DEVOPS-41 completed tests

Author: githubofkrishnadhas

.github/dependabot.yml

@@ -0,0 +1,29 @@
+version: 2
+updates:
+- package-ecosystem: "pip"
+  directory: /
+  schedule:
+    interval: weekly
+    day: wednesday
+  # Assignees to set on pull requests
+  assignees:
+  - "githubofkrishnadhas"
+  # prefix specifies a prefix for all commit messages. When you specify a prefix for commit messages,
+  # GitHub will automatically add a colon between the defined prefix and the commit message provided the
+  # defined prefix ends with a letter, number, closing parenthesis, or closing bracket.
+  commit-message:
+    prefix: "dependabot python package"
+  # Use reviewers to specify individual reviewers or teams of reviewers for all pull requests raised for a package manager.
+  reviewers:
+  - "devwithkrishna/admin"
+  # Raise pull requests for version updates to pip against the `main` branch
+  target-branch: "main"
+  # Labels on pull requests for version updates only
+  labels:
+  - "pip dependencies"
+  # Increase the version requirements for Composer only when required
+  versioning-strategy: increase-if-necessary
+  # Dependabot opens a maximum of five pull requests for version updates. Once there are five open pull requests from Dependabot,
+  # Dependabot will not open any new requests until some of those open requests are merged or closed.
+  # Use open-pull-requests-limit to change this limit.
+  open-pull-requests-limit: 10

.github/workflows/github-secrets-configuration-from-azure-keyvault.yaml

@@ -0,0 +1,44 @@
+name: github-get-secrets-from-azure-kv-and-configure-as-repo-secrets
+on:
+  workflow_dispatch:
+    inputs:
+      keyvault_name:
+        required: true
+        type: string
+        description: 'key vault name'
+        default: ''
+      repo_search_string:
+        required: true
+        type: string
+        description: 'github repo name search string'
+        default: ''
+
+jobs:
+  github-get-secrets-from-azure-kv-and-configure-as-repo-secrets:
+    runs-on: ubuntu-latest
+    env:
+      AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
+      AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }}
+      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: set up python
+        uses: actions/setup-python@v5
+        with:
+          python-version: '3.11'
+
+      - name: package installations
+        run: |
+          pip install poetry
+          poetry install
+
+      - name: run python program
+        run: |
+          poetry run python3 main.py --keyvault_name ${{ github.event.inputs.keyvault_name }} \
+                                        --repo_search_string ${{ github.event.inputs.repo_search_string }}
+      - name: job completed
+        run: echo "Job is completed"
+

README.md

@@ -4,21 +4,61 @@ Fetch Specific Secrets from Azure key vault and configure as repo secrets
 
 # Mandatory Environment variables
 
-The below are used for authentication and programatical usage
+* The below one is used to determine the owner of repo. This is a environment variable provided by GitHub.
 
 ```commandline
-AZURE_CLIENT_ID
-AZURE_TENANT_ID
-AZURE_CLIENT_ID
+GITHUB_REPOSITORY_OWNER
 ```
 
-The below one is used to determine the owner of repo. This is a environment variable provided by GitHub.
+* GH_APP_TOKEN --> This is GitHub App installation token generated by using action `https://github.com/marketplace/actions/create-a-github-app-installation-access-token`
+This token is used for all API calls.
+
+
+# What is been done here
+
+* This is the proof of concept of updating github secrets from SECRETS present in azure KV
+
+* Specific SECRETS are pulled from keyvault and update in multiple repos in a single stretch
+
+* Here we are pulling secrets named ARM-CLIENT-ID and ARM-CLIENT-SECRET in a KV and update them in repo secrets.
+
+* Also TENANT ID and SUBSCRIPTION ID of the KEY vault are also added a github secrets
+
+
+| Secret name in Keyvault | GitHub Secret name |
+|-------------------------|--------------------|
+| ARM-CLIENT-ID           | ARM_CLIENT_ID |
+| ARM-CLIENT-SECRET       | ARM_CLIENT_SECRET |
+| Subscription ID         | ARM_SUBSCRIPTION_ID |
+| Tenant ID               | ARM_TENANT_ID |
+
+![repo-secrets.png](repo-secrets.png)
+
+* `pynacl` is used to encrypt the secrets
+
+* GitHub REST API is used to get details like repo names, repo public keys, repo public key ids etc.
+
+* Auth to GitHub is done using, GitHub App installation token generated by using action `https://github.com/marketplace/actions/create-a-github-app-installation-access-token`
+This token is used for all API calls.
+
+* Authentication to Azure is done using azure-identity package using service principal with secret as credentials.
+The below envrionment variables are used for authentication and programatical usage
 
 ```commandline
-GITHUB_REPOSITORY_OWNER
+AZURE_CLIENT_ID
+AZURE_TENANT_ID
+AZURE_CLIENT_SECRET
 ```
 
-GH_APP_TOKEN --> This is GitHub App installation token generated by using action `https://github.com/marketplace/actions/create-a-github-app-installation-access-token`
-This token is used for all API calls.
+# How code works
 
+1. First uses GitHub rest api repo end point to list out all the repositories and filters based on the the search string event
+2. Then loops over the repos matching the search input and gets the repo public key and repo public key id
+3. Once its done, it authentcates with azure gets the keyvault secrets ready for the above secrets `ARM-CLIENT-ID` & `ARM-CLIENT-SECRET`
+4. It will add the service principal to access policies to `secret permissions` - `get`, `list`, `set`
+5. Also in mean time it uses azure resource graph queries to get the subscription id, tenant id, key vault resource group etc.
+6. Using `public key`, `public key id` and the `secret value` fetched from keyvault using pynacl the secret value is encrypted which is passed to create repo secrets function.
+6. Once all the details are fetched like `ARM-CLIENT-ID`, `ARM-CLIENT-SECRET`, `SUBSCRIPTION ID` & `TENANT ID`, it prepares to 
+   create github secrets with names `ARM_CLIENT_ID`, `ARM_CLIENT_SECRET`, `ARM_SUBSCRIPTION_ID` & `ARM_TENANT_ID`
 
+![github-secrets-from-azure-kv.jpg](github-secrets-from-azure-kv.jpg)