
Prototyping adding in a dynamic secrets.yaml file from GitHub secrets #95

Draft · wants to merge 35 commits into base: main

Conversation

jzucker2

I found this and thought it was cool, but stumbled on incorporating the secrets.yaml file, so I made this as a rough prototype.

I'm currently using it in a private repo, but I'd set up a public one as an example if there's any interest.

A rough example of a `.github/workflows/build.yaml` Actions workflow is below:

```yaml
# borrowed from https://github.com/esphome/home-assistant-voice-pe/blob/dev/.github/workflows/build.yml

name: Build

on:
  schedule:
    # * is a special character in YAML so you have to quote this string
    # every Sunday at UTC midnight
    - cron: '0 0 * * 0'
  push:
    branches:
      - master
  pull_request:
  workflow_dispatch:
  release:
    types: [published]

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

jobs:
  # https://github.com/esphome/build-action
  # https://github.com/esphome/workflows/tree/main
  build-firmware:
    name: Build Firmware
    uses: jzucker2/workflows/.github/workflows/[email protected]
    # `inherit` hands every repository/organization secret to the reusable
    # workflow; it only needs ESPHOME_SECRETS_YAML, so passing that one secret
    # explicitly would be tighter. Note that pull_request runs from forks
    # receive no secrets at all, so the secrets.yaml step cannot succeed there.
    secrets: inherit
    with:
      files: |
        esphome/first_sensor.yaml
        esphome/second_sensor.yaml
        esphome/second_sensor_v2.yaml
      cache: true
      esphome-version: 2024.10.1
      # github.event_name is 'release' for the release trigger (the 'published'
      # type lives in github.event.action and is already filtered by `types:`
      # above). Comparing event_name against 'published' never matches, so the
      # three inputs below would always be ''.
      release-summary: ${{ github.event_name == 'release' && github.event.release.body || '' }}
      release-url: ${{ github.event_name == 'release' && github.event.release.html_url || '' }}
      release-version: ${{ github.event_name == 'release' && github.event.release.tag_name || '' }}
      # Inputs added by this PR
      secrets-environment: super_secret_environment
      # secrets-yaml-file: ${{ secrets.ESPHOME_SECRETS_YAML }}
      secrets-yaml-file-path: esphome/secrets.yaml

  comment:
    if: github.event_name == 'pull_request'
    name: Comment on PR
    runs-on: ubuntu-latest
    # createComment needs write access to pull requests; the default
    # GITHUB_TOKEN may be read-only depending on repository settings.
    permissions:
      pull-requests: write
    needs:
      - build-firmware
    steps:
      - name: Comment on PR
        uses: actions/[email protected]
        with:
          script: |-
            // post a link to all the artifacts (gzip)
            const url = `https://github.com/${context.repo.owner}/${context.repo.repo}/actions/runs/${context.runId}#artifacts`
            await github.rest.issues.createComment({
              issue_number: context.issue.number,
              owner: context.repo.owner,
              repo: context.repo.repo,
              body: `Firmware built successfully! :tada:

            [Download][download] and extract the firmware to install with https://web.esphome.io

            Make sure to choose \`<file name>.bin\`.

            [download]: ${url}`
            })

  upload-on-release:
    name: Upload artifacts on release
    runs-on: ubuntu-latest
    # Only the release upload needs to write to the repository contents.
    permissions:
      contents: write
    needs:
      - build-firmware
    steps:
      - name: Download artifacts
        uses: actions/[email protected]
        with:
          path: files

      - name: Display structure of downloaded files
        run: ls -R

      - name: Release
        uses: softprops/action-gh-release@v2
        if: startsWith(github.ref, 'refs/tags/')
        # TODO: also include the manifest.json
        with:
          files: |
            files/**/*.bin
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

I'd be interested in cleaning this up if it's useful. Or is there an easier way to go about this that I'm misunderstanding?

Comment on lines +107 to +111
uses: akiojin/[email protected]
id: decode-base64
with:
base64: ${{ secrets.ESPHOME_SECRETS_YAML }}
output-path: ${{ inputs.secrets-yaml-file-path }}
Member

Probably don't need to import a whole action for this

Suggested change
uses: akiojin/[email protected]
id: decode-base64
with:
base64: ${{ secrets.ESPHOME_SECRETS_YAML }}
output-path: ${{ inputs.secrets-yaml-file-path }}
id: decode-base64
run: echo "${{ secrets.ESPHOME_SECRETS_YAML }}" | base64 -d > ${{ inputs.secrets-yaml-file-path }}
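
Review bot: the last line of the suggestion splices `${{ secrets.ESPHOME_SECRETS_YAML }}` and `${{ inputs.secrets-yaml-file-path }}` straight into the shell source of the `run:` step and leaves the redirect target unquoted. Both values are better passed through `env:` and read as shell variables, e.g. `env: { SECRETS_B64: "${{ secrets.ESPHOME_SECRETS_YAML }}", OUT: "${{ inputs.secrets-yaml-file-path }}" }` with `run: printf '%s' "$SECRETS_B64" | base64 -d > "$OUT"`; that keeps the caller-supplied path out of the script text and survives a path containing spaces. A comment on the step is also worth adding: GitHub's log masking covers the base64 secret value, not the decoded secrets.yaml contents, so nothing later in the job should print that file.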

Comment on lines +49 to +53
secrets-yaml-file-path:
description: Location of secrets.yaml file
required: false
type: string
default: "secrets.yaml"
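
Review bot: the description `Location of secrets.yaml file` should state what the path is relative to (the runner workspace, which is where the default `secrets.yaml` lands) and that the file is written from a secret at build time rather than expected to exist in the checkout; a caller passing `esphome/secrets.yaml` otherwise has no way to know the path must sit in the same directory as the YAML files being compiled.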
Member

Since we know the path of each yaml file that is going to be compiled, and secrets.yaml needs to be in the same directory as that, we can just use $(dirname ${{ matrix.file }})/secrets.yaml to stick it in the right place.
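
The following shell script is an added example (not code from the PR or from esphome/workflows) of the step the thread is converging on: decode a base64-encoded GitHub secret into `$(dirname <file>)/secrets.yaml` beside each config, as the dirname suggestion above describes, with the checks a CI step should have around it. The secret is read from an environment variable rather than interpolated into the script; the variable name `ESPHOME_SECRETS_YAML_B64` and the function names are this example's own assumptions. It also goes one step beyond the thread by removing the file after the build, so the plaintext does not end up in a build-directory cache or an uploaded artifact.

```shell
#!/bin/sh
# Added example, not code from the PR or from esphome/workflows.
# Assumed names (not from the page): ESPHOME_SECRETS_YAML_B64 is the environment
# variable the workflow step exports the base64 secret into via `env:`;
# write_secrets_yaml / remove_secrets_yaml are this example's own helpers.
set -eu

# write_secrets_yaml <base64-text> <config-file>
# Decodes <base64-text> into $(dirname <config-file>)/secrets.yaml, mode 0600,
# and prints that path. Returns non-zero, leaving no file behind, when the
# secret is empty, the directory is missing, the base64 is invalid, or the
# decoded file is empty, so the build fails loudly instead of compiling
# against a missing or truncated secrets.yaml.
write_secrets_yaml() {
    b64=$1
    cfg=$2
    [ -n "$b64" ] || { echo "secrets base64 is empty" >&2; return 1; }
    dir=$(dirname "$cfg")
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    out="$dir/secrets.yaml"
    # umask 077 in a subshell: the file is created 0600 from the start rather
    # than created world-readable and tightened afterwards. GNU base64 -d may
    # write partial output before reporting invalid input, hence the rm -f.
    if ! ( umask 077; printf '%s' "$b64" | base64 -d > "$out" ); then
        rm -f "$out"
        echo "base64 decode failed for $out" >&2
        return 1
    fi
    chmod 600 "$out"
    if ! [ -s "$out" ]; then
        rm -f "$out"
        echo "decoded secrets.yaml is empty" >&2
        return 1
    fi
    echo "$out"
}

# remove_secrets_yaml <config-file>
# Deletes the secrets.yaml written beside <config-file>. Run this after the
# build: GitHub's log masking covers the base64 secret value, not the decoded
# contents, and a cached build directory or uploaded artifact would otherwise
# carry the plaintext file.
remove_secrets_yaml() {
    rm -f "$(dirname "$1")/secrets.yaml"
}

# Usage when run as a script: one ESPHome config path per argument, e.g.
#   ESPHOME_SECRETS_YAML_B64="$SECRET" ./secrets.sh esphome/first_sensor.yaml
for cfg in "$@"; do
    write_secrets_yaml "${ESPHOME_SECRETS_YAML_B64:-}" "$cfg"
done
```

In a workflow step this would be invoked with `env: { ESPHOME_SECRETS_YAML_B64: "${{ secrets.ESPHOME_SECRETS_YAML }}" }` and `run: ./secrets.sh ${{ matrix.file }}`, with `remove_secrets_yaml` called in a follow-up step that has `if: always()` so cleanup happens even when the build fails.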

Comment on lines +10 to +14
cache:
description: Cache build directory
required: false
type: boolean
default: false
Member

Add this in a separate PR please

Comment on .gitignore (outdated)

Member

Separate PR please

esphome bot commented Nov 4, 2024

Please take a look at the requested changes, and use the Ready for review button when you are done, thanks 👍

Learn more about our pull request process.

@esphome esphome bot marked this pull request as draft November 4, 2024 19:33