⚠️ This doesn't work as Spacelift doesn't clone a git repo at the workroot.

Spacelift plus Transcrypt, for decrypting secret things in your git repo.

Based on the base AWS spacelift image, with transcrypt & dependencies added to save re-downloading every run.

The Spacelift Stack needs a couple of configuration options setting to have the decrypted files available in your runs. These settings can be configured from:

• Runtime Configuration using spacelift/config.yml in the repo
• Spacelift Context attached to your stack
• Spacelift UI -> Stack -> Settings -> Behaviour page (click Advanced for phase hooks)
• Spacelift's Terraform Provider / API, in the spacelift_stack resource

Setting it via the config.yml is most flexible, because you can test out changes in pull requests before merging down. (As suggested by the Spacelift docs.)

Firstly the runner_image needs setting to ghcr.io/caius/spacelift-transcrypt:latest (or pin a specific SHA¹ instead of latest to control updates.)

Secondly, the before_init hook needs the transcrypt hydration command adding from transcrypt --display in your repo locally. For example, with the default cipher:

transcrypt -c aes-256-cbc -p $TRANSCRYPT_PASSWORD

The TRANSCRYPT_PASSWORD environment variable needs setting in the Spacelift stack, either directly on the Stack or via an attached Context.

See LICENSE file.