wip

.build.sh

@@ -3,6 +3,8 @@
 set -x
 set -e
 
+SONATYPE_SECRET=.secrets/credentials.sonatype-nexus.properties
+
 function csbt {
   COMMAND="time sbt -batch -no-colors -v $*"
   eval $COMMAND
@@ -22,7 +24,7 @@ function publish {
     return 0
   fi
 
-  if [[ ! -f .secrets/credentials.sonatype-nexus.properties ]] ; then
+  if [[ ! -f "$SONATYPE_SECRET" ]] ; then
     return 0
   fi
 
@@ -47,9 +49,9 @@ function init {
 }
 
 function secrets {
+    mkdir .secrets
     if [[ "$CI_PULL_REQUEST" == "false"  ]] ; then
-        openssl aes-256-cbc -K ${OPENSSL_KEY} -iv ${OPENSSL_IV} -in secrets.tar.enc -out secrets.tar -d
-        tar xvf secrets.tar
+      echo "$SONATYPE_CREDENTIALS_FILE" > "$SONATYPE_SECRET"
     fi
 }
 

.github/workflows/build.yml

@@ -20,10 +20,9 @@ jobs:
     steps:
       - id: checksecret_job
         env:
-          OPENSSL_IV: ${{ secrets.OPENSSL_IV }}
-          OPENSSL_KEY: ${{ secrets.OPENSSL_KEY }}
+          TOKEN_BITWARDEN_SM: ${{ TOKEN_BITWARDEN_SM }}
         run: |
-          echo "HAVE_SECRETS=${{ env.OPENSSL_IV != '' && env.OPENSSL_KEY != '' }}" >> $GITHUB_OUTPUT
+          echo "HAVE_SECRETS=${{ env.TOKEN_BITWARDEN_SM != '' }}" >> $GITHUB_OUTPUT
   build:
     runs-on: ubuntu-latest
     needs: [ 'checksecret' ]
@@ -52,10 +51,13 @@ jobs:
       - uses: 7mind/github-env@main
         with:
           java-version: 17
+      - name: Bitwarden Secrets Manager GitHub Action
+        uses: bitwarden/[email protected]
+        with:
+          access_token: ${{ secrets.TOKEN_BITWARDEN_SM }}
+          secrets: |
+            994f97a2-97a4-4fe1-806a-b1930104435f > SONATYPE_CREDENTIALS_FILE
       - name: Publish
-        env:
-          OPENSSL_IV: ${{ secrets.OPENSSL_IV }}
-          OPENSSL_KEY: ${{ secrets.OPENSSL_KEY }}
         run: |
           bash .build.sh secrets publish
   all-good:

.gitignore

@@ -1,6 +1,7 @@
 testproject
 test-out
 
+.vscode
 .metals
 
 /local.sbt