#!/usr/bin/env bash # vim:ts=4:sts=4:sw=4:et # args: harisekhon/devops-bash-tools haritest=stuff haritest2=stuff2 # # Author: Hari Sekhon # Date: 2021-12-03 17:41:23 +0000 (Fri, 03 Dec 2021) # # https://github.com/HariSekhon/DevOps-Bash-tools # # License: see accompanying Hari Sekhon LICENSE file # # If you're using my code you're welcome to connect with me on LinkedIn and optionally send me feedback to help steer this or other code I publish # # https://www.linkedin.com/in/HariSekhon # # https://docs.github.com/ee/api/project_level_variables.html set -euo pipefail [ -n "${DEBUG:-}" ] && set -x srcdir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" # shellcheck disable=SC1090,SC1091 . "$srcdir/lib/github.sh" # shellcheck disable=SC2034,SC2154 usage_description=" Adds / updates GitHub repo-level secrets from key=value args or stdin, for use in GitHub Actions If 'owner/repo' isn't specified as the first argument, attempts to infer from the local git repo If no subsequent key=value pair arguments are given, reads environment variables from standard input, one per line in 'key=value' format or 'export key=value' shell format Examples: ${0##*/} HariSekhon/DevOps-Bash-tools AWS_ACCESS_KEY_ID=AKIA... echo AWS_ACCESS_KEY_ID=AKIA... | ${0##*/} HariSekhon/DevOps-Bash-tools echo AWS_ACCESS_KEY_ID=AKIA... | gh secret set -R HariSekhon/DevOps-Bash-tools -f - Loads both AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY via stdin: aws_csv_creds.sh credentials_exported.csv | ${0##*/} HariSekhon/DevOps-Bash-tools aws_csv_creds.sh credentials_exported.csv | gh secret set -R HariSekhon/DevOps-Bash-tools -f - Requires the GitHub CLI 'gh' to be installed and available in the \$PATH " # used by usage() in lib/utils.sh # shellcheck disable=SC2034 usage_args="[ = = ...]" help_usage "$@" # requires the GitHub CLI check_bin gh #min_args 1 "$@" if [ -n "${1:-}" ] && ! [[ "$1" =~ = ]]; then owner_repo="$1" shift || : fi owner_repo="${owner_repo:-$(get_github_repo)}" if ! is_github_owner_repo "$owner_repo"; then usage "owner_repo '$owner_repo' does not conform / format" fi # don't need to check for existing secrets as the API is a set (add/update) operation anyway #existing_secrets="$("$srcdir/github_api.sh" "/repos/$owner_repo/tonkasim/actions/secrets" | jq -r '.secrets[].name')" # needed to create an encrypted value against the repo's public key before upload #repo_public_key_data="$("$srcdir/github_api.sh" "/repos/$owner_repo/actions/secrets/public-key")" #repo_public_key="$(jq -r '.key' <<< "$repo_public_key_data")" #repo_public_key_id="$(jq -r '.key_id' <<< "$repo_public_key_data")" add_secret(){ local key_value="$1" parse_export_key_value "$key_value" # shellcheck disable=SC2154 timestamp "setting GitHub secret '$key' in repo '$owner_repo'" # https://docs.github.com/en/rest/reference/actions#create-or-update-a-repository-secret--code-samples # won't work, gets error: # { # "message": "Invalid request.\n\n\"key_id\" wasn't supplied.", # "documentation_url": "https://docs.github.com/rest/reference/actions#create-or-update-a-repository-secret" # } #"$srcdir/github_api.sh" "/repos/$owner_repo/actions/secrets/$key" \ # -X PUT \ # -H 'Accept: application/vnd.github.v3+json' \ # -d "{\"encrypted_value\":\"$value\"}" # XXX: no way to generate this encrypted value in Bash at this time, all language bindings but no Libsodium CLI so use GitHub CLI instead # # XXX: there is some kind of bug in GitHub CLI - the secret doesn't work when fed through stdin, only through --body # https://github.com/cli/cli/issues/5031 #command gh secret set -R "$owner_repo" "$key" <<< "$value" # shellcheck disable=SC2154 command gh secret set -R "$owner_repo" "$key" --body "$value" } if [ $# -gt 0 ]; then for arg in "$@"; do add_secret "$arg" done else while read -r line; do [ -n "$line" ] || continue add_secret "$line" done fi