tekton-hub/tasks/secret-home/task.yaml

apiVersion: tekton.dev/v1
kind: Task
metadata:
  name: secret-home
spec:
  params:
    - name: home
      type: string
      description: home directory
      default: ""

    - name: workshop
      type: string
      description: workshop directory
      default: ""

    - name: keys
      type: string
      description: |
        Comma-separated keys (e.g. ".gitconfig,.git-credentials")

  workspaces:
    - name: shared
      description: Workspace containing the cloned Git repository
    - name: credentials
      description: Secret data from workspace

  steps:
    - name: extract
      image: python:3.11-slim
      workingDir: /workspace/shared/$(params.workshop)
      env:
        - name: HOME
          value: /workspace/shared/$(params.home)
      script: |
        #!/usr/bin/env bash
        set -e
        apt-get update && apt-get install -y coreutils >/dev/null

        IFS=',' read -r -a KEY_ARR <<< "$(params.keys)"
        for key in "${KEY_ARR[@]}"; do
          echo "encoding $key"
          key_decoded="${key//__//}"
          echo "decoding $key_decoded"
          target="$HOME/$key_decoded"
          mkdir -p "$(dirname "$target")"
          cp "/workspace/credentials/$key" "$target"
        done