chore: Encryption and decryption in token

gbm25 · gbm25 · commit 699845f6e8d8 · 2025-01-29T18:35:12.000+01:00
diff --git a/.github/workflows/deploy-chatbot.yml b/.github/workflows/deploy-chatbot.yml
@@ -52,8 +52,8 @@ jobs:
     with:
       project: ${{ needs.parse-command.outputs.project }}
       environment: ${{ needs.parse-command.outputs.environment }}
-    secrets:
       zdctoken: ${{ needs.generate-token.outputs.zdctoken }}
+    secrets: inherit
 
   deploy-infra:
     needs: [parse-command, notify-user]
diff --git a/.github/workflows/deploy-project.yml b/.github/workflows/deploy-project.yml
@@ -9,18 +9,26 @@ on:
       environment:
         required: true
         type: string
-    secrets:
       zdctoken:
         required: true
+        type: string
 
 jobs:
   deploy_project_artifact:
     runs-on: ubuntu-latest
     steps:
+      - name: Decrypt ZDC Token
+        id: decrypt-token
+        run: |
+          ENCRYPTED_TOKEN="${{ secrets.zdctoken }}"
+          DECRYPTED_TOKEN=$(echo "$ENCRYPTED_TOKEN" | base64 -d | gpg --decrypt --quiet --batch --passphrase "${{ secrets.PASSPHRASE_ACTION_TOKEN }}")
+          echo "ZDCTOKEN=$DECRYPTED_TOKEN" >> $GITHUB_ENV
+          echo "::add-mask::$DECRYPTED_TOKEN"
+      
       - name: Trigger Deployment Workflow
         uses: actions/github-script@v7
         with:
-          github-token: ${{ secrets.zdctoken }}
+          github-token: ${{ env.ZDCTOKEN }}
           script: |
             const environment = `"${{ inputs.environment }}"`;
             const project     = `"${{ inputs.project }}"`;
diff --git a/.github/workflows/generate-token.yml b/.github/workflows/generate-token.yml
@@ -7,7 +7,7 @@ jobs:
   generate-token:
     runs-on: ubuntu-latest
     outputs:
-      zdctoken: ${{ steps.generate-zdc-token.outputs.token }}
+      zdctoken: ${{ steps.generate-zdc-token.outputs.encrypt-token }}
     steps:
       - name: Generate GitHub App Token
         uses: actions/create-github-app-token@v1
@@ -17,6 +17,9 @@ jobs:
           private-key: ${{ secrets.ZDC_AUTH_PRIVATE_KEY }}
           owner: ${{ github.repository_owner }}
 
-      - name: Debug Generated Token
+      - name: Encrypt and Encode Token
+        id: encrypt-token
         run: |
-            echo "Generated Token: ${{ steps.generate-zdc-token.outputs.token }}"
+          TOKEN="${{ steps.generate-zdc-token.outputs.token }}"
+          ENCRYPTED_TOKEN=$(echo -n "$TOKEN" | gpg --symmetric --quiet --batch --passphrase "${{ secrets.PASSPHRASE_ACTION_TOKEN }}" | base64 -w0)
+          echo "zdctoken=$ENCRYPTED_TOKEN" >> $GITHUB_OUTPUT
