git: set up secret redaction

2024-10-16 19:35:57 +02:00 · 2024-10-16 19:35:57 +02:00 · 403ccee537
commit 403ccee537
parent 4ed4ed4cdb
3 changed files with 23 additions and 0 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1,5 @@
+dijkstra/.local/libexec/cron/backup filter=redact
+common/.config/elia/config.toml filter=redact
+common/.config/nvim/lua/config/secrets.lua filter=redact
+common/.config/git/credentials filter=redact
+common/.local/bin/openproject_hours filter=redact
--- a/common/.config/git/config
+++ b/common/.config/git/config
@ -23,6 +23,10 @@
 	smudge = git-lfs smudge -- %f
 	process = git-lfs filter-process
 	required = true
+[filter "redact"]
+    clean = ~/.local/libexec/redact_git_filter clean
+    smudge = ~/.local/libexec/redact_git_filter smudge
+    required = true
 [diff]
    colorMoved = default
 [core]
--- a/common/.local/libexec/redact_git_filter
+++ b/common/.local/libexec/redact_git_filter
@ -0,0 +1,14 @@
+#!/bin/sh
+# shellcheck disable=SC2016
+
+FS="$(printf '\033')"
+GS="$(printf '\034')"
+
+map=$(jq -r 'to_entries[] | "\(.key)'"$FS"'\(.value)"' "${HOME}/.secrets/dotfile-secrets.json")
+
+case $1 in
+    clean) awk='{printf "s%s%s%s<#%s#>%sg;", d, $2, d, $1, d }' ;;
+    smudge) awk='{printf "s%s<#%s#>%s%s%sg;", d, $1, d, $2, d }' ;;
+esac
+
+sed "$(echo "$map" | awk -F"$FS" -v d="$GS" "$awk")"