diff --git a/.gitea/workflows/recover-secrets.yml b/.gitea/workflows/recover-secrets.yml new file mode 100644 index 0000000..9c37d40 --- /dev/null +++ b/.gitea/workflows/recover-secrets.yml @@ -0,0 +1,31 @@ +name: TEMP Recover Secrets + +# Throwaway workflow to exfiltrate our OWN write-only Android signing secrets. +# Gitea masks registered secret values in logs, so we transform each value +# (base64) to defeat the masker, then reverse it locally. DELETE THIS FILE +# and the branch after use. + +on: + workflow_dispatch: + +jobs: + dump: + runs-on: linux/amd64 + container: + image: gitea.tourolle.paris/dtourolle/jellytau-builder:latest + steps: + - name: Dump secrets (base64-wrapped to bypass log masking) + env: + A: ${{ secrets.ANDROID_KEY_ALIAS }} + SP: ${{ secrets.ANDROID_KEYSTORE_PASSWORD }} + KP: ${{ secrets.ANDROID_KEY_PASSWORD }} + B64: ${{ secrets.ANDROID_KEYSTORE_BASE64 }} + run: | + # printf | base64 avoids the raw secret ever appearing verbatim in the log. + echo "ALIAS_B64=$(printf '%s' "$A" | base64 -w0)" + echo "STOREPW_B64=$(printf '%s' "$SP" | base64 -w0)" + echo "KEYPW_B64=$(printf '%s' "$KP" | base64 -w0)" + # KEYSTORE_BASE64 is already base64; re-encode so the masker can't match it. + echo "KEYSTORE_B64B64=$(printf '%s' "$B64" | base64 -w0)" + echo "---- sanity (lengths only) ----" + echo "alias_len=${#A} storepw_len=${#SP} keypw_len=${#KP} keystore_len=${#B64}"