✨ Add script to manage repository secrets & vars (#71)

Author: stoe

.eslintrc.json

@@ -28,16 +28,19 @@
           "default_branch",
           "default_workflow_permissions",
           "delete_branch_on_merge",
+          "encrypted_value",
           "full_name",
           "has_issues",
           "has_projects",
           "has_wiki",
           "html_url",
           "installation_id",
           "issue_number",
+          "key_id",
           "new_name",
           "node_id",
           "per_page",
+          "secret_name",
           "secret_scanning",
           "security_and_analysis",
           "squash_merge_commit_message",

package-lock.json

@@ -11,6 +11,7 @@
     "scripts/dependabot-config",
     "scripts/release-config",
     "scripts/repository-labels",
+    "scripts/repository-secrets",
     "scripts/repository-settings",
     "scripts/workflow-shas"
   ],

package.json

@@ -0,0 +1,6 @@
+#!/usr/bin/env node
+
+import {run} from '@octoherd/cli/run'
+import {script} from './script.js'
+
+run(script)

scripts/repository-secrets/cli.js

@@ -0,0 +1,20 @@
+The MIT License (MIT)
+
+Copyright (c) Stefan Stölzle <[email protected]> (github.com/stoe)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

scripts/repository-secrets/license

@@ -0,0 +1,42 @@
+{
+  "name": "@stoe/octoherd-script-repository-secrets",
+  "version": "0.0.0-development",
+  "type": "module",
+  "description": "Manage repository Action secrets and variables",
+  "keywords": [
+    "octohed-script",
+    "github-actions",
+    "secrets",
+    "variables"
+  ],
+  "author": {
+    "name": "Stefan Stölzle",
+    "email": "[email protected]",
+    "url": "https://github.com/stoe"
+  },
+  "license": "MIT",
+  "repository": "https://github.com/stoe/octoherd-scripts",
+  "publishConfig": {
+    "access": "public",
+    "registry": "https://npm.pkg.github.com"
+  },
+  "engines": {
+    "node": ">=16",
+    "npm": ">=8"
+  },
+  "exports": "./script.js",
+  "bin": {
+    "octoherd-script-repository-secrets": "./cli.js"
+  },
+  "scripts": {
+    "format": "npx prettier --ignore-path ../../.prettierignore --config-precedence prefer-file --write . && eslint '*.js' --fix",
+    "pretest": "npx eslint-config-prettier ../../.eslintrc.json",
+    "test": "eslint '*.js'"
+  },
+  "dependencies": {
+    "@octoherd/cli": "^3.6.5",
+    "js-yaml": "^4.1.0",
+    "libsodium-wrappers": "^0.7.11"
+  },
+  "prettier": "@github/prettier-config"
+}

scripts/repository-secrets/package.json

@@ -0,0 +1,40 @@
+# octoherd-script: repository-secrets
+
+[![repository-secrets version](https://img.shields.io/github/package-json/v/stoe/octoherd-scripts?filename=scripts%2Frepository-secrets%2Fpackage.json)](https://github.com/stoe/octoherd-scripts/pkgs/npm/octoherd-script-repository-secrets)
+
+> Replace Action versions with SHAs
+>
+> [@octoherd](https://github.com/octoherd/) helps to keep your GitHub repositories in line.
+
+## Usage
+
+```sh
+$ npx @stoe/octoherd-script-repository-secrets \
+  --octoherd-token ghp_000000000000000000000000000000000000 \
+  --octoherd-repos "stoe/*" \
+  --path .secrets.yml
+```
+
+## Options
+
+| option      | type    | description                                                                 |
+| ----------- | ------- | --------------------------------------------------------------------------- |
+| `--dry-run` | boolean | show what would be done (default `false`)                                   |
+| `--path`    | string  | path to the secrets file in YAML format, see below (default `.secrets.yml`) |
+
+`.secrets.yml` format
+
+```yaml
+# .secrets.yml
+secrets:
+  SECRET_NAME: value
+  ANOTHER_SECRET: value
+
+variables:
+  VARIABLE_NAME: value
+  ANOTHER_VARIABLE: value
+```
+
+## License
+
+[MIT](license)

scripts/repository-secrets/readme.md

@@ -0,0 +1,167 @@
+import _sodium from 'libsodium-wrappers'
+import {load} from 'js-yaml'
+import {readFileSync} from 'fs'
+
+/**
+ * @param {import('@octoherd/cli').Octokit}    octokit
+ * @param {import('@octoherd/cli').Repository} repository
+ * @param {object}                             options
+ * @param {string}                             [options.path=.secrets.yml]
+ * @param {boolean}                            [options.dryRun=false]
+ */
+export async function script(octokit, repository, {path = '.secrets.yml', dryRun = false}) {
+  const {
+    archived,
+    disabled,
+    fork,
+    name: repo,
+    owner: {login: owner},
+    size,
+    clone_url: url,
+  } = repository
+
+  // skip archived, disabled, forked and empty repos
+  if (archived || disabled || fork || size === 0) return
+
+  try {
+    // read secrets from file
+    const buff = readFileSync(path, 'utf-8')
+    const {secrets, variables} = await load(buff)
+
+    // fail if no secrets or variables found
+    if (!secrets && !variables) {
+      octokit.log.error(`❌ no secrets nor variables found in ${path}`)
+      return
+    }
+
+    // repository secrets
+    if (secrets) {
+      // https://docs.github.com/en/rest/actions/secrets#get-a-repository-public-key
+      const {
+        data: {key_id, key},
+      } = await octokit.request('GET /repos/{owner}/{repo}/actions/secrets/public-key', {
+        owner,
+        repo,
+      })
+
+      for (const secret of Object.keys(secrets)) {
+        const secretName = secret
+        const secretValue = secrets[secret]
+
+        const encryptedValue = await encrypt(key, secretValue)
+
+        if (dryRun) {
+          octokit.log.info(`  🐢 dry-run create or update secret ${secretName}`)
+        } else {
+          try {
+            // https://docs.github.com/en/rest/actions/secrets#create-or-update-a-repository-secret
+            const {status} = await octokit.request('PUT /repos/{owner}/{repo}/actions/secrets/{secret_name}', {
+              owner,
+              repo,
+              secret_name: secretName,
+              encrypted_value: encryptedValue,
+              key_id,
+            })
+
+            octokit.log.info(`  🛡️ ${status === 201 ? 'created' : 'updated'} ${secretName}`)
+          } catch (error) {
+            octokit.log.error({error: error.message, secret: secretName}, `  ❌ create or update secret ${secretName}`)
+          }
+        }
+      }
+    }
+
+    // repository variables
+    if (variables) {
+      for (const variable of Object.keys(variables)) {
+        const variableName = variable
+        const variableValue = variables[variable]
+
+        let create = false
+        let value = null
+
+        try {
+          // https://docs.github.com/en/rest/actions/variables#get-a-repository-variable
+          const {
+            data: {value: v},
+          } = await octokit.request('GET /repos/{owner}/{repo}/actions/variables/{name}', {
+            owner,
+            repo,
+            name: variableName,
+          })
+
+          value = v
+        } catch (error) {
+          create = true
+        }
+
+        if (variableValue === value) {
+          octokit.log.info(`  🙊 no change for variable ${variableName}`)
+          continue
+        }
+
+        if (dryRun) {
+          octokit.log.info(`  🐢 dry-run ${create ? 'create' : 'update'} variable ${variableName}`)
+        } else {
+          try {
+            if (create) {
+              // https://docs.github.com/en/rest/actions/variables#create-a-repository-variable
+              await octokit.request('POST /repos/{owner}/{repo}/actions/variables', {
+                owner,
+                repo,
+                name: variableName,
+                value: variableValue,
+              })
+            } else {
+              // https://docs.github.com/en/rest/actions/variables#create-a-repository-variable
+              await octokit.request('PATCH /repos/{owner}/{repo}/actions/variables/{name}', {
+                owner,
+                repo,
+                name: variableName,
+                value: variableValue,
+              })
+            }
+
+            octokit.log.info(`  🛡️ ${create ? 'created' : 'updated'} ${variableName}`)
+          } catch (error) {
+            octokit.log.error({error: error.message}, `  ❌ ${create ? 'create' : 'update'} variable ${variableName}`)
+          }
+        }
+      }
+    }
+
+    octokit.log.info(`  ✅ ${url}`)
+    return
+  } catch (error) {
+    // eslint-disable-next-line no-console
+    console.error(error)
+    octokit.log.error(`❌ ${error.message}`)
+  }
+}
+
+/**
+ * Encrypt a secret using a public key.
+ * https://www.npmjs.com/package/libsodium-wrappers
+ *
+ * @function encrypt
+ * @async
+ *
+ * @param {string} key
+ * @param {string} secret
+ *
+ * @returns {Promise<string>}
+ */
+const encrypt = async (key, secret) => {
+  await _sodium.ready
+  const sodium = _sodium
+
+  // convert base64 key & secret to Uint8Array.
+  const binkey = sodium.from_base64(key, sodium.base64_variants.ORIGINAL)
+  const binsec = sodium.from_string(secret)
+
+  // encrypt the secret using LibSodium
+  const encBytes = sodium.crypto_box_seal(binsec, binkey)
+
+  // convert encrypted Uint8Array to Base64
+  return sodium.to_base64(encBytes, sodium.base64_variants.ORIGINAL)
+}