DEVOPS-49 added workflow encryptionand creating secret

Author: githubofkrishnadhas

.github/workflows/create_or_update_repository_secrets.yaml

@@ -0,0 +1,63 @@
+name: create_or_update_repository_secrets
+on:
+  workflow_dispatch:
+    inputs:
+      organization:
+        required: true
+        description: 'GitHub Organization name'
+        type: string
+      repository_name:
+        required: true
+        description: 'GitHub repository on which secret need to be created'
+        type: string
+      secret_name:
+        required: true
+        description: 'Repository Secret name'
+        type: string
+      secret_value:
+        required: true
+        description: 'secret content'
+
+run-name: ${{ github.actor }} creting or updating ${{ inputs.secret_name }} in ${{ inputs.repository_name }}
+jobs:
+  create_or_update_repository_secrets:
+  runs-on: ubuntu-latest
+  steps:
+    steps:
+      - name: git checkout
+        uses: actions/checkout@v4
+      - name: Set up Python
+        uses: actions/setup-python@v2
+        with:
+          python-version: '3.11'
+      - name: package installations
+        run: |
+          pip install pipenv
+          pipenv install
+      - name: get public key
+        id: get-public-key
+        env:
+          GH_TOKEN: ${{ secrets.DEVWITHKRISHNA_PERSONAL_ACCESS_TOKEN }}
+        run: |
+          pipenv run python3 get_repository_public_key --organization ${{ inputs.organization }} \
+          --repository_name ${{ inputs.repository_name }}
+      - name: Encrypt secret
+        id: encrypt-secret
+        env:
+          REPOSITORY_PUBLIC_KEY: ${{ env.REPOSITORY_PUBLIC_KEY }}
+          SECRET_VALUE: ${{ inputs.secret_value }}
+        run: |
+          pipenv run python3 encrypt_using_libnacl.py
+      - name: create or update repository secret
+        env:
+          organization: ${{ inputs.organization }}
+          secret_name: ${{ inputs.secret_name }}
+          ENCRYPTED_SECRET: ${{ env.ENCRYPTED_SECRET }}
+          REPOSITORY_PUBLIC_KEY_ID: ${{ env.REPOSITORY_PUBLIC_KEY_ID }}
+          GH_TOKEN: ${{ secrets.DEVWITHKRISHNA_PERSONAL_ACCESS_TOKEN }}
+        run: |
+          pipenv run python3 create_or_update_repo_secret.py
+      - name: Completed
+        run: |
+          echo "program completed successfully"
+

Pipfile

@@ -7,6 +7,7 @@ name = "pypi"
 argparse = "=1.4.0"
 requests = "=2.31.0"
 pytz = "=2024.1"
+PyNaCl = "=1.5.0"
 
 [requires]
 python_version = "3"

Pipfile.lock

@@ -0,0 +1,61 @@
+import requests
+import os
+from datetime import datetime
+import pytz
+
+def current_ist_time():
+    """code to return time in IST"""
+    # Get the current time in IST
+    ist = pytz.timezone('Asia/Kolkata')
+    ist_now = datetime.now(ist)
+
+    # Format and print the current time in IST
+    ist_now_formatted = ist_now.strftime('%Y-%m-%d %H:%M:%S %Z%z')
+    return ist_now_formatted
+
+
+def create_or_update_organization_secret_github(organization: str, secret_name: str):
+    """
+    Create or update org level secret in GitHub
+    Ref https://docs.github.com/en/rest/actions/secrets?apiVersion=2022-11-28#create-or-update-an-organization-secret
+
+    The token must have the following permission set: organization_secrets:write
+    """
+    encrypted_secret = os.getenv('ENCRYPTED_SECRET')
+    if not encrypted_secret:
+        print("ENCRYPTED_SECRET environment variable is not set or is empty.")
+    print(f'encrypted sec is: {encrypted_secret}')
+    ist_now_formatted = current_ist_time()
+    github_org_secret_endpoint = f"https://api.github.com/orgs/{organization}/actions/secrets/{secret_name}"
+
+    headers = {
+        "Accept": "application/vnd.github+json",
+        "Authorization": f"Bearer {os.getenv('GH_TOKEN')}",
+        "X-GitHub-Api-Version": "2022-11-28"
+    }
+    data = {
+        "encrypted_value": encrypted_secret,
+        "visibility": "all",
+        "key_id": os.getenv('PUBLIC_KEY_ID')
+    }
+    response = requests.put(github_org_secret_endpoint, headers=headers, json=data)
+    if response.status_code == '201':
+        print(f"Secret {secret_name} created {organization} at {ist_now_formatted}")
+    else:
+        print(f"Secret {secret_name} updated on {organization} at {ist_now_formatted}")
+
+
+def main():
+    """To test the code"""
+    # Configuring to read ENCRYPTED_SECRET
+    # encrypted_secret = os.getenv('ENCRYPTED_SECRET')
+    # organization = 'devwithkrishna'
+    # secret_name = 'noidea'
+    organization = os.getenv('organization')
+    secret_name = os.getenv('secret_name')
+
+    # Function call
+    create_or_update_organization_secret_github(organization, secret_name)
+
+if __name__ == "__main__":
+    main()

create_or_update_repo_secret.py

@@ -0,0 +1,40 @@
+# Python script includes a function, encrypt, designed to encrypt Unicode strings using public-key cryptography through the PyNaCl library.
+# To utilize this functionality, begin by importing the necessary libraries with the from base64 import b64encode and from nacl import encoding,
+# public statements. Subsequently, define and call the encrypt function, passing a Base64-encoded public key and a Unicode string as parameters.
+# The function then encrypts the provided value using the public key and returns the result in a Base64-encoded format.
+# For example, calling encrypt("aSBhbSBrcmlzaG5hZGhhcwo=", "aSBhbSBrcmlzaG5hZGhhcwo=") demonstrates how to encrypt a sample Unicode string using a specified public key.
+# Ensure proper handling and security of public keys and secret values within your application.
+
+from base64 import b64encode
+from nacl import encoding, public
+import os
+
+def encrypt(public_key: str, secret_value: str) -> str:
+    """Encrypt a Unicode string using the public key."""
+    public_key = public.PublicKey(public_key.encode("utf-8"), encoding.Base64Encoder())
+    sealed_box = public.SealedBox(public_key)
+    encrypted = sealed_box.encrypt(secret_value.encode("utf-8"))
+    return b64encode(encrypted).decode("utf-8")
+
+def main():
+    public_key = os.environ.get("PUBLIC_KEY")
+    secret_value = os.environ.get("SECRET_VALUE")
+    # public_key = "<public key here for local testing>"
+    # secret_value = "Krishnadhas"
+
+    if not (public_key and secret_value):
+        print("Please set PUBLIC_KEY and SECRET_VALUE environment variables.")
+        exit(1)
+
+    try:
+        encrypted_secret = encrypt(public_key, secret_value)
+        os.system(f'echo "ENCRYPTED_SECRET={encrypted_secret}" >> $GITHUB_ENV')
+        print(f"Encrypted Secret: {encrypted_secret}")
+        print(f"Encrypted secret added as a environment variable")
+        return encrypted_secret
+    except Exception as e:
+        print(f"Error encrypting secret: {e}")
+        exit(1)
+
+if __name__ == "__main__":
+    main()