From 8834b8675c722fef54e6f41aeb164c9c0a0d3c55 Mon Sep 17 00:00:00 2001
From: Mike Miller
Date: Sat, 2 Mar 2024 19:14:18 +0200
Subject: [PATCH] Add a workflow to export (encrypted) secrets
---
.github/workflows/export_secrets.yml | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)
create mode 100644 .github/workflows/export_secrets.yml
diff --git a/.github/workflows/export_secrets.yml b/.github/workflows/export_secrets.yml
new file mode 100644
index 000000000..4a552ffb3
--- /dev/null
+++ b/.github/workflows/export_secrets.yml
@@ -0,0 +1,28 @@
+---
+# yamllint disable rule:line-length
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+name: Backup secrets (to OpenSSL encrypted file)
+on: # yamllint disable-line rule:truthy
+ workflow_dispatch:
+ push:
+
+jobs:
+ backup_secrets:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Backup secrets
+ env:
+ SECRETS: toJson({{secrets}})
+ OPENSSL_ITER: 1000
+ OPENSSL_PASS: ${{secrets.OPENSSL_PASS}}
+ run: |
+ echo "$SECRETS" > secrets.txt
+ openssl enc -aes-256-cbc -pbkdf2 -iter "$OPENSSL_ITER" -salt -in secrets.txt -out secrets.enc.txt -pass pass:"$OPENSSL_PASS"
+ echo "To decrypt the secrets, use the following command:"
+ echo "openssl dec -aes-256-cbc -pbkdf2 -iter $OPENSSL_ITER -salt -in secrets.enc.txt -out secrets.txt -pass pass:"
+
+ - name: Upload encrypted secrets
+ uses: actions/upload-artifact@v4
+ with:
+ name: secrets
+ path: secrets.enc.txt
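Review bot: The `push:` trigger makes every push to any branch publish a bundle intended to hold all repository secrets as a downloadable artifact, protected only by a passphrase stretched with `OPENSSL_ITER: 1000`. Drop `push:` so the job runs only on `workflow_dispatch`, add `retention-days: 1` under `with:` in the upload step, and raise the iteration count well above OpenSSL's own 10000 default for `-pbkdf2`. In the `run:` script, `-pass pass:"$OPENSSL_PASS"` puts the passphrase in the process arguments; `-pass env:OPENSSL_PASS` keeps it out of them. The echoed hint uses `openssl dec`, which is not an OpenSSL command (decryption is `openssl enc -d`), and `SECRETS: toJson({{secrets}})` has no `${{ }}` wrapper, so as written it looks like the literal string would be encrypted rather than the secrets.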