
Default secret visibility not applied when property is unspecified

Open heurtematte opened this issue 8 months ago • 3 comments

Description

When manually creating a secret in GitHub, the default visibility is set to "Private and Internal Repositories". However, if no visibility setting is explicitly specified in the configuration, the expected default value from otterdog-defaults.libsonnet is not applied. Instead, GitHub retains its own default setting.

Steps to Reproduce

  1. Manually create a secret with the default visibility: "Private and Internal Repositories".
  2. Import the organization configuration using: otterdog import eclipse-<project_id>
  3. Modify the configuration, without explicitly specifying the secret's visibility (removing "private" visibility).
  4. Apply the changes using: otterdog apply eclipse-<project_id>

Expected

If the visibility property is not explicitly defined, the system should apply the default value from otterdog-defaults.libsonnet.

Actual behavior

When no visibility is specified, GitHub’s default setting ("Private and Internal Repositories") remains in effect, instead of using the value defined in otterdog-defaults.libsonnet. https://github.com/EclipseFdn/otterdog-defaults/blob/main/otterdog-defaults.libsonnet#L233

heurtematte avatar Mar 18 '25 09:03 heurtematte

I just tested it and it works fine. However, you need to make sure that the secret does not have a dummy value assigned (********) as in this case the secret will be skipped from processing.

The reason for that is that you can't make changes to a secret unless you provide the secret value again to it. See the documentation here: https://docs.github.com/en/rest/actions/secrets?apiVersion=2022-11-28#create-or-update-an-organization-secret

So we can't update the visibility of a secret without knowing its value.

netomi avatar Mar 18 '25 13:03 netomi

It was exactly that use case. Sorry for not mentioning it.

you can't make changes to a secret unless you provide the secret value again to it

From the UI it is possible. Maybe it is different from the API.

I would at least expect a warning message showing the difference between the configuration and the visibility of these secrets.

heurtematte avatar Mar 19 '25 08:03 heurtematte
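The two comments above describe the constraint that drives this behaviour: a secret whose value is only known as the dummy placeholder cannot be rewritten through the API, so otterdog skips it, and any difference between the configured (or defaulted) visibility and the live visibility on GitHub goes unreported. The following is an added example, not otterdog's own code: it models the default-filling step, the skip rule for dummy values, and the warning requested in the previous comment. The `DEFAULTS` mapping, the secret names, values and live visibilities are all constructed stand-ins; the real otterdog-defaults.libsonnet is not reproduced.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Placeholder that otterdog assigns to secrets whose real value is unknown
# (as described in the thread). Such a secret cannot be updated via the
# GitHub API, because create-or-update requires the (encrypted) value again.
DUMMY_VALUE = "********"

# Constructed stand-in for the "secret" defaults in otterdog-defaults.libsonnet.
# GitHub org-secret visibility values are "all", "private" and "selected".
DEFAULTS = {"visibility": "private"}


@dataclass
class ConfiguredSecret:
    name: str
    value: str                       # real value, or DUMMY_VALUE if unknown
    visibility: Optional[str] = None  # None means the property was left out of the config


def resolve_visibility(secret: ConfiguredSecret, defaults: Dict[str, str] = DEFAULTS) -> str:
    """Fill in the default when the configuration omits the visibility property."""
    return secret.visibility if secret.visibility is not None else defaults["visibility"]


def plan_secret_updates(
    configured: List[ConfiguredSecret],
    live: Dict[str, str],
    defaults: Dict[str, str] = DEFAULTS,
) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Compare the desired visibility of each configured secret with the live
    visibility reported by GitHub.

    Returns (updates, warnings):
      updates  - (name, visibility) pairs that can be applied, because the value is known
      warnings - drift on secrets that must be skipped because only the dummy value is known
    """
    updates: List[Tuple[str, str]] = []
    warnings: List[str] = []
    for secret in configured:
        desired = resolve_visibility(secret, defaults)
        current = live.get(secret.name)
        if current == desired:
            continue  # nothing to do; config and GitHub agree
        if secret.value == DUMMY_VALUE:
            # Cannot re-PUT the secret without its value, so report the drift
            # instead of silently dropping it.
            warnings.append(
                f"secret '{secret.name}': visibility is '{current}' on GitHub but "
                f"'{desired}' in config; skipped because its value is unknown"
            )
        else:
            updates.append((secret.name, desired))
    return updates, warnings


# Constructed sample: visibilities as GitHub would report them for the org.
LIVE_SECRETS = {
    "DEPLOY_TOKEN": "all",
    "API_KEY": "all",
    "DB_PASSWORD": "private",
    "NPM_TOKEN": "all",
}

# Constructed sample configuration: three secrets leave visibility unspecified.
CONFIGURED_SECRETS = [
    ConfiguredSecret("DEPLOY_TOKEN", DUMMY_VALUE),               # imported, value unknown
    ConfiguredSecret("API_KEY", "s3cr3t-value"),                 # value known, default applies
    ConfiguredSecret("DB_PASSWORD", DUMMY_VALUE),                # already matches the default
    ConfiguredSecret("NPM_TOKEN", "npm-value", visibility="all"),  # explicit, matches live
]


if __name__ == "__main__":
    updates, warnings = plan_secret_updates(CONFIGURED_SECRETS, LIVE_SECRETS)
    for name, visibility in updates:
        print(f"update {name}: visibility -> {visibility}")
    for message in warnings:
        print(f"warning: {message}")
```

Running the sample yields one update (API_KEY is moved to the defaulted "private" visibility because its value is known) and one warning (DEPLOY_TOKEN drifts from the default but cannot be touched). DB_PASSWORD is skipped quietly because GitHub already matches the default, which is the only case in which a dummy-valued secret needs no attention.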

Actually that is tracked by #263

netomi avatar May 07 '25 12:05 netomi