From 9a71c2f00a2f137c4803e4957b0fbaf447857635 Mon Sep 17 00:00:00 2001
From: Akshay
Date: Tue, 25 Nov 2025 10:40:38 +0530
Subject: [PATCH] feat: Encrypt backup artifacts with GPG using AES256 and update the job summary to include decryption instructions.

---
 .github/workflows/backup.yml | 68 ++++++++++++++++++++++++------------
 1 file changed, 46 insertions(+), 22 deletions(-)

diff --git a/.github/workflows/backup.yml b/.github/workflows/backup.yml
index c439acda..57508718 100644
--- a/.github/workflows/backup.yml
+++ b/.github/workflows/backup.yml
@@ -68,13 +68,40 @@ jobs:
 echo "Backup files created:"
 ls -lh supabase_snapshot/
 
- - name: Upload backup artifacts
+ - name: Encrypt backup files
+ env:
+ BACKUP_ENCRYPTION_KEY: ${{ secrets.BACKUP_ENCRYPTION_KEY }}
+ run: |
+ echo "🔒 Encrypting backup files..."
+
+ # Check if encryption key is set
+ if [ -z "$BACKUP_ENCRYPTION_KEY" ]; then
+ echo "❌ ERROR: BACKUP_ENCRYPTION_KEY is not set!"
+ echo "Please add BACKUP_ENCRYPTION_KEY to your repository secrets."
+ echo "This is required to encrypt backups in a public repository."
+ exit 1
+ fi
+
+ # Create encrypted archive
+ tar -czf supabase_snapshot.tar.gz supabase_snapshot/
+
+ # Encrypt using GPG with symmetric encryption
+ echo "$BACKUP_ENCRYPTION_KEY" | gpg --batch --yes --passphrase-fd 0 --symmetric --cipher-algo AES256 -o supabase_snapshot.tar.gz.gpg supabase_snapshot.tar.gz
+
+ # Remove unencrypted files
+ rm -rf supabase_snapshot/
+ rm supabase_snapshot.tar.gz
+
+ echo "✅ Backup encrypted successfully"
+ ls -lh supabase_snapshot.tar.gz.gpg
+
+ - name: Upload encrypted backup artifacts
 uses: actions/upload-artifact@v4
 with:
- name: supabase-backup-${{ github.run_number }}-${{ github.run_attempt }}
- path: supabase_snapshot/
+ name: supabase-backup-encrypted-${{ github.run_number }}-${{ github.run_attempt }}
+ path: supabase_snapshot.tar.gz.gpg
 retention-days: 30
- compression-level: 9
+ compression-level: 0
 
 - name: Generate job summary
 if: always()
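Review bot: The passphrase is handed to gpg with `echo "$BACKUP_ENCRYPTION_KEY"`, which keeps it off argv but still lets echo reshape the secret: a value that starts with `-n`/`-e` is consumed as an option, and backslash sequences may be interpreted depending on the shell the runner uses, so the archive would be sealed with a passphrase that differs from the stored secret and nobody would notice until a restore fails. Use `printf '%s' "$BACKUP_ENCRYPTION_KEY" | gpg --batch --yes --passphrase-fd 0 --symmetric --cipher-algo AES256 -o supabase_snapshot.tar.gz.gpg supabase_snapshot.tar.gz` so the bytes reach gpg unchanged. Separately, because the encryption is symmetric, the same secret that the workflow needs to run is also the one that decrypts every retained backup, so anyone who can read repository secrets (or a compromised job) can open all of them; encrypting to a public key committed alongside the workflow (`gpg --encrypt --recipient <key>`) would remove the secret from CI altogether and keep the decryption key where backups are actually restored. The plaintext cleanup with `rm` only runs after a successful gpg because the step aborts on the first failing command, which I presume is the runner's default `-e` shell; stating that assumption in a comment above the `rm` lines would help the next reader.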
@@ -83,27 +110,24 @@ jobs:
 echo "" >> $GITHUB_STEP_SUMMARY
 echo "**Date:** $(date)" >> $GITHUB_STEP_SUMMARY
 echo "" >> $GITHUB_STEP_SUMMARY
+ echo "🔒 **Security:** Backup is encrypted with AES256" >> $GITHUB_STEP_SUMMARY
+ echo "" >> $GITHUB_STEP_SUMMARY
 
- if [ -f supabase_snapshot/backup_info.txt ]; then
- echo "## Backup Information" >> $GITHUB_STEP_SUMMARY
- echo '```' >> $GITHUB_STEP_SUMMARY
- cat supabase_snapshot/backup_info.txt >> $GITHUB_STEP_SUMMARY
+ if [ -f supabase_snapshot.tar.gz.gpg ]; then
+ echo "## Encrypted Backup File" >> $GITHUB_STEP_SUMMARY
+ echo "" >> $GITHUB_STEP_SUMMARY
+ echo "| File | Size |" >> $GITHUB_STEP_SUMMARY
+ echo "|------|------|" >> $GITHUB_STEP_SUMMARY
+ size=$(du -h supabase_snapshot.tar.gz.gpg | cut -f1)
+ echo "| supabase_snapshot.tar.gz.gpg | $size |" >> $GITHUB_STEP_SUMMARY
+ echo "" >> $GITHUB_STEP_SUMMARY
+ echo "## How to Decrypt" >> $GITHUB_STEP_SUMMARY
+ echo '```bash' >> $GITHUB_STEP_SUMMARY
+ echo "# Download the artifact, then run:" >> $GITHUB_STEP_SUMMARY
+ echo "gpg --decrypt supabase_snapshot.tar.gz.gpg > supabase_snapshot.tar.gz" >> $GITHUB_STEP_SUMMARY
+ echo "tar -xzf supabase_snapshot.tar.gz" >> $GITHUB_STEP_SUMMARY
 echo '```' >> $GITHUB_STEP_SUMMARY
 fi
 
- echo "" >> $GITHUB_STEP_SUMMARY
- echo "## Backup Files" >> $GITHUB_STEP_SUMMARY
- echo "" >> $GITHUB_STEP_SUMMARY
- echo "| File | Size |" >> $GITHUB_STEP_SUMMARY
- echo "|------|------|" >> $GITHUB_STEP_SUMMARY
-
- for file in supabase_snapshot/*; do
- if [ -f "$file" ]; then
- filename=$(basename "$file")
- size=$(du -h "$file" | cut -f1)
- echo "| $filename | $size |" >> $GITHUB_STEP_SUMMARY
- fi
- done
-
 echo "" >> $GITHUB_STEP_SUMMARY
 echo "✅ Backup completed successfully!" >> $GITHUB_STEP_SUMMARY
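Review bot: The new `🔒 **Security:** Backup is encrypted with AES256` line is emitted before the `if [ -f supabase_snapshot.tar.gz.gpg ]` check, and this step runs with `if: always()` (visible at the end of the previous hunk), so a run where the encrypt step failed or was skipped still produces a summary asserting the backup is encrypted. Move that `echo` (and its trailing blank line) inside the `if` block, directly under the `## Encrypted Backup File` heading, so the claim is only printed when the encrypted file actually exists. The decrypt instructions also never say which passphrase gpg will prompt for; adding `echo "# When prompted, enter the value of the BACKUP_ENCRYPTION_KEY repository secret" >> $GITHUB_STEP_SUMMARY` before the `gpg --decrypt` line would save the operator restoring at 3 a.m. from guessing. The pre-existing unconditional `✅ Backup completed successfully!` line has the same problem but is outside this change.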