egullickson/motovaultpro
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c88fbcdc4ed5bfe3a313fbe2801de1813bdbe732
motovaultpro/scripts/inject-secrets.sh
Eric Gullickson 254bed18d0 fix: add Stripe secrets to CI/CD and build configuration (refs #55) 
- Add VITE_STRIPE_PUBLISHABLE_KEY to frontend Dockerfile build args
- Add VITE_STRIPE_PUBLISHABLE_KEY to docker-compose.yml build args
- Add :ro flag to backend Stripe secret volume mounts for consistency
- Update inject-secrets.sh with STRIPE_SECRET_KEY and STRIPE_WEBHOOK_SECRET
- Add Stripe secrets to staging.yaml workflow (build arg + inject step)
- Add Stripe secrets to production.yaml workflow (inject step)

Requires STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET secrets and
VITE_STRIPE_PUBLISHABLE_KEY variable to be configured in Gitea.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-18 19:20:29 -06:00

119 lines
3.6 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# inject-secrets.sh
# Writes secrets to the secrets directory for K8s-style secret mounting
#
# Supports two modes:
# 1. GitLab CI: File variables provide PATH to temp file
# 2. Gitea Actions: Environment variables contain the secret value directly
#
# Required environment variables:
# - POSTGRES_PASSWORD
# - AUTH0_CLIENT_SECRET
# - AUTH0_MANAGEMENT_CLIENT_ID
# - AUTH0_MANAGEMENT_CLIENT_SECRET
# - GOOGLE_MAPS_API_KEY
# - GOOGLE_MAPS_MAP_ID
# - CF_DNS_API_TOKEN
# - RESEND_API_KEY
# - STRIPE_SECRET_KEY
# - STRIPE_WEBHOOK_SECRET
set -euo pipefail
# Configuration
DEPLOY_PATH="${DEPLOY_PATH:-/opt/motovaultpro}"
SECRETS_DIR="${SECRETS_DIR:-${DEPLOY_PATH}/secrets/app}"
# List of all secret files (must match docker-compose volume mounts)
SECRET_FILES=(
"postgres-password.txt"
"auth0-client-secret.txt"
"auth0-management-client-id.txt"
"auth0-management-client-secret.txt"
"google-maps-api-key.txt"
"google-maps-map-id.txt"
"cloudflare-dns-token.txt"
"resend-api-key.txt"
"stripe-secret-key.txt"
"stripe-webhook-secret.txt"
)
echo "Injecting secrets..."
echo " Deploy path: $DEPLOY_PATH"
echo " Secrets dir: $SECRETS_DIR"
# Step 1: Clean up any incorrectly created directories
# Docker creates directories when bind-mounting files that don't exist
echo ""
echo "Cleaning up any corrupted secret paths..."
for file in "${SECRET_FILES[@]}"; do
target_path="${SECRETS_DIR}/${file}"
if [ -d "$target_path" ]; then
echo " Removing directory: $file"
rm -rf "$target_path"
fi
done
# Step 2: Ensure secrets directory exists
if [ -e "$SECRETS_DIR" ] && [ ! -d "$SECRETS_DIR" ]; then
echo " Removing invalid secrets path..."
rm -rf "$SECRETS_DIR"
fi
mkdir -p "$SECRETS_DIR"
chmod 700 "$SECRETS_DIR"
# Function to inject a secret
# Supports both:
# - Direct value (Gitea Actions): VAR contains the secret
# - File path (GitLab CI): VAR contains path to file with secret
inject_secret() {
local var_name="$1"
local file_name="$2"
local target_path="${SECRETS_DIR}/${file_name}"
local source_value="${!var_name:-}"
if [ -z "$source_value" ]; then
echo " ERROR: Variable $var_name is not set"
return 1
fi
# Check if it's a file path (GitLab CI File variable)
if [[ "$source_value" =~ ^/ ]] && [ -f "$source_value" ]; then
# GitLab mode: copy from file
cp "$source_value" "$target_path"
echo " OK: $file_name (from file)"
else
# Gitea mode: write value directly
echo -n "$source_value" > "$target_path"
echo " OK: $file_name (from env)"
fi
chmod 644 "$target_path"
}
# Inject all secrets
FAILED=0
inject_secret "POSTGRES_PASSWORD" "postgres-password.txt" || FAILED=1
inject_secret "AUTH0_CLIENT_SECRET" "auth0-client-secret.txt" || FAILED=1
inject_secret "AUTH0_MANAGEMENT_CLIENT_ID" "auth0-management-client-id.txt" || FAILED=1
inject_secret "AUTH0_MANAGEMENT_CLIENT_SECRET" "auth0-management-client-secret.txt" || FAILED=1
inject_secret "GOOGLE_MAPS_API_KEY" "google-maps-api-key.txt" || FAILED=1
inject_secret "GOOGLE_MAPS_MAP_ID" "google-maps-map-id.txt" || FAILED=1
inject_secret "CF_DNS_API_TOKEN" "cloudflare-dns-token.txt" || FAILED=1
inject_secret "RESEND_API_KEY" "resend-api-key.txt" || FAILED=1
inject_secret "STRIPE_SECRET_KEY" "stripe-secret-key.txt" || FAILED=1
inject_secret "STRIPE_WEBHOOK_SECRET" "stripe-webhook-secret.txt" || FAILED=1
if [ $FAILED -eq 1 ]; then
echo ""
echo "ERROR: One or more secrets failed to inject"
exit 1
fi
echo ""
echo "Secrets injected successfully"
echo "Files created in $SECRETS_DIR:"
ls -la "$SECRETS_DIR"
Reference in New Issue View Git Blame Copy Permalink