-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathprocess.sh
More file actions
executable file
·43 lines (38 loc) · 1.14 KB
/
process.sh
File metadata and controls
executable file
·43 lines (38 loc) · 1.14 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
#!/usr/bin/env bash
set -euo pipefail
# OpenSSL cipher used for all operations.
CIPHER="aes-256-cbc"
if [[ -z "${JSO_INPUT:-}" ]]; then
echo "::error::Input 'in' must not be empty."
exit 1
fi
if [[ -z "${JSO_SECRET:-}" ]]; then
echo "::error::Input 'secret' must not be empty."
exit 1
fi
case "${JSO_MODE}" in
encrypt)
# Encrypt plaintext -> base64-encoded ciphertext (single line).
result=$(printf '%s' "$JSO_INPUT" \
| openssl enc -"$CIPHER" -a -A -salt -pbkdf2 -pass pass:"$JSO_SECRET")
;;
decrypt)
# Decode base64 ciphertext -> plaintext.
result=$(printf '%s' "$JSO_INPUT" \
| openssl enc -"$CIPHER" -a -A -d -salt -pbkdf2 -pass pass:"$JSO_SECRET")
# Mask the result only when decrypting - the plaintext is sensitive.
echo "::add-mask::${result}"
;;
*)
echo "::error::Input 'mode' must be 'encrypt' or 'decrypt'. Got '${JSO_MODE}'."
exit 1
;;
esac
# Write to the step output.
# Use a delimiter to safely handle multi-line or special-character values.
delimiter="JSO_EOF_$(openssl rand -hex 8)"
{
echo "out<<${delimiter}"
echo "$result"
echo "${delimiter}"
} >> "$GITHUB_OUTPUT"