
First attempt at GitHub Secrets

Open TylerLeonhardt opened this issue 5 years ago • 10 comments

This adds the following cmdlets:

  • Get-GitHubRepositoryPublicKey - https://developer.github.com/v3/actions/secrets/#get-a-repository-public-key
  • Get-GitHubSecretInfo - https://developer.github.com/v3/actions/secrets/#list-repository-secrets and https://developer.github.com/v3/actions/secrets/#get-a-repository-secret
  • Set-GitHubSecret - https://developer.github.com/v3/actions/secrets/#create-or-update-a-repository-secret
  • New-GitHubSecret - https://developer.github.com/v3/actions/secrets/#create-or-update-a-repository-secret but with an "exists" check
  • Remove-GitHubSecret - https://developer.github.com/v3/actions/secrets/#delete-a-repository-secret

This does take a dependency on a module I created for this use-case: PSSodium https://www.powershellgallery.com/packages/PSSodium/0.2.0

which just exposes a

ConvertTo-SodiumEncryptedString -Text <securestring> -PublicKey <string>

~I'll get that in its own repo soon-ish.~ Done: https://github.com/TylerLeonhardt/PSSodium

Open questions

  • Some operations depend on others... so the output looks silly and this text appears multiple times...
Telemetry is currently enabled.  It can be disabled by calling "Set-GitHubConfiguration -DisableTelemetry". Refer to USAGE.md#telemetry for more information. Stop seeing this message in the future by calling "Set-GitHubConfiguration -SuppressTelemetryReminder".                                                                                             
Telemetry is currently enabled.  It can be disabled by calling "Set-GitHubConfiguration -DisableTelemetry". Refer to USAGE.md#telemetry for more information. Stop seeing this message in the future by calling "Set-GitHubConfiguration -SuppressTelemetryReminder".                                                                                             
Telemetry is currently enabled.  It can be disabled by calling "Set-GitHubConfiguration -DisableTelemetry". Refer to USAGE.md#telemetry for more information. Stop seeing this message in the future by calling "Set-GitHubConfiguration -SuppressTelemetryReminder".

any way I can avoid that?

  • How can I test this? Ideally in GitHub Actions in a full E2E way but I'll need your help enabling that

TylerLeonhardt avatar May 27 '20 01:05 TylerLeonhardt

cc @HowardWolosky

TylerLeonhardt avatar May 27 '20 01:05 TylerLeonhardt

I considered adding support for the Org-level secrets but put that on hold for now: https://developer.github.com/v3/actions/secrets/#list-organization-secrets

TylerLeonhardt avatar May 27 '20 01:05 TylerLeonhardt

So, something I was thinking about... since PowerShellForGitHub exposes Invoke-GHRestMethod and Invoke-GHRestMethodMultipleResult I was thinking about refactoring this PR to only include:

  • Get-GitHubRepositoryPublicKey - https://developer.github.com/v3/actions/secrets/#get-a-repository-public-key
  • Get-GitHubSecretInfo - https://developer.github.com/v3/actions/secrets/#list-repository-secrets and https://developer.github.com/v3/actions/secrets/#get-a-repository-secret
  • Remove-GitHubSecret - https://developer.github.com/v3/actions/secrets/#delete-a-repository-secret

Then I'll make my own module called CreateGitHubSecrets or something that depends on PSSodium and PowerShellForGitHub that will implement:

  • Set-GitHubSecret - https://developer.github.com/v3/actions/secrets/#create-or-update-a-repository-secret
  • New-GitHubSecret - https://developer.github.com/v3/actions/secrets/#create-or-update-a-repository-secret but with an "exists" check

TylerLeonhardt avatar Jul 20 '20 03:07 TylerLeonhardt
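
The create-or-update flow that Set-GitHubSecret would implement on top of Invoke-GHRestMethod and PSSodium, as an added example that is not code from this PR or from either module. The function name Set-ExampleRepoSecret and the sample owner, repository and secret names are hypothetical, and it assumes ConvertTo-SodiumEncryptedString returns the Base64 ciphertext the API expects.

```powershell
#Requires -Modules PowerShellForGitHub, PSSodium

# Hypothetical helper (not a cmdlet from either module): create or update one repository secret.
function Set-ExampleRepoSecret {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $OwnerName,
        [Parameter(Mandatory)] [string] $RepositoryName,
        # Restrictive pattern chosen for this example: letters, digits, underscore; no leading digit.
        [Parameter(Mandatory)] [ValidatePattern('^[A-Za-z_][A-Za-z0-9_]*$')] [string] $SecretName,
        # SecureString keeps the plaintext out of command history and transcripts.
        [Parameter(Mandatory)] [securestring] $Value
    )

    $base = "repos/$OwnerName/$RepositoryName/actions/secrets"

    # 1. Fetch the repository's public key. The response carries 'key' (Base64) and 'key_id'.
    $publicKey = Invoke-GHRestMethod -UriFragment "$base/public-key" -Method Get `
        -Description "Getting public key for $RepositoryName"

    # 2. Seal the value client-side against that key (assumed to return Base64 ciphertext).
    $encrypted = ConvertTo-SodiumEncryptedString -Text $Value -PublicKey $publicKey.key

    # 3. Send only the ciphertext, plus the key_id that came with the key used in step 2.
    $body = @{
        encrypted_value = $encrypted
        key_id          = $publicKey.key_id
    } | ConvertTo-Json

    if ($PSCmdlet.ShouldProcess("$OwnerName/$RepositoryName", "Set secret $SecretName")) {
        Invoke-GHRestMethod -UriFragment "$base/$SecretName" -Method Put -Body $body `
            -Description "Setting secret $SecretName in $RepositoryName" | Out-Null
    }
}

# Usage (constructed values): prompt for the value so it never appears on the command line.
# Set-ExampleRepoSecret -OwnerName 'example-owner' -RepositoryName 'example-repo' `
#     -SecretName 'EXAMPLE_TOKEN' -Value (Read-Host -Prompt 'Secret value' -AsSecureString)
```

The plaintext never leaves the caller's machine unencrypted, and the `key_id` sent in the body must be the one returned alongside the key used for sealing.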

I think that would totally unblock this in the short term, and provides an easy path towards moving New/Set back into here at some point in the future (since they would have already been built on top of Invoke-GHRestMethod) should it become more clear that taking on external dependencies makes sense.

HowardWolosky avatar Jul 20 '20 16:07 HowardWolosky

Alright, I removed those, but to write tests I need you to add a couple test secrets to either one of the test repos or to this repo. Let me know when you do that - I can't get the value so set that to whatever. The name can be whatever you want but share those here for me.

TylerLeonhardt avatar Jul 21 '20 05:07 TylerLeonhardt

Would an organization secret work? A secret stored in this repository won't help, because the accounts that are used while running CI don't have access to this repo. And there currently is no repo that is guaranteed to exist in any of the test accounts...but the organization is guaranteed to be available, so I could add a secret to the test organizations.

If you do this though, you should add a comment to the tests (and to the CONTRIBUTING.md documentation in the tests section) to indicate that there is the expectation for those secrets to exist in the test organization in order for those tests to succeed...

HowardWolosky avatar Jul 21 '20 05:07 HowardWolosky

No, I don't think org secrets will work. That's a separate API and should be tested in and of itself.

TylerLeonhardt avatar Jul 21 '20 13:07 TylerLeonhardt

@HowardWolosky if this gets completed and merged I would happily contribute a PowerShell SecretManagement Provider that would leverage this API to easily fetch repository secrets. https://github.com/powershell/secretmanagement

JustinGrote avatar Jan 16 '21 23:01 JustinGrote

@JustinGrote the problem is that there's no way to retrieve the value of secrets. You can set them and list metadata about them, but you can't get them.

TylerLeonhardt avatar Jan 17 '21 03:01 TylerLeonhardt