GitHubSecretService.ps1
53 lines (44 loc) · 2.11 KB
#Requires -Modules Sodium
# New-SodiumKeyPair, ConvertTo-SodiumSealedBox and ConvertFrom-SodiumSealedBox used below
# are assumed to come from the 'Sodium' PowerShell module (libsodium sealed boxes).

# 1) The value you want to save as a secret.
$secretName = 'MY_SUPER_SECRET'
$secret = 'Hello world!'

# 2a) You request a public key from GitHub.
#     GitHub creates a key pair and stores it under an ID.
$GitHubSecretStore = @{}   # Simulated store where the saved secrets are kept.
$GitHubKeyPairStore = @{}  # Simulated separate store that holds key pairs temporarily until the secret is created.
$keyPair = New-SodiumKeyPair
$id = [guid]::NewGuid().ToString() -replace '-'
$GitHubKeyPairStore[$id] = [pscustomobject]@{
    PrivateKey = $keyPair.PrivateKey
    PublicKey  = $keyPair.PublicKey  # May or may not be stored on GitHub's side.
}

# 2b) GitHub sends you the public key and the ID.
$userInfo = @{
    PublicKey = $keyPair.PublicKey
    ID        = $id
}

# 3a) You encrypt the secret with the public key. The private key never leaves GitHub.
$encryptedSecret = ConvertTo-SodiumSealedBox -Message $secret -PublicKey $userInfo.PublicKey

# 3b) You send the encrypted secret to GitHub together with the secret's name and the ID GitHub gave you.
$secretInfo = @{
    SecretName      = $secretName
    EncryptedSecret = $encryptedSecret
    ID              = $userInfo.ID
}

# 4) GitHub likely stores the encrypted secret keyed by its name.
#    It also stores the private and public key fetched from the key pair store using the ID you provided.
#    It likely also runs a quick test to confirm the secret can be decrypted with that private key.
$GitHubSecretStore[$secretInfo.SecretName] = [pscustomobject]@{
    Secret     = $secretInfo.EncryptedSecret
    PrivateKey = $GitHubKeyPairStore[$secretInfo.ID].PrivateKey
    PublicKey  = $GitHubKeyPairStore[$secretInfo.ID].PublicKey
}

# 5) When used in GitHub Actions, the GitHub Secret Service likely trusts ONLY the 'GitHub Actions' app
#    and retrieves the secret by its name.
$actionParams = @{
    SealedBox  = $GitHubSecretStore[$secretName].Secret
    PublicKey  = $GitHubSecretStore[$secretName].PublicKey
    PrivateKey = $GitHubSecretStore[$secretName].PrivateKey
}
$decryptedString = ConvertFrom-SodiumSealedBox @actionParams

# 6) The decrypted secret is now available for use in the GitHub Action.
Write-Warning $decryptedString
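The script above simulates both sides of the exchange in one process. As an added example (not part of the original script or of GitHub's own code), the block below does the client half against the real GitHub REST endpoints for repository secrets (`GET .../actions/secrets/public-key`, then `PUT .../actions/secrets/{name}` with `encrypted_value` and `key_id`), and adds a local check of the property step 4 relies on: a box sealed to one key pair does not open with another. It assumes the same `Sodium` module cmdlets and parameter names used in the script, that `ConvertTo-SodiumSealedBox` accepts the Base64 public key returned by the API and returns the sealed box as a Base64 string (the form the API expects in `encrypted_value`), and that `ConvertFrom-SodiumSealedBox` reports an error when the key pair does not match; the function names `Set-GitHubActionsSecret` and `Test-SealedBoxKeyBinding` are hypothetical.

```powershell
#Requires -Modules Sodium
# Added example; assumptions: the 'Sodium' module cmdlets take the parameters used above,
# ConvertTo-SodiumSealedBox accepts/returns Base64 strings, and ConvertFrom-SodiumSealedBox
# errors on a key mismatch. Function names are hypothetical.

function Set-GitHubActionsSecret {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Owner,
        [Parameter(Mandatory)] [string] $Repo,
        [Parameter(Mandatory)] [string] $SecretName,
        [Parameter(Mandatory)] [string] $SecretValue,
        # Token with write access to repository secrets (never the secret value itself).
        [Parameter(Mandatory)] [string] $Token
    )
    $headers = @{
        Authorization          = "Bearer $Token"
        Accept                 = 'application/vnd.github+json'
        'X-GitHub-Api-Version' = '2022-11-28'
    }
    $base = "https://api.github.com/repos/$Owner/$Repo/actions/secrets"

    # 2) Fetch the repository public key: the response carries 'key' (Base64) and 'key_id'.
    $pub = Invoke-RestMethod -Method Get -Uri "$base/public-key" -Headers $headers

    # 3a) Seal the plaintext locally. Only GitHub's private key for this key_id can open it;
    #     the plaintext itself is never transmitted.
    $sealed = ConvertTo-SodiumSealedBox -Message $SecretValue -PublicKey $pub.key

    # 3b) Send the sealed box and the key_id so GitHub can look up the matching private key.
    $body = @{ encrypted_value = $sealed; key_id = $pub.key_id } | ConvertTo-Json
    $resp = Invoke-WebRequest -Method Put -Uri "$base/$SecretName" -Headers $headers `
        -Body $body -ContentType 'application/json' -UseBasicParsing
    # GitHub answers 201 when the secret is created and 204 when an existing one is updated.
    return $resp.StatusCode
}

# Local check of what step 4's "quick decrypt test" protects against: a stale or wrong key_id
# means the stored private key cannot open the box, so the mismatch fails closed.
function Test-SealedBoxKeyBinding {
    $plain = 'constructed test value'   # constructed sample input
    $right = New-SodiumKeyPair
    $wrong = New-SodiumKeyPair
    $box = ConvertTo-SodiumSealedBox -Message $plain -PublicKey $right.PublicKey

    # Matching key pair: round-trips to the original plaintext.
    $opened = ConvertFrom-SodiumSealedBox -SealedBox $box -PublicKey $right.PublicKey -PrivateKey $right.PrivateKey
    $ok = ($opened -eq $plain)

    # Non-matching key pair: expected to error (or at least not yield the plaintext).
    $rejected = $false
    try {
        $out = ConvertFrom-SodiumSealedBox -SealedBox $box -PublicKey $wrong.PublicKey `
            -PrivateKey $wrong.PrivateKey -ErrorAction Stop
        if ($out -ne $plain) { $rejected = $true }
    } catch {
        $rejected = $true
    }
    return ($ok -and $rejected)
}
```

Typical use is `Set-GitHubActionsSecret -Owner org -Repo app -SecretName MY_SUPER_SECRET -SecretValue $value -Token $env:GITHUB_TOKEN`, which returns 201 or 204; `Test-SealedBoxKeyBinding` returns `$true` when the module behaves as assumed. Fetching a fresh public key immediately before each PUT matters because GitHub can rotate the repository key, in which case an older `key_id` would be rejected rather than silently decrypting with the wrong key.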