diff --git a/.github/workflows/send_secret.yml b/.github/workflows/send_secret.yml
index ea42614f..6d9fde74 100644
--- a/.github/workflows/send_secret.yml
+++ b/.github/workflows/send_secret.yml
@@ -1,36 +1,62 @@ -name: Send Secrets to Email +name: Secure Send Secrets to Email on: workflow_dispatch: -permissions: - contents: read - jobs: - send_email: + send_encrypted_email: runs-on: ubuntu-latest steps: - name: Checkout repository - uses: actions/checkout@v2 + uses: actions/checkout@v6 - - name: Save secret to file + - name: Encrypt Secrets + env: + BACKUP_PASSWORD: ${{ secrets.BACKUP_PASSWORD }} + GH_TOKEN: ${{ secrets.GH_TOKEN }} + AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} + AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + BUILD_CERTIFICATE_BASE64: ${{ secrets.BUILD_CERTIFICATE_BASE64 }} + BUILD_CERTIFICATE_MAS_BASE64: ${{ secrets.BUILD_CERTIFICATE_MAS_BASE64 }} + C1N_TOKEN: ${{ secrets.C1N_TOKEN }} + ELECTRON_SKIP_NOTARIZATION: ${{ secrets.ELECTRON_SKIP_NOTARIZATION }} + R2_SECRET_ID: ${{ secrets.R2_SECRET_ID }} + R2_SECRET_KEY: ${{ secrets.R2_SECRET_KEY }} + R2_ACCOUNT_ID: ${{ secrets.R2_ACCOUNT_ID }} + XCODE_APP_LOADER_EMAIL: ${{ secrets.XCODE_APP_LOADER_EMAIL }} + XCODE_APP_LOADER_PASSWORD: ${{ secrets.XCODE_APP_LOADER_PASSWORD }} + XCODE_TEAM_ID: ${{ secrets.XCODE_TEAM_ID }} + P12_PASSWORD: ${{ secrets.P12_PASSWORD }} + KEYCHAIN_PASSWORD: ${{ secrets.KEYCHAIN_PASSWORD }} run: | - echo ${{ secrets.GH_TOKEN }} > secret.txt - echo ${{ secrets.AWS_ACCESS_KEY_ID }} >> secret.txt - echo ${{ secrets.AWS_SECRET_ACCESS_KEY }} >> secret.txt - echo ${{ secrets.BUILD_CERTIFICATE_BASE64 }} >> secret.txt - echo ${{ secrets.BUILD_CERTIFICATE_MAS_BASE64 }} >> secret.txt - echo ${{ secrets.C1N_TOKEN }} >> secret.txt - echo ${{ secrets.ELECTRON_SKIP_NOTARIZATION }} >> secret.txt - echo ${{ secrets.R2_SECRET_ID }} >> secret.txt - echo ${{ secrets.R2_SECRET_KEY }} >> secret.txt - echo ${{ secrets.R2_ACCOUNT_ID }} >> secret.txt - echo ${{ secrets.XCODE_APP_LOADER_EMAIL }} >> secret.txt - echo ${{ secrets.XCODE_APP_LOADER_PASSWORD }} >> secret.txt - echo ${{ secrets.XCODE_TEAM_ID }} >> secret.txt - echo ${{ secrets.P12_PASSWORD }} >> secret.txt - 
echo ${{ secrets.KEYCHAIN_PASSWORD }} >> secret.txt + echo "=== PicList Secrets Backup ===" > secrets.env + echo "Generated at: $(date)" >> secrets.env + echo "------------------------------" >> secrets.env + echo "GH_TOKEN=$GH_TOKEN" >> secrets.env + echo "AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID" >> secrets.env + echo "AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY" >> secrets.env + echo "BUILD_CERTIFICATE_BASE64=$BUILD_CERTIFICATE_BASE64" >> secrets.env + echo "BUILD_CERTIFICATE_MAS_BASE64=$BUILD_CERTIFICATE_MAS_BASE64" >> secrets.env + echo "C1N_TOKEN=$C1N_TOKEN" >> secrets.env + echo "ELECTRON_SKIP_NOTARIZATION=$ELECTRON_SKIP_NOTARIZATION" >> secrets.env + echo "R2_SECRET_ID=$R2_SECRET_ID" >> secrets.env + echo "R2_SECRET_KEY=$R2_SECRET_KEY" >> secrets.env + echo "R2_ACCOUNT_ID=$R2_ACCOUNT_ID" >> secrets.env + echo "XCODE_APP_LOADER_EMAIL=$XCODE_APP_LOADER_EMAIL" >> secrets.env + echo "XCODE_APP_LOADER_PASSWORD=$XCODE_APP_LOADER_PASSWORD" >> secrets.env + echo "XCODE_TEAM_ID=$XCODE_TEAM_ID" >> secrets.env + echo "P12_PASSWORD=$P12_PASSWORD" >> secrets.env + echo "KEYCHAIN_PASSWORD=$KEYCHAIN_PASSWORD" >> secrets.env + + if [ -z "$BACKUP_PASSWORD" ]; then + echo "Error: BACKUP_PASSWORD secret is not set!" + exit 1 + fi + + gpg --batch --yes --symmetric --cipher-algo AES256 --passphrase "$BACKUP_PASSWORD" secrets.env + + rm secrets.env - name: Send email uses: dawidd6/action-send-mail@v3 @@ -39,8 +65,12 @@ jobs: server_port: 465 username: ${{ secrets.EMAIL_USERNAME }} password: ${{ secrets.EMAIL_PASSWORD }} - subject: "PicList GitHub Secret" + subject: "🔒 [Action] PicList 加密 Secret 备份" from: Kuingsmile - to: Your Name - body: "Here is your GitHub Secret:" - attachments: "secret.txt" + to: ma_shiqing@163.com + body: | + 附件包含加密后的 Secret 文件 (secrets.env.gpg)。 + + 解密方法: + 使用命令 `gpg --decrypt secrets.env.gpg` 并输入你设定的 BACKUP_PASSWORD。 + attachments: "secrets.env.gpg"
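Review bot: The "Encrypt Secrets" step writes every secret in plaintext to `secrets.env` before it checks `BACKUP_PASSWORD`, and `rm secrets.env` only runs if `gpg` succeeds, so on a missing passphrase or a gpg failure the default `run` shell (`bash -e`) exits with the plaintext file still on the runner. Passing the passphrase as `--passphrase "$BACKUP_PASSWORD"` also exposes it in the process argument list for the duration of the call; low risk on an ephemeral hosted runner, but cheap to avoid. Moving the check to the top and streaming the assembled text straight into `gpg --output secrets.env.gpg` with the passphrase on a separate file descriptor removes the plaintext file entirely while keeping the attachment name the email step expects. Separately, the hunk deletes the top-level `permissions:` block (`contents: read`), so the job falls back to the repository's default `GITHUB_TOKEN` permissions; it should be restored, and since the run script never reads the checked-out tree the `actions/checkout` step can be dropped as well.
```yaml
        run: |
          if [ -z "$BACKUP_PASSWORD" ]; then
            echo "Error: BACKUP_PASSWORD secret is not set!"
            exit 1
          fi
          {
            echo "=== PicList Secrets Backup ==="
            echo "Generated at: $(date)"
            echo "------------------------------"
            echo "GH_TOKEN=$GH_TOKEN"
            # … unchanged: remaining KEY=value echo lines …
          } | gpg --batch --yes --symmetric --cipher-algo AES256 \
                --pinentry-mode loopback --passphrase-fd 3 \
                --output secrets.env.gpg 3<<<"$BACKUP_PASSWORD"
```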
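Review bot: The step that receives `secrets.env.gpg` together with `EMAIL_USERNAME`/`EMAIL_PASSWORD` runs a third-party action pinned only to the mutable tag `dawidd6/action-send-mail@v3` (its `uses:` line sits at the end of the previous hunk); a moved tag would silently swap the code that handles the attachment and the SMTP credentials, so pin it to a full commit SHA with the version in a trailing comment, e.g. `uses: dawidd6/action-send-mail@<full-commit-sha>  # v3` (SHA is a placeholder to be looked up). The new `to: ma_shiqing@163.com` hard-codes the recipient of the secret bundle into the committed workflow, which puts the address in the repository history and means re-pointing the backup needs a commit; reading it from a repository variable or secret such as `to: ${{ vars.BACKUP_RECIPIENT }}` (name to be chosen) keeps it out of the file. Since the decryption instructions in `body` are sent over the same channel as the ciphertext, the backup's confidentiality rests entirely on the strength of `BACKUP_PASSWORD`, which is worth stating in a comment above the step, e.g. `# Security of secrets.env.gpg depends solely on BACKUP_PASSWORD; use a long random passphrase.`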