Diffstat (limited to 'nixpkgs/pkgs/build-support/replace-secret/replace-secret.py')
-rwxr-xr-xnixpkgs/pkgs/build-support/replace-secret/replace-secret.py28
1 files changed, 28 insertions, 0 deletions
diff --git a/nixpkgs/pkgs/build-support/replace-secret/replace-secret.py b/nixpkgs/pkgs/build-support/replace-secret/replace-secret.py
new file mode 100755
index 000000000000..30ff41d491ba
--- /dev/null
+++ b/nixpkgs/pkgs/build-support/replace-secret/replace-secret.py
@@ -0,0 +1,28 @@
+#!/usr/bin/env python
+
+import argparse
+from argparse import RawDescriptionHelpFormatter
+
+description = """
+Replace a string in one file with a secret from a second file.
+
+Since the secret is read from a file, it won't be leaked through
+'/proc/<pid>/cmdline', unlike when 'sed' or 'replace' is used.
+"""
+
+parser = argparse.ArgumentParser(
+    description=description,
+    formatter_class=RawDescriptionHelpFormatter
+)
+parser.add_argument("string_to_replace", help="the string to replace")
+parser.add_argument("secret_file", help="the file containing the secret")
+parser.add_argument("file", help="the file to perform the replacement on")
+args = parser.parse_args()
+
+with open(args.secret_file) as sf, open(args.file, 'r+') as f:
+    old = f.read()
+    secret = sf.read().strip("\n")
+    new_content = old.replace(args.string_to_replace, secret)
+    f.seek(0)
+    f.write(new_content)
+    f.truncate()
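Review bot: The replacement at `new_content = old.replace(args.string_to_replace, secret)` succeeds silently when the placeholder is absent from the target file, so a typo in the placeholder or a changed template leaves the file without the secret while the script still exits 0. A guard just before the replace, such as `if args.string_to_replace not in old: sys.exit("placeholder not found in " + args.file)` (with `import sys` added), would surface that failure; the message should name only the file, never the secret. Separately, the `r+` write keeps the target's existing mode and nothing here checks it, so the caller has to make sure the file is not group- or world-readable before the secret is written into it. A comment next to the `open` call stating that precondition would help.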