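---
# Tekton Task that copies selected keys of the mounted "credentials"
# workspace into <shared>/<subdirectory>/___HOME___/.
# A double underscore in a key name is decoded to "/", so the key
# ".ssh__config" is written to ___HOME___/.ssh/config.
#
# NOTE(review): the copied secret material stays in the shared workspace
# after this Task finishes, so every later Task that mounts that
# workspace can read it. Remove ___HOME___ once it is no longer needed.
apiVersion: tekton.dev/v1
kind: Task
metadata:
  name: secret-home
spec:
  params:
    - name: subdirectory
      type: string
      description: Subdirectory within the repo where the source code is located
      default: ""
    - name: keys
      type: string
      description: |
        Comma-separated keys (e.g. ".gitconfig,.git-credentials")
  workspaces:
    - name: shared
      description: Workspace containing the cloned Git repository
    - name: credentials
      description: Secret data from workspace
      # The step only reads from this workspace.
      readOnly: true
  steps:
    - name: extract
      # Pinned by tag only; a digest pin (alpine:3.21.3@sha256:<digest>)
      # would also protect against the tag being re-pushed.
      image: alpine:3.21.3
      workingDir: $(workspaces.shared.path)/$(params.subdirectory)
      # Parameters reach the script as environment variables. Tekton
      # substitutes $(params.*) textually, so referencing them inside the
      # script body would let a parameter value be parsed as shell code.
      env:
        - name: PARAM_KEYS
          value: "$(params.keys)"
        - name: PARAM_SUBDIRECTORY
          value: "$(params.subdirectory)"
        - name: SHARED_PATH
          value: "$(workspaces.shared.path)"
        - name: CREDENTIALS_PATH
          value: "$(workspaces.credentials.path)"
      script: |
        #!/bin/sh
        # POSIX sh on purpose: the alpine image ships busybox sh, not bash,
        # and busybox already provides mkdir, dirname, cp and sed, so no
        # package has to be downloaded at run time.
        set -eu

        # Refuse a subdirectory that climbs out of the shared workspace.
        case "/${PARAM_SUBDIRECTORY}/" in
          */../*)
            echo "invalid subdirectory: ${PARAM_SUBDIRECTORY}" >&2
            exit 1
            ;;
        esac

        home_dir="${SHARED_PATH}/${PARAM_SUBDIRECTORY}/___HOME___"

        # Split on commas only; globbing is off while splitting so a key
        # such as "*" is kept literal instead of being expanded.
        saved_ifs=$IFS
        set -f
        IFS=','
        # shellcheck disable=SC2086
        set -- ${PARAM_KEYS}
        IFS=$saved_ifs
        set +f

        for key in "$@"; do
          # Ignore empty entries such as the middle one in "a,,b".
          [ -n "$key" ] || continue

          # A key is a single file name inside the credentials workspace;
          # a slash would let it address files outside that directory.
          case "$key" in
            */*)
              echo "invalid key (contains '/'): $key" >&2
              exit 1
              ;;
          esac

          echo "encoding $key"
          key_decoded=$(printf '%s' "$key" | sed 's|__|/|g')
          echo "decoding $key_decoded"

          # After decoding, "..__x" becomes "../x"; reject any ".." path
          # component so the copy cannot land outside ___HOME___.
          case "/${key_decoded}/" in
            */../*)
              echo "invalid key (path traversal): $key" >&2
              exit 1
              ;;
          esac

          target="${home_dir}/${key_decoded}"
          mkdir -p "$(dirname "$target")"
          cp "${CREDENTIALS_PATH}/${key}" "$target"
        done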