Merge pull request #1 from philips-software/peter/convert-to-action
Convert script to Github Action
Plabick committed Jul 22, 2021
2 parents 913e065 + aec5624 commit b30f838
Showing 4 changed files with 94 additions and 48 deletions.
8 changes: 8 additions & 0 deletions Dockerfile
@@ -0,0 +1,8 @@
FROM python:3.9.6

WORKDIR /app
ADD ./entrypoint.sh /app/
ADD ./main.py /app/
RUN pip install requests pygithub
RUN chmod +x /app/entrypoint.sh
ENTRYPOINT ["/app/entrypoint.sh"]
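Review bot: `RUN pip install requests pygithub` installs whatever versions PyPI serves on the day the image is built, so each run of this action resolves its dependencies afresh and a breaking or compromised release lands without any change on this side. Pin both packages (the README states PyGithub >= 1.55, so at least `pygithub==1.55` plus a pinned `requests`), ideally through a requirements file installed with `--require-hashes`. Minor: prefer `COPY` over `ADD` for plain local files, since `ADD` additionally unpacks archives and fetches URLs.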
93 changes: 45 additions & 48 deletions README.md
@@ -1,61 +1,58 @@
# Github Secret Manager
This script is used to automate creating, updating, and deleting repository level [GitHub secrets](https://docs.github.com/en/actions/reference/encrypted-secrets) for repos belonging to a user or a team, leveraging GitHub's existing encrypted storage.
# Github Secret Manager Action
This action can be used to automate creating, updating, and deleting repository level [GitHub secrets](https://docs.github.com/en/actions/reference/encrypted-secrets) for repos belonging to a user or a team, leveraging GitHub's existing encrypted storage.

Currently, GitHub does not support storing secrets at the team level, only at the repository or organization level. This is inconvenient in case a team manages many repositories, as the secrets would otherwise need to be manually added to each repo or exposed to the entire organization.

## Dependencies
Python >= 3.5

[PyGithub](https://github.com/PyGithub/PyGithub) >= 1.55

## Parameters
**If no command-line arguments are provided, the tool will prompt for each value**
| Command | Description | Mandatory? |
| ---- | ---- | ---- |
|"create", "update", or "delete" | The action to be performed. If `create` is selected and the secret(s) already exist for a repo, they will not be updated. If `update` is selected, existing secrets will be updated to the new value. If a repository is missing a secret, it will be added. add If `delete` is selected and the secret does not exist it will not cause issues | Yes, as the first argument |
|--token| A [GitHub PAT](https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token) with permission to manage secrets | Yes |
|--names| A comma-separated list of secret name(s) | Yes |
|--values| A comma-separated list of secret value(s) | If "create" is selected |
|--team|If a team name is given, the secret will be added to all repositories in that team. If no team is specified, the secret will be added to all of the user's repositories|No|
|--interactive | If this parameter is provided, the tool will prompt before applying the action to each repository, allowing you to limit where the secrets go. | No |

Add or Update Secret(s)
|action|The action to be performed- "create", "update", or "delete". If `create` is selected and the secret(s) already exist for a repo, they will not be updated. If `update` is selected, existing secrets will be updated to the new value. If a repository is missing a secret, it will be added. add If `delete` is selected and the secret does not exist it will not cause issues | Yes, as the first argument |
|token| A [GitHub PAT](https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token) with permission to manage secrets. Can NOT be the GITHUB_TOKEN secret.| Yes |
|secret-names| A comma-separated list of secret name(s) to apply the action to | Yes |
|secret-values| A comma-separated list of secret value(s)| If "create" or "update" is selected |
|team|If a team name is given, the secret will be added to all repositories in that team. If no team is specified, the secret will be added to all of the user's repositories|No|

## Usage
### Add Secret(s)
```yaml
- name: Add Secret
uses: philips-software/Repo-Secret-Manager@master
with:
action: create
token: ${{ secrets.MY_GITHUB_PAT }}
secret-name: BLACKDUCK_TOKEN
secret-values: abc123

- name: Add Secrets to HELLO team Repos
uses: philips-software/Repo-Secret-Manager@master
with:
action: create
token: ${{ secrets.MY_GITHUB_PAT }}
secret-name: BLACKDUCK_TOKEN,FORTIFY_TOKEN
secret-values: abc123,123abc
team: hello

```
create --names <comma seperated list of secret names> --values <comma seperated list of secret values> --token <github PAT>
e.g. create --names BLACKDUCK_TOKEN,PACKAGE_FEED_TOKEN --values ABC,XYZ --token 12345 --team iX
e.g. update --names BLACKDUCK_TOKEN --values ABC --token 12345
### Update Existing Secret(s) with New Value
```yaml
- name: Update Secret
uses: philips-software/Repo-Secret-Manager@master
with:
action: update
token: ${{ secrets.MY_GITHUB_PAT }}
secret-name: BLACKDUCK_TOKEN
secret-values: xyz123
```

Delete Secret(s)
```
delete --names <comma seperated list of secret names> --token <github PAT>
e.g. delete --names BLACKDUCK_TOKEN,PACKAGE_FEED_TOKEN --token 12345
e.g. delete --names BLACKDUCK_TOKEN --token 12345 --team iX
### Delete Secret(s)
```yaml
- name: Delete Secret
uses: philips-software/Repo-Secret-Manager@master
with:
action: delete
token: ${{ secrets.MY_GITHUB_PAT }}
secret-name: BLACKDUCK_TOKEN
```

## Github Workflow
In addition to running locally, this script can be run through Github Actions. To do this, store the secret(s) you want to deploy as a repo secret and reference them from a workflow calling the tool. This will propagate the secret to other repositories without exposing it.

Example
``` YAML
name: Manage Secrets
on:
workflow_dispath:
jobs:
Manage-Secrets:
runs-on: [ubuntu-latest]
env:
SECRET_NAMES: BLACKDUCK_TOKEN
SECRET_VALUES: ${{ secrets.BLACKDUCK_TOKEN }}
TEAM_NAME: iX

steps:
- uses: actions/checkout@v2

- name: Install dependencies
run: pip install -r requirements.txt

- name: Run manage_secrets script
run: python3 ./main.py create --names ${{ env.SECRET_NAMES }} --values ${{ env.SECRET_VALUES }} --token ${{ secrets.IX_ACTIONS_PAT }} --team ${{ env.TEAM_NAME }}

```
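Review bot: all three usage examples pass `secret-name:` while the input defined in action.yml is `secret-names`, so the step would run with an empty name list; rename the key in each example (`secret-names: BLACKDUCK_TOKEN`). The new parameter table is also missing its header row and separator above the `|action|` line, and the stray word "add" before "If `delete` is selected" should go. If the CLI-era fragments (the `create --names ...` / `delete --names ...` examples, the unfenced "Delete Secret(s)" heading and the "Github Workflow" section that runs `python3 ./main.py`) survive in the new version, they describe a script invocation the Docker action no longer offers and should be dropped or rewritten around `uses: philips-software/Repo-Secret-Manager@master`.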
33 changes: 33 additions & 0 deletions action.yml
@@ -0,0 +1,33 @@
name: 'Repo Secret Manager'
author: 'Philips'
description: ''
inputs:
action:
description: 'The action to be performed. `create`, `update`, or `delete`'
mandatory: True
team:
description: 'Apply the specified action to all repos belonging to this github team. If no team is specified, the secret will be added to all of the repositories the token can manage'
mandatory: False
default: ''
token:
description: 'A GitHub PAT with permission to manage secrets. Can NOT be the GITHUB_TOKEN secret.'
mandatory: True
secret-names:
description: 'A comma-separated list of secret name(s) to apply the action to'
mandatory: True
secret-values:
description: 'A comma-separated list of secret value(s). Only required if `create` or `update` is selected'
mandatory: False
default: ''
runs:
using: 'docker'
image: 'Dockerfile'
env:
ACTION: ${{ inputs.action }}
TEAM: ${{ inputs.team }}
TOKEN: ${{ inputs.token }}
NAMES: ${{ inputs.secret-names }}
VALUES: ${{ inputs.secret-values }}
branding:
icon: 'lock'
color: 'blue'
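Review bot: `mandatory:` is not a key that action metadata recognises; the key GitHub Actions reads is `required:`, so as written none of the inputs are enforced and a workflow that omits `token` or `secret-names` proceeds until the container fails on an empty value. Change each `mandatory: True` / `mandatory: False` to `required: true` / `required: false`. The empty `description: ''` at the top should also be filled in, since it is what the Marketplace listing shows.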
8 changes: 8 additions & 0 deletions entrypoint.sh
@@ -0,0 +1,8 @@
#!/bin/sh

if [ ${#TEAM} -gt 0 ]
then
python /app/main.py $ACTION --token $TOKEN --names $NAMES --values $VALUES --team $TEAM
else
python /app/main.py $ACTION --token $TOKEN --names $NAMES --values $VALUES
fi
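Review bot: every variable on the two `python /app/main.py` lines is unquoted, so a secret value containing spaces or shell glob characters is split into several arguments or expanded against the filesystem, and when `secret-values` is left empty (the `delete` case) `$VALUES` vanishes and `--values` is passed with no argument, which an argparse-style parser rejects unless main.py special-cases it. Quote every expansion (`"$TOKEN"`, `"$NAMES"`, `"$VALUES"`, `"$TEAM"`), append `--values "$VALUES"` only when it is non-empty, and use `[ -n "$TEAM" ]` for the team check. Note also that the PAT sits on the process command line inside the container for the whole run; having main.py read it from the environment would be the safer handoff.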
