Setup git-crypt

git-crypt is used to ensure the secrets inputs are encrypted in the repository. This tutorial guides you through its initial setup in the repository.

  • First, initialize it:
git-crypt init
  • Then, create a .gitattributes file in the root of the repository with the following content:
infrastructure/secrets/** filter=git-crypt diff=git-crypt
  • After that, import the GPG keys of the developers you trust, as explained in this guide.
  • Now you can add the GPG keys of the developers you trust:
git-crypt add-gpg-user --trusted [email protected] 
  • Finally, commit and push the changes:
git add .gitattributes
git-crypt status -f
git commit -m "feat: add git-crypt"
git push

From this moment on, every developer can encrypt/decrypt the secrets inputs by running the commands below:

# Encrypt secrets inputs
git-crypt lock
# Decrypt secrets inputs
git-crypt unlock
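The setup above only protects files that were committed after the .gitattributes filter was in place, so it is worth checking what is actually stored in the repository. The script below is an added example, not part of the original tutorial or of git-crypt itself: it assumes git-crypt ciphertext starts with the 10-byte header \0GITCRYPT\0, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: confirm that blobs committed under the encrypted path are
# git-crypt ciphertext rather than plaintext.
# Assumption: git-crypt output begins with the bytes \0 G I T C R Y P T \0.
GITCRYPT_MAGIC_HEX="00474954435259505400"

# Return 0 if the data on stdin starts with the git-crypt header.
is_git_crypt_blob() {
    header=$(od -An -tx1 -N10 | tr -d ' \t\n')
    [ "$header" = "$GITCRYPT_MAGIC_HEX" ]
}

# Print every path under directory $1 at revision $2 whose stored blob is not
# ciphertext. Returns non-zero if at least one such path exists.
# The blob is read with "git cat-file", which bypasses the smudge filter, so
# the result is the same whether the working tree is locked or unlocked.
find_plaintext_secrets() {
    dir=${1:-infrastructure/secrets}
    rev=${2:-HEAD}
    git ls-tree -r --name-only "$rev" -- "$dir" | (
        bad=0
        while IFS= read -r path; do
            if ! git cat-file blob "$rev:$path" | is_git_crypt_blob; then
                printf 'NOT ENCRYPTED: %s\n' "$path"
                bad=1
            fi
        done
        exit "$bad"
    )
}

# Run as: sh check-secrets.sh --check [directory] [revision]
if [ "${1:-}" = "--check" ]; then
    find_plaintext_secrets "${2:-infrastructure/secrets}" "${3:-HEAD}"
    exit $?
fi
```

Running it with --check before git push, or as a CI step, flags files that were added before the filter applied; git-crypt status -f only fixes them going forward, and earlier commits still hold the plaintext.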

Add a GPG key to GitHub Encrypted Secrets

In order to access secrets inputs in GitHub workflows, it's required to decrypt them in advance. To do so, you need to export a GPG key and add it to GitHub Encrypted Secrets.

  • First, export your GPG key using the command below and copy it to your clipboard:
git-crypt export-key ./tmp-key && cat ./tmp-key | base64 | pbcopy && rm ./tmp-key
  • Then, follow the steps described in this guide to create a new encrypted secret in your repository called GIT_CRYPT_KEY with the value of the key you just copied to your clipboard.