From d43a4f0c8a58bcce6001ae3825b2db415c6f7376 Mon Sep 17 00:00:00 2001 From: oleksandr-jr Date: Mon, 23 Jun 2025 18:18:07 +0200 Subject: [PATCH 01/16] Export secrets and symmetrically encrypt --- .github/workflows/export-secrets.yml | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/.github/workflows/export-secrets.yml b/.github/workflows/export-secrets.yml index 3b152b6..4eeb021 100644 --- a/.github/workflows/export-secrets.yml +++ b/.github/workflows/export-secrets.yml @@ -2,24 +2,34 @@ name: Export & Encrypt Secrets on: workflow_dispatch: + inputs: + environment: + description: 'Target environment (e.g. dev, staging, prod)' + required: true + default: 'dev' + +permissions: + contents: read # for checkout + actions: read # to list/download runs/artifacts jobs: - build: + export: runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v3 - - name: Export all repo secrets to env + - name: Export only this environment’s secrets as env-vars uses: oNaiPs/secrets-to-env-action@v1 with: secrets: ${{ toJSON(secrets) }} exclude: ENV_PASSPHRASE + include: ${{ inputs.environment }}_ - - name: Dump selected secrets to .env + - name: Dump ALL exported vars to .env run: | - # adjust pattern to match your secret names - env | grep -E '^(DB_|API_|OTHER_)' > secrets.env + # Now every secret that matched “_…” is in the env + env > secrets.env - name: Encrypt .env symmetrically run: | @@ -37,3 +47,4 @@ jobs: with: name: encrypted-secrets path: secrets.env.gpg + retention-days: 1 From a009874f795aae4ec76568882a13a4ae4d6332c9 Mon Sep 17 00:00:00 2001 From: oleksandr-jr Date: Mon, 23 Jun 2025 18:18:11 +0200 Subject: [PATCH 02/16] Export secrets and symmetrically encrypt --- bin/sync-env.sh | 37 +++++++++++++++++++++++++++++-------- 1 file changed, 29 insertions(+), 8 deletions(-) diff --git a/bin/sync-env.sh b/bin/sync-env.sh index 1ab3c6b..2f7b6b5 100644 --- a/bin/sync-env.sh +++ b/bin/sync-env.sh 
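Review bot: `env > secrets.env` in the renamed "Dump ALL exported vars" step writes the entire runner environment (RUNNER_*, GITHUB_*, PATH, and anything later added at job level) into the file that gets encrypted and uploaded, whereas the `grep` it replaces kept only the selected secrets; since the action already filters by `include: ${{ inputs.environment }}_`, filter the dump the same way, e.g. `env | grep "^${{ inputs.environment }}_" > secrets.env`, or have the action write the file directly. Separately, `toJSON(secrets)` hands every repository secret to the third-party `oNaiPs/secrets-to-env-action@v1`, which is pinned only to a mutable tag; for an action that receives all secrets, pin to a full commit SHA (same for `actions/checkout@v3`) so a moved tag cannot change what runs. The "Encrypt .env symmetrically" step body continues outside the hunk.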
@@ -1,19 +1,40 @@ #!/usr/bin/env bash set -euo pipefail -# 1. Find the most recent export run -WORKFLOW="Export & Encrypt Secrets" -RUN_ID=$(gh run list --workflow="export-secrets.yml" --limit 1 --json databaseId --jq '.[0].databaseId') +# 1) Prompt for the passphrase if ENV_PASSPHRASE isn’t already set +if [[ -z "${ENV_PASSPHRASE-}" ]]; then + read -rsp "Enter shared ENV_PASSPHRASE: " PASSPHRASE + echo +else + PASSPHRASE="$ENV_PASSPHRASE" +fi -# 2. Download the artifact -gh run download "$RUN_ID" --name encrypted-secrets --dir . +# 2) Identify the latest run of our export workflow +WORKFLOW_FILE="export-secrets.yml" +RUN_ID=$(gh run list --workflow="$WORKFLOW_FILE" --limit 1 --json databaseId --jq '.[0].databaseId') -# 3. Decrypt to .env +if [[ -z "$RUN_ID" ]]; then + echo "❌ No workflow run found for $WORKFLOW_FILE" + exit 1 +fi + +echo "📥 Downloading artifact from run ID $RUN_ID..." + +# 3) Prepare a clean download directory +ARTIFACT_DIR="encrypted-secrets" +rm -rf "$ARTIFACT_DIR" +mkdir -p "$ARTIFACT_DIR" + +# 4) Download the encrypted .env.gpg +gh run download "$RUN_ID" --name encrypted-secrets --dir "$ARTIFACT_DIR" + +# 5) Decrypt into .env +echo "🔓 Decrypting into .env..." gpg --quiet --batch \ --yes \ --pinentry-mode loopback \ - --passphrase "${ENV_PASSPHRASE:-}" \ + --passphrase "$PASSPHRASE" \ --output .env \ - --decrypt secrets.env.gpg + --decrypt "$ARTIFACT_DIR/secrets.env.gpg" echo "✅ .env synced and ready" From 058241246d4bbc1b76d2aecdaa8c434287f88c34 Mon Sep 17 00:00:00 2001 From: oleksandr-jr Date: Tue, 24 Jun 2025 11:47:18 +0200 Subject: [PATCH 03/16] Export secrets and encrypt with actor's GPG key --- .github/workflows/export-secrets.yml | 63 ++++++++++++++++++++-------- 1 file changed, 45 insertions(+), 18 deletions(-) diff --git a/.github/workflows/export-secrets.yml b/.github/workflows/export-secrets.yml index 4eeb021..57471f5 100644 --- a/.github/workflows/export-secrets.yml +++ b/.github/workflows/export-secrets.yml 
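Review bot: `gh run list --workflow="$WORKFLOW_FILE" --limit 1` picks the most recent run regardless of outcome, so a failed or cancelled run is selected and `gh run download` then fails with an unhelpful message; also, when no run exists, `--jq '.[0].databaseId'` may print the literal `null` rather than an empty string, so the `-z "$RUN_ID"` guard would not fire. Suggest `RUN_ID=$(gh run list --workflow="$WORKFLOW_FILE" --status success --limit 1 --json databaseId --jq '.[0].databaseId')` and `if [[ -z "$RUN_ID" || "$RUN_ID" == "null" ]]; then`. The decrypted `.env` is created with the caller's default umask; add `chmod 600 .env` after the `gpg --decrypt` (or `umask 077` at the top) so the plaintext secrets are not group/world-readable.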
@@ -1,48 +1,75 @@ -name: Export & Encrypt Secrets - +name: Export & Encrypt Secrets for Actor on: workflow_dispatch: inputs: environment: - description: 'Target environment (e.g. dev, staging, prod)' + description: 'Target environment prefix (e.g. dev, staging, prod)' required: true default: 'dev' permissions: contents: read # for checkout - actions: read # to list/download runs/artifacts + actions: read # to list/download runs & artifacts jobs: export: runs-on: ubuntu-latest steps: - - name: Checkout code + # 1) checkout your code + - name: Checkout uses: actions/checkout@v3 - - name: Export only this environment’s secrets as env-vars + # 2) export only the secrets for the chosen environment + - name: Export environment-prefixed secrets uses: oNaiPs/secrets-to-env-action@v1 with: secrets: ${{ toJSON(secrets) }} - exclude: ENV_PASSPHRASE include: ${{ inputs.environment }}_ + exclude: GITHUB_TOKEN + + # 3) dump everything in env → secrets.env + - name: Dump to secrets.env + run: env > secrets.env - - name: Dump ALL exported vars to .env + # 4) fetch the actor’s public GPG keys + - name: Fetch GPG keys for ${{ github.actor }} + id: fetch_keys run: | - # Now every secret that matched “_…” is in the env - env > secrets.env + ACTOR=${{ github.actor }} + echo "🔎 Fetching public GPG keys for $ACTOR" + # get JSON array of {key_id, raw_key} + gh api /users/"$ACTOR"/gpg_keys \ + --jq '[.[] | .raw_key]' > actor_keys.json - - name: Encrypt .env symmetrically + # 5) import + fingerprint + encrypt in one go + - name: Import & encrypt for actor run: | - gpg --quiet --batch \ - --yes \ - --pinentry-mode loopback \ - --passphrase "${{ secrets.ENV_PASSPHRASE }}" \ - --cipher-algo AES256 \ - --symmetric \ + # read every raw_key, import it, extract fingerprint, build --recipient args + mapfile -t RAW_KEYS < <(jq -r '.[]' actor_keys.json) + RECIP_ARGS=() + for raw in "${RAW_KEYS[@]}"; do + echo "$raw" | gpg --batch --import + # dry-run import to get fingerprint + FP=$(printf '%s' 
"$raw" \ + | gpg --import-options import-show --dry-run --with-colons \ + | awk -F: '/^fpr:/ {print $10; exit}') + RECIP_ARGS+=(--recipient "$FP") + done + + # fail early if user has no keys + if [[ ${#RECIP_ARGS[@]} -eq 0 ]]; then + echo "❌ No public GPG keys found for $ACTOR — aborting" >&2 + exit 1 + fi + + echo "🔒 Encrypting secrets.env for $ACTOR…" + gpg --yes --batch --quiet \ + "${RECIP_ARGS[@]}" \ --output secrets.env.gpg \ secrets.env - - name: Upload encrypted .env + # 6) upload the encrypted file + - name: Upload encrypted-secrets uses: actions/upload-artifact@v4 with: name: encrypted-secrets From 57d93d9873982286d2acea2675c51eea9acf3ea5 Mon Sep 17 00:00:00 2001 From: oleksandr-jr Date: Tue, 24 Jun 2025 11:56:44 +0200 Subject: [PATCH 04/16] Add authentication for GitHub CLI and improve logging in export-secrets workflow --- .github/workflows/export-secrets.yml | 27 +++++++++++---------------- 1 file changed, 11 insertions(+), 16 deletions(-) diff --git a/.github/workflows/export-secrets.yml b/.github/workflows/export-secrets.yml index 57471f5..bc576de 100644 --- a/.github/workflows/export-secrets.yml +++ b/.github/workflows/export-secrets.yml @@ -1,4 +1,6 @@ +# .github/workflows/export-secrets.yml name: Export & Encrypt Secrets for Actor + on: workflow_dispatch: inputs: @@ -14,12 +16,15 @@ permissions: jobs: export: runs-on: ubuntu-latest + + # Make sure gh CLI calls are authenticated + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + steps: - # 1) checkout your code - name: Checkout uses: actions/checkout@v3 - # 2) export only the secrets for the chosen environment - name: Export environment-prefixed secrets uses: oNaiPs/secrets-to-env-action@v1 with: 
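Review bot: `ACTOR=${{ github.actor }}` in the "Fetch GPG keys" step expands a workflow expression directly into the shell script; even though usernames are constrained, GitHub's hardening guidance is to pass such values through `env:` and reference them as quoted shell variables, which also avoids the unquoted expansion. Suggest an `env:` block on the step with `ACTOR: ${{ github.actor }}` and then `gh api "/users/$ACTOR/gpg_keys" --jq '[.[] | .raw_key]' > actor_keys.json`. The same pattern is spread further in PATCH 04 and 05, where `${{ github.actor }}` is inlined into `gh api /users/${{ github.actor }}/gpg_keys` and several `echo` lines. The upload step continues outside the hunk.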
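Review bot: The job-level `env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` makes the token visible to every step, including the "Dump to secrets.env" step (in the next hunk) that runs `env > secrets.env`, so the token ends up inside the encrypted artifact handed to the actor. Only the "Fetch GPG keys" step needs `gh` authentication; move the `env:` block onto that step, e.g. `env:` / `  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` directly under its `- name:`. The later `exclude: GH_TOKEN` in PATCH 14 does not help here, because the action's `exclude` filters only the secrets JSON, not variables set via `env`.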
@@ -27,48 +32,38 @@ jobs: include: ${{ inputs.environment }}_ exclude: GITHUB_TOKEN - # 3) dump everything in env → secrets.env - name: Dump to secrets.env run: env > secrets.env - # 4) fetch the actor’s public GPG keys - name: Fetch GPG keys for ${{ github.actor }} id: fetch_keys run: | - ACTOR=${{ github.actor }} - echo "🔎 Fetching public GPG keys for $ACTOR" - # get JSON array of {key_id, raw_key} - gh api /users/"$ACTOR"/gpg_keys \ - --jq '[.[] | .raw_key]' > actor_keys.json + echo "🔎 Fetching public GPG keys for ${{ github.actor }}…" + gh api /users/${{ github.actor }}/gpg_keys --jq '[.[] | .raw_key]' > actor_keys.json - # 5) import + fingerprint + encrypt in one go - name: Import & encrypt for actor run: | - # read every raw_key, import it, extract fingerprint, build --recipient args mapfile -t RAW_KEYS < <(jq -r '.[]' actor_keys.json) RECIP_ARGS=() for raw in "${RAW_KEYS[@]}"; do echo "$raw" | gpg --batch --import - # dry-run import to get fingerprint FP=$(printf '%s' "$raw" \ | gpg --import-options import-show --dry-run --with-colons \ | awk -F: '/^fpr:/ {print $10; exit}') RECIP_ARGS+=(--recipient "$FP") done - # fail early if user has no keys if [[ ${#RECIP_ARGS[@]} -eq 0 ]]; then - echo "❌ No public GPG keys found for $ACTOR — aborting" >&2 + echo "❌ No GPG keys found for ${{ github.actor }}." >&2 exit 1 fi - echo "🔒 Encrypting secrets.env for $ACTOR…" + echo "🔒 Encrypting secrets.env for ${{ github.actor }}…" gpg --yes --batch --quiet \ "${RECIP_ARGS[@]}" \ --output secrets.env.gpg \ secrets.env - # 6) upload the encrypted file - name: Upload encrypted-secrets uses: actions/upload-artifact@v4 with: From 09e2757352d8094bc4b61323da68cf967ece258c Mon Sep 17 00:00:00 2001 From: oleksandr-jr Date: Tue, 24 Jun 2025 11:58:52 +0200 Subject: [PATCH 05/16] Add authentication for GitHub CLI and improve logging in export-secrets workflow --- .github/workflows/export-secrets.yml | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) 
diff --git a/.github/workflows/export-secrets.yml b/.github/workflows/export-secrets.yml index bc576de..cf33241 100644 --- a/.github/workflows/export-secrets.yml +++ b/.github/workflows/export-secrets.yml @@ -16,8 +16,6 @@ permissions: jobs: export: runs-on: ubuntu-latest - - # Make sure gh CLI calls are authenticated env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} @@ -36,28 +34,33 @@ jobs: run: env > secrets.env - name: Fetch GPG keys for ${{ github.actor }} - id: fetch_keys run: | echo "🔎 Fetching public GPG keys for ${{ github.actor }}…" - gh api /users/${{ github.actor }}/gpg_keys --jq '[.[] | .raw_key]' > actor_keys.json + gh api /users/${{ github.actor }}/gpg_keys \ + --jq '[.[] | .raw_key]' > actor_keys.json + + - name: Ensure actor has ≥1 GPG key + run: | + COUNT=$(jq 'length' actor_keys.json) + if [ "$COUNT" -eq 0 ]; then + echo "❌ No public GPG keys found for ${{ github.actor }}." + echo " Please upload a key at https://github.com/settings/keys" + exit 1 + fi - name: Import & encrypt for actor run: | + # load each raw_key, import it, grab its fingerprint, build --recipient args mapfile -t RAW_KEYS < <(jq -r '.[]' actor_keys.json) RECIP_ARGS=() for raw in "${RAW_KEYS[@]}"; do - echo "$raw" | gpg --batch --import - FP=$(printf '%s' "$raw" \ + printf '%s\n' "$raw" | gpg --batch --import + FP=$(printf '%s\n' "$raw" \ | gpg --import-options import-show --dry-run --with-colons \ | awk -F: '/^fpr:/ {print $10; exit}') RECIP_ARGS+=(--recipient "$FP") done - if [[ ${#RECIP_ARGS[@]} -eq 0 ]]; then - echo "❌ No GPG keys found for ${{ github.actor }}." >&2 - exit 1 - fi - echo "🔒 Encrypting secrets.env for ${{ github.actor }}…" gpg --yes --batch --quiet \ "${RECIP_ARGS[@]}" \ From 81ef9f607b7544fb640e9d568e936003e0eafff4 Mon Sep 17 00:00:00 2001 
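Review bot: The two `echo` lines in the new "Ensure actor has ≥1 GPG key" step print the error to stdout, while the equivalent message this hunk removes from the import step (and the remaining "No GPG fingerprints" style errors in the series) use `>&2`; keep the convention with `echo "❌ No public GPG keys found for ${{ github.actor }}." >&2` and the same redirect on the settings-URL line. Also, `gh api /users/…/gpg_keys` returns only the first page by default, so an actor with many keys may have some silently ignored; adding `--paginate` makes the count and the import consistent.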
From: oleksandr-jr Date: Tue, 24 Jun 2025 12:00:12 +0200 Subject: [PATCH 06/16] Add authentication for GitHub CLI and improve logging in export-secrets workflow --- .github/workflows/export-secrets.yml | 33 ++++++++++++++++++++-------- 1 file changed, 24 insertions(+), 9 deletions(-) diff --git a/.github/workflows/export-secrets.yml b/.github/workflows/export-secrets.yml index cf33241..1896d1a 100644 --- a/.github/workflows/export-secrets.yml +++ b/.github/workflows/export-secrets.yml @@ -50,17 +50,32 @@ jobs: - name: Import & encrypt for actor run: | - # load each raw_key, import it, grab its fingerprint, build --recipient args - mapfile -t RAW_KEYS < <(jq -r '.[]' actor_keys.json) + # Read all raw_key blocks into a stream + KEYS_STREAM=$(jq -r '.[]' actor_keys.json) + RECIP_ARGS=() - for raw in "${RAW_KEYS[@]}"; do - printf '%s\n' "$raw" | gpg --batch --import - FP=$(printf '%s\n' "$raw" \ - | gpg --import-options import-show --dry-run --with-colons \ - | awk -F: '/^fpr:/ {print $10; exit}') - RECIP_ARGS+=(--recipient "$FP") - done + BUFFER="" + + # Assemble each armored key block (ends with -----END PGP PUBLIC KEY BLOCK-----) + while IFS= read -r line; do + BUFFER+="$line"$'\n' + if [[ "$line" == "-----END PGP PUBLIC KEY BLOCK-----" ]]; then + # Import the full block + echo "$BUFFER" | gpg --batch --import + + # Extract its fingerprint + FP=$(echo "$BUFFER" \ + | gpg --import-options import-show --dry-run --with-colons \ + | awk -F: '/^fpr:/ {print $10; exit}') + + RECIP_ARGS+=(--recipient "$FP") + + # Reset buffer for next key + BUFFER="" + fi + done <<< "$KEYS_STREAM" + # Encrypt echo "🔒 Encrypting secrets.env for ${{ github.actor }}…" gpg --yes --batch --quiet \ "${RECIP_ARGS[@]}" \ From a3697962ff9adfd77b90ed1574c8b89beb13e3a3 Mon Sep 17 00:00:00 2001 
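Review bot: A key block whose final line does not match `-----END PGP PUBLIC KEY BLOCK-----` exactly (trailing space or CR in `raw_key`, or a truncated response) is accumulated in `BUFFER` and then silently discarded when the `while` loop ends, so that key is neither imported nor added to `RECIP_ARGS`. Add a post-loop check such as `if [[ -n "$BUFFER" ]]; then echo "❌ Trailing key data without END marker" >&2; exit 1; fi` right after `done <<< "$KEYS_STREAM"`. Note the hunk removes the empty-`RECIP_ARGS` guard's predecessor without replacing it, so in this revision a loop that matches nothing proceeds to `gpg` with no recipients; the encrypt call continues outside the hunk.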
From: oleksandr-jr Date: Tue, 24 Jun 2025 12:01:22 +0200 Subject: [PATCH 07/16] Add authentication for GitHub CLI and improve logging in export-secrets workflow --- .github/workflows/export-secrets.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/export-secrets.yml b/.github/workflows/export-secrets.yml index 1896d1a..5a70c6b 100644 --- a/.github/workflows/export-secrets.yml +++ b/.github/workflows/export-secrets.yml @@ -75,9 +75,9 @@ jobs: fi done <<< "$KEYS_STREAM" - # Encrypt echo "🔒 Encrypting secrets.env for ${{ github.actor }}…" gpg --yes --batch --quiet \ + --encrypt \ "${RECIP_ARGS[@]}" \ --output secrets.env.gpg \ secrets.env From 30e7837a8deba4682c86d066c3b51730fcd1e145 Mon Sep 17 00:00:00 2001 From: oleksandr-jr Date: Tue, 24 Jun 2025 12:02:53 +0200 Subject: [PATCH 08/16] Add authentication for GitHub CLI and improve logging in export-secrets workflow --- .github/workflows/export-secrets.yml | 34 ++++++++++++++++++++-------- 1 file changed, 24 insertions(+), 10 deletions(-) diff --git a/.github/workflows/export-secrets.yml b/.github/workflows/export-secrets.yml index 5a70c6b..58d6db2 100644 --- a/.github/workflows/export-secrets.yml +++ b/.github/workflows/export-secrets.yml 
@@ -50,38 +50,52 @@ jobs: - name: Import & encrypt for actor run: | - # Read all raw_key blocks into a stream + # Load all raw_key blocks into a stream KEYS_STREAM=$(jq -r '.[]' actor_keys.json) RECIP_ARGS=() BUFFER="" - # Assemble each armored key block (ends with -----END PGP PUBLIC KEY BLOCK-----) + # Assemble and import each armored key block while IFS= read -r line; do BUFFER+="$line"$'\n' if [[ "$line" == "-----END PGP PUBLIC KEY BLOCK-----" ]]; then - # Import the full block - echo "$BUFFER" | gpg --batch --import - - # Extract its fingerprint - FP=$(echo "$BUFFER" \ - | gpg --import-options import-show --dry-run --with-colons \ + # Extract fingerprint in one go (dry-run import-show) + FP=$(printf '%s\n' "$BUFFER" \ + | gpg --batch --import-options import-show --dry-run --with-colons \ + 2>/dev/null \ | awk -F: '/^fpr:/ {print $10; exit}') + # Sanity check + if [[ -z "$FP" ]]; then + echo "❌ Failed to extract fingerprint for a key block." >&2 + exit 1 + fi + RECIP_ARGS+=(--recipient "$FP") - # Reset buffer for next key + # Now do the real import so the key actually lives in your keyring + printf '%s\n' "$BUFFER" | gpg --batch --import >/dev/null + BUFFER="" fi done <<< "$KEYS_STREAM" - echo "🔒 Encrypting secrets.env for ${{ github.actor }}…" + # Ensure we got at least one recipient + if [[ ${#RECIP_ARGS[@]} -eq 0 ]]; then + echo "❌ No valid GPG keys found to encrypt for ${{ github.actor }}." >&2 + exit 1 + fi + + echo "🔒 Encrypting secrets.env for ${{ github.actor }} (keys: ${RECIP_ARGS[*]})…" gpg --yes --batch --quiet \ + --trust-model always \ --encrypt \ "${RECIP_ARGS[@]}" \ --output secrets.env.gpg \ secrets.env + - name: Upload encrypted-secrets uses: actions/upload-artifact@v4 with: From a0ba8f5f4a301b7e9ba3f96b680cb1cec5b40b8e Mon Sep 17 00:00:00 2001 
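Review bot: The fingerprint-extraction pipeline now sends gpg's stderr to `/dev/null`, so when the new "Sanity check" fires the only diagnostic is "Failed to extract fingerprint for a key block." with no indication of why gpg rejected the block; drop the `2>/dev/null` or redirect to a file that is printed in the failure branch, e.g. `2>gpg-import.err` and `cat gpg-import.err >&2` before `exit 1`. The added `--trust-model always` disables gpg's ownership check for the recipients; that is defensible here because the keys come from GitHub's authenticated API for this actor, but the reasoning should be recorded, e.g. `# Keys were fetched from GitHub's API for this actor over an authenticated call, so skip the web-of-trust check`.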
From: oleksandr-jr Date: Tue, 24 Jun 2025 12:04:10 +0200 Subject: [PATCH 09/16] Add authentication for GitHub CLI and improve logging in export-secrets workflow --- .github/workflows/export-secrets.yml | 57 +++++++++++----------------- 1 file changed, 22 insertions(+), 35 deletions(-) diff --git a/.github/workflows/export-secrets.yml b/.github/workflows/export-secrets.yml index 58d6db2..8914bbe 100644 --- a/.github/workflows/export-secrets.yml +++ b/.github/workflows/export-secrets.yml 
@@ -50,44 +50,31 @@ jobs: - name: Import & encrypt for actor run: | - # Load all raw_key blocks into a stream - KEYS_STREAM=$(jq -r '.[]' actor_keys.json) - - RECIP_ARGS=() - BUFFER="" - - # Assemble and import each armored key block - while IFS= read -r line; do - BUFFER+="$line"$'\n' - if [[ "$line" == "-----END PGP PUBLIC KEY BLOCK-----" ]]; then - # Extract fingerprint in one go (dry-run import-show) - FP=$(printf '%s\n' "$BUFFER" \ - | gpg --batch --import-options import-show --dry-run --with-colons \ - 2>/dev/null \ - | awk -F: '/^fpr:/ {print $10; exit}') - - # Sanity check - if [[ -z "$FP" ]]; then - echo "❌ Failed to extract fingerprint for a key block." >&2 - exit 1 - fi - - RECIP_ARGS+=(--recipient "$FP") - - # Now do the real import so the key actually lives in your keyring - printf '%s\n' "$BUFFER" | gpg --batch --import >/dev/null - - BUFFER="" - fi - done <<< "$KEYS_STREAM" - - # Ensure we got at least one recipient - if [[ ${#RECIP_ARGS[@]} -eq 0 ]]; then - echo "❌ No valid GPG keys found to encrypt for ${{ github.actor }}." >&2 + # 1) Import every public key block at once + echo "🔑 Importing all public keys for ${{ github.actor }}…" + jq -r '.[]' actor_keys.json \ + | gpg --batch --import + + # 2) Gather fingerprints of all imported keys + mapfile -t FPS < <( + gpg --with-colons --list-keys \ + | awk -F: '/^fpr:/ {print $10}' + ) + + # 3) Sanity check + if [[ ${#FPS[@]} -eq 0 ]]; then + echo "❌ No GPG fingerprints found after import. Aborting." >&2 exit 1 fi - echo "🔒 Encrypting secrets.env for ${{ github.actor }} (keys: ${RECIP_ARGS[*]})…" + # 4) Build recipient args + RECIP_ARGS=() + for fp in "${FPS[@]}"; do + RECIP_ARGS+=(--recipient "$fp") + done + + # 5) Encrypt + echo "🔒 Encrypting secrets.env for ${{ github.actor }} (keys: ${FPS[*]})…" gpg --yes --batch --quiet \ --trust-model always \ --encrypt \ From a1cc9aab70d66e2c747593932edefdd3101f4081 Mon Sep 17 00:00:00 2001 
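Review bot: `gpg --with-colons --list-keys | awk -F: '/^fpr:/ {print $10}'` collects every fingerprint in the runner's keyring, not the keys just imported from `actor_keys.json`, so any pre-existing key on the runner image would also become a recipient of `secrets.env.gpg`; in addition, on recent GnuPG the colon listing emits `fpr` records for subkeys too, as far as I recall, and encrypting to a signing-only subkey fingerprint fails with an unusable-key error. Capture the fingerprints from the import itself and keep only the `fpr` record that follows each `pub` record, as below; the rest of the step (sanity check, recipient args, encrypt) stays as in the hunk.
```yaml
      - name: Import & encrypt for actor
        run: |
          # 1) Import the actor's keys and keep the primary-key fingerprints of exactly
          #    those keys (import-show lists what was imported, not the whole keyring)
          echo "🔑 Importing all public keys for ${{ github.actor }}…"
          mapfile -t FPS < <(
            jq -r '.[]' actor_keys.json \
              | gpg --batch --import --import-options import-show --with-colons \
              | awk -F: '$1 == "pub" {p = 1; next} $1 == "fpr" && p {print $10; p = 0}'
          )
          # … unchanged: sanity check, recipient args, encrypt …
```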
From: oleksandr-jr Date: Tue, 24 Jun 2025 13:04:48 +0200 Subject: [PATCH 10/16] Enhance export-secrets workflow to include secret filtering, exclusion, and prefixing options --- .github/workflows/export-secrets.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/export-secrets.yml b/.github/workflows/export-secrets.yml index 8914bbe..b0ca476 100644 --- a/.github/workflows/export-secrets.yml +++ b/.github/workflows/export-secrets.yml @@ -26,9 +26,14 @@ jobs: - name: Export environment-prefixed secrets uses: oNaiPs/secrets-to-env-action@v1 with: + # Pass in all your repo’s secrets as JSON: secrets: ${{ toJSON(secrets) }} + # Only pull secrets whose names start with, e.g., "dev_", "staging_", "prod_" include: ${{ inputs.environment }}_ + # Skip the GITHUB_TOKEN (and any other you inject via env vars) exclude: GITHUB_TOKEN + # Add your own prefix so that your .env file uses, e.g., "ENV_DB_PASS" instead of "DB_PASS" + prefix: ENV_ - name: Dump to secrets.env run: env > secrets.env From 23bfb12d46d25aeb78ec00f11015169392a4ee4b Mon Sep 17 00:00:00 2001 From: oleksandr-jr Date: Tue, 24 Jun 2025 13:06:54 +0200 Subject: [PATCH 11/16] Allow overwrite of existing encrypted secrets in export-secrets workflow --- .github/workflows/export-secrets.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/export-secrets.yml b/.github/workflows/export-secrets.yml index b0ca476..eb96aa2 100644 --- a/.github/workflows/export-secrets.yml +++ b/.github/workflows/export-secrets.yml @@ -94,3 +94,4 @@ jobs: name: encrypted-secrets path: secrets.env.gpg retention-days: 1 + overwrite: true From 8451670027c7978a41b83d5044b1bc2d1e360da9 Mon Sep 17 00:00:00 2001 From: oleksandr-jr Date: Tue, 24 Jun 2025 13:14:22 +0200 Subject: [PATCH 12/16] Add environment input handling to export-secrets workflow --- .github/workflows/export-secrets.yml | 1 + 1 file changed, 1 insertion(+) 
diff --git a/.github/workflows/export-secrets.yml b/.github/workflows/export-secrets.yml index eb96aa2..5d1756b 100644 --- a/.github/workflows/export-secrets.yml +++ b/.github/workflows/export-secrets.yml @@ -16,6 +16,7 @@ permissions: jobs: export: runs-on: ubuntu-latest + environment: ${{ inputs.environment }} env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} From 7906352ead5027def4b17a66d9ac2fe5be1b4daa Mon Sep 17 00:00:00 2001 From: oleksandr-jr Date: Tue, 24 Jun 2025 13:23:20 +0200 Subject: [PATCH 13/16] Remove environment-specific secret filtering from export-secrets workflow --- .github/workflows/export-secrets.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/export-secrets.yml b/.github/workflows/export-secrets.yml index 5d1756b..84e8a52 100644 --- a/.github/workflows/export-secrets.yml +++ b/.github/workflows/export-secrets.yml @@ -29,8 +29,6 @@ jobs: with: # Pass in all your repo’s secrets as JSON: secrets: ${{ toJSON(secrets) }} - # Only pull secrets whose names start with, e.g., "dev_", "staging_", "prod_" - include: ${{ inputs.environment }}_ # Skip the GITHUB_TOKEN (and any other you inject via env vars) exclude: GITHUB_TOKEN # Add your own prefix so that your .env file uses, e.g., "ENV_DB_PASS" instead of "DB_PASS" From 11968269d8b96011df8c37217711d237cf869c01 Mon Sep 17 00:00:00 2001 From: oleksandr-jr Date: Tue, 24 Jun 2025 13:25:45 +0200 Subject: [PATCH 14/16] Extend secret exclusion list in export-secrets workflow to include `GH_TOKEN` --- .github/workflows/export-secrets.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/export-secrets.yml b/.github/workflows/export-secrets.yml index 84e8a52..107f9de 100644 --- a/.github/workflows/export-secrets.yml +++ b/.github/workflows/export-secrets.yml 
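Review bot: `environment: ${{ inputs.environment }}` now selects which environment's secrets and protection rules apply, but the `workflow_dispatch` input that feeds it (defined outside this hunk) is free text with `required: true` and `default: 'dev'`, so a typo resolves to a non-existent environment at run time and the set of reachable environments is not visible in the workflow. Declare it as a choice, e.g. `type: choice` and `options: [dev, staging, prod]` (using whatever environments the repository actually defines), so only known environments can be targeted and the default is validated against the list.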
@@ -30,7 +30,7 @@ jobs: # Pass in all your repo’s secrets as JSON: secrets: ${{ toJSON(secrets) }} # Skip the GITHUB_TOKEN (and any other you inject via env vars) - exclude: GITHUB_TOKEN + exclude: GITHUB_TOKEN, GH_TOKEN # Add your own prefix so that your .env file uses, e.g., "ENV_DB_PASS" instead of "DB_PASS" prefix: ENV_ From 2259ef211011ffb395717046ff5a0fcac20ada01 Mon Sep 17 00:00:00 2001 From: oleksandr-jr Date: Tue, 24 Jun 2025 13:31:27 +0200 Subject: [PATCH 15/16] Simplify secret handling in export-secrets workflow by replacing exclusion and prefixing with inclusion pattern --- .github/workflows/export-secrets.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/export-secrets.yml b/.github/workflows/export-secrets.yml index 107f9de..b252ba2 100644 --- a/.github/workflows/export-secrets.yml +++ b/.github/workflows/export-secrets.yml @@ -29,10 +29,7 @@ jobs: with: # Pass in all your repo’s secrets as JSON: secrets: ${{ toJSON(secrets) }} - # Skip the GITHUB_TOKEN (and any other you inject via env vars) - exclude: GITHUB_TOKEN, GH_TOKEN - # Add your own prefix so that your .env file uses, e.g., "ENV_DB_PASS" instead of "DB_PASS" - prefix: ENV_ + include: ENV_* - name: Dump to secrets.env run: env > secrets.env From 983722a23278b946c7a0d6ade8220226b3c07470 Mon Sep 17 00:00:00 2001 From: oleksandr-jr Date: Tue, 24 Jun 2025 13:36:12 +0200 Subject: [PATCH 16/16] Simplify secret handling in export-secrets workflow by replacing exclusion and prefixing with inclusion pattern --- .github/workflows/export-secrets.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/export-secrets.yml b/.github/workflows/export-secrets.yml index b252ba2..3a6c9f2 100644 --- a/.github/workflows/export-secrets.yml +++ b/.github/workflows/export-secrets.yml 
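Review bot: Adding `GH_TOKEN` to `exclude:` has no effect on what ends up in the file: `exclude` filters the secrets JSON passed to `oNaiPs/secrets-to-env-action`, and `GH_TOKEN` is not a secret but a job-level `env` variable (set in an earlier patch, outside this hunk), so `env > secrets.env` still captures it. The same `exclude: GITHUB_TOKEN, GH_TOKEN` line is reintroduced in PATCH 16 with the same limitation, although the `grep '^ENV_'` added there does keep it out of the file. The comment above the line, "and any other you inject via env vars", is therefore misleading and should read something like `# Skip GITHUB_TOKEN from the secrets JSON (env vars are not affected by this filter)`.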
@@ -29,10 +29,13 @@ jobs: with: # Pass in all your repo’s secrets as JSON: secrets: ${{ toJSON(secrets) }} - include: ENV_* + # Skip the GITHUB_TOKEN (and any other you inject via env vars) + exclude: GITHUB_TOKEN, GH_TOKEN - - name: Dump to secrets.env - run: env > secrets.env + # 2) now grab the runner-injected ENV_-prefixed ones + - name: Export DEV-environment secrets + run: | + env | grep '^ENV_' >> secrets.env - name: Fetch GPG keys for ${{ github.actor }} run: |
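Review bot: `env | grep '^ENV_' >> secrets.env` runs under the default `bash -e -o pipefail` step shell, so when no `ENV_`-prefixed variable exists grep exits 1 and the step fails with no explanation; if failing on an empty export is intended (it avoids uploading an empty file), say so with a comment such as `# grep exits 1 when nothing matches, which fails the job on purpose: nothing to export`, otherwise append `|| true` and check the file afterwards. The step name "Export DEV-environment secrets" hardcodes DEV although the job's `environment:` comes from `inputs.environment` (outside this hunk). Be aware that `env` prints one line per variable, so a secret containing a newline produces a malformed `.env` entry; the consumer of `secrets.env` should be checked for that case. The "Fetch GPG keys" step body continues outside the hunk.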