feat(secret): add/update repo allowlist (#608)

wass3r · wass3rw3rk · web-flow · commit 484d6948870c · 2025-05-23T13:28:28.000-05:00
Co-authored-by: David May &lt;49894298+wass3rw3rk@users.noreply.github.com&gt;
diff --git a/action/secret/add.go b/action/secret/add.go
@@ -54,6 +54,7 @@ func (c *Config) Add(client *vela.Client) error {
 		Name:              &c.Name,
 		Value:             &c.Value,
 		Images:            &c.Images,
+		RepoAllowlist:     &c.RepoAllowlist,
 		AllowCommand:      c.AllowCommand,
 		AllowSubstitution: c.AllowSubstitution,
 	}
diff --git a/action/secret/secret.go b/action/secret/secret.go
@@ -24,6 +24,7 @@ type Config struct {
 	Name              string
 	Value             string
 	Images            []string
+	RepoAllowlist     []string
 	AllowEvents       []string
 	AllowCommand      *bool
 	AllowSubstitution *bool
diff --git a/action/secret/update.go b/action/secret/update.go
@@ -52,6 +52,7 @@ func (c *Config) Update(client *vela.Client) error {
 		Name:              &c.Name,
 		Value:             &c.Value,
 		Images:            &c.Images,
+		RepoAllowlist:     &c.RepoAllowlist,
 		AllowCommand:      c.AllowCommand,
 		AllowSubstitution: c.AllowSubstitution,
 	}
diff --git a/command/secret/add.go b/command/secret/add.go
@@ -81,6 +81,12 @@ var CommandAdd = &cli.Command{
 			Aliases: []string{"i"},
 			Usage:   "Provide the image(s) that can access this secret",
 		},
+		&cli.StringSliceFlag{
+			Sources: cli.EnvVars("VELA_REPO_ALLOWLIST", "SECRET_REPO_ALLOWLIST"),
+			Name:    "repo-allowlist",
+			Aliases: []string{"ra"},
+			Usage:   "provide the repository allowlist for the secret",
+		},
 		&cli.StringSliceFlag{
 			Sources: cli.EnvVars("VELA_EVENTS", "SECRET_EVENTS"),
 			Name:    "event",
@@ -125,19 +131,21 @@ EXAMPLES:
      $ {{.FullName}} --secret.engine native --secret.type repo --org MyOrg --repo MyRepo --name foo --value bar --commands false
    3. Add an organization secret.
      $ {{.FullName}} --secret.engine native --secret.type org --org MyOrg --name foo --value bar
-   4. Add a shared secret.
+   4. Add an organization secret and limit use to specific repositories.
+     $ {{.FullName}} --secret.engine native --secret.type org --org MyOrg --name foo --value bar ---repo-allowlist MyOrg/repo1,MyOrg/repo2
+   5. Add a shared secret.
      $ {{.FullName}} --secret.engine native --secret.type shared --org MyOrg --team octokitties --name foo --value bar
-   5. Add a repository secret with all event types enabled.
+   6. Add a repository secret with all event types enabled.
      $ {{.FullName}} --secret.engine native --secret.type repo --org MyOrg --repo MyRepo --name foo --value bar --event comment --event deployment --event pull_request --event push --event tag
-   6. Add a repository secret with an image whitelist.
+   7. Add a repository secret with an image whitelist.
      $ {{.FullName}} --secret.engine native --secret.type repo --org MyOrg --repo MyRepo --name foo --value bar --image alpine --image golang:* --image postgres:latest
-   7. Add a secret with value from a file.
+   8. Add a secret with value from a file.
      $ {{.FullName}} --secret.engine native --secret.type repo --org MyOrg --repo MyRepo --name foo --value @secret.txt
-   8. Add a repository secret with json output.
+   9. Add a repository secret with json output.
      $ {{.FullName}} --secret.engine native --secret.type repo --org MyOrg --repo MyRepo --name foo --value bar --output json
-   9. Add a secret or secrets from a file.
+  10. Add a secret or secrets from a file.
      $ {{.FullName}} --file secret.yml
-  10. Add a secret when config or environment variables are set.
+  11. Add a secret when config or environment variables are set.
      $ {{.FullName}} --org MyOrg --repo MyRepo --name foo --value bar
 
 DOCUMENTATION:
@@ -167,19 +175,20 @@ func add(_ context.Context, c *cli.Command) error {
 	//
 	// https://pkg.go.dev/github.com/go-vela/cli/action/secret?tab=doc#Config
 	s := &secret.Config{
-		Action:      internal.ActionAdd,
-		Engine:      c.String(internal.FlagSecretEngine),
-		Type:        c.String(internal.FlagSecretType),
-		Org:         c.String(internal.FlagOrg),
-		Repo:        c.String(internal.FlagRepo),
-		Team:        c.String("team"),
-		Name:        c.String("name"),
-		Value:       c.String("value"),
-		Images:      c.StringSlice("image"),
-		AllowEvents: c.StringSlice("event"),
-		File:        c.String("file"),
-		Output:      c.String(internal.FlagOutput),
-		Color:       output.ColorOptionsFromCLIContext(c),
+		Action:        internal.ActionAdd,
+		Engine:        c.String(internal.FlagSecretEngine),
+		Type:          c.String(internal.FlagSecretType),
+		Org:           c.String(internal.FlagOrg),
+		Repo:          c.String(internal.FlagRepo),
+		Team:          c.String("team"),
+		Name:          c.String("name"),
+		Value:         c.String("value"),
+		Images:        c.StringSlice("image"),
+		RepoAllowlist: c.StringSlice("repo-allowlist"),
+		AllowEvents:   c.StringSlice("event"),
+		File:          c.String("file"),
+		Output:        c.String(internal.FlagOutput),
+		Color:         output.ColorOptionsFromCLIContext(c),
 	}
 
 	// check if allow_command and allow_substitution are provided
diff --git a/command/secret/update.go b/command/secret/update.go
@@ -81,6 +81,12 @@ var CommandUpdate = &cli.Command{
 			Aliases: []string{"i"},
 			Usage:   "provide the image(s) that can access this secret",
 		},
+		&cli.StringSliceFlag{
+			Sources: cli.EnvVars("VELA_REPO_ALLOWLIST", "SECRET_REPO_ALLOWLIST"),
+			Name:    "repo-allowlist",
+			Aliases: []string{"ra"},
+			Usage:   "provide the repository allowlist for the secret",
+		},
 		&cli.StringSliceFlag{
 			Sources: cli.EnvVars("VELA_EVENTS", "SECRET_EVENTS"),
 			Name:    "event",
@@ -127,17 +133,19 @@ EXAMPLES:
      $ {{.FullName}} --secret.engine native --secret.type org --org MyOrg --name foo --value bar
    4. Update a shared secret.
      $ {{.FullName}} --secret.engine native --secret.type shared --org MyOrg --team octokitties --name foo --value bar
-   5. Update a repository secret with all event types enabled.
+   5. Update a shared secret to limit use to specific repositories.
+     $ {{.FullName}} --secret.engine native --secret.type shared --org MyOrg --team octokitties --name foo --repo-allowlist MyOrg/repo1,MyOrg/repo2
+   6. Update a repository secret with all event types enabled.
      $ {{.FullName}} --secret.engine native --secret.type repo --org MyOrg --repo MyRepo --name foo --event comment --event deployment --event pull_request --event push --event tag
-   6. Update a repository secret with an image whitelist.
+   7. Update a repository secret with an image whitelist.
      $ {{.FullName}} --secret.engine native --secret.type repo --org MyOrg --repo MyRepo --name foo --image alpine --image golang:* --image postgres:latest
-   7. Update a secret with value from a file.
+   8. Update a secret with value from a file.
      $ {{.FullName}} --secret.engine native --secret.type repo --org MyOrg --repo MyRepo --name foo --value @secret.txt
-   8. Update a repository secret with json output.
+   9. Update a repository secret with json output.
      $ {{.FullName}} --secret.engine native --secret.type repo --org MyOrg --repo MyRepo --name foo --value bar --output json
-   9. Update a secret or secrets from a file.
+  10. Update a secret or secrets from a file.
      $ {{.FullName}} --file secret.yml
-  10. Update a secret when config or environment variables are set.
+  11. Update a secret when config or environment variables are set.
      $ {{.FullName}} --org MyOrg --repo MyRepo --name foo --value bar
 
 DOCUMENTATION:
@@ -167,19 +175,20 @@ func update(_ context.Context, c *cli.Command) error {
 	//
 	// https://pkg.go.dev/github.com/go-vela/cli/action/secret?tab=doc#Config
 	s := &secret.Config{
-		Action:      internal.ActionUpdate,
-		Engine:      c.String(internal.FlagSecretEngine),
-		Type:        c.String(internal.FlagSecretType),
-		Org:         c.String(internal.FlagOrg),
-		Repo:        c.String(internal.FlagRepo),
-		Team:        c.String("team"),
-		Name:        c.String("name"),
-		Value:       c.String("value"),
-		Images:      c.StringSlice("image"),
-		AllowEvents: c.StringSlice("event"),
-		File:        c.String("file"),
-		Output:      c.String(internal.FlagOutput),
-		Color:       output.ColorOptionsFromCLIContext(c),
+		Action:        internal.ActionUpdate,
+		Engine:        c.String(internal.FlagSecretEngine),
+		Type:          c.String(internal.FlagSecretType),
+		Org:           c.String(internal.FlagOrg),
+		Repo:          c.String(internal.FlagRepo),
+		Team:          c.String("team"),
+		Name:          c.String("name"),
+		Value:         c.String("value"),
+		Images:        c.StringSlice("image"),
+		RepoAllowlist: c.StringSlice("repo-allowlist"),
+		AllowEvents:   c.StringSlice("event"),
+		File:          c.String("file"),
+		Output:        c.String(internal.FlagOutput),
+		Color:         output.ColorOptionsFromCLIContext(c),
 	}
 
 	// check if allow_command and allow_substitution are provided

Original file line number	Diff line number	Diff line change
`@@ -54,6 +54,7 @@ func (c Config) Add(client vela.Client) error {`
`54`	`54`	`Name: &c.Name,`
`55`	`55`	`Value: &c.Value,`
`56`	`56`	`Images: &c.Images,`
	`57`	`+ RepoAllowlist: &c.RepoAllowlist,`
`57`	`58`	`AllowCommand: c.AllowCommand,`
`58`	`59`	`AllowSubstitution: c.AllowSubstitution,`
`59`	`60`	`}`
Original file line number	Diff line number	Diff line change
`@@ -52,6 +52,7 @@ func (c Config) Update(client vela.Client) error {`
`52`	`52`	`Name: &c.Name,`
`53`	`53`	`Value: &c.Value,`
`54`	`54`	`Images: &c.Images,`
	`55`	`+ RepoAllowlist: &c.RepoAllowlist,`
`55`	`56`	`AllowCommand: c.AllowCommand,`
`56`	`57`	`AllowSubstitution: c.AllowSubstitution,`
`57`	`58`	`}`