Merge pull request #1 from philips-software/peter/convert-to-action
Convert script to Github Action
Showing 4 changed files with 94 additions and 48 deletions.
@@ -0,0 +1,8 @@ | ||
FROM python:3.9.6 | ||
|
||
WORKDIR /app | ||
ADD ./entrypoint.sh /app/ | ||
ADD ./main.py /app/ | ||
RUN pip install requests pygithub | ||
RUN chmod +x /app/entrypoint.sh | ||
ENTRYPOINT ["/app/entrypoint.sh"] |
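Review bot: the `RUN pip install requests pygithub` line installs unpinned versions, so every image build pulls whatever is current on PyPI at that moment, for an action whose job is to write repository secrets. The README in this same change states `PyGithub >= 1.55`, so pin at least that (for example `RUN pip install 'requests==<pinned-version>' 'pygithub==<pinned-version>'`, or a `requirements.txt` with hashes) so the image builds reproducibly. Minor: prefer `COPY` over `ADD` for local files, and consider pinning the base image by digest in addition to the `python:3.9.6` tag.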
@@ -1,61 +1,58 @@ | ||
# Github Secret Manager | ||
This script is used to automate creating, updating, and deleting repository level [GitHub secrets](https://docs.github.com/en/actions/reference/encrypted-secrets) for repos belonging to a user or a team, leveraging GitHub's existing encrypted storage. | ||
# Github Secret Manager Action | ||
This action can be used to automate creating, updating, and deleting repository level [GitHub secrets](https://docs.github.com/en/actions/reference/encrypted-secrets) for repos belonging to a user or a team, leveraging GitHub's existing encrypted storage. | ||
|
||
Currently, GitHub does not support storing secrets at the team level, only at the repository or organization level. This is inconvenient in case a team manages many repositories, as the secrets would otherwise need to be manually added to each repo or exposed to the entire organization. | ||
|
||
## Dependencies | ||
Python >= 3.5 | ||
|
||
[PyGithub](https://github.com/PyGithub/PyGithub) >= 1.55 | ||
|
||
## Parameters | ||
**If no command-line arguments are provided, the tool will prompt for each value** | ||
| Command | Description | Mandatory? | | ||
| ---- | ---- | ---- | | ||
|"create", "update", or "delete" | The action to be performed. If `create` is selected and the secret(s) already exist for a repo, they will not be updated. If `update` is selected, existing secrets will be updated to the new value. If a repository is missing a secret, it will be added. add If `delete` is selected and the secret does not exist it will not cause issues | Yes, as the first argument | | ||
|--token| A [GitHub PAT](https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token) with permission to manage secrets | Yes | | ||
|--names| A comma-separated list of secret name(s) | Yes | | ||
|--values| A comma-separated list of secret value(s) | If "create" is selected | | ||
|--team|If a team name is given, the secret will be added to all repositories in that team. If no team is specified, the secret will be added to all of the user's repositories|No| | ||
|--interactive | If this parameter is provided, the tool will prompt before applying the action to each repository, allowing you to limit where the secrets go. | No | | ||
|
||
Add or Update Secret(s) | ||
|action|The action to be performed- "create", "update", or "delete". If `create` is selected and the secret(s) already exist for a repo, they will not be updated. If `update` is selected, existing secrets will be updated to the new value. If a repository is missing a secret, it will be added. add If `delete` is selected and the secret does not exist it will not cause issues | Yes, as the first argument | | ||
|token| A [GitHub PAT](https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token) with permission to manage secrets. Can NOT be the GITHUB_TOKEN secret.| Yes | | ||
|secret-names| A comma-separated list of secret name(s) to apply the action to | Yes | | ||
|secret-values| A comma-separated list of secret value(s)| If "create" or "update" is selected | | ||
|team|If a team name is given, the secret will be added to all repositories in that team. If no team is specified, the secret will be added to all of the user's repositories|No| | ||
|
||
## Usage | ||
### Add Secret(s) | ||
```yaml | ||
- name: Add Secret | ||
uses: philips-software/Repo-Secret-Manager@master | ||
with: | ||
action: create | ||
token: ${{ secrets.MY_GITHUB_PAT }} | ||
secret-name: BLACKDUCK_TOKEN | ||
secret-values: abc123 | ||
|
||
- name: Add Secrets to HELLO team Repos | ||
uses: philips-software/Repo-Secret-Manager@master | ||
with: | ||
action: create | ||
token: ${{ secrets.MY_GITHUB_PAT }} | ||
secret-name: BLACKDUCK_TOKEN,FORTIFY_TOKEN | ||
secret-values: abc123,123abc | ||
team: hello | ||
|
||
``` | ||
create --names <comma seperated list of secret names> --values <comma seperated list of secret values> --token <github PAT> | ||
e.g. create --names BLACKDUCK_TOKEN,PACKAGE_FEED_TOKEN --values ABC,XYZ --token 12345 --team iX | ||
e.g. update --names BLACKDUCK_TOKEN --values ABC --token 12345 | ||
### Update Existing Secret(s) with New Value | ||
```yaml | ||
- name: Update Secret | ||
uses: philips-software/Repo-Secret-Manager@master | ||
with: | ||
action: update | ||
token: ${{ secrets.MY_GITHUB_PAT }} | ||
secret-name: BLACKDUCK_TOKEN | ||
secret-values: xyz123 | ||
``` | ||
|
||
Delete Secret(s) | ||
``` | ||
delete --names <comma seperated list of secret names> --token <github PAT> | ||
e.g. delete --names BLACKDUCK_TOKEN,PACKAGE_FEED_TOKEN --token 12345 | ||
e.g. delete --names BLACKDUCK_TOKEN --token 12345 --team iX | ||
### Delete Secret(s) | ||
```yaml | ||
- name: Delete Secret | ||
uses: philips-software/Repo-Secret-Manager@master | ||
with: | ||
action: delete | ||
token: ${{ secrets.MY_GITHUB_PAT }} | ||
secret-name: BLACKDUCK_TOKEN | ||
``` | ||
|
||
## Github Workflow | ||
In addition to running locally, this script can be run through Github Actions. To do this, store the secret(s) you want to deploy as a repo secret and reference them from a workflow calling the tool. This will propagate the secret to other repositories without exposing it. | ||
|
||
Example | ||
``` YAML | ||
name: Manage Secrets | ||
on: | ||
workflow_dispath: | ||
jobs: | ||
Manage-Secrets: | ||
runs-on: [ubuntu-latest] | ||
env: | ||
SECRET_NAMES: BLACKDUCK_TOKEN | ||
SECRET_VALUES: ${{ secrets.BLACKDUCK_TOKEN }} | ||
TEAM_NAME: iX | ||
|
||
steps: | ||
- uses: actions/checkout@v2 | ||
|
||
- name: Install dependencies | ||
run: pip install -r requirements.txt | ||
|
||
- name: Run manage_secrets script | ||
run: python3 ./main.py create --names ${{ env.SECRET_NAMES }} --values ${{ env.SECRET_VALUES }} --token ${{ secrets.IX_ACTIONS_PAT }} --team ${{ env.TEAM_NAME }} | ||
|
||
``` |
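Review bot: the three usage snippets use `secret-name:` but the parameter table in this hunk (and the action metadata in the same change) define the input as `secret-names`, so the examples as written would not pass the names through; change each occurrence to `secret-names:`. Smaller points in the same hunk: the stray word `add` in the `action` row ("it will be added. add If `delete`"), the typo `workflow_dispath` in the workflow example (should be `workflow_dispatch`), and the leftover CLI usage lines (`create --names ...`, `delete --names ...`) together with the unheaded "Add or Update Secret(s)" / "Delete Secret(s)" lines, which read as removed-line residue sitting beside the new `###` headings; if any of those lines are kept, "comma seperated" should be "comma-separated".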
@@ -0,0 +1,33 @@ | ||
name: 'Repo Secret Manager' | ||
author: 'Philips' | ||
description: '' | ||
inputs: | ||
action: | ||
description: 'The action to be performed. `create`, `update`, or `delete`' | ||
mandatory: True | ||
team: | ||
description: 'Apply the specified action to all repos belonging to this github team. If no team is specified, the secret will be added to all of the repositories the token can manage' | ||
mandatory: False | ||
default: '' | ||
token: | ||
description: 'A GitHub PAT with permission to manage secrets. Can NOT be the GITHUB_TOKEN secret.' | ||
mandatory: True | ||
secret-names: | ||
description: 'A comma-separated list of secret name(s) to apply the action to' | ||
mandatory: True | ||
secret-values: | ||
description: 'A comma-separated list of secret value(s). Only required if `create` or `update` is selected' | ||
mandatory: False | ||
default: '' | ||
runs: | ||
using: 'docker' | ||
image: 'Dockerfile' | ||
env: | ||
ACTION: ${{ inputs.action }} | ||
TEAM: ${{ inputs.team }} | ||
TOKEN: ${{ inputs.token }} | ||
NAMES: ${{ inputs.secret-names }} | ||
VALUES: ${{ inputs.secret-values }} | ||
branding: | ||
icon: 'lock' | ||
color: 'blue' |
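Review bot: `mandatory:` is not a key GitHub recognises on action inputs; the key is `required:` with a lowercase `true`/`false`, so as written none of the inputs are enforced and a workflow that omits `action`, `token` or `secret-names` will not fail fast at validation time but only once the script runs. Change each `mandatory: True` / `mandatory: False` to `required: true` / `required: false`. The top-level `description: ''` should also be filled in, since it is what the Marketplace listing and the `uses:` tooltip display.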
@@ -0,0 +1,8 @@ | ||
#!/bin/sh | ||
|
||
if [ ${#TEAM} -gt 0 ] | ||
then | ||
python /app/main.py $ACTION --token $TOKEN --names $NAMES --values $VALUES --team $TEAM | ||
else | ||
python /app/main.py $ACTION --token $TOKEN --names $NAMES --values $VALUES | ||
fi |
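Review bot: the variables in both `python /app/main.py` invocations are unquoted, so a secret value containing whitespace or glob characters (`*`, `?`) is word-split or expanded by the shell before it reaches `main.py`, and an empty `VALUES` (the normal case for `delete`) leaves a bare `--values` with no argument, which an argparse-style parser rejects. Quote them (`--token "$TOKEN" --names "$NAMES"`) and only append `--values "$VALUES"` when `VALUES` is non-empty; using `exec python ...` would also let the container forward signals to the Python process. Since command-line arguments are visible to anything that can read the container's process list, passing `$TOKEN` and `$VALUES` to `main.py` through environment variables rather than arguments would keep them out of `ps` output.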