keybase-cli
Keybase docker container that exposes the keybase CLI and some common commands such as getting files or git loading github action secrets.
GitHub: https://github.com/bjgeiser/keybase-cli
Docker Hub: https://hub.docker.com/r/bjgeiser/keybase-cli
GitHub Action
The primary purpose of this docker image is for use in this GitHub action:
https://github.com/bjgeiser/keybase-action
Usage
Example Docker Command
docker run --rm \
-v $PWD:$PWD -w $PWD \
-e KEYBASE_USERNAME="$KEYBASE_USER" \
-e KEYBASE_PAPERKEY="$KEYBASE_PAPERKEY" \
-e KEYBASE_UID=$UID -e KEYBASE_GID=$GID \
bjgeiser/keybase-cli keybase --version
Environment Variables
| Environment Variable | Description | Required |
|---|---|---|
| KEYBASE_USERNAME | Keybase user name | Yes |
| KEYBASE_PAPERKEY | Keybase paper key | Yes |
| KEYBASE_UID | Docker host user id to store files as | No |
| KEYBASE_GID | Docker host group id to store files as | No |
About file permissions
By default keybase will copy files with the following permissions -rw------- and the keybase executable will not run as root. Without setting KEYBASE_UID and KEYBASE_GID copied out files will be be owned by 1000:1000. In order for your files to be readable, the calling user can pass the current user and group into the container with environment variables. The script can then dynamically create a user inside the container with the same UID:GID as the host user and files will be readable after the container exits. Using --user UID:GID will not set up a user with a home directory (required for keybase) dynamically and the container will detect this and error out.
Commands
| Command | syntax | Description |
|---|---|---|
| github-action-secrets | github-action-secrets keybase://path/to/file |
For use in github actions to get keybase secrets |
| get | get keybase://path/to/file {localpath} |
Get the file from keybase and copy to a local path |
| read | read keybase://path/to/file |
Dump contents of file to stdout |
| clone | clone {git clone options} keybase://path/to/repo {localpath} |
Clone a keybase git repository |
| batch | batch "{any of the above commands},{any of the above commands}" orbatch "{any of the above commands};{any of the above commands}" |
Run more than 1 command in a single docker run |
| file | file /path/to/file |
Run more than 1 command in a single docker run |
| keybase | See: client command | Run any keybase client command |
{any other command aka raw} |
Commands that don't match the above keywords will be run as is. Such as chmod a+r filename |
Unmatched commands run as is |
Note:
{arguments}are optional.
Command: github-action-secrets
docker run --rm \
-v $PWD:$PWD -w $PWD \
-e KEYBASE_USERNAME="$KEYBASE_USER" \
-e KEYBASE_PAPERKEY="$KEYBASE_PAPERKEY" \
-e KEYBASE_UID=$UID -e KEYBASE_GID=$GID \
bjgeiser/keybase-cli github-action-secrets keybase://path/to/file
This command will parse a .yaml, .json or .env file and set secrets in a github action. Each entry result in the supplied file will cause the container to emit.
::set-output name={name}::{value} reference
::add-mask::{value} reference
Note secrets loaded in using this method will be masked in with
*****in workflow logs. See: reference for more information regarding action security.
Examples
action-secrets.yaml
secret_1: this is secret 1
secret_2: this is secret 2
action-secrets.json
{
"secret_1": "this is secret 1",
"secret_2": "this is secret 2"
}
action-secrets.env
secret_1="this is secret 1"
secret_2="this is secret 2"
secret_3=this_is_secret_3
Using in github actions
jobs:
example:
runs-on: ubuntu-latest
steps:
- name: Get secrets
id: keybase_secrets
shell: bash
run: |
run --rm \
-v $PWD:$PWD -w $PWD \
-e KEYBASE_USERNAME="${{secrets.KEYBASE_USERNAME}}" \
-e KEYBASE_PAPERKEY="${{secrets.KEYBASE_PAPERKEY}}" \
-e KEYBASE_UID=$UID -e KEYBASE_GID=$GID \
bjgeiser/keybase-cli github-action-secrets keybase://path/to/file
- name: Check that secret is loaded and masked
### This should log the secret with `*****`
run: echo "${{steps.secrets.outputs.secret_1}}"
Command: get
Copy a file to the local file system.
docker run --rm -v $PWD:$PWD -w $PWD -e KEYBASE_USERNAME="$KEYBASE_USER" \
-e KEYBASE_PAPERKEY="$KEYBASE_PAPERKEY" -e KEYBASE_UID=$UID -e KEYBASE_GID=$GID \
bjgeiser/keybase-cli get keybase://path/to/file
docker run --rm -v $PWD:$PWD -w $PWD -e KEYBASE_USERNAME="$KEYBASE_USER" \
-e KEYBASE_PAPERKEY="$KEYBASE_PAPERKEY" -e KEYBASE_UID=$UID -e KEYBASE_GID=$GID \
bjgeiser/keybase-cli get keybase://path/to/file keybase://path/to/file path/to/local/file
Command: read
Print files to stdout.
docker run --rm -v $PWD:$PWD -w $PWD -e KEYBASE_USERNAME="$KEYBASE_USER" \
-e KEYBASE_PAPERKEY="$KEYBASE_PAPERKEY" -e KEYBASE_UID=$UID -e KEYBASE_GID=$GID \
bjgeiser/keybase-cli read keybase://path/to/file
Command: clone
Clone a git repository.
docker run --rm -v $PWD:$PWD -w $PWD -e KEYBASE_USERNAME="$KEYBASE_USER" \
-e KEYBASE_PAPERKEY="$KEYBASE_PAPERKEY" -e KEYBASE_UID=$UID -e KEYBASE_GID=$GID \
bjgeiser/keybase-cli clone keybase://path/to/clone
docker run --rm -v $PWD:$PWD -w $PWD -e KEYBASE_USERNAME="$KEYBASE_USER" \
-e KEYBASE_PAPERKEY="$KEYBASE_PAPERKEY" -e KEYBASE_UID=$UID -e KEYBASE_GID=$GID \
bjgeiser/keybase-cli clone -b my_branch keybase://path/to/clone path/to/local
Command: keybase
Execute keybase cli commands.
docker run --rm -v $PWD:$PWD -w $PWD -e KEYBASE_USERNAME="$KEYBASE_USER" \
-e KEYBASE_PAPERKEY="$KEYBASE_PAPERKEY" -e KEYBASE_UID=$UID -e KEYBASE_GID=$GID \
bjgeiser/keybase-cli keybase --version
Note: Any commands that don't match one of the commands are tried as raw commands. Things such as
ls -la .orkeybase --versionwill work.
Command: raw
Execute raw commands from inside the container.
docker run --rm -v $PWD:$PWD -w $PWD -e KEYBASE_USERNAME="$KEYBASE_USER" \
-e KEYBASE_PAPERKEY="$KEYBASE_PAPERKEY" -e KEYBASE_UID=$UID -e KEYBASE_GID=$GID \
bjgeiser/keybase-cli ls -la .
Note: Any commands that don't match one of the commands are tried as raw commands. Things such as
ls -la .orkeybase --versionwill work.
Command: batch
Executes a series of commands in a , or ; separated string.
docker run --rm -v $PWD:$PWD -w $PWD -e KEYBASE_USERNAME="$KEYBASE_USER" \
-e KEYBASE_PAPERKEY="$KEYBASE_PAPERKEY" -e KEYBASE_UID=$UID -e KEYBASE_GID=$GID \
bjgeiser/keybase-cli batch "{any of the above commands},{any of the above commands}"`
Command: file
Executes a series of commands contained in a yaml file.
docker run --rm -v $PWD:$PWD -w $PWD -e KEYBASE_USERNAME="$KEYBASE_USER" \
-e KEYBASE_PAPERKEY="$KEYBASE_PAPERKEY" -e KEYBASE_UID=$UID -e KEYBASE_GID=$GID \
bjgeiser/keybase-cli file keybase://path/to/command_file.yaml
command_file.yaml
commands:
- get keybase://path/to/file
- get keybase://path/to/file2
- get keybase://path/to/file3
- clone keybase://path/to/clone
- github-action-secrets keybase://path/to/file
# modify file downloaded above
- chmod a+rw file3
502 Dec 30, 2022
0 May 17, 2022
15 Nov 06, 2022
0 Aug 10, 2021
6 Aug 27, 2022
1.3k Jan 08, 2023
17 Dec 15, 2022
11 Jul 13, 2022
6 Jan 14, 2022
4 May 15, 2022
186 Oct 28, 2022
11 Jan 04, 2022
2 Apr 07, 2022
133 Nov 30, 2022
1 Mar 04, 2022
8 Jan 09, 2023
1.7k Jan 01, 2023
1 Feb 14, 2022
2 Jan 05, 2022
22 Dec 05, 2022