try secrets

Northeastern-Electric-Racing · Mar 16, 2024 · 63e26db · 63e26db
1 parent 3694c9e
commit 63e26db
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 1 deletion.
diff --git a/.github/workflows/build_image.yml b/.github/workflows/build_image.yml
@@ -38,6 +38,17 @@ jobs:
         uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      - name: Encrypt and inject passwords
+        shell: bash
+        with:
+            context: ./odysseus
+        env:
+            - ODY_AP_ROOT_PASSWORD: ${{ secrets.ODY_AP_ROOT_PASSWORD }}
+            - ODY_TPU_ROOT_PASSWORD: ${{ secrets.ODY_TPU_ROOT_PASSWORD }}
+            - ODY_IROH_ROOT_PASSWORD: ${{ secrets.ODY_IROH_ROOT_PASSWORD }}
+            - MASTER_PASSWORD: ${{ secrets.ODY_MASTER_PASSWORD }}
+        run:  for i in ODY_AP_ROOT_PASSWORD  ODY_TPU_ROOT_PASSWORD ODY_IROH_ROOT_PASSWORD; do echo "$i=${!i}" >> PASSWORDS.env; done && gpg --symmetric --passphrase "$MASTER_PASSWORD" --cipher-algo AES256 PASSWORDS.env
       # This step uses the `docker/build-push-action` action to build the image, based on your repository's `Dockerfile`. If the build succeeds, it pushes the image to GitHub Packages.
       # It uses the `context` parameter to define the build's context as the set of files located in the specified path. For more information, see "[Usage](https://github.com/docker/build-push-action#usage)" in the README of the `docker/build-push-action` repository.
       # It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step.

diff --git a/odysseus/Dockerfile b/odysseus/Dockerfile
@@ -44,4 +44,6 @@ WORKDIR /home/odysseus/outputs/
 COPY ./docker_scripts /home/odysseus/scripts
 RUN echo "source /home/odysseus/scripts/setup_env.sh" >> ~/.bashrc
 
+COPY ./PASSWORDS.env.gpg /home/odysseus/
+
 ENTRYPOINT "/bin/bash"
diff --git a/odysseus/compose.yml b/odysseus/compose.yml
@@ -2,9 +2,11 @@ version: "3.8"
 services:
     odysseus:
         build: .
+        image: ghcr.io/northeastern-electric-racing/odysseus:52-root-secrets
         command: /bin/bash
         privileged: true
         tty: true
+        stdin_open: true
         # for fakeroot failure
         ulimits:
           nofile:
@@ -23,4 +25,3 @@ volumes:
         labels:
             com.northeastern_electric_racing.description: "Shared output between buildroot runs"
 
-