Skip to content

Update SOPS keys

Update SOPS keys #2880

---
name: Update SOPS keys
on:
workflow_dispatch: {}
schedule:
- cron: 0 * * * *
push:
paths:
- .sops.yaml
jobs:
update-sops-keys:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
with:
nix_path: nixpkgs=channel:nixos-unstable
extra_nix_config: |
access-tokens = github.com=${{ secrets.GITHUB_TOKEN }}
- uses: workflow/nix-shell-action@v3.4.0
with:
packages: sops,findutils
script: |
export SOPS_AGE_KEY=${{ secrets.SOPS_AGE_KEY }}
find . -type f -name \*.sops.yaml ! -name .sops.yaml -exec sops updatekeys --yes {} \;
- name: Generate token
uses: tibdex/github-app-token@v2
id: generate-token
with:
app_id: ${{ secrets.BOT_APP_ID }}
private_key: ${{ secrets.BOT_APP_PRIVATE_KEY }}
- name: Create Pull Request
id: cpr
uses: peter-evans/create-pull-request@v7
with:
token: ${{ steps.generate-token.outputs.token }}
title: "chore(sops): update sops secrets with new public keys"
commit-message: "chore(deps): update sops secrets with new public keys"
delete-branch: true
committer: budimanjojo-bot <111944664+budimanjojo-bot[bot]@users.noreply.github.com>
author: budimanjojo-bot <111944664+budimanjojo-bot[bot]@users.noreply.github.com>
- name: Automerge
if: steps.cpr.outputs.pull-request-operation == 'created'
uses: peter-evans/enable-pull-request-automerge@v3
with:
token: ${{ steps.generate-token.outputs.token }}
pull-request-number: ${{ steps.cpr.outputs.pull-request-number }}
merge-method: squash