Integrating sops with GitHub Actions

George Shuklin
Published in OpsOps
Nov 21, 2021

It’s surprisingly tricky, if you want to work with env variables.

After some clumsiness around exec-env I settled on this snippet:

- name: Add secrets
  run: |
    echo "::add-mask::$(sops exec-file secrets.env 'cat {} | cut -d = -f 2-')"
    sops exec-file secrets.env 'cat {} >> $GITHUB_ENV'
  shell: bash

The first line masks the values in GitHub logs; the second adds them as env variables for all following steps, which reduces clutter a lot.

Note: shell: bash is essential here, because different shells treat ‘\n’ in echo very differently.
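A variant of the same two steps as a small script, added here as an example and not part of the original post: it emits one ::add-mask:: command per value on its own line (the runner reads workflow commands one output line at a time) and keeps only KEY=VALUE lines before appending them to $GITHUB_ENV. The file name load_secrets.sh and the function names are hypothetical, and one KEY=VALUE pair per line is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): mask and export dotenv secrets.
# Assumes one KEY=VALUE pair per line; load_secrets.sh is a hypothetical name.
# Workflow step usage:  sops exec-file secrets.env 'sh load_secrets.sh {}'

# env_lines FILE: keep only KEY=VALUE lines (drops comments, blanks, junk).
env_lines() {
  grep -E '^[A-Za-z_][A-Za-z0-9_]*=' "$1" || true
}

# emit_masks: read KEY=VALUE lines on stdin and print one ::add-mask::
# command per non-empty value, each on its own output line.
emit_masks() (
  while IFS= read -r line; do
    value=${line#*=}            # everything after the first '='
    if [ -n "$value" ]; then
      printf '::add-mask::%s\n' "$value"
    fi
  done
)

# load_secrets FILE: read FILE once (it may be a FIFO handed over by sops),
# register the masks first, then append the pairs to $GITHUB_ENV.
load_secrets() (
  content=$(env_lines "$1")
  [ -n "$content" ] || exit 0
  printf '%s\n' "$content" | emit_masks
  printf '%s\n' "$content" >> "$GITHUB_ENV"
)

# Run only when a file argument is given, e.g. from sops exec-file.
[ "$#" -eq 0 ] || load_secrets "$1"
```

Because the masks are printed before anything is written to $GITHUB_ENV, every value is registered with the runner before a later step can echo it.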


I work at Servers.com, most of my stories are about Ansible, Ceph, Python, Openstack and Linux. My hobby is Rust.