feat(continuous-integratio): add support for build secrets

neilime · neilime · commit e7d9b432cc2f · 2025-10-28T14:00:22.000+01:00
Signed-off-by: Emilien Escalle &lt;emilien.escalle@escemi.com&gt;
diff --git a/.github/workflows/continuous-integration.yml b/.github/workflows/continuous-integration.yml
@@ -50,6 +50,18 @@ on:
         type: string
         required: false
         default: "."
+    secrets:
+      build-secrets:
+        description: |
+          Secrets to be used during the build step.
+          Must be a JSON object where keys are environment variable names and values are secret references.
+          Example:
+          ```json
+          {
+            "SECRET_EXAMPLE": "$\{{ secrets.SECRET_EXAMPLE }}"
+          }
+          ```
+        required: false
 
 permissions:
   contents: read
@@ -89,6 +101,7 @@ jobs:
       contents: read
       id-token: write
     outputs:
+      build-env: ${{ steps.build-variables.outputs.env }}
       build-commands: ${{ steps.build-variables.outputs.commands }}
       build-artifact: ${{ steps.build-variables.outputs.artifact }}
     steps:
@@ -122,6 +135,7 @@ jobs:
             const buildInput = `${{ inputs.build }}`.trim();
 
             let commands = [];
+            let env = {};
 
             // Build input can be json or string
             try {
@@ -130,6 +144,7 @@ jobs:
                 commands = build;
               } else {
                 commands = build.commands ?? ["build"];
+                env = build.env ?? {};
 
                 if (build.artifact) {
                   if(typeof build.artifact === 'string') {
@@ -159,6 +174,7 @@ jobs:
             }
 
             core.setOutput('commands', sanitizedCommands.join('\n'));
+            core.setOutput('env', JSON.stringify(env));
 
   lint:
     name: 👕 Lint
@@ -238,6 +254,39 @@ jobs:
             gatsby
             storybook
 
+      - if: needs.setup.outputs.build-commands
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        env:
+          BUILD_ENV: ${{ needs.setup.outputs.build-env }}
+          BUILD_SECRETS: ${{ secrets.build-secrets }}
+        with:
+          script: |
+            const envInput = process.env.BUILD_ENV || '{}';
+
+            let buildEnv = {};
+
+            try {
+              buildEnv = JSON.parse(envInput);
+            } catch (e) {
+              core.setFailed(`Invalid build env JSON: ${e.message}`);
+            }
+
+            for (const [key, value] of Object.entries(buildEnv)) {
+              core.exportVariable(key, value);
+            }
+
+            const secretsInput = process.env.BUILD_SECRETS || '';
+            let buildSecrets = {};
+
+            try {
+              buildSecrets = JSON.parse(secretsInput);
+            } catch (e) {
+              core.setFailed(`Invalid build secrets JSON: ${e.message}`);
+            }
+
+            for (const [key, value] of Object.entries(buildSecrets)) {
+              core.exportVariable(key, value);
+            }
       - if: needs.setup.outputs.build-commands
         working-directory: ${{ inputs.working-directory }}
         run: |
