lume/nodes: recover github actions secrets

Signed-off-by: Xe Iaso <me@xeiaso.net>

3 files changed, 76 insertions, 0 deletions

diff --git a/lume/src/notes/_data.yml b/lume/src/notes/_data.yml
new file mode 100644
index 0000000..51dce68
--- /dev/null
+++ b/lume/src/notes/_data.yml
@@ -0,0 +1,4 @@
+layout: blog.njk
+type: blog
+index: true
+is_note: true
\ No newline at end of file
diff --git a/lume/src/notes/recover-github-action-secret.mdx b/lume/src/notes/recover-github-action-secret.mdx
new file mode 100644
index 0000000..1c0c825
--- /dev/null
+++ b/lume/src/notes/recover-github-action-secret.mdx
@@ -0,0 +1,61 @@
+---
+title: "How to recover a GitHub Actions secret"
+date: 2023-11-02
+tags:
+  - github
+  - actions
+  - secrets
+  - tailscale
+---
+
+Sometimes you fuck up and lose your only copy of a GitHub secret that you can't replace easily, such as a [Cachix](https://www.cachix.org/) signing key. However you lucked out and that key is actually saved in GitHub Actions secrets...which won't let you read the contents of that secret for understandable security reasons. Here's how you work around that.
+
+First, make sure [Deno](https://deno.land) is installed and copy this program to `recover-secret.ts`.
+
+```ts
+const port = 8080;
+
+const handler = async (req: Request): Promise<Response> => {
+    const body = (await req.text());
+    console.log(body);
+    
+    return new Response()
+};
+
+console.log(`HTTP server running. Access it at: http://localhost:${port}/`);
+Deno.serve({ port }, handler);
+```
+
+Run it with `deno run -A recover-secret.ts`.
+
+Next go to the [Tailscale admin console OAuth clients section](https://login.tailscale.com/admin/settings/oauth) and generate a new OAuth client that lets you create auth keys (you want the write on devices scope). Add a helpful description like "GitHub Actions secret recovery" and copy the client ID and secret to your password manager. Then add them as GitHub secrets named `TAILSCALE_CLIENT_ID` and `TAILSCALE_CLIENT_SECRET`.
+
+Now create a new GitHub Actions workflow with the following contents:
+
+```yaml
+on:
+  workflow_dispatch:
+
+jobs:
+  recoversecret:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Tailscale
+        uses: tailscale/github-action@v2
+        with:
+          oauth-client-id: ${{ secrets.TAILSCALE_CLIENT_ID }}
+          oauth-secret: ${{ secrets.TAILSCALE_CLIENT_SECRET }}
+          tags: tag:ci
+          version: 1.52.0
+      - name: "Recover secret"
+        run: |
+          echo ${SECRET} > ./output.txt
+          curl --data-binary @./output.txt ${TARGET}
+        env:
+          SECRET: ${{ secrets.CACHIX_SIGNING_KEY }}
+          TARGET: "http://kaine.shark-harmonic.ts.net:8080"
+```
+
+Replace the contents of `TARGET` as facts and circumstances demand.
+
+Now you can recover your secret by hitting the "Run workflow" button on the Actions tab of your repo. The secret will be in your terminal, and you can copy it to your password manager as a note.
\ No newline at end of file
diff --git a/scripts/recover-secret.ts b/scripts/recover-secret.ts
new file mode 100644
index 0000000..813ddaa
--- /dev/null
+++ b/scripts/recover-secret.ts
@@ -0,0 +1,11 @@
+const port = 8080;
+
+const handler = async (req: Request): Promise<Response> => {
+    const body = (await req.text());
+    console.log(body);
+    
+    return new Response()
+};
+
+console.log(`HTTP server running. Access it at: http://localhost:${port}/`);
+Deno.serve({ port }, handler);
\ No newline at end of file