managarten/scripts/generate-staging-secrets.sh

#!/bin/bash

# Generate Staging Secrets for GitHub
# Run this script and copy the output to GitHub Secrets

set -e

echo "================================================"
echo "  STAGING SECRETS GENERATOR"
echo "================================================"
echo ""
echo "Copy each value below to GitHub Settings → Secrets and variables → Actions"
echo ""
echo "Note: Configuration values (host, ports, etc.) are now hardcoded in the workflow"
echo "Only sensitive values (passwords, keys) need to be added as secrets"
echo ""
echo "================================================"
echo ""

# Generate secure random passwords
POSTGRES_PASSWORD=$(openssl rand -base64 32 | tr -d "=+/" | cut -c1-32)
REDIS_PASSWORD=$(openssl rand -base64 32 | tr -d "=+/" | cut -c1-32)
JWT_SECRET=$(openssl rand -base64 64 | tr -d "=+/" | cut -c1-64)

# Generate Ed25519 key pair for JWT
TEMP_KEY_DIR=$(mktemp -d)
ssh-keygen -t ed25519 -f "$TEMP_KEY_DIR/jwt_key" -N "" -C "manacore-staging-jwt" > /dev/null 2>&1

# Convert SSH keys to raw format for JWT
PRIVATE_KEY=$(cat "$TEMP_KEY_DIR/jwt_key" | grep -v "BEGIN" | grep -v "END" | tr -d '\n')
PUBLIC_KEY=$(ssh-keygen -e -m PKCS8 -f "$TEMP_KEY_DIR/jwt_key.pub" 2>/dev/null | grep -v "BEGIN" | grep -v "END" | tr -d '\n' || cat "$TEMP_KEY_DIR/jwt_key.pub" | awk '{print $2}')

# Clean up temp files
rm -rf "$TEMP_KEY_DIR"

# Output all secrets in GitHub format
echo "# ============================================"
echo "# DATABASE SECRETS (2 secrets)"
echo "# ============================================"
echo ""
echo "STAGING_POSTGRES_PASSWORD"
echo "$POSTGRES_PASSWORD"
echo ""

echo "# ============================================"
echo "# REDIS SECRETS (1 secret)"
echo "# ============================================"
echo ""
echo "STAGING_REDIS_PASSWORD"
echo "$REDIS_PASSWORD"
echo ""

echo "# ============================================"
echo "# MANA CORE AUTH SECRETS (3 secrets)"
echo "# ============================================"
echo ""
echo "STAGING_JWT_SECRET"
echo "$JWT_SECRET"
echo ""
echo "STAGING_JWT_PUBLIC_KEY"
echo "$PUBLIC_KEY"
echo ""
echo "STAGING_JWT_PRIVATE_KEY"
echo "$PRIVATE_KEY"
echo ""

echo "# ============================================"
echo "# SUPABASE SECRETS (Fill these manually - 3 secrets)"
echo "# ============================================"
echo ""
echo "STAGING_SUPABASE_URL"
echo "https://YOUR_PROJECT.supabase.co"
echo ""
echo "STAGING_SUPABASE_ANON_KEY"
echo "YOUR_SUPABASE_ANON_KEY_HERE"
echo ""
echo "STAGING_SUPABASE_SERVICE_ROLE_KEY"
echo "YOUR_SUPABASE_SERVICE_ROLE_KEY_HERE"
echo ""

echo "# ============================================"
echo "# AZURE OPENAI SECRETS (Fill these manually - 2 secrets)"
echo "# ============================================"
echo ""
echo "STAGING_AZURE_OPENAI_ENDPOINT"
echo "https://YOUR_RESOURCE.openai.azure.com/"
echo ""
echo "STAGING_AZURE_OPENAI_API_KEY"
echo "YOUR_AZURE_OPENAI_API_KEY_HERE"
echo ""

echo "# ============================================"
echo "# SSH DEPLOYMENT SECRETS (Fill these manually - 1 secret)"
echo "# ============================================"
echo ""
echo "STAGING_SSH_KEY"
echo "Run: cat ~/.ssh/hetzner_deploy_key"
echo "(Copy the ENTIRE output including -----BEGIN and -----END lines)"
echo ""

echo "================================================"
echo "  SUMMARY"
echo "================================================"
echo ""
echo "Total secrets to add: 12"
echo "  - Auto-generated: 6 (passwords, JWT keys)"
echo "  - Manual: 6 (Supabase, Azure, SSH key)"
echo ""
echo "The following are now HARDCODED in the workflow:"
echo "  - POSTGRES_HOST, POSTGRES_PORT, POSTGRES_DB, POSTGRES_USER"
echo "  - REDIS_HOST, REDIS_PORT"
echo "  - MANA_SERVICE_URL"
echo "  - STAGING_HOST (46.224.108.214)"
echo "  - STAGING_USER (deploy)"
echo ""
echo "================================================"
echo ""
echo "Next steps:"
echo "1. Go to: https://github.com/YOUR_ORG/manacore-monorepo/settings/secrets/actions"
echo "2. Click 'New repository secret' for each value above"
echo "3. Copy the secret name (e.g., STAGING_POSTGRES_PASSWORD)"
echo "4. Copy the secret value (the line below the name)"
echo "5. Fill in Supabase, Azure, and SSH key values manually"
echo ""