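#!/bin/bash
# GitHub Secrets Setup Script (Pure API - No CLI)
# Sets all required secrets for Cloudflare deployment using GitHub API
#
# Requires curl, python3 with PyNaCl, and GITHUB_TOKEN in the environment.
# Every value is sealed client-side with the repository's public key before
# it is sent, which is what the Actions secrets API expects.
set -euo pipefail

readonly REPO="ciscoittech/binary-math-system"
readonly GITHUB_API="https://api.github.com"
# Bound every API call so a stalled connection cannot hang the interactive run.
readonly CURL_TIMEOUT=30

echo "🔐 GitHub Secrets Setup for Binary Math System"
echo "================================================"
echo ""
echo "This script will set 5 secrets in your GitHub repository."
echo "You'll be prompted to enter each value."
echo ""

# Check for required tools
if ! command -v curl >/dev/null 2>&1; then
  echo "❌ curl is not installed." >&2
  exit 1
fi
if ! command -v python3 >/dev/null 2>&1; then
  echo "❌ python3 is not installed." >&2
  exit 1
fi

# Check for PyNaCl (needed for encryption)
if ! python3 -c "import nacl" 2>/dev/null; then
  echo "❌ PyNaCl not installed" >&2
  echo "Install with: pip install pynacl" >&2
  exit 1
fi

# Get GitHub token. ${VAR:-} keeps `set -u` from aborting before the message.
if [ -z "${GITHUB_TOKEN:-}" ]; then
  echo "❌ GITHUB_TOKEN environment variable not set" >&2
  echo "" >&2
  echo "Set your token:" >&2
  echo " export GITHUB_TOKEN=ghp_xxxxxxxxxxxx" >&2
  echo "" >&2
  echo "Create token at: https://github.com/settings/tokens/new" >&2
  echo "Scopes needed: repo, admin:repo_hook" >&2
  exit 1
fi
echo "✅ Using GITHUB_TOKEN from environment"
echo ""

# Get public key from GitHub
echo "📍 Fetching encryption key from GitHub..."
# NOTE: the token travels on curl's argv and is therefore visible in the
# process list of a shared host for the duration of the call; reading the
# header from a file (or a curl config file) would keep it out of ps.
# -S keeps curl's own error text visible even though -s hides progress.
if ! PUBLIC_KEY_RESPONSE=$(curl -sS --max-time "$CURL_TIMEOUT" \
    -H "Accept: application/vnd.github+json" \
    -H "Authorization: Bearer $GITHUB_TOKEN" \
    "$GITHUB_API/repos/$REPO/actions/secrets/public-key"); then
  echo "❌ Failed to reach GitHub API" >&2
  exit 1
fi

# Extract both fields in one pass; a non-JSON or incomplete body (e.g. an
# auth error) leaves KEY_FIELDS empty so the raw response is reported below.
KEY_FIELDS=$(printf '%s' "$PUBLIC_KEY_RESPONSE" | python3 -c '
import sys, json
d = json.load(sys.stdin)
print(d["key"])
print(d["key_id"])
' 2>/dev/null) || KEY_FIELDS=""
PUBLIC_KEY=${KEY_FIELDS%%$'\n'*}
KEY_ID=${KEY_FIELDS#*$'\n'}

# The key is handed to the encryption helper on argv; insist on base64 so an
# error page or HTML body can never be mistaken for a key.
if [ -z "$PUBLIC_KEY" ] || [ -z "$KEY_ID" ] \
   || ! [[ "$PUBLIC_KEY" =~ ^[A-Za-z0-9+/=]+$ ]]; then
  echo "❌ Failed to get public key" >&2
  echo "Response: $PUBLIC_KEY_RESPONSE" >&2
  exit 1
fi
echo "✅ Got encryption key"
echo ""
echo "📝 Enter the following secrets:"
echo ""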
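# Python helper for encryption.
# Reads the plaintext from stdin rather than argv so the secret never shows
# up in the process list; prints the base64 sealed-box ciphertext on stdout
# and a diagnostic on stderr (exit 1) when sealing fails.
ENCRYPT_SCRIPT=$(cat <<'EOF'
import sys
import base64
from nacl import public

public_key_b64 = sys.argv[1]
secret_value = sys.stdin.read()
try:
    public_key = public.PublicKey(public_key_b64, encoder=public.Base64Encoder)
    encrypted = public.SealedBox(public_key).encrypt(secret_value.encode('utf-8'))
    print(base64.b64encode(encrypted.ciphertext).decode('utf-8'))
except Exception as e:
    print(f"Error: {e}", file=sys.stderr)
    sys.exit(1)
EOF
)

#######################################
# Encrypt one value with the repository public key and PUT it as an
# Actions secret.
# Globals:   ENCRYPT_SCRIPT, PUBLIC_KEY, KEY_ID, GITHUB_API, REPO,
#            GITHUB_TOKEN (all read)
# Arguments: $1 - secret name
#            $2 - plaintext value
# Outputs:   one status line on stdout (success) or stderr (failure)
# Returns:   0 when GitHub answers 201/204; 1 on empty value, bad name,
#            encryption failure or any other HTTP status
#######################################
set_secret() {
  local secret_name=$1
  local secret_value=$2
  local encrypted http_code payload

  if [ -z "$secret_value" ]; then
    return 1
  fi

  # The name becomes a URL path segment; reject anything outside the
  # characters GitHub accepts so a typo cannot address a different endpoint.
  if ! [[ "$secret_name" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]]; then
    echo "❌ Invalid secret name: $secret_name" >&2
    return 1
  fi

  # Encrypt the value; the plaintext goes over stdin, not argv, and the
  # helper's own error text is left on stderr instead of being discarded.
  if ! encrypted=$(printf '%s' "$secret_value" \
        | python3 -c "$ENCRYPT_SCRIPT" "$PUBLIC_KEY") \
     || [ -z "$encrypted" ]; then
    echo "❌ Failed to encrypt $secret_name" >&2
    return 1
  fi

  # Both fields are base64 / opaque ids returned by GitHub, so a plain
  # template is safe here; nothing user-typed reaches the JSON body.
  payload=$(printf '{"encrypted_value": "%s", "key_id": "%s"}' \
    "$encrypted" "$KEY_ID")

  # Send exactly one PUT and read the status from that same request
  # (the original issued the request twice, once just to get the code).
  # GitHub answers 201 on create and 204 on update. curl reports "000"
  # when no HTTP exchange happened; keep that instead of aborting.
  http_code=$(curl -sS -o /dev/null -w '%{http_code}' --max-time 30 -X PUT \
    -H "Accept: application/vnd.github+json" \
    -H "Authorization: Bearer $GITHUB_TOKEN" \
    -H "Content-Type: application/json" \
    "$GITHUB_API/repos/$REPO/actions/secrets/$secret_name" \
    -d "$payload") || http_code="000"

  if [[ "$http_code" =~ ^(201|204)$ ]]; then
    echo "✅ Set $secret_name"
    return 0
  fi
  echo "❌ Failed to set $secret_name (HTTP $http_code)" >&2
  return 1
}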
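#######################################
# Prompt for one value and store it; an empty answer skips the secret.
# Globals:   failed (incremented when set_secret reports a failure)
# Arguments: $1 - secret name
#            $2 - "secret" to hide the typed value, "plain" to echo it
#            $3 - prompt text
#            $4 - message printed when the value is empty (optional)
# Returns:   0 always; a failed upload is tallied rather than fatal so the
#            remaining secrets can still be entered
#######################################
prompt_secret() {
  local name=$1 mode=$2 prompt=$3
  local skip_msg=${4:-" ⏭️ Skipped"}
  local value
  if [ "$mode" = "secret" ]; then
    # -s keeps the value off the terminal; -r keeps backslashes literal.
    read -rsp "$prompt" value
    echo ""
  else
    read -rp "$prompt" value
  fi
  if [ -z "$value" ]; then
    echo "$skip_msg"
  elif ! set_secret "$name" "$value"; then
    failed=$((failed + 1))
  fi
  # value is local, so the plaintext does not linger in the shell afterwards.
}

failed=0

# 1. Cloudflare API Token
echo "1️⃣ CLOUDFLARE_API_TOKEN"
echo " Get from: https://dash.cloudflare.com/profile/api-tokens"
echo " Create token with 'Edit Cloudflare Workers' permissions"
prompt_secret "CLOUDFLARE_API_TOKEN" secret " Enter value: "

# 2. Cloudflare Account ID
echo ""
echo "2️⃣ CLOUDFLARE_ACCOUNT_ID"
echo " Get from: https://dash.cloudflare.com (right sidebar)"
prompt_secret "CLOUDFLARE_ACCOUNT_ID" plain " Enter value: "

# 3. Turso URL
echo ""
echo "3️⃣ TURSO_URL"
echo " Get from: Turso dashboard"
prompt_secret "TURSO_URL" plain " Enter value: "

# 4. Turso Auth Token
echo ""
echo "4️⃣ TURSO_AUTH_TOKEN"
echo " Get from: Turso dashboard"
prompt_secret "TURSO_AUTH_TOKEN" secret " Enter value: "

# 5. OpenRouter API Key (Optional)
echo ""
echo "5️⃣ OPENROUTER_API_KEY (Optional - skip if not using AI)"
echo " Get from: https://openrouter.ai"
prompt_secret "OPENROUTER_API_KEY" secret \
  " Enter value (or press Enter to skip): " " ⏭️ Skipped (optional)"

echo ""
echo "================================================"
# Only claim success when nothing failed; the original printed this line
# unconditionally, even after an upload error.
if [ "$failed" -gt 0 ]; then
  echo "❌ $failed secret(s) could not be set; fix the errors above and re-run." >&2
  exit 1
fi
echo "✅ All secrets configured successfully!"
echo ""
echo "Next steps:"
echo "1. Deploy: git push origin main"
echo "2. Monitor: https://github.com/$REPO/actions"
echo ""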