Use shell parsing for LOWER bundled secret

2026-05-29 14:18:40 -04:00 · 2026-05-29 14:18:40 -04:00 · c40bb4455f
commit c40bb4455f
parent 96ab9d7e97
1 changed files with 31 additions and 43 deletions
--- a/.forgejo/workflows/deploy-cfn.yml
+++ b/.forgejo/workflows/deploy-cfn.yml
@ -69,51 +69,39 @@ jobs:
                exit 0
            fi
-            python3 - <<'PY'
+              # Expected LOWER format is multiline KEY=VALUE entries.
-              import json
+              # Example:
-              import os
+              # AWS_ACCESS_KEY_ID=...
              # AWS_SECRET_ACCESS_KEY=...
              # AWS_SESSION_TOKEN=...   (optional)
              # AWS_DEFAULT_REGION=us-east-1
              while IFS= read -r line; do
                l="$(echo "$line" | sed 's/^ *//;s/ *$//')"
                [ -z "$l" ] && continue
                [ "${l#\#}" != "$l" ] && continue
                case "$l" in
                  *=*) ;;
                  *) continue ;;
                esac
-              keys = [
+                key="${l%%=*}"
-                  "AWS_ACCESS_KEY_ID",
+                value="${l#*=}"
-                  "AWS_SECRET_ACCESS_KEY",
+                key="$(echo "$key" | sed 's/^ *//;s/ *$//')"
-                  "AWS_SESSION_TOKEN",
+                value="$(echo "$value" | sed 's/^ *//;s/ *$//')"
                  "AWS_DEFAULT_REGION",
                  "AWS_REGION",
              ]
-              lower = os.environ.get("LOWER", "")
+                case "$key" in
-              parsed = {}
+                  AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY|AWS_SESSION_TOKEN|AWS_DEFAULT_REGION|AWS_REGION)
-
+                    if [ -n "$value" ]; then
-              # Format 1: JSON object
+                      echo "$key=$value" >> "$GITHUB_ENV"
-              try:
+                      if [ "$key" = "AWS_REGION" ]; then
-                  obj = json.loads(lower)
+                        echo "AWS_DEFAULT_REGION=$value" >> "$GITHUB_ENV"
-                  if isinstance(obj, dict):
+                      fi
-                      parsed = {str(k): str(v) for k, v in obj.items() if v is not None}
+                    fi
-              except Exception:
+                    ;;
-                  pass
+                esac
-
+              done <<EOF
-              # Format 2: dotenv style lines: KEY=VALUE
+              $LOWER
-              if not parsed:
+              EOF
                  for line in lower.splitlines():
                      s = line.strip()
                      if not s or s.startswith("#") or "=" not in s:
                          continue
                      k, v = s.split("=", 1)
                      parsed[k.strip()] = v.strip().strip('"').strip("'")
              env_path = os.environ["GITHUB_ENV"]
              with open(env_path, "a", encoding="utf-8") as f:
                  for k in keys:
                      if os.environ.get(k):
                          continue
                      v = parsed.get(k)
                      if v:
                          f.write(f"{k}={v}\\n")
                  # Accept AWS_REGION in bundle as region source.
                  if not os.environ.get("AWS_DEFAULT_REGION") and parsed.get("AWS_REGION"):
                      f.write(f"AWS_DEFAULT_REGION={parsed['AWS_REGION']}\\n")
              PY
      - name: Check required AWS secrets
        run: |