Skip to content

feat: add decryption passphrase for encrypted artifacts #762

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
alesancor1 wants to merge 3 commits into
base: main
Choose a base branch
from
Open

feat: add decryption passphrase for encrypted artifacts #762

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
a73e65a
feat: add decryption passphrase for encrypted artifacts
alesancor1 Feb 11, 2026
8432611
fix: call action using repo ref
alesancor1 Feb 11, 2026
cd018d4
fix: set archive extension correctly
alesancor1 Feb 11, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 10 additions & 0 deletions .github/actions/upload-rock/action.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,8 @@ inputs:
description: "The id of the workflow run where the desired download artifact was uploaded from."
github-token:
description: "The github token needed for downloading the artifact from a different repository or workflow run."
decrypt-passphrase:
description: "The passphrase for the artifact if it is encrypted."
outputs:
digest:
description: "The digest of the uploaded image"
Expand All @@ -41,6 +43,14 @@ runs:
name: ${{ inputs.artifact_name }}
run-id: ${{ inputs.run-id }}
github-token: ${{ inputs.github-token }}

- name: Decrypt Rock
if: ${{ inputs.decrypt-passphrase }}
uses: canonical/oci-factory/.github/actions/crypt-artifact@main
with:
mode: decrypt
input-path: ${{ inputs.artifact_name }}.gpg
Copy link
Collaborator

@cjdcordeiro cjdcordeiro Feb 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not just about this PR, but this other occurrence of a name assumption is making me nervous. Why couldn't we just have the crypt-artifact action output the name of the encrypted artifact (in previous workflows), and that would be the {{ inputs.artifcat_name}} passed across multiple workflows?

Copy link
Member Author

@alesancor1 alesancor1 Feb 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What you are suggesting is not really about crypt-artifact action, but about our logic for Build.yaml:

The artifact name is given as an input to Build.yaml, so even if crypt-artifact outputs the name of the encrypted file (which could also be a directory, in which case the output wouldn't be a single .gpg file) you would then need to make Build.yaml output that name so it can get passed down to Test.yaml and this upload-artifact.

This would cause a big regression and impact any workflow using Build.yaml. If we want to do this, we should then first tag our workflows.

Copy link
Collaborator

@cjdcordeiro cjdcordeiro Feb 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

isn't crypt-artifact the one taking in a file name, adding .gpg to it, and then creating the encrypted file? if so, it would be the action's job to tell the step what files it has created.

the challenge here is that the action supports a dir as an input path, thus making the outputs a bit hard to read. i'm ok merging this as is, but IMO it's adding technical depth and I'd like to spend some minutes on it just in case there's an easy solution

Copy link
Member Author

@alesancor1 alesancor1 Feb 12, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The uploaded artifact name does not necessarily need to be the name of the file to be decrypted, mainly because such artifact can be an entire directory (this is the case for single arch rocks in Build.yaml).

So artifact-name and input-path are two separate things: We could download artifact-name to /foo/bar and the file(s) to be decrypted would be /foo/bar/{artifact-name}.gpg, so the input-path for the script would be /foo/bar.

The real problem and reason why we have to make the assumption that it ends in .gpg is because the encryption happens in a separate workflow (Build.yaml) and the name of the file (the one ended in .gpg) is not outputted by it.

This also happens in Test.yaml:

oci-factory/.github/workflows/Test-Rock.yaml

Line 113 in 5876dfa

input-path: ${{ inputs.oci-archive-name }}.gpg

The correct solution here would be to have Build.yaml set the output of what is the name of the artifact that was uploaded (if it's a directory, it would remain the same, if it's a single file it would contain .gpg) so you can pass that name to the other workflows. Having crypt-artifact output the name of the encrypted file/dir is just a step towards this.

Copy link
Collaborator

@cjdcordeiro cjdcordeiro Feb 12, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think I need a live walkthrough of this. can u pls schedule one?

In the meantime, let's start by looking at

oci-factory/.github/workflows/Build-Rock.yaml

Lines 323 to 336 in 5876dfa

- name: Encrypting Multi Arch Rock Artifact
if: ${{ needs.configure-build.outputs.pro-build == 'true' }}
uses: ./.github/actions/crypt-artifact
with:
mode: encrypt
input-path: ${{ inputs.oci-archive-name }}
passphrase: ${{ secrets.pro-artifact-passphrase }}
- name: Uploading Multi Arch rock
uses: actions/upload-artifact@v4
with:
name: ${{ inputs.oci-archive-name }}
path: ${{ inputs.oci-archive-name }}*
if-no-files-found: error

  1. you pass ${{ inputs.oci-archive-name }} into the action, to be encrypted
  2. the action, afaiu, creates a ${{ inputs.oci-archive-name }}.gpg files and deletes the original ${{ inputs.oci-archive-name }}
  3. the final "upload" step tries to upload ${{ inputs.oci-archive-name }} , but hasn't this been deleted? ${{ inputs.oci-archive-name }}*

Then:

oci-factory/.github/workflows/Image.yaml

Line 192 in 5876dfa

oci-archive-name: "${{ matrix.name }}_${{ matrix.commit }}_${{ matrix.dir_identifier }}"

as you say, here you could use needs.build-rock.outputs.oci-archive-name

Copy link
Member Author

@alesancor1 alesancor1 Feb 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Note the glob path: ${{ inputs.oci-archive-name }}* - that would take both .gpg and non .gpg files. This comes from #706 (comment)

Copy link
Member Author

@alesancor1 alesancor1 Feb 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If crypt-artifact set the .gpg as the output, then we'd use that for upload, but we'd find trouble afterwards in other jobs Test, upload-rock when internally downloading and decrypting the artifact

passphrase: ${{ inputs.decrypt-passphrase }}

- name: Get Metadata
id: meta
Expand Down
Loading