From 365af0fceb677b93d1b8ac4dc6eab2e94bed10e0 Mon Sep 17 00:00:00 2001
From: Bryan Gerlach
Date: Wed, 11 Feb 2026 15:19:04 -0600
Subject: [PATCH] .
---
 .github/actions/decrypt-secrets/action.yml | 33 ++++++++++
 .github/workflows/fetch-encrypted-secrets.yml | 42 ++++++++++++
 .github/workflows/generator-android.yml | 2 +-
 .github/workflows/generator-linux.yml | 8 +--
 .github/workflows/generator-windows-x86.yml | 2 +-
 .github/workflows/generator-windows.yml | 66 +++++++------------
 .../third-party-RustDeskTempTopMostWindow.yml | 48 ++------------
 7 files changed, 112 insertions(+), 89 deletions(-)
 create mode 100644 .github/actions/decrypt-secrets/action.yml
 create mode 100644 .github/workflows/fetch-encrypted-secrets.yml
diff --git a/.github/actions/decrypt-secrets/action.yml b/.github/actions/decrypt-secrets/action.yml
new file mode 100644
index 0000000..0b08093
--- /dev/null
+++ b/.github/actions/decrypt-secrets/action.yml
@@ -0,0 +1,33 @@
+name: 'Decrypt and Mask Secrets'
+description: 'Decrypts a zip and masks the JSON contents as env vars'
+inputs:
+ zip_password:
+ description: 'Password for the Zip'
+ required: true
+ zip_path:
+ description: 'Path to the encrypted zip'
+ required: false
+ default: 'secrets.zip'
+
+runs:
+ using: "composite"
+ steps:
+ - name: Decrypt and Mask
+ shell: python
+ run: |
+ import pyzipper
+ import json
+ import os
+
+ with pyzipper.AESZipFile('${{ inputs.zip_path }}') as zf:
+ zf.setpassword('${{ inputs.zip_password }}'.encode())
+ with zf.open('secrets.json') as f:
+ secrets = json.load(f)
+
+ with open(os.environ['GITHUB_ENV'], 'a') as env_file:
+ for key, value in secrets.items():
+ if value:
+ print(f"::add-mask::{value}")
+ env_file.write(f"{key}={value}\n")
+
+ print(f"Successfully masked {len(secrets)} secrets.")
\ No newline at end of file
diff --git a/.github/workflows/fetch-encrypted-secrets.yml b/.github/workflows/fetch-encrypted-secrets.yml
new file mode 100644
index 0000000..90d7a94
--- /dev/null
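Review bot: `'${{ inputs.zip_path }}'` and `'${{ inputs.zip_password }}'` are expanded by the runner into the Python source of the `run:` script before it executes, so a value containing a single quote or a newline closes the string literal and the remainder runs as Python in a job that has just decrypted every secret; pass both through `env:` and read them with `os.environ` instead. The export loop is also unchecked: `env_file.write(f"{key}={value}\n")` lets a value with an embedded newline define further variables in `GITHUB_ENV`, any key from `secrets.json` (including names such as `PATH`) is written as-is, and a workflow command is a single line, so `::add-mask::` applied to a multi-line value masks nothing. The rewrite below validates each key as an identifier, masks per line, and uses the `KEY<<EOF` heredoc form that `GITHUB_ENV` supports for multi-line values; the `if value:` skip is kept, but the final count now reflects what was exported rather than `len(secrets)`.
```yaml
    - name: Decrypt and Mask
      # … unchanged: shell: python …
      env:
        ZIP_PATH: ${{ inputs.zip_path }}
        ZIP_PASSWORD: ${{ inputs.zip_password }}
      run: |
        import json
        import os
        import re

        import pyzipper

        with pyzipper.AESZipFile(os.environ['ZIP_PATH']) as zf:
            zf.setpassword(os.environ['ZIP_PASSWORD'].encode())
            with zf.open('secrets.json') as f:
                secrets = json.load(f)

        exported = 0
        with open(os.environ['GITHUB_ENV'], 'a') as env_file:
            for key, value in secrets.items():
                if not value:
                    continue
                # Only plain identifiers: '=' or a newline in the key would define other variables.
                if not re.fullmatch(r'[A-Za-z_][A-Za-z0-9_]*', key):
                    raise ValueError(f"unsafe env var name in secrets.json: {key!r}")
                text = str(value)
                # A workflow command is one line, so a multi-line value is masked line by line.
                for line in text.splitlines():
                    if line.strip():
                        print(f"::add-mask::{line}")
                # Heredoc form: a newline inside the value cannot start another KEY=VALUE line.
                env_file.write(f"{key}<<__SECRET_EOF__\n{text}\n__SECRET_EOF__\n")
                exported += 1

        print(f"Successfully masked {exported} secrets.")
```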
+++ b/.github/workflows/fetch-encrypted-secrets.yml
@@ -0,0 +1,42 @@
+name: Fetch Encrypted Secrets
+
+on:
+ workflow_call:
+ inputs:
+ zip_url_json:
+ required: true
+ type: string
+
+jobs:
+ download-zip:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Download with Retry
+ shell: python
+ run: |
+ import requests
+ import json
+ import time
+
+ input_data = json.loads('${{ inputs.zip_url_json }}')
+ url = f"{input_data['url']}/get_zip?filename={input_data['file']}"
+
+ for attempt in range(5):
+ try:
+ print(f"Downloading (Attempt {attempt + 1})...")
+ r = requests.get(url, timeout=20)
+ r.raise_for_status()
+ with open('secrets.zip', 'wb') as f:
+ f.write(r.content)
+ break
+ except Exception as e:
+ if attempt < 4:
+ time.sleep(5 * (2 ** attempt))
+ else: raise e
+
+ - name: Upload Encrypted Artifact
+ uses: actions/upload-artifact@v4
+ with:
+ name: encrypted-secrets-zip
+ path: secrets.zip
+ retention-days: 1
\ No newline at end of file
diff --git a/.github/workflows/generator-android.yml b/.github/workflows/generator-android.yml
index b1348ff..a4b81cd 100644
--- a/.github/workflows/generator-android.yml
+++ b/.github/workflows/generator-android.yml
@@ -92,7 +92,7 @@ jobs:
 for attempt in range(5):
 try:
 print(f"Downloading secrets (Attempt {attempt + 1})...")
- r = requests.get('${{ fromJson(inputs.zip_url).url }}/get_zip?filename=${{ fromJson(inputs.zip_url).file }}', timeout=300)
+ r = requests.get('${{ fromJson(inputs.zip_url).url }}/get_zip?filename=${{ fromJson(inputs.zip_url).file }}', timeout=30)
 r.raise_for_status()
 break
 except (requests.exceptions.RequestException, requests.exceptions.Timeout) as e:
diff --git a/.github/workflows/generator-linux.yml b/.github/workflows/generator-linux.yml
index 34fcd76..8aae7c8 100644
--- a/.github/workflows/generator-linux.yml
+++ b/.github/workflows/generator-linux.yml
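Review bot: `json.loads('${{ inputs.zip_url_json }}')` embeds a caller-supplied string directly in the Python source, so a value containing a single quote breaks out of the literal and runs as code on the runner; read it from `env:` via `os.environ` instead. The URL is then built by plain interpolation: `file` is never URL-encoded and `url` is never checked to be `https:`, so the caller can point the download at any host or scheme `requests` accepts — how trusted `zip_url_json` is depends on the calling workflow, which is outside this patch. `except Exception` also retries on failures that cannot succeed (a 404 from `raise_for_status`, a malformed JSON shape); `except requests.exceptions.RequestException` is the narrower catch. The artifact uploaded at the end is downloadable by anyone who can read the run for the `retention-days: 1` window, so its confidentiality rests entirely on the zip's encryption. Suggested replacement for the parsing and URL-building lines:
```yaml
      - name: Download with Retry
        shell: python
        env:
          ZIP_URL_JSON: ${{ inputs.zip_url_json }}
        run: |
          import json
          import os
          import time
          from urllib.parse import urlencode, urlsplit

          import requests

          input_data = json.loads(os.environ['ZIP_URL_JSON'])
          base = input_data['url']
          if urlsplit(base).scheme != 'https':
              raise ValueError(f"refusing non-https secrets URL: {base!r}")
          url = f"{base}/get_zip?{urlencode({'filename': input_data['file']})}"
          # … unchanged: retry loop, artifact upload step …
```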
@@ -88,7 +88,7 @@ jobs:
 for attempt in range(5):
 try:
 print(f"Downloading secrets (Attempt {attempt + 1})...")
- r = requests.get('${{ fromJson(inputs.zip_url).url }}/get_zip?filename=${{ fromJson(inputs.zip_url).file }}', timeout=300)
+ r = requests.get('${{ fromJson(inputs.zip_url).url }}/get_zip?filename=${{ fromJson(inputs.zip_url).file }}', timeout=30)
 r.raise_for_status()
 break
 except (requests.exceptions.RequestException, requests.exceptions.Timeout) as e:
@@ -682,7 +682,7 @@ jobs:
 for attempt in range(5):
 try:
 print(f"Downloading secrets (Attempt {attempt + 1})...")
- r = requests.get('${{ fromJson(inputs.zip_url).url }}/get_zip?filename=${{ fromJson(inputs.zip_url).file }}', timeout=300)
+ r = requests.get('${{ fromJson(inputs.zip_url).url }}/get_zip?filename=${{ fromJson(inputs.zip_url).file }}', timeout=30)
 r.raise_for_status()
 break
 except (requests.exceptions.RequestException, requests.exceptions.Timeout) as e:
@@ -800,7 +800,7 @@ jobs:
 for attempt in range(5):
 try:
 print(f"Downloading secrets (Attempt {attempt + 1})...")
- r = requests.get('${{ fromJson(inputs.zip_url).url }}/get_zip?filename=${{ fromJson(inputs.zip_url).file }}', timeout=300)
+ r = requests.get('${{ fromJson(inputs.zip_url).url }}/get_zip?filename=${{ fromJson(inputs.zip_url).file }}', timeout=30)
 r.raise_for_status()
 break
 except (requests.exceptions.RequestException, requests.exceptions.Timeout) as e:
@@ -917,7 +917,7 @@ jobs:
 for attempt in range(5):
 try:
 print(f"Downloading secrets (Attempt {attempt + 1})...")
- r = requests.get('${{ fromJson(inputs.zip_url).url }}/get_zip?filename=${{ fromJson(inputs.zip_url).file }}', timeout=300)
+ r = requests.get('${{ fromJson(inputs.zip_url).url }}/get_zip?filename=${{ fromJson(inputs.zip_url).file }}', timeout=30)
 r.raise_for_status()
 break
 except (requests.exceptions.RequestException, requests.exceptions.Timeout) as e:
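Review bot: the new-side `requests.get('${{ fromJson(inputs.zip_url).url }}/get_zip?filename=${{ fromJson(inputs.zip_url).file }}', timeout=30)` line still expands two workflow-expression values inside a Python string literal, so a `url` or `file` containing a single quote ends the literal and the remainder runs as Python in a job that holds `secrets.ZIP_PASSWORD`; this commit only lowers the timeout and leaves that in place in all four hunks. Put the values on the step as `env: ZIP_URL: ${{ fromJson(inputs.zip_url).url }}` and `ZIP_FILE: ${{ fromJson(inputs.zip_url).file }}`, then build the request as `requests.get(f"{os.environ['ZIP_URL']}/get_zip?{urlencode({'filename': os.environ['ZIP_FILE']})}", timeout=30)`, which also URL-encodes the filename. The same line appears in the generator-android and generator-windows-x86 hunks of this patch. The retry loop, the step's imports and any existing `env:` block start outside these hunks, so I cannot see whether `os` is already imported or how trusted `inputs.zip_url` is at the caller.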
diff --git a/.github/workflows/generator-windows-x86.yml b/.github/workflows/generator-windows-x86.yml
index a047cab..6d178f2 100644
--- a/.github/workflows/generator-windows-x86.yml
+++ b/.github/workflows/generator-windows-x86.yml
@@ -81,7 +81,7 @@ jobs:
 for attempt in range(5):
 try:
 print(f"Downloading secrets (Attempt {attempt + 1})...")
- r = requests.get('${{ fromJson(inputs.zip_url).url }}/get_zip?filename=${{ fromJson(inputs.zip_url).file }}', timeout=300)
+ r = requests.get('${{ fromJson(inputs.zip_url).url }}/get_zip?filename=${{ fromJson(inputs.zip_url).file }}', timeout=30)
 r.raise_for_status()
 break
 except (requests.exceptions.RequestException, requests.exceptions.Timeout) as e:
diff --git a/.github/workflows/generator-windows.yml b/.github/workflows/generator-windows.yml
index 0edf08f..81c0164 100644
--- a/.github/workflows/generator-windows.yml
+++ b/.github/workflows/generator-windows.yml
@@ -42,12 +42,18 @@ env:
 jobs:
+ setup:
+ uses: ./.github/workflows/fetch-encrypted-secrets.yml
+ with:
+ zip_url_json: ${{ inputs.zip_url }}
+
 generate-bridge:
 uses: ./.github/workflows/bridge.yml
 with:
 version: ${{ inputs.version }}
 build-RustDeskTempTopMostWindow:
+ needs: setup
 uses: ./.github/workflows/third-party-RustDeskTempTopMostWindow.yml
 with:
 upload-artifact: true
@@ -61,7 +67,7 @@ jobs:
 build-for-windows-flutter:
 name: Build Windows
- needs: [build-RustDeskTempTopMostWindow, generate-bridge]
+ needs: [build-RustDeskTempTopMostWindow, generate-bridge, setup]
 runs-on: ${{ matrix.job.os }}
 strategy:
 fail-fast: false
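Review bot: the new `setup` job changes the trust model by publishing the secrets zip as a run artifact, which any identity with read access to the run can download for the `retention-days: 1` window set in `fetch-encrypted-secrets.yml`; the code this patch removes only ever held those bytes in job memory. That is acceptable only if `secrets.zip` is genuinely AES-encrypted under a strong `ZIP_PASSWORD` — `pyzipper.AESZipFile` will open a legacy ZipCrypto archive just as readily, and nothing in this patch shows how the zip is produced. A comment on the job keeps that invariant in front of the next maintainer: `# Publishes secrets.zip as a run artifact: readable by anyone who can read the run, so it must be AES-encrypted with a strong ZIP_PASSWORD.` Calling the reusable workflow without a `secrets:` block is correct here, since the download itself needs none.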
@@ -77,48 +83,14 @@ jobs:
 }
 # - { target: aarch64-pc-windows-msvc, os: windows-2022, arch: aarch64 }
 steps:
- - name: install python deps
- run: |
- pip install requests pyzipper
- - name: Download, Decrypt, and Mask
- shell: python
- run: |
- import requests
- import pyzipper
- import io
- import os
- import json
- import time
+ - uses: actions/download-artifact@v4
+ with:
+ name: encrypted-secrets-zip
- for attempt in range(5):
- try:
- print(f"Downloading secrets (Attempt {attempt + 1})...")
- r = requests.get('${{ fromJson(inputs.zip_url).url }}/get_zip?filename=${{ fromJson(inputs.zip_url).file }}', timeout=300)
- r.raise_for_status()
- break
- except (requests.exceptions.RequestException, requests.exceptions.Timeout) as e:
- if attempt < 4:
- print(f"Timeout/Error occurred: {e}. Retrying in 5 seconds...")
- time.sleep(30)
- else:
- print("Max retries reached. Failing.")
- raise e
-
- try:
- with pyzipper.AESZipFile(io.BytesIO(r.content)) as zf:
- zf.setpassword('${{ secrets.ZIP_PASSWORD }}'.encode())
- with zf.open('secrets.json') as f:
- secrets = json.load(f)
- except Exception as e:
- print(f"Error: Could not decrypt ZIP. Check if password matches. {e}")
- exit(1)
-
- with open(os.environ['GITHUB_ENV'], 'a') as env_file:
- for key, value in secrets.items():
- print(f"::add-mask::{value}")
- env_file.write(f"{key}={value}\n")
-
- print("Secrets loaded into environment.")
+ - name: Load Secrets
+ uses: ./.github/actions/decrypt-secrets
+ with:
+ zip_password: ${{ secrets.ZIP_PASSWORD }}
 - name: Finalize and Cleanup zip/json
 if: always() # Run even if previous steps fail
@@ -717,3 +689,13 @@ jobs:
 method: 'POST'
 customHeaders: '{"Content-Type": "application/json"}'
 data: '{"uuid": "${{ env.uuid }}", "status": "Generation cancelled, try again"}'
+
+ cleanup:
+ needs: [build-for-windows-flutter]
+ runs-on: ubuntu-latest
+ if: always()
+ steps:
+ - name: Delete secrets artifact
+ uses: geekyeggo/delete-artifact@v1
+ with:
+ name: encrypted-secrets-zip
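Review bot: this hunk deletes the job's `pip install requests pyzipper` step, but the `./.github/actions/decrypt-secrets` action that replaces it does `import pyzipper`, and neither the composite action nor anything remaining in this hunk installs that package; the hosted Windows images in `matrix.job.os` do not ship it as far as I know, so unless a step outside the hunk installs it the `Load Secrets` step will fail at import. Either keep an install step ahead of `Load Secrets`, or add `- run: pip install pyzipper` with `shell: bash` to the composite action so every caller gets it. The `download-artifact` step also drops `secrets.zip` into the workspace; the existing `Finalize and Cleanup zip/json` step with `if: always()` is still there to remove it, which is good. The matrix and the rest of the job's steps lie outside the hunk, so I cannot rule out another install.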
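Review bot: `uses: geekyeggo/delete-artifact@v1` is a third-party action referenced by a mutable tag and runs with this workflow's `GITHUB_TOKEN`; pin it to a full commit SHA (`geekyeggo/delete-artifact@<sha> # v1`) so a retargeted or compromised tag cannot run arbitrary code inside a run that had access to `ZIP_PASSWORD`, and do the same for `actions/download-artifact@v4` above. Deleting an artifact also requires write permission on actions for that token; the workflow's `permissions:` block is outside this patch, so check that the delete does not silently fail under a restricted default. The job is gated only on `build-for-windows-flutter`, so a run cancelled before that job finishes leaves the artifact until its one-day retention expires — acceptable, but worth a comment on the job: `# Best effort: retention-days: 1 on the artifact is the backstop if this job never runs.`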
diff --git a/.github/workflows/third-party-RustDeskTempTopMostWindow.yml b/.github/workflows/third-party-RustDeskTempTopMostWindow.yml
index 4a49cbd..d8d698a 100644
--- a/.github/workflows/third-party-RustDeskTempTopMostWindow.yml
+++ b/.github/workflows/third-party-RustDeskTempTopMostWindow.yml
@@ -45,48 +45,14 @@ jobs:
 run: |
 git clone https://github.com/rustdesk-org/RustDeskTempTopMostWindow RustDeskTempTopMostWindow
- - name: install python deps
- run: |
- pip install requests pyzipper
- - name: Download, Decrypt, and Mask
- shell: python
- run: |
- import requests
- import pyzipper
- import io
- import os
- import json
- import time
+ - uses: actions/download-artifact@v4
+ with:
+ name: encrypted-secrets-zip
- for attempt in range(5):
- try:
- print(f"Downloading secrets (Attempt {attempt + 1})...")
- r = requests.get('${{ fromJson(inputs.zip_url).url }}/get_zip?filename=${{ fromJson(inputs.zip_url).file }}', timeout=300)
- r.raise_for_status()
- break
- except (requests.exceptions.RequestException, requests.exceptions.Timeout) as e:
- if attempt < 4:
- print(f"Timeout/Error occurred: {e}. Retrying in 5 seconds...")
- time.sleep(5)
- else:
- print("Max retries reached. Failing.")
- raise e
-
- try:
- with pyzipper.AESZipFile(io.BytesIO(r.content)) as zf:
- zf.setpassword('${{ secrets.ZIP_PASSWORD }}'.encode())
- with zf.open('secrets.json') as f:
- secrets = json.load(f)
- except Exception as e:
- print(f"Error: Could not decrypt ZIP. Check if password matches. {e}")
- exit(1)
-
- with open(os.environ['GITHUB_ENV'], 'a') as env_file:
- for key, value in secrets.items():
- print(f"::add-mask::{value}")
- env_file.write(f"{key}={value}\n")
-
- print("Secrets loaded into environment.")
+ - name: Load Secrets
+ uses: ./.github/actions/decrypt-secrets
+ with:
+ zip_password: ${{ secrets.ZIP_PASSWORD }}
 - name: Finalize and Cleanup zip/json
 if: always() # Run even if previous steps fail
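Review bot: the new `download-artifact` step makes this reusable workflow depend on an undocumented contract — a job in the *calling* workflow must have run `fetch-encrypted-secrets.yml` and uploaded `encrypted-secrets-zip` before this job starts — and `uses: ./.github/actions/decrypt-secrets` additionally requires the repository to be checked out in this job; the checkout step and the workflow's `workflow_call` inputs lie outside the hunk, so I cannot confirm either is satisfied. State the precondition where it will be read: `# Requires the caller to run fetch-encrypted-secrets.yml first (artifact 'encrypted-secrets-zip') and this job to have checked out the repo.` above `- uses: actions/download-artifact@v4`. The deleted `pip install requests pyzipper` step was also the only visible install of `pyzipper`, which the composite action imports; unless the runner image or a step outside the hunk provides it, `Load Secrets` fails at import. The `git clone` of `rustdesk-org/RustDeskTempTopMostWindow` in the context line fetches unpinned third-party code into a job that now also holds the decrypted secrets, which is worth a separate look.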