forked from gliech/create-github-secret-action
-
Notifications
You must be signed in to change notification settings - Fork 0
/
index.js
114 lines (100 loc) · 3.67 KB
/
index.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
const core = require("@actions/core")
const github = require("@actions/github")
const sodium = require("tweetsodium")
class GithubLocation {
constructor(location_input, environment_input) {
this.type = "repository"
this.short_type = "Repo"
if (environment_input) {
this.type = "environment"
this.short_type = "Environment"
}
if (!location_input) {
const context = github.context
this.data = context.repo
} else if (location_input.includes("/")) {
const [owner, repo] = location_input.split("/")
this.data = {owner, repo}
} else {
this.type = "organization"
this.short_type = "Org"
this.data = {org: location_input}
}
}
toString() {
return Object.values(this.data).join("/")
}
}
async function run() {
try {
// Get all inputs
const input_name = core.getInput("name")
const input_value = core.getInput("value")
const input_location = core.getInput("location")
const input_environment = core.getInput("environment")
const secret_target = new GithubLocation(input_location, input_environment)
const input_pat = core.getInput("pa_token")
const octokit = github.getOctokit(input_pat)
const get_public_key = octokit.rest.actions[`get${secret_target.short_type}PublicKey`]
const upsert_secret = octokit.rest.actions[`createOrUpdate${secret_target.short_type}Secret`]
let org_arguments = {}
if (secret_target.type == "organization") {
const input_visibility = core.getInput("org_visibility")
if (["all", "private"].includes(input_visibility)) {
org_arguments = { visibility: input_visibility }
} else {
org_arguments = {
visibility: "selected",
selected_repository_ids: input_visibility.split(",").map(i => parseInt(i.trim()))
}
}
}
// Add arguments needed for environment secrets
let environment_arguments = {}
if (secret_target.type == "environment") {
const { data: {id: repo_id }} = await octokit.rest.repos.get(secret_target.data);
core.info(`Found repo id ${repo_id} for '${secret_target}'`)
environment_arguments = {
repository_id: repo_id,
environment_name: input_environment
}
}
// Retrieve repository public key and encrypt secret value
core.info(`Retrieving public key for ${secret_target.type} '${secret_target}'`)
const { data: public_key } = await get_public_key({...secret_target.data, ...environment_arguments})
core.info("Encrypting secret value")
const plain_value_bytes = Buffer.from(input_value)
const public_key_bytes = Buffer.from(public_key.key, "base64")
const secret_value_bytes = sodium.seal(plain_value_bytes, public_key_bytes)
const signed_secret_value = Buffer.from(secret_value_bytes).toString("base64")
// Create or update secret
core.info(`Setting ${secret_target.type} secret '${input_name}'`)
const { status } = await upsert_secret({
...secret_target.data,
secret_name: input_name,
encrypted_value: signed_secret_value,
key_id: public_key.key_id,
...org_arguments,
...environment_arguments
})
const response_codes = {
201: "created",
204: "updated"
}
if (status in response_codes) {
core.info(
`Successfully ${response_codes[status]} secret '${input_name}' in ` +
`${secret_target.type} '${secret_target}'`
)
} else {
core.warn(
`Encountered unexpected HTTP status code while creating secret ` +
`'${input_name}'. Epected one of '201', '204' but got '${status}'`
)
}
core.setOutput("status", status)
} catch (err) {
core.setFailed(err.message)
}
}
run()