I am trying to add a “secret” via the API.
I am using the sodium R package which provides support for libsodium.
Below I outline my approach where “pub_key_gh” is the character value representing the public key mentioned in the API docs.
1. Serialize the private key which should be encrypted
2. Decode the public key from GitHub
3. Encrypt the serialized private key using the public key
4. Encode the encrypted private key again because only base64 encoded strings can be pushed via the API

```r
private_key = sodium::hash(charToRaw(private_key))
pub_key_gh_dec = base64enc::base64decode(pub_key_gh)
private_key_encr = sodium::simple_encrypt(private_key, pub_key_gh_dec)
private_key_encr = base64enc::base64encode(private_key_encr)
```
However, during the Action run the private key is marked as “invalid format”. Hence, most likely the pushed secret was not decoded correctly behind the scenes when being inserted in the run / was uploaded in the wrong format.
Any help is appreciated - I am a newbie when it comes to encryption, so it can very well be that one of the steps outlined above does not make sense / is not needed.
Manually adding the “private key” via the GitHub web interface works without problems, so it's really about how to encrypt the key correctly / upload it in the right format.
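An added example, not part of the original post: `sodium::hash()` returns a one-way 32-byte digest, so the four steps above upload a hash of the key instead of the key itself. The sketch below seals the raw bytes instead and checks the round trip locally. The helper name `encrypt_secret`, the test keypair and the sample key text are assumptions constructed for illustration; `pub_key_gh` would take the place of `test_pub_b64` in real use.

```r
library(sodium)
library(base64enc)

# Hypothetical helper: seal a secret for a base64-encoded Curve25519 public
# key (libsodium sealed box) and return base64 text for the API request.
encrypt_secret <- function(secret_value, pub_key_b64) {
  stopifnot(is.character(secret_value), length(secret_value) == 1)
  pub_key <- base64enc::base64decode(pub_key_b64)
  if (length(pub_key) != 32) {
    stop("public key must decode to 32 bytes, got ", length(pub_key))
  }
  # Encrypt the raw bytes of the secret itself: no hashing, no serialize()
  sealed <- sodium::simple_encrypt(charToRaw(secret_value), pub_key)
  base64enc::base64encode(sealed)
}

# Constructed test keypair standing in for the repository public key, so the
# result can be decrypted locally (the real private half never leaves GitHub).
test_key <- sodium::keygen()
test_pub_b64 <- base64enc::base64encode(sodium::pubkey(test_key))

# Constructed sample value, not a real key
private_key <- paste0(
  "-----BEGIN OPENSSH PRIVATE KEY-----\n",
  "constructed-sample-not-a-real-key\n",
  "-----END OPENSSH PRIVATE KEY-----\n"
)

encrypted_value <- encrypt_secret(private_key, test_pub_b64)

# Round trip: what the receiving side recovers must equal the input exactly,
# including the trailing newline that key files normally end with.
recovered <- rawToChar(
  sodium::simple_decrypt(base64enc::base64decode(encrypted_value), test_key)
)
stopifnot(identical(recovered, private_key))

# The hashed variant from the post: the plaintext that would be stored is a
# fixed-size digest from which the key text cannot be recovered.
hashed <- sodium::hash(charToRaw(private_key))
stopifnot(length(hashed) == 32, !identical(hashed, charToRaw(private_key)))
```

Running the same round-trip check against a local keypair before calling the API separates encryption mistakes from upload mistakes.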