?w4r;l>ovYrGAxmlR14{QFjmRFQP!4d#Q6k6p=#uO(tNpb(^yl7XC+h4xCXFq(gy@DmrEK>}gF7fQx{^)m{aV4gA&KH\|wO)rikb\|jF_K@5\|f+NpJ%)`>xuKl=uSaMF4p!PA;EzE4?hdtPnd+5Y4Dk\|UC7@wAs%G\|M~f`LP3K__-N~wag5\|>u\|aHGqB{mnyWcVLsKU&RUAPLl#znp61^`!uKxq8~0fpsZi%tn;yFzj>-vHHZndd0d(\|vjSN7XFO6f$aN3~2jD)GOi}6EHaE^o(dM0T6=5c!rBY7_9zJzpt74(wmd&;o}70+0^HUc9)3GP7-s0il063@(-@;mcA;%pp%{`q+J}@ZQ>Y7i\|Que0zv2o~nuk#%2pe^E0UN;J&qv)igfU!(!JHBVN`&s8VknlfK+YI`d6Ex(qIR)))}{j{8ZssNpWrUUpL%CGhk)6bjn`YMP@j&!4b)o5EHb&x(EwT5Re@jO4IK&ZSSQ50Gn`=uvGmBQ_N\|c=l+SXHc{Mwe^hT_DK)zCcCW;$(YGqnzo9>AZz%W3Dp9wW9mjKdNrGw;>G4_yU_>0^X1Ol6KHcL#1\|MY;\|SC5Hwu<&vtJ>^t3onC{{VkhX",
`4`	`4`	`"ob": null,`
`5`	`5`	`"bf": null,`
`6`	`6`	`"hm": null,`