@@ -68,13 +68,40 @@ jobs:
6868 echo "Backup files created:"
6969 ls -lh supabase_snapshot/
7070
71- - name : Upload backup artifacts
71+ - name : Encrypt backup files
72+ env :
73+ BACKUP_ENCRYPTION_KEY : ${{ secrets.BACKUP_ENCRYPTION_KEY }}
74+ run : |
75+ echo "🔒 Encrypting backup files..."
76+
77+ # Check if encryption key is set
78+ if [ -z "$BACKUP_ENCRYPTION_KEY" ]; then
79+ echo "❌ ERROR: BACKUP_ENCRYPTION_KEY is not set!"
80+ echo "Please add BACKUP_ENCRYPTION_KEY to your repository secrets."
81+ echo "This is required to encrypt backups in a public repository."
82+ exit 1
83+ fi
84+
85+ # Create encrypted archive
86+ tar -czf supabase_snapshot.tar.gz supabase_snapshot/
87+
88+ # Encrypt using GPG with symmetric encryption
89+ echo "$BACKUP_ENCRYPTION_KEY" | gpg --batch --yes --passphrase-fd 0 --symmetric --cipher-algo AES256 -o supabase_snapshot.tar.gz.gpg supabase_snapshot.tar.gz
90+
91+ # Remove unencrypted files
92+ rm -rf supabase_snapshot/
93+ rm supabase_snapshot.tar.gz
94+
95+ echo "✅ Backup encrypted successfully"
96+ ls -lh supabase_snapshot.tar.gz.gpg
97+
98+ - name : Upload encrypted backup artifacts
7299 uses : actions/upload-artifact@v4
73100 with :
74- name : supabase-backup-${{ github.run_number }}-${{ github.run_attempt }}
75- path : supabase_snapshot/
101+ name : supabase-backup-encrypted- ${{ github.run_number }}-${{ github.run_attempt }}
102+ path : supabase_snapshot.tar.gz.gpg
76103 retention-days : 30
77- compression-level : 9
104+ compression-level : 0
78105
79106 - name : Generate job summary
80107 if : always()
@@ -83,27 +110,24 @@ jobs:
83110 echo "" >> $GITHUB_STEP_SUMMARY
84111 echo "**Date:** $(date)" >> $GITHUB_STEP_SUMMARY
85112 echo "" >> $GITHUB_STEP_SUMMARY
113+ echo "🔒 **Security:** Backup is encrypted with AES256" >> $GITHUB_STEP_SUMMARY
114+ echo "" >> $GITHUB_STEP_SUMMARY
86115
87- if [ -f supabase_snapshot/backup_info.txt ]; then
88- echo "## Backup Information" >> $GITHUB_STEP_SUMMARY
89- echo '```' >> $GITHUB_STEP_SUMMARY
90- cat supabase_snapshot/backup_info.txt >> $GITHUB_STEP_SUMMARY
116+ if [ -f supabase_snapshot.tar.gz.gpg ]; then
117+ echo "## Encrypted Backup File" >> $GITHUB_STEP_SUMMARY
118+ echo "" >> $GITHUB_STEP_SUMMARY
119+ echo "| File | Size |" >> $GITHUB_STEP_SUMMARY
120+ echo "|------|------|" >> $GITHUB_STEP_SUMMARY
121+ size=$(du -h supabase_snapshot.tar.gz.gpg | cut -f1)
122+ echo "| supabase_snapshot.tar.gz.gpg | $size |" >> $GITHUB_STEP_SUMMARY
123+ echo "" >> $GITHUB_STEP_SUMMARY
124+ echo "## How to Decrypt" >> $GITHUB_STEP_SUMMARY
125+ echo '```bash' >> $GITHUB_STEP_SUMMARY
126+ echo "# Download the artifact, then run:" >> $GITHUB_STEP_SUMMARY
127+ echo "gpg --decrypt supabase_snapshot.tar.gz.gpg > supabase_snapshot.tar.gz" >> $GITHUB_STEP_SUMMARY
128+ echo "tar -xzf supabase_snapshot.tar.gz" >> $GITHUB_STEP_SUMMARY
91129 echo '```' >> $GITHUB_STEP_SUMMARY
92130 fi
93131
94- echo "" >> $GITHUB_STEP_SUMMARY
95- echo "## Backup Files" >> $GITHUB_STEP_SUMMARY
96- echo "" >> $GITHUB_STEP_SUMMARY
97- echo "| File | Size |" >> $GITHUB_STEP_SUMMARY
98- echo "|------|------|" >> $GITHUB_STEP_SUMMARY
99-
100- for file in supabase_snapshot/*; do
101- if [ -f "$file" ]; then
102- filename=$(basename "$file")
103- size=$(du -h "$file" | cut -f1)
104- echo "| $filename | $size |" >> $GITHUB_STEP_SUMMARY
105- fi
106- done
107-
108132 echo "" >> $GITHUB_STEP_SUMMARY
109133 echo "✅ Backup completed successfully!" >> $GITHUB_STEP_SUMMARY
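Review bot: The encrypt step protects the backup with a passphrase only (`--symmetric` with `--passphrase-fd 0`), and the step's own error text says the repository is public, so anyone able to download the artifact can guess passphrases offline; the backup is then only as strong as the entropy of `BACKUP_ENCRYPTION_KEY` and GnuPG's default S2K settings. I would state the requirement next to the secret check, e.g. `# BACKUP_ENCRYPTION_KEY must be randomly generated (32+ bytes), not a human-chosen password`, and raise the key-derivation cost by adding `--s2k-mode 3 --s2k-digest-algo SHA512 --s2k-count 65011712` to the gpg line. Encrypting to a public key instead (`--encrypt --recipient <KEY_ID placeholder>`) would keep any decryption secret off the runner altogether. Separately, the summary step runs under `if: always()` and prints "Backup is encrypted with AES256" before the `[ -f supabase_snapshot.tar.gz.gpg ]` test, so a run whose encrypt step exited 1 still reports an encrypted backup; that echo belongs inside the `if` branch.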