The code and data behind xeiaso.net

lume/nodes: recover github actions secrets

Signed-off-by: Xe Iaso <me@xeiaso.net>

Xe Iaso e9a5654d 6c735530

+76
+4
lume/src/notes/_data.yml
··· 1 + layout: blog.njk 2 + type: blog 3 + index: true 4 + is_note: true
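Review bot: `is_note: true` is a new directory-level data key, but nothing else in this change reads it, so what it toggles is not visible here; a short comment in `_data.yml` or a line in the commit message naming the template that consumes it would help. Also worth confirming that `index: true` is meant to apply to every file under `lume/src/notes/`, since a `_data.yml` at this level is shared by the whole directory.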
+61
lume/src/notes/recover-github-action-secret.mdx
··· 1 + --- 2 + title: "How to recover a GitHub Actions secret" 3 + date: 2023-11-02 4 + tags: 5 + - github 6 + - actions 7 + - secrets 8 + - tailscale 9 + --- 10 + 11 + Sometimes you fuck up and lose your only copy of a GitHub secret that you can't replace easily, such as a [Cachix](https://www.cachix.org/) signing key. However you lucked out and that key is actually saved in GitHub Actions secrets...which won't let you read the contents of that secret for understandable security reasons. Here's how you work around that. 12 + 13 + First, make sure [Deno](https://deno.land) is installed and copy this program to `recover-secret.ts`. 14 + 15 + ```ts 16 + const port = 8080; 17 + 18 + const handler = async (req: Request): Promise<Response> => { 19 + const body = (await req.text()); 20 + console.log(body); 21 + 22 + return new Response() 23 + }; 24 + 25 + console.log(`HTTP server running. Access it at: http://localhost:${port}/`); 26 + Deno.serve({ port }, handler); 27 + ``` 28 + 29 + Run it with `deno run -A recover-secret.ts`. 30 + 31 + Next go to the [Tailscale admin console OAuth clients section](https://login.tailscale.com/admin/settings/oauth) and generate a new OAuth client that lets you create auth keys (you want the write on devices scope). Add a helpful description like "GitHub Actions secret recovery" and copy the client ID and secret to your password manager. Then add them as GitHub secrets named `TAILSCALE_CLIENT_ID` and `TAILSCALE_CLIENT_SECRET`. 
32 + 33 + Now create a new GitHub Actions workflow with the following contents: 34 + 35 + ```yaml 36 + on: 37 + workflow_dispatch: 38 + 39 + jobs: 40 + recoversecret: 41 + runs-on: ubuntu-latest 42 + steps: 43 + - name: Tailscale 44 + uses: tailscale/github-action@v2 45 + with: 46 + oauth-client-id: ${{ secrets.TAILSCALE_CLIENT_ID }} 47 + oauth-secret: ${{ secrets.TAILSCALE_CLIENT_SECRET }} 48 + tags: tag:ci 49 + version: 1.52.0 50 + - name: "Recover secret" 51 + run: | 52 + echo ${SECRET} > ./output.txt 53 + curl --data-binary @./output.txt ${TARGET} 54 + env: 55 + SECRET: ${{ secrets.CACHIX_SIGNING_KEY }} 56 + TARGET: "http://kaine.shark-harmonic.ts.net:8080" 57 + ``` 58 + 59 + Replace the contents of `TARGET` as facts and circumstances demand. 60 + 61 + Now you can recover your secret by hitting the "Run workflow" button on the Actions tab of your repo. The secret will be in your terminal, and you can copy it to your password manager as a note.
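Review bot: in the workflow step `echo ${SECRET} > ./output.txt` the expansion is unquoted, so a secret containing whitespace or glob characters is word-split and globbed before it is written, and the value is also left on the runner's disk in `output.txt`; `printf '%s' "$SECRET" | curl --data-binary @- "$TARGET"` sends the exact bytes with no temporary file. The suggested `deno run -A recover-secret.ts` grants every permission when the listener only needs `--allow-net`. Since this workflow stays runnable from the Actions tab by anyone with write access to the repository and posts `CACHIX_SIGNING_KEY` to whatever `TARGET` holds, the post should close with deleting the workflow file and revoking the OAuth client once the secret is back in the password manager.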
+11
scripts/recover-secret.ts
··· 1 + const port = 8080; 2 + 3 + const handler = async (req: Request): Promise<Response> => { 4 + const body = (await req.text()); 5 + console.log(body); 6 + 7 + return new Response() 8 + }; 9 + 10 + console.log(`HTTP server running. Access it at: http://localhost:${port}/`); 11 + Deno.serve({ port }, handler);
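Review bot: `Deno.serve({ port }, handler)` with no `hostname` listens on every interface, so while the recovery window is open anything that can reach port 8080 on this host, not only tailnet peers, can post to it and have its body logged; passing the machine's Tailscale address as `hostname` in the serve options limits the listener to the tailnet. The server also never stops on its own, so the endpoint stays up until the process is killed; passing an `AbortSignal` via the `signal` serve option and aborting it after the first non-empty body would close the window automatically. Minor style: `return new Response()` is missing its semicolon, the parentheses around `await req.text()` are redundant, and this file is a byte-for-byte copy of the snippet embedded in the post, so the two will have to be kept in sync by hand.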