wip: set and remove secret wotk with and without env

Author: Giorgiosaud

src/commands/rm-secret/index.ts

@@ -1,43 +1,40 @@
+/* eslint-disable no-await-in-loop */
 import {Command} from '@oclif/core'
-import getGithubToken from '../../helpers/get-github-token'
 import {info} from '../../helpers/logger'
-import {validateRepoNames} from '../../helpers/validations'
-import removeSecret from '../../helpers/rm-secret-helpers/rm-secrets'
+import {validateRepoNames, validateSecrets} from '../../helpers/validations'
+import secretVarsFlags from '../../helpers/set-vars-helpers/secret-vars-flags'
+import repositoryFactory from '../../repositories/repository-factory'
+import encryptSecret from '../../set-secret-helpers/encrypt-secret'
+import {getPublicKey} from '../../set-secret-helpers/get-public-key'
 import RmSecretFlags from '../../helpers/rm-secret-helpers/rm-secret-flags'
 
-export default class RmSecret extends Command {
-  static description = 'remove a secret from a repository or environment'
+export default class SetSecret extends Command {
+  static description = 'describe the command here'
 
   static examples = [
     `
     you must have a personal github token to set the first time that uses this tool
-    $ github-automation rm-secret -r OWNER/NAME1 OWNER/NAME2 ... OWNER/NAMEn --secret-name SECRET_NAME1 SECRET_NAME2 ... SECRET_NAMEN 
-    $ github-automation rm-secret -r OWNER/NAME1 OWNER/NAME2 ... OWNER/NAMEn -n SECRET_NAME1 SECRET_NAME2 ... SECRET_NAMEN 
+    $ github-automation set-secret -r OWNER/NAME1 OWNER/NAME2 ... OWNER/NAMEn --secrets SECRET_NAME1:SECRET_VALUE_1 SECRET_NAME2:SECRET_VALUE_2 ... SECRET_NAMEN:SECRET_VALUE_N
+    $ github-automation set-secret -r OWNER/NAME1 OWNER/NAME2 ... OWNER/NAMEn -s SECRET_NAME1:SECRET_VALUE_1 SECRET_NAME2 ... SECRET_NAMEN -x SECRETVALUE1 SECRETVALUE2:SECRET_VALUE_2 ... SECRETVALUEN:SECRET_VALUE_N
     `,
   ]
 
-  static usage='rm-secret -r REPOS -n NAMES -e ENVIRONMENT_NAME'
+  static usage='set-secret -r REPOS -n NAMES -x VALUES'
 
   static strict = false
 
   static flags = RmSecretFlags
-  async run(): Promise<void> {
-    const {flags} = await this.parse(RmSecret)
-    validateRepoNames(flags.repositories)
-
-    const token = await getGithubToken(flags.organization)
-
-    const varsToSet = []
-    for (const repo of flags.repositories) {
-      for (const [, name] of flags['secret-name'].entries()) {
-        varsToSet.push(removeSecret({token, owner: flags.organization, repo, name, environment_name: flags.environment}))
-      }
-    }
 
-    await Promise.all(varsToSet)
-    for (const repo of flags.repositories) {
-      for (const [, name] of flags['secret-name'].entries()) {
-        this.log(info(`Removed secret ${name} in org: ${flags.organization} in repo: ${repo}`))
+  async run(): Promise<void> {
+    const {flags: {organization, repositories, secrets, environment}} = await this.parse(SetSecret)
+    validateRepoNames(repositories)
+    const octoFactory = repositoryFactory.get('octokit')
+    for (const repo of repositories) {
+      this.log(info(`Removing secrets in org: ${organization} in repo: ${repo}`))
+      for (const secret of secrets) {
+        this.log(info(`Removing secret ${secret} in org: ${organization} in repo: ${repo} ${environment ? `in environment: ${environment}` : ''}`))
+        await octoFactory.removeSecret({owner: organization, repo, secret_name: secret, environment})
+        this.log(info(`Updated secret ${secret}  in org: ${organization} in repo: ${repo} ${environment ? `in environment: ${environment}` : ''}`))
       }
     }
   }

src/commands/set-secret/index.ts

@@ -1,19 +1,20 @@
+/* eslint-disable no-await-in-loop */
 import {Command} from '@oclif/core'
-import getGithubToken from '../../helpers/get-github-token'
 import {info} from '../../helpers/logger'
-import updateSecret from '../../set-secret-helpers/update-secret'
-import encryptSecrets from '../../set-secret-helpers/encrypt-secret'
-import {validateEqualLengths, validateRepoNames} from '../../helpers/validations'
+import {validateRepoNames, validateSecrets} from '../../helpers/validations'
 import secretVarsFlags from '../../helpers/set-vars-helpers/secret-vars-flags'
+import repositoryFactory from '../../repositories/repository-factory'
+import encryptSecret from '../../set-secret-helpers/encrypt-secret'
+import {getPublicKey} from '../../set-secret-helpers/get-public-key'
 
 export default class SetSecret extends Command {
   static description = 'describe the command here'
 
   static examples = [
     `
     you must have a personal github token to set the first time that uses this tool
-    $ github-automation set-secret -r OWNER/NAME1 OWNER/NAME2 ... OWNER/NAMEn --secret-name SECRET_NAME1 SECRET_NAME2 ... SECRET_NAMEN --secret-value SECRETVALUE1 SECRETVALUE2 ... SECRETVALUEN
-    $ github-automation set-secret -r OWNER/NAME1 OWNER/NAME2 ... OWNER/NAMEn -n SECRET_NAME1 SECRET_NAME2 ... SECRET_NAMEN -x SECRETVALUE1 SECRETVALUE2 ... SECRETVALUEN
+    $ github-automation set-secret -r OWNER/NAME1 OWNER/NAME2 ... OWNER/NAMEn --secrets SECRET_NAME1:SECRET_VALUE_1 SECRET_NAME2:SECRET_VALUE_2 ... SECRET_NAMEN:SECRET_VALUE_N
+    $ github-automation set-secret -r OWNER/NAME1 OWNER/NAME2 ... OWNER/NAMEn -s SECRET_NAME1:SECRET_VALUE_1 SECRET_NAME2 ... SECRET_NAMEN -x SECRETVALUE1 SECRETVALUE2:SECRET_VALUE_2 ... SECRETVALUEN:SECRET_VALUE_N
     `,
   ]
 
@@ -24,24 +25,21 @@ export default class SetSecret extends Command {
   static flags = secretVarsFlags
 
   async run(): Promise<void> {
-    const {flags} = await this.parse(SetSecret)
-    validateEqualLengths(flags['secret-name'], flags['secret-value'])
-    validateRepoNames(flags.repositories)
-
-    const token = await getGithubToken(flags.organization)
-    const secretsToEncrypt = []
-    for (const repo of flags.repositories) {
-      for (const [index, secret] of flags['secret-value'].entries()) {
-        secretsToEncrypt.push(encryptSecrets({token, value: secret, org: flags.organization, repo, name: flags['secret-name'][index], environment: flags.environment}))
-      }
-    }
-
-    const promisesEncrypted = await Promise.all(secretsToEncrypt)
-    const updateSecretsPromises = flags.environment ? promisesEncrypted.map(encriptedData => updateSecret({...encriptedData, env: flags.environment}, token)) : promisesEncrypted.map(encriptedData => updateSecret(encriptedData, token))
-    await Promise.all(updateSecretsPromises)
-    for (const repo of flags.repositories) {
-      for (const [index, secret] of flags['secret-value'].entries()) {
-        this.log(info(`Updated secret ${flags['secret-name'][index]} with value ${secret} in org: ${flags.organization} in repo: ${repo}`))
+    const {flags: {organization, repositories, secrets, environment}} = await this.parse(SetSecret)
+    validateSecrets(secrets)
+    validateRepoNames(repositories)
+    const octoFactory = repositoryFactory.get('octokit')
+    for (const repo of repositories) {
+      this.log(info(`Updating secrets in org: ${organization} in repo: ${repo}`))
+      for (const secret of secrets) {
+        const [name, value] = secret.split(':')
+        this.log(info(`Generating Key for secret ${name} with value ${value} in org: ${organization} in repo: ${repo} ${environment ? `in environment: ${environment}` : ''}`))
+        const {data: publicKey} = await octoFactory.getPublicKey({owner: organization, repo, environment})
+        this.log(info(`Encrypting secret ${name} with value ${value} in org: ${organization} in repo: ${repo} ${environment ? `in environment: ${environment}` : ''}`))
+        const encryptedValue = await encryptSecret({value, publicKey})
+        this.log(info(`Updating secret ${name} with value ${value} in org: ${organization} in repo: ${repo} ${environment ? `in environment: ${environment}` : ''}`))
+        await octoFactory.updateSecret({owner: organization, repo, secret_name: name, encrypted_value: encryptedValue, key_id: publicKey.key_id, environment})
+        this.log(info(`Updated secret ${name} with value ${value} in org: ${organization} in repo: ${repo} ${environment ? `in environment: ${environment}` : ''}`))
       }
     }
   }

src/helpers/rm-secret-helpers/rm-secret-flags.ts

@@ -17,8 +17,8 @@ const RmSecretFlags = {
     description: 'If is set the env should be activated in the specified environment and create it if not exist',
     required: false,
   }),
-  'secret-name': Flags.string({
-    char: 'n',
+  secrets: Flags.string({
+    char: 's',
     description: 'Can be multiples secret names separated by space',
     required: true,
     multiple: true,

src/helpers/set-vars-helpers/secret-vars-flags.ts

@@ -17,19 +17,12 @@ const FlagsSecretAndVars = {
     description: 'If is set the env should be activated in the specified environment and create it if not exist',
     required: false,
   }),
-  'secret-name': Flags.string({
-    char: 'n',
-    description: 'Can be multiples secret names separated by space',
+  secrets: Flags.string({
+    char: 's',
+    description: 'Can be multiples secret names separated by : ej: name:secret',
     required: true,
     multiple: true,
   }),
-  'secret-value': Flags.string({
-    required: true,
-    description: 'Can be multiples secret values separated by space',
-    char: 'x',
-    multiple: true,
-  }),
-
   help: Flags.help({char: 'h'}),
 }
 export default FlagsSecretAndVars

src/helpers/validations.ts

@@ -12,3 +12,12 @@ export const validateEqualLengths = (names:string[], values:string[]):boolean|vo
     throw new Error('Secrets and values must be the same length')
   }
 }
+
+export const validateSecrets = (secrets:string[]):boolean|void => {
+  const okSecrets = secrets.every((secret: string) => {
+    return /^[\w-]+:[\w-]+$/.test(secret)
+  })
+  if (!okSecrets) {
+    throw new Error('The secret string must only contain numbers leters and dash and name and value must be separated by :')
+  }
+}

src/repositories/octokit-repository.ts

@@ -1,4 +1,6 @@
 import {Endpoints} from '@octokit/types'
+import {ux} from '@oclif/core'
+
 import octokitClient from './clients/octokit-client'
 type listReposResponse = Endpoints['GET /orgs/{org}/repos']['response'];
 type getEnvironmentsResponse = Endpoints['GET /repos/{owner}/{repo}/environments']['response'];
@@ -16,6 +18,9 @@ type removeCollaboratorParams=Endpoints['DELETE /repos/{owner}/{repo}/collaborat
 type addCollaboratorResponse=Endpoints['PUT /repos/{owner}/{repo}/collaborators/{username}']['response'];
 type addCollaboratorParams=Endpoints['PUT /repos/{owner}/{repo}/collaborators/{username}']['parameters'];
 type removeEnvironmentResponse=Endpoints['DELETE /repos/{owner}/{repo}/environments/{environment_name}']['response'];
+type getPublicKeyResponse=Endpoints['GET /repositories/{repository_id}/environments/{environment_name}/secrets/public-key']['response'];
+type updateSecretResponse=Endpoints['PUT /repositories/{repository_id}/environments/{environment_name}/secrets/{secret_name}']['response'];
+type removeSecretResponse=Endpoints['DELETE /repositories/{repository_id}/environments/{environment_name}/secrets/{secret_name}']['response'];
 export default {
   async setEnvironmentVariable({owner, repo, name, environment_name, value}:{owner:string, repo:string, name:string, environment_name:string, value: string}):Promise<postVariableResponse> {
     const octokit = await octokitClient({org: owner})
@@ -144,7 +149,6 @@ export default {
       },
     })
   },
-
   async protectBranch({owner, repo, branch, countReviewers}:{owner:string, repo:string, branch:string, countReviewers:number},
   ):Promise<protectBranchResponse> {
     const octokit = await octokitClient({org: owner})
@@ -202,4 +206,84 @@ export default {
       },
     })
   },
+  async getPublicKey({owner, repo, environment}:{owner:string, repo:string, environment?:string}):Promise<getPublicKeyResponse> {
+    const octokit = await octokitClient({org: owner})
+    if (environment) {
+      const {data: {environments}} = await this.getEnvironments({organization: owner, repository: repo})
+      if (!environments?.find(env => env.name === environment)) {
+        const confirm = await ux.confirm('The environment does not exist. Would you like to create it? (yes/no)')
+        if (confirm) {
+          await this.defineEnvironment({owner, repo, environment_name: environment})
+        } else {
+          throw new Error(`Environment ${environment} does not exist`)
+        }
+      }
+
+      const repoId = await this.getRepositoryId({owner, repo})
+      return octokit.request('GET /repositories/{repository_id}/environments/{environment_name}/secrets/public-key', {
+        repository_id: repoId,
+        environment_name: environment,
+      })
+    }
+
+    return octokit.request('GET /repos/{owner}/{repo}/actions/secrets/public-key', {
+      owner,
+      repo,
+    })
+  },
+  async updateSecret({owner, repo, secret_name, encrypted_value, key_id, environment}:{owner:string, repo:string, secret_name:string, encrypted_value:string, key_id:string, environment?:string}):Promise<updateSecretResponse> {
+    const octokit = await octokitClient({org: owner})
+
+    if (environment) {
+      const repoId = await this.getRepositoryId({owner, repo})
+
+      return octokit.request('PUT /repositories/{repository_id}/environments/{environment_name}/secrets/{secret_name}', {
+        repository_id: repoId,
+        environment_name: environment,
+        secret_name,
+        encrypted_value,
+        key_id,
+        headers: {
+          'X-GitHub-Api-Version': '2022-11-28',
+        },
+      })
+    }
+
+    return octokit.request('PUT /repos/{owner}/{repo}/actions/secrets/{secret_name}', {
+      owner,
+      repo,
+      secret_name,
+      encrypted_value,
+      key_id,
+      headers: {
+        'X-GitHub-Api-Version': '2022-11-28',
+      },
+    })
+  },
+  async removeSecret({owner, repo, secret_name, environment}:{owner:string, repo:string, secret_name:string, environment?:string}):Promise<removeSecretResponse> {
+    const octokit = await octokitClient({org: owner})
+
+    if (environment) {
+      const repoId = await this.getRepositoryId({owner, repo})
+
+      return octokit.request('DELETE /repositories/{repository_id}/environments/{environment_name}/secrets/{secret_name}', {
+        repository_id: repoId,
+        environment_name: environment,
+        secret_name,
+        headers: {
+          'X-GitHub-Api-Version': '2022-11-28',
+        },
+      })
+    }
+
+    return octokit.request('DELETE /repos/{owner}/{repo}/actions/secrets/{secret_name}', {
+      owner,
+      repo,
+      secret_name,
+      headers: {
+        'X-GitHub-Api-Version': '2022-11-28',
+      },
+    })
+  },
+
 }

src/set-secret-helpers/encrypt-secret.ts

@@ -1,21 +1,18 @@
-import {getPublicEnvKey} from './get-public-env-key'
-import {getPublicKey} from './get-public-key'
 import * as tweetnacl from 'tweetnacl-ts'
 interface EncryptSecretsArgs{
-  token:string;
   value: string;
-  org: string;
-  repo: string;
-  name:string;
-  environment?:string;
+  publicKey:{
+    key_id: string;
+    key: string;
+  }
 }
-const encryptSecrets = async ({token, value, org, repo, name, environment}:EncryptSecretsArgs): Promise<{encryptedValue: string;keyId: string; name: string; value:string; org:string; repo: string}> => {
-  const {key, key_id: keyId} = environment ? await getPublicEnvKey(token, org, repo, environment) : await getPublicKey(token, org, repo)
+const encryptSecrets = async ({value, publicKey}:EncryptSecretsArgs): Promise<string> => {
+  const {key} = publicKey
   const messageBytes = Buffer.from(value)
   const keyBytes = Buffer.from(key, 'base64')
   const encryptedBytes = tweetnacl.sealedbox(messageBytes, keyBytes)
   const encryptedValue = Buffer.from(encryptedBytes).toString('base64')
-  return {encryptedValue, keyId, name, value, org, repo}
+  return encryptedValue
 }
 
 export default encryptSecrets