From 5ef4fdef6448878b6a579260abffd06cb126c145 Mon Sep 17 00:00:00 2001 From: Conrad Kramer Date: Sun, 7 Jun 2026 12:13:20 -0700 Subject: [PATCH] Remove Python dependency from secret decrypt --- .../actions/decrypt-release-secrets/action.yml | 15 +++++++++++++-- ...se-infrastructure-and-store-upload-pipeline.md | 3 ++- 2 files changed, 15 insertions(+), 3 deletions(-) diff --git a/.forgejo/actions/decrypt-release-secrets/action.yml b/.forgejo/actions/decrypt-release-secrets/action.yml index cdf17ab..f9b8590 100644 --- a/.forgejo/actions/decrypt-release-secrets/action.yml +++ b/.forgejo/actions/decrypt-release-secrets/action.yml @@ -191,9 +191,20 @@ runs: } >> "$GITHUB_ENV" } + decode_base64_stream() { + if command -v base64 >/dev/null 2>&1; then + base64 -d 2>/dev/null || base64 -D + elif command -v openssl >/dev/null 2>&1; then + openssl base64 -d -A + else + echo "::error ::base64 or openssl is required to decode release secrets." >&2 + return 127 + fi + } + decode_base64_to_file() { local output="$1" - python3 -c 'import base64, pathlib, sys; pathlib.Path(sys.argv[1]).write_bytes(base64.b64decode(sys.stdin.buffer.read()))' "$output" + decode_base64_stream > "$output" } decrypt_appstore_connect() { @@ -259,7 +270,7 @@ runs: cert_base64="${APPLE_SIGNING_CERTIFICATE_BASE64:-${APPLE_DISTRIBUTION_CERTIFICATE_BASE64:-}}" cert_password="${APPLE_SIGNING_CERTIFICATE_PASSWORD:-${APPLE_DISTRIBUTION_CERTIFICATE_PASSWORD:-}}" if [[ -z "$cert_password" && -n "${APPLE_SIGNING_CERTIFICATE_PASSWORD_BASE64:-}" ]]; then - cert_password="$(printf '%s' "$APPLE_SIGNING_CERTIFICATE_PASSWORD_BASE64" | python3 -c 'import base64,sys; print(base64.b64decode(sys.stdin.buffer.read()).decode(), end="")')" + cert_password="$(printf '%s' "$APPLE_SIGNING_CERTIFICATE_PASSWORD_BASE64" | decode_base64_stream)" fi if [[ -z "$cert_base64" || -z "$cert_password" ]]; then echo "::error ::${file} must define APPLE_SIGNING_CERTIFICATE_BASE64 and APPLE_SIGNING_CERTIFICATE_PASSWORD." >&2 diff --git a/evolution/proposals/BEP-0009-release-infrastructure-and-store-upload-pipeline.md b/evolution/proposals/BEP-0009-release-infrastructure-and-store-upload-pipeline.md index 1bbbe26..7dfe85d 100644 --- a/evolution/proposals/BEP-0009-release-infrastructure-and-store-upload-pipeline.md +++ b/evolution/proposals/BEP-0009-release-infrastructure-and-store-upload-pipeline.md @@ -79,7 +79,8 @@ The same change also makes the forge itself the release authority: release tags bootstrap step. Linux Namespace signing jobs install Nix at runtime, so the bootstrap writes Nix profile directories to `GITHUB_PATH`, the decrypt action resolves Nix from those profile paths, and the action builds `.#age` before - falling back to `.#agenix`. + falling back to `.#agenix`. The decrypt step must not require Python before + the Nix CI shell is active. - Produce unsigned Apple validation artifacts when signing is absent, but require signing for an App Store requested iOS release and for a Sparkle tester release. Uploadable artifacts are produced only after provisioning profiles can be synced from App Store Connect credentials and the relevant Apple certificate is proven to match the selected Google KMS key. - Resolve release credentials through age/agenix before signed Apple lanes run. Forgejo secrets should carry only the runner age identity fallback and the Authentik WIF client secret until OpenBao can mint the runner token directly. App Store Connect keys and signing certificates live as sealed files under `secrets/`. - Persist the forge runner SSH key as `/var/lib/forgejo-runner-agent/age_keystore` and export `BURROW_RUNNER_AGE_IDENTITY_PATH` so jobs can resolve agenix identities without embedding long-lived material in every workflow.