feat: Add audit log output

.eslintrc.json

@@ -11,7 +11,7 @@
       "eslint-comments/no-use": "off",
       "import/no-namespace": "off",
       "no-unused-vars": "off",
-      "@typescript-eslint/no-unused-vars": "error",
+      "@typescript-eslint/no-unused-vars": "off",
       "@typescript-eslint/explicit-member-accessibility": ["error", {"accessibility": "no-public"}],
       "@typescript-eslint/no-require-imports": "error",
       "@typescript-eslint/array-type": "error",

.github/workflows/ci.yml

@@ -5,7 +5,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
     - run: |
         npm i
         npm run all

.github/workflows/release.yml

@@ -7,7 +7,7 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v2
+    - uses: actions/checkout@v4
       with: 
         ref: 'master'
     - name: Keep dist up-to-date

README.md

@@ -54,6 +54,16 @@ If this value is set to the name of a valid environment in the target repositori
 
 Target where secrets should be stored: `actions` (default) or `dependabot`.
 
+### `audit_log_hashing_salt`
+
+Salt for hashing the secrets in the audit log.
+
+## Outputs
+
+### `audit_log`
+
+Audit log (JSON structure) describing which secrets have been updated in which repository.
+
 ## Usage
 
 ```yaml

__tests__/config.test.ts

@@ -37,6 +37,7 @@ describe("getConfig", () => {
   const RUN_DELETE = false;
   const ENVIRONMENT = "production";
   const TARGET = "actions";
+  const AUDIT_LOG_HASHING_SALT = "salt";
 
   // Must implement because operands for delete must be optional in typescript >= 4.0
   interface Inputs {
@@ -51,6 +52,7 @@ describe("getConfig", () => {
     INPUT_RUN_DELETE: string;
     INPUT_ENVIRONMENT: string;
     INPUT_TARGET: string;
+    INPUT_AUDIT_LOG_HASHING_SALT: string;
   }
   const inputs: Inputs = {
     INPUT_GITHUB_API_URL: String(GITHUB_API_URL),
@@ -64,6 +66,7 @@ describe("getConfig", () => {
     INPUT_RUN_DELETE: String(RUN_DELETE),
     INPUT_ENVIRONMENT: String(ENVIRONMENT),
     INPUT_TARGET: String(TARGET),
+    INPUT_AUDIT_LOG_HASHING_SALT: String(AUDIT_LOG_HASHING_SALT),
   };
 
   beforeEach(() => {
@@ -93,6 +96,7 @@ describe("getConfig", () => {
       RUN_DELETE,
       ENVIRONMENT,
       TARGET,
+      AUDIT_LOG_HASHING_SALT,
     });
   });
 

__tests__/github.test.ts

@@ -15,6 +15,7 @@
  */
 
 import * as config from "../src/config";
+import * as utils from "../src/utils";
 
 import {
   DefaultOctokit,
@@ -166,6 +167,8 @@ describe("setSecretForRepo", () => {
         return body;
       })
       .reply(200);
+
+    (utils.hash as jest.Mock) = jest.fn().mockImplementation(() => "hash");
   });
 
   test("setSecretForRepo with Actions target should retrieve public key for Actions", async () => {
@@ -176,7 +179,8 @@ describe("setSecretForRepo", () => {
       repo,
       "",
       true,
-      "actions"
+      "actions",
+      "salt"
     );
     expect(actionsPublicKeyMock.isDone()).toBeTruthy();
   });
@@ -189,7 +193,8 @@ describe("setSecretForRepo", () => {
       repo,
       "",
       true,
-      "dependabot"
+      "dependabot",
+      "salt"
     );
     expect(dependabotPublicKeyMock.isDone()).toBeTruthy();
   });
@@ -202,7 +207,8 @@ describe("setSecretForRepo", () => {
       repo,
       "",
       true,
-      "actions"
+      "actions",
+      "salt"
     );
     expect(actionsPublicKeyMock.isDone()).toBeTruthy();
     expect(setActionsSecretMock.isDone()).toBeFalsy();
@@ -216,7 +222,8 @@ describe("setSecretForRepo", () => {
       repo,
       "",
       false,
-      "actions"
+      "actions",
+      "salt"
     );
     expect(setActionsSecretMock.isDone()).toBeTruthy();
   });
@@ -229,10 +236,36 @@ describe("setSecretForRepo", () => {
       repo,
       "",
       false,
-      "dependabot"
+      "dependabot",
+      "salt"
     );
     expect(setDependabotSecretMock.isDone()).toBeTruthy();
   });
+
+  test("setSecretForRepo should return AuditLog", async () => {
+    const secret_name = "FOO";
+    const environment = "";
+    const dry_run = false;
+    const target = "actions";
+
+    const auditLog = await setSecretForRepo(
+      octokit,
+      secret_name,
+      secrets.FOO,
+      repo,
+      environment,
+      dry_run,
+      target,
+      "salt"
+    );
+    expect(auditLog.action).toEqual("set");
+    expect(auditLog.repo).toEqual(repo.full_name);
+    expect(auditLog.target).toEqual(target);
+    expect(auditLog.secret_name).toEqual(secret_name);
+    expect(auditLog.secret_hash).not.toBeNull();
+    expect(auditLog.environment).toEqual(environment);
+    expect(auditLog.dry_run).toEqual(dry_run);
+  });
 });
 
 describe("setSecretForRepo with environment", () => {
@@ -271,6 +304,8 @@ describe("setSecretForRepo with environment", () => {
         }
       )
       .reply(200);
+
+    (utils.hash as jest.Mock) = jest.fn().mockImplementation(() => "hash");
   });
 
   test("setSecretForRepo should retrieve public key", async () => {
@@ -281,7 +316,8 @@ describe("setSecretForRepo with environment", () => {
       repo,
       repoEnvironment,
       true,
-      "actions"
+      "actions",
+      "salt"
     );
     expect(environmentPublicKeyMock.isDone()).toBeTruthy();
   });
@@ -294,7 +330,8 @@ describe("setSecretForRepo with environment", () => {
       repo,
       repoEnvironment,
       true,
-      "actions"
+      "actions",
+      "salt"
     );
     expect(environmentPublicKeyMock.isDone()).toBeTruthy();
     expect(setEnvironmentSecretMock.isDone()).toBeFalsy();
@@ -308,7 +345,8 @@ describe("setSecretForRepo with environment", () => {
       repo,
       repoEnvironment,
       true,
-      "dependabot"
+      "dependabot",
+      "salt"
     );
     expect(environmentPublicKeyMock.isDone()).toBeTruthy();
     expect(setEnvironmentSecretMock.isDone()).toBeFalsy();
@@ -322,10 +360,35 @@ describe("setSecretForRepo with environment", () => {
       repo,
       repoEnvironment,
       false,
-      "actions"
+      "actions",
+      "salt"
     );
     expect(nock.isDone()).toBeTruthy();
   });
+
+  test("setSecretForRepo should return AuditLog", async () => {
+    const secret_name = "FOO";
+    const dry_run = false;
+    const target = "actions";
+
+    const auditLog = await setSecretForRepo(
+      octokit,
+      secret_name,
+      secrets.FOO,
+      repo,
+      repoEnvironment,
+      dry_run,
+      target,
+      "salt"
+    );
+    expect(auditLog.action).toEqual("set");
+    expect(auditLog.repo).toEqual(repo.full_name);
+    expect(auditLog.target).toEqual(target);
+    expect(auditLog.secret_name).toEqual(secret_name);
+    expect(auditLog.secret_hash).not.toBeNull();
+    expect(auditLog.environment).toEqual(repoEnvironment);
+    expect(auditLog.dry_run).toEqual(dry_run);
+  });
 });
 
 describe("deleteSecretForRepo", () => {
@@ -357,7 +420,8 @@ describe("deleteSecretForRepo", () => {
       repo,
       "",
       true,
-      "actions"
+      "actions",
+      "salt"
     );
     expect(deleteActionsSecretMock.isDone()).toBeFalsy();
   });
@@ -370,7 +434,8 @@ describe("deleteSecretForRepo", () => {
       repo,
       "",
       false,
-      "actions"
+      "actions",
+      "salt"
     );
     expect(deleteActionsSecretMock.isDone()).toBeTruthy();
   });
@@ -383,7 +448,8 @@ describe("deleteSecretForRepo", () => {
       repo,
       "",
       false,
-      "dependabot"
+      "dependabot",
+      "salt"
     );
     expect(deleteDependabotSecretMock.isDone()).toBeTruthy();
   });
@@ -416,7 +482,8 @@ describe("deleteSecretForRepo with environment", () => {
       repo,
       repoEnvironment,
       true,
-      "actions"
+      "actions",
+      "salt"
     );
     expect(deleteSecretMock.isDone()).toBeFalsy();
   });
@@ -429,7 +496,8 @@ describe("deleteSecretForRepo with environment", () => {
       repo,
       repoEnvironment,
       true,
-      "dependabot"
+      "dependabot",
+      "salt"
     );
     expect(deleteSecretMock.isDone()).toBeFalsy();
   });
@@ -442,8 +510,33 @@ describe("deleteSecretForRepo with environment", () => {
       repo,
       repoEnvironment,
       false,
-      "actions"
+      "actions",
+      "salt"
     );
     expect(nock.isDone()).toBeTruthy();
   });
+
+  test("deleteSecretForRepo should return AuditLog", async () => {
+    const secret_name = "FOO";
+    const dry_run = false;
+    const target = "actions";
+
+    const auditLog = await deleteSecretForRepo(
+      octokit,
+      secret_name,
+      secrets.FOO,
+      repo,
+      repoEnvironment,
+      dry_run,
+      target,
+      "salt"
+    );
+    expect(auditLog.action).toEqual("delete");
+    expect(auditLog.repo).toEqual(repo.full_name);
+    expect(auditLog.target).toEqual(target);
+    expect(auditLog.secret_name).toEqual(secret_name);
+    expect(auditLog.secret_hash).not.toBeNull();
+    expect(auditLog.environment).toEqual(repoEnvironment);
+    expect(auditLog.dry_run).toEqual(dry_run);
+  });
 });

__tests__/main.test.ts

@@ -22,6 +22,7 @@ import * as secrets from "../src/secrets";
 import fixture from "@octokit/fixtures/scenarios/api.github.com/get-repository/normalized-fixture.json";
 import nock from "nock";
 import { run } from "../src/main";
+import { setFailed } from "@actions/core";
 
 nock.disableNetConnect();
 

__tests__/utils.test.ts

@@ -14,10 +14,36 @@
  * limitations under the License.
  */
 
-import { encrypt } from "../src/utils";
+import { encrypt, hash } from "../src/utils";
 
 const key = "HRkzRZD1+duhfvNvY8eiCPb+ihIjbvkvRyiehJCs8Vc=";
 
 test("encrypt should return a value", () => {
   expect(encrypt("baz", key)).toBeTruthy();
 });
+
+test("hashing algorithm golden standard", async () => {
+  const value = "baz";
+  const salt = "salt";
+  const hashed_value = hash(value, salt);
+
+  // After making changes to the hashing algorithm, this output should stay intact.
+  expect(hashed_value).toEqual("b6c1ba0fdd");
+});
+
+test("hashing the same value should return the same result", async () => {
+  const value = "baz";
+  const salt = "salt";
+  const hashed_value_1 = hash(value, salt);
+  const hashed_value_2 = hash(value, salt);
+
+  expect(hashed_value_1).toEqual(hashed_value_2);
+});
+
+test("hashing a different value should return a different result", async () => {
+  const salt = "salt";
+  const hashed_value_1 = hash("bar", salt);
+  const hashed_value_2 = hash("baz", salt);
+
+  expect(hashed_value_1).not.toEqual(hashed_value_2);
+});

action.yml

@@ -67,6 +67,14 @@ inputs:
       Target where secrets should be stored: `actions` (default) or `dependabot`.
     default: "actions"
     required: false
+  audit_log_hashing_salt:
+    default: ""
+    description: |
+      Salt for hashing the secrets in the audit log.
+outputs:
+  audit_log:
+    description: |
+      Audit log (JSON structure) describing which secrets have been updated in which repository.
 runs:
   using: 'node16'
   main: 'dist/index.js'