refactor(ci): simplify to whole-file encryption

tobyhede · tobyhede · commit eb41525e0d7c · 2025-12-22T14:54:04.000+11:00
Replace per-value encryption with single-blob encryption:
- Encrypt entire secrets file as one payload
- Decrypt once, then parse with dotenv
- Simpler, faster, smaller encrypted file
diff --git a/.github/secrets.env.encrypted b/.github/secrets.env.encrypted
@@ -1,122 +1,12 @@
 {
-  "CS_DEFAULT_KEYSET_ID": {
-    "k": "ct",
-    "c": "mBbM0?Nl*Qu~k~!?IMwm(qwtWHu>HeEmn8T4a(l7Q2ep~@2y2p^Y1vQS{!GRU-)lG{ysSLcEnRYnH3F}iR6+(smAqKtl@XWAfLV&!nG*uPP}T~-r&G*#J3lNz%2t5ZP7a`*ZI=R*`;=2Y;|SC5Hwu<&vtJ>^t3onC{{VkhX",
-    "ob": null,
-    "bf": null,
-    "hm": null,
-    "i": {
-      "t": "ci_secrets",
-      "c": "value"
-    },
-    "v": 2
-  },
-  "CS_TENANT_KEYSET_ID_1": {
-    "k": "ct",
-    "c": "mBbKa^tk|l%%@u_arbG%UnJ|qHjRA(OZ~O~aEFq|Uc*O6?2pFqI4tsmify9c35DEDw5q)}F>^yg<kB^+Szu&AFA`3pS@2=RAYOMmRZ$<5hkwnC-*By{kj}=Rq^n`0?h~)(Y#zco%B6N;Y;|SC5Hwu<&vtJ>^t3onC{{VkhX",
-    "ob": null,
-    "bf": null,
-    "hm": null,
-    "i": {
-      "t": "ci_secrets",
-      "c": "value"
-    },
-    "v": 2
-  },
-  "CS_TENANT_KEYSET_ID_2": {
-    "k": "ct",
-    "c": "mBbLD*8EXQH6XEOK;w-geHlW;Hcz#WkN6K1cJ)L8Il`dD=s-(DNfCehdrxUhA=?^ltY2~a>ltl>eOb}jO|b-_#B9kfh2@RJAn@8tcumPN3B<gHPD#0XIUqX;A9X4~?g<6EAM1V<i=}p9Y;|SC5Hwu<&vtJ>^t3onC{{VkhX",
-    "ob": null,
-    "bf": null,
-    "hm": null,
-    "i": {
-      "t": "ci_secrets",
-      "c": "value"
-    },
-    "v": 2
-  },
-  "CS_TENANT_KEYSET_ID_3": {
-    "k": "ct",
-    "c": "mBbM86sosp5K0i7^KEo0`t7I0HXCW)>~VFO&LzfWcEs~u?jfrxx~{6@WR)}XfQBFSj3FDJ!DpHH>*W?X3)L;xfUNGCTmGWNAZ4;VmI-6*9I7}bl;);r{9C+95IEyT(n9|(mdx|EyQOwvY;|SC5Hwu<&vtJ>^t3onC{{VkhX",
-    "ob": null,
-    "bf": null,
-    "hm": null,
-    "i": {
-      "t": "ci_secrets",
-      "c": "value"
-    },
-    "v": 2
-  },
-  "CS_TENANT_KEYSET_NAME_1": {
-    "k": "ct",
-    "c": "mBbJ+(r74pg5s5`J;<6!;3&n!7qFLrdkua!vBgow7y#K5HGW~ayhSXH#2`0o!W21kgS_p^5HtcI%n39_NeYh-0@8ppT$?~FLY}2|VQh6}#1J%G{m*u9K=iaYPbgM7%ZC",
-    "ob": null,
-    "bf": null,
-    "hm": null,
-    "i": {
-      "t": "ci_secrets",
-      "c": "value"
-    },
-    "v": 2
-  },
-  "CS_TENANT_KEYSET_NAME_2": {
-    "k": "ct",
-    "c": "mBbJTqjoEaJ-CTMWn{Xk(gsY#7Yu1{4D?y85h;F%$M0wwF4J$$oh{29#31%gYxd^m5@QCp&&_m5v;-{C(+w&IFi(EQy{IYeUzVkIVQh6}#1J%G{m*u9K=iaYPbgM7%ZC",
-    "ob": null,
-    "bf": null,
-    "hm": null,
-    "i": {
-      "t": "ci_secrets",
-      "c": "value"
-    },
-    "v": 2
-  },
-  "CS_TENANT_KEYSET_NAME_3": {
-    "k": "ct",
-    "c": "mBbJa8JfC8cf;O(@6B(CT+-;o7g*nt^_G8wfwl^!USRDMv2)t`&x-2W#31i!G%X)KSwL1P-_O|!FD?N`{m?8>Cp+R1!^~d5yIG}nVQh6}#1J%G{m*u9K=iaYPbgM7%ZC",
-    "ob": null,
-    "bf": null,
-    "hm": null,
-    "i": {
-      "t": "ci_secrets",
-      "c": "value"
-    },
-    "v": 2
-  },
-  "DOCKER_HUB_USERNAME": {
-    "k": "ct",
-    "c": "mBbKFBRV%>F|ABa9GSR+5dsjzA*Xjz65=6Opeh)SCg=TpK2bNREA5BaLw4;<P#C&)u$aUk0k`!?^!e;1*iD3SFHJE9jb^LfO6>oPYF{#`Q=G|+rFLO#b!Eg5G+h19c5guRv^Y;FRyoUu",
-    "ob": null,
-    "bf": null,
-    "hm": null,
-    "i": {
-      "t": "ci_secrets",
-      "c": "value"
-    },
-    "v": 2
-  },
-  "DOCKER_HUB_PASSWORD": {
-    "k": "ct",
-    "c": "mBbJN?&s^Jst!Y@DOM$^8w{|-IvwJgJ5RK$$!h6!&)@=iTbz!tLFvp-JQKR$nd9i-bGm`I!bl^WPa_Ts#fX;<C|t>jGdKtp4t<5hAl7r7XvT##hIQ<u7ZsVcW}5K4b3a%Nk?i_EEs9NAgr#<2Y;|SC5Hwu<&vtJ>^t3onC{{VkhX",
-    "ob": null,
-    "bf": null,
-    "hm": null,
-    "i": {
-      "t": "ci_secrets",
-      "c": "value"
-    },
-    "v": 2
-  },
-  "MULTITUDES_ACCESS_TOKEN": {
-    "k": "ct",
-    "c": "mBbMB3Qx9={MGQF%x>r6239u30d{5koTb&8J&>*7xLp;n!_q}|Cfu7z_Cuo(uYCH8tFxS+e`Ts_$GHOCTv$x_Y?($V<IvvDVriKjkQ=P`F+04q8%A4@=z4Ss$##lq4FI8~0NY7cLBy!bR$Er&%p6#31g`)f32lAE;%VL~tL1!ReslE$2zMx{r!nXt#=9kojKCkVBmUZU75Vl}e?Ry@vah4%Qw=8<%NKn;jJEA;xf4nIZazqTc?0+7^d{l<Us0Z+UEQD(c!>~#f%qaO@le7zqJBKfo1xwNMHSCryogwW?T1M+WNNH2`QP&coXm7*vL?{v38>j6h$SMgGg<hLSd4DdEf|`=s;LQV6yrsg!mrU;$L-=QSfxg}ZKgi1gm%T+gb2Bc>M$T)hH^}97=J~?Uh}vGN@t~2yUi?CWi{Q!tSt;CI8@L6^hV!`!9ACFmr4>^GnWbN`ul!nBc2026(i37{c%{c&nyI?pB^VvAVXFewEKHuF(70R#2_j}fWJu4MW4a+wcnx5NF*Yls8(sRP$Yl*3m{Yb4$h@^VQh6}#1J%G{m*u9K=iaYPbgM7%ZC",
-    "ob": null,
-    "bf": null,
-    "hm": null,
-    "i": {
-      "t": "ci_secrets",
-      "c": "value"
-    },
-    "v": 2
-  }
+  "k": "ct",
+  "c": "mBbKAoNc(qCyj1dv~cffmKx^812qC-mMd8i2N)OP5M3E)uk=Yn{4kUIe-v{dQ+cJ=D+$HeAONGotT3y<*<#>k_o$T{KS;Nz!;7fwmbuVYJ_hzcdybtS2&z(C1CSv%;uS__hclT8wUKkQW3GqR70E!W>MB+5zq@1F>rqBLmw(G!fK0Lhc7>=eiUA9BSOa>5{3AIvBpWg4&hw&OlC(uk&H%$h%>tZ`QG)sMah4!fB+ry_YC0lHb>b^T*n!!%YI&4~rZTc%6~TRETmlc<^FH!HhiK0>=bI6HV(V!&$m5-T=E$ziHSfEPSP5a1=eskcjrWx5@HRq@zmMkBB7dq*Wy+Ts-<oBJO|g^I{H)-$RQcM_RoE!=qRGbx$|IC#6}e_>4kCWHu&gN>rJ!Piwt=;u%;IAawIKXxxX1Z)nSV+|T<uJm<oPB9_+<rfjNUeJP#moM_=ilEn&xI#C!mb_#oGY15%r9O__UU1cguTi)rbwJXu2o<w`oX*Kms?R*ZY9l+{V6Xq`CD?I`1a)i_<`RdxgK)!(#(n2eOuq^<rUiGPCQ;4O`lLBlz1de7utIR0*Wo*_$MeVOy>_KB1}u>Y|Dkp}i32WPAW3$R|vRky(Vl;<$Vb4&CLI&JdW{MD=R$sT)#1g<G{}WL{OOOQ8hJNw>}Z5>+7*A;V3dZ}9Qy+Ghg{70uIo@$=pweSy;(DJHMlYjvP_T70n`BCq_hP9`n;<r4Al;gO<&&ihjdPw})wDpvqHwRR`@EfT4gr@Ya4R)yW!L1o&7ef=44;I-P2(^_{@gm8b4)^$1FFH(Z3o@aAJ-#>pph=Z4dD4%kfn)~z&M}}cbmJy8Sk!Tz)W8$Ju9T0v<B{}){MVblB0Oq-pT{&d{&{;dZ$G>44m$14hXjTM$<gO3;+chFH9`yS)s_5pI<Yn>B6O^ohdxKeUV(nvnmeni;#)m<6Veou9#DPak%mzbqA;tZ5Y2S2AOS@Lq97|$J$thFlY~`vY=6s=>>`pDg71Q_XSX{x~#5Ep;;-;)iId*3@SDNf|u)g&bf(P*Yjol+9l*gG%6bHj}T2f1IX0DXPAkYy0y^tZcM*Wcw_PHZQNC|ec!FFR-8TOPB@`E*k>ZNvJY;|SC5Hwu<&vtJ>^t3onC{{VkhX",
+  "ob": null,
+  "bf": null,
+  "hm": null,
+  "i": {
+    "t": "ci_secrets",
+    "c": "value"
+  },
+  "v": 2
 }
diff --git a/scripts/decrypt-secrets.ts b/scripts/decrypt-secrets.ts
@@ -1,15 +1,13 @@
 import { protect, csTable, csColumn, Encrypted } from "@cipherstash/protect";
 import * as fs from "fs";
 import * as path from "path";
+import * as dotenv from "dotenv";
 
 const schema = csTable("ci_secrets", {
   value: csColumn("value"),
 });
 
-type EncryptedSecrets = Record<string, Encrypted>;
-
 async function main(): Promise<void> {
-  // Find .env.encrypted relative to repo root (one level up from scripts/)
   const repoRoot = path.resolve(import.meta.dirname, "..");
   const encryptedPath = path.join(repoRoot, ".github", "secrets.env.encrypted");
 
@@ -19,33 +17,31 @@ async function main(): Promise<void> {
   }
 
   const client = await protect({ schemas: [schema] });
-  const encrypted: EncryptedSecrets = JSON.parse(
+  const encrypted: Encrypted = JSON.parse(
     fs.readFileSync(encryptedPath, "utf-8")
   );
 
+  const result = await client.decrypt(encrypted);
+  if (result.failure) {
+    console.error(`Failed to decrypt: ${result.failure.message}`);
+    process.exit(1);
+  }
+
+  const env = dotenv.parse(String(result.data));
   const githubEnvPath = process.env.GITHUB_ENV;
   const isCI = !!githubEnvPath;
 
-  for (const [key, payload] of Object.entries(encrypted)) {
-    const result = await client.decrypt(payload);
-    if (result.failure) {
-      console.error(`Failed to decrypt ${key}: ${result.failure.message}`);
-      process.exit(1);
-    }
-    const value = String(result.data);
-
+  for (const [key, value] of Object.entries(env)) {
     if (isCI) {
-      // GitHub Actions: use heredoc syntax for multiline values
       const delimiter = `EOF_${key}_${Date.now()}`;
       fs.appendFileSync(githubEnvPath, `${key}<<${delimiter}\n${value}\n${delimiter}\n`);
     } else {
-      // Local: simple KEY=value output (for testing)
       console.log(`${key}=${value}`);
     }
   }
 
   if (isCI) {
-    console.error(`Decrypted ${Object.keys(encrypted).length} secrets to $GITHUB_ENV`);
+    console.error(`Decrypted ${Object.keys(env).length} secrets to $GITHUB_ENV`);
   }
 }
 
diff --git a/scripts/encrypt-secrets.ts b/scripts/encrypt-secrets.ts
@@ -1,7 +1,6 @@
 import { protect, csTable, csColumn } from "@cipherstash/protect";
 import * as fs from "fs";
 import * as path from "path";
-import * as dotenv from "dotenv";
 
 const schema = csTable("ci_secrets", {
   value: csColumn("value"),
@@ -14,30 +13,24 @@ async function main(): Promise<void> {
 
   if (!fs.existsSync(plaintextPath)) {
     console.error(`Error: ${plaintextPath} not found`);
-    console.error("Create this file with your plaintext secrets (KEY=value format)");
     process.exit(1);
   }
 
-  const env = dotenv.parse(fs.readFileSync(plaintextPath));
+  const fileContent = fs.readFileSync(plaintextPath, "utf-8");
   const client = await protect({ schemas: [schema] });
 
-  const encrypted: Record<string, unknown> = {};
-
-  for (const [key, value] of Object.entries(env)) {
-    const result = await client.encrypt(value, {
-      table: schema,
-      column: schema.value,
-    });
-    if (result.failure) {
-      console.error(`Failed to encrypt ${key}: ${result.failure.message}`);
-      process.exit(1);
-    }
-    encrypted[key] = result.data;
-    console.error(`Encrypted: ${key}`);
+  const result = await client.encrypt(fileContent, {
+    table: schema,
+    column: schema.value,
+  });
+
+  if (result.failure) {
+    console.error(`Failed to encrypt: ${result.failure.message}`);
+    process.exit(1);
   }
 
-  fs.writeFileSync(encryptedPath, JSON.stringify(encrypted, null, 2) + "\n");
-  console.error(`\nWrote ${Object.keys(encrypted).length} secrets to ${encryptedPath}`);
+  fs.writeFileSync(encryptedPath, JSON.stringify(result.data, null, 2) + "\n");
+  console.error(`Encrypted secrets file to ${encryptedPath}`);
 }
 
 main().catch((err) => {
