I am trying to add a “secret” via the API. I am using the sodium R package which provides support for libsodium. Below I outline my approach where “pub_key_gh” is the character value representing the public key mentioned in the API docs.
However, during the Action run the private key is marked as “invalid format”. Hence, most likely the pushed secret was not decoded correctly behind the scenes when being inserted in the run / was uploaded in the wrong format. Any help is appreciated - I am a newbie when it comes to encryption, so it can very well be that one of the steps outlined above does not make sense / is not needed. Manually adding the “private key” via the GitHub web interface works without problems, so it's really about how to encrypt the key correctly / upload it in the right format.
Replies: 3 comments
Although I am also an encryption-noob (who isn’t?), I just recently created a CLI that pushes secrets to GitHub using the API, so the information is fresh in my mind. I didn’t see nor use any private key in the process. The same documentation page you referenced has examples in several languages (not R unfortunately) further down the page. In general, the process as described is this (pseudocode):
And this is the example in Ruby:
In my development, I also tested that I can decrypt it back. For this you will need to use sodium to generate a public/private key pair (instead of the one you receive from GitHub), then follow the encryption steps as above, using the public key, and then decrypt it with the same sodium method, only this time using the private key - to verify the output is decrypting properly. If it will help, or if you are in need of a way to do it and are not married to doing it in R, I can share a link to my CLI (in Ruby).
Thanks @dannyben! Your post helped, thanks! I got it working now and I think I was already very close yesterday but made some mistakes on the public key side - but I can’t really recall. In the end, my solution looks like this. Here, we assume that the GitHub public key is already available via some external code.
Is there a way to do this with only using the sodium package in R? Why do we have to decode the public key and encode the secret with base64 encoding? How do you know to use base64, are there other methods that can be used?
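Added example, not code from any post in this thread: the local round-trip check described in the first reply, written in R. It assumes the `base64enc` package for the base64 steps; `encrypt_secret` is a hypothetical helper name, and a locally generated key pair stands in for the repository public key that the GitHub API returns as base64 text.

```r
library(sodium)     # libsodium bindings: keygen(), pubkey(), simple_encrypt(), simple_decrypt()
library(base64enc)  # assumption: base64 helper package; jsonlite offers equivalents

# Hypothetical helper: seal `secret` for a base64-encoded Curve25519 public key
# and return the base64 string that goes into the API's `encrypted_value` field.
encrypt_secret <- function(pub_key_b64, secret) {
  # The API hands out the key as base64 text; libsodium needs the raw 32 bytes.
  pub_key_raw <- base64decode(pub_key_b64)
  stopifnot(length(pub_key_raw) == 32)

  # simple_encrypt() creates a libsodium sealed box (crypto_box_seal).
  sealed <- simple_encrypt(charToRaw(secret), pub_key_raw)

  # The ciphertext is arbitrary bytes, which a JSON body cannot carry,
  # so it is base64-encoded before upload.
  base64encode(sealed)
}

# Constructed test key pair, standing in for GitHub's key so that we hold
# the private half and can decrypt locally.
local_key     <- keygen()
local_pub_b64 <- base64encode(pubkey(local_key))

# Constructed multi-line sample value; newlines must survive the round trip.
secret <- "line one\nline two\nline three\n"

encrypted_value <- encrypt_secret(local_pub_b64, secret)

# Reverse the steps with the private key.
recovered <- rawToChar(simple_decrypt(base64decode(encrypted_value), local_key))
stopifnot(identical(recovered, secret))

# A sealed box is 48 bytes longer than the plaintext
# (32-byte ephemeral public key + 16-byte authenticator).
stopifnot(length(base64decode(encrypted_value)) == nchar(secret, type = "bytes") + 48)

cat("round trip OK, encrypted_value has", nchar(encrypted_value), "base64 characters\n")
```

With the real repository key the decrypt step is not possible, since only GitHub holds the private half; the same `encrypt_secret()` call then produces the value to upload.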