fixup! feat(ncu-config): add support for partially encrypted config files

Author: aduh95

bin/ncu-config.js

@@ -7,10 +7,10 @@ import yargs from 'yargs';
 import { hideBin } from 'yargs/helpers';
 
 import {
-  getConfig, updateConfig, GLOBAL_CONFIG, PROJECT_CONFIG, LOCAL_CONFIG
+  getConfig, updateConfig, GLOBAL_CONFIG, PROJECT_CONFIG, LOCAL_CONFIG,
+  encryptValue
 } from '../lib/config.js';
 import { setVerbosityFromEnv } from '../lib/verbosity.js';
-import { runSync } from '../lib/run.js';
 
 setVerbosityFromEnv();
 
@@ -91,9 +91,7 @@ async function setHandler(argv) {
     console.warn('Passing sensitive config value via the shell is discouraged');
   }
   if (argv.encrypt) {
-    argv.value = runSync('gpg', ['--default-recipient-self', '--encrypt', '--armor'], {
-      input: argv.value
-    });
+    argv.value = await encryptValue(argv.value);
   }
   console.log(
     `Updating ${configName} configuration ` +

lib/auth.js

@@ -3,7 +3,7 @@ import { ClientRequest } from 'node:http';
 
 import ghauth from 'ghauth';
 
-import { clearCachedConfig, getMergedConfig, getNcurcPath } from './config.js';
+import { clearCachedConfig, encryptValue, getMergedConfig, getNcurcPath } from './config.js';
 
 export default lazy(auth);
 
@@ -83,7 +83,12 @@ async function auth(
         'see https://github.com/nodejs/node-core-utils/blob/main/README.md.\n');
       const credentials = await tryCreateGitHubToken(githubAuth);
       username = credentials.user;
-      token = credentials.token;
+      try {
+        token = await encryptValue(credentials.token);
+      } catch (err) {
+        console.warn('Failed encrypt token, storing unencrypted instead');
+        token = credentials.token;
+      }
       const json = JSON.stringify({ username, token }, null, 2);
       fs.writeFileSync(getNcurcPath(), json, {
         mode: 0o600 /* owner read/write */

lib/config.js

@@ -4,7 +4,7 @@ import os from 'node:os';
 import { readJson, writeJson } from './file.js';
 import { existsSync, mkdtempSync, rmSync } from 'node:fs';
 import { spawnSync } from 'node:child_process';
-import { runSync } from './run.js';
+import { forceRunAsync, runSync } from './run.js';
 
 export const GLOBAL_CONFIG = Symbol('globalConfig');
 export const PROJECT_CONFIG = Symbol('projectConfig');
@@ -33,6 +33,15 @@ export function clearCachedConfig() {
   mergedConfig = null;
 }
 
+export async function encryptValue(input) {
+  console.warn('Spawning gpg to encrypt the config value');
+  return forceRunAsync(process.env.GPG_BIN || 'gpg', ['--default-recipient-self', '--encrypt', '--armor'], {
+    captureStdout: true,
+    ignoreFailure: false,
+    spawnArgs: { input }
+  });
+}
+
 function setOwnProperty(target, key, value) {
   return Object.defineProperty(target, key, {
     __proto__: null,
@@ -42,13 +51,13 @@ function setOwnProperty(target, key, value) {
   });
 }
 function addEncryptedPropertyGetter(target, key, input) {
-  if (input.startsWith('-----BEGIN PGP MESSAGE-----\n')) {
+  if (input.startsWith?.('-----BEGIN PGP MESSAGE-----\n')) {
     return Object.defineProperty(target, key, {
       __proto__: null,
       configurable: true,
       get() {
         console.warn(`The config value for ${key} is encrypted, spawning gpg to decrypt it...`);
-        const value = runSync('gpg', ['--decrypt'], { input });
+        const value = runSync(process.env.GPG_BIN || 'gpg', ['--decrypt'], { input });
         setOwnProperty(target, key, value);
         return value;
       },