@aspruyt/xfg 6.2.0 → 6.3.0

package/dist/config/validator.js

@@ -5,6 +5,8 @@ import { validateFileConfigFields, validateSettings, } from "./validators/shared
 import { validateGroups, validateConditionalGroups, } from "./validators/group-validator.js";
 import { validateRepoEntry } from "./validators/repo-entry-validator.js";
 const CONFIG_ID_PATTERN = /^[a-zA-Z0-9_-]+$/;
+const VARIABLE_NAME_PATTERN = /^[A-Za-z_][A-Za-z0-9_]*$/;
+const VARIABLE_RESERVED_KEYS = new Set(["deleteOrphaned", "inherit"]);
 const CONFIG_ID_MAX_LENGTH = 64;
 function validateConfigId(config) {
     if (!config.id || typeof config.id !== "string") {
@@ -42,6 +44,9 @@ function validateRootSettings(config) {
     if (config.settings.labels && "inherit" in config.settings.labels) {
         throw new ValidationError("'inherit' is a reserved key and cannot be used as a label name");
     }
+    if (config.settings.variables && "inherit" in config.settings.variables) {
+        throw new ValidationError("'inherit' is not allowed in root-level variables (nothing to inherit from)");
+    }
 }
 function validateGithubHosts(config) {
     if (config.githubHosts === undefined)
@@ -110,15 +115,18 @@ export function validateRawConfig(config) {
     const hasCondGrpFiles = hasConditionalGroupFiles(config);
     const hasCondGrpSettings = hasConditionalGroupSettingsPresent(config);
     const hasCondGrpPR = hasConditionalGroupPR(config);
+    const hasSecrets = isPlainObject(config.secrets) && Object.keys(config.secrets).length > 0;
     if (!hasFiles &&
         !hasSettings &&
         !hasGrpFiles &&
         !hasGrpSettings &&
         !hasCondGrpFiles &&
         !hasCondGrpSettings &&
-        !hasCondGrpPR) {
-        throw new ValidationError("Config requires at least one of: 'files' or 'settings'. " +
-            "Use 'files' to sync configuration files, or 'settings' to manage repository settings.");
+        !hasCondGrpPR &&
+        !hasSecrets) {
+        throw new ValidationError("Config requires at least one of: 'files', 'settings', or 'secrets'. " +
+            "Use 'files' to sync configuration files, 'settings' to manage repository settings, " +
+            "or 'secrets' to manage GitHub Actions secrets.");
     }
     validateRootFiles(config);
     if (config.deleteOrphaned !== undefined &&
@@ -159,8 +167,111 @@ export function validateForSync(config) {
         !hasCondGrpFiles &&
         !hasCondGrpSettings &&
         !hasCondGrpPR) {
-        throw new ValidationError("Config requires at least one of: 'files' or 'settings'. " +
-            "Use 'files' to sync configuration files, or 'settings' to manage repository settings.");
+        throw new ValidationError("Config requires at least one of: 'files' or 'settings' (rulesets, labels, variables, repo config). " +
+            "Use 'files' to sync configuration files, or 'settings' to manage repository settings. " +
+            "For secrets, use 'xfg secrets sync'.");
+    }
+    // Validate variable names across all settings
+    const allSettings = [
+        config.settings,
+        ...config.repos.map((r) => r.settings),
+        ...Object.values(config.groups ?? {}).map((g) => g.settings),
+        ...(config.conditionalGroups ?? []).map((cg) => cg.settings),
+    ];
+    for (const settings of allSettings) {
+        if (!settings?.variables)
+            continue;
+        const vars = settings.variables;
+        if (vars.deleteOrphaned !== undefined &&
+            typeof vars.deleteOrphaned !== "boolean") {
+            throw new ValidationError("variables.deleteOrphaned must be a boolean");
+        }
+        if (vars.inherit !== undefined && typeof vars.inherit !== "boolean") {
+            throw new ValidationError("variables.inherit must be a boolean");
+        }
+        for (const [name, value] of Object.entries(vars)) {
+            if (VARIABLE_RESERVED_KEYS.has(name))
+                continue;
+            validateVariableName(name);
+            if (value !== false && typeof value !== "string") {
+                throw new ValidationError(`Variable '${name}' must have a string value (got ${typeof value}). Quote numeric values in YAML: "${String(value)}".`);
+            }
+        }
+        // Reject duplicate case-insensitive variable names
+        const seenVarNames = new Map();
+        for (const name of Object.keys(settings.variables)) {
+            if (VARIABLE_RESERVED_KEYS.has(name))
+                continue;
+            const upper = name.toUpperCase();
+            const existing = seenVarNames.get(upper);
+            if (existing) {
+                throw new ValidationError(`Duplicate variable name: '${name}' and '${existing}' collide (GitHub treats variable names case-insensitively).`);
+            }
+            seenVarNames.set(upper, name);
+        }
+    }
+    // Validate secret names and configs
+    validateSecretsConfig(config);
+    // Cross-validate: no overlap between global secret names and variable names
+    validateVariableSecretOverlaps(config);
+}
+export function validateVariableSecretOverlaps(config) {
+    if (!config.secrets)
+        return;
+    const { deleteOrphaned: _, ...secretEntries } = config.secrets;
+    // GitHub treats secret/variable names case-insensitively for collision purposes
+    const secretNames = new Set(Object.keys(secretEntries)
+        .filter((k) => typeof secretEntries[k] !== "boolean")
+        .map((n) => n.toUpperCase()));
+    if (secretNames.size === 0)
+        return;
+    // Check root-level variables
+    if (config.settings?.variables) {
+        const { deleteOrphaned: _rd, inherit: _ri, ...rootVarEntries } = config.settings.variables;
+        const rootVariableNames = Object.keys(rootVarEntries).filter((k) => typeof rootVarEntries[k] !== "boolean");
+        const overlapping = rootVariableNames.filter((n) => secretNames.has(n.toUpperCase()));
+        if (overlapping.length > 0) {
+            throw new ValidationError(`${overlapping.join(", ")} overlap between root variables and secrets. ` +
+                "GitHub does not allow variables and secrets with the same name.");
+        }
+    }
+    for (const repo of config.repos) {
+        const { deleteOrphaned: _d, inherit: _i, ...varEntries } = (repo.settings?.variables ?? {});
+        const variableNames = Object.keys(varEntries).filter((k) => typeof varEntries[k] !== "boolean");
+        const overlapping = variableNames.filter((n) => secretNames.has(n.toUpperCase()));
+        if (overlapping.length > 0) {
+            throw new ValidationError(`Repo '${repo.git}': ${overlapping.join(", ")} overlap between variables and secrets. ` +
+                "GitHub does not allow variables and secrets with the same name.");
+        }
+    }
+    // Check group-level variables
+    if (isPlainObject(config.groups)) {
+        for (const [groupName, group] of Object.entries(config.groups)) {
+            if (!group.settings?.variables)
+                continue;
+            const { deleteOrphaned: _gd, inherit: _gi, ...groupVarEntries } = group.settings.variables;
+            const groupVariableNames = Object.keys(groupVarEntries).filter((k) => typeof groupVarEntries[k] !== "boolean");
+            const overlapping = groupVariableNames.filter((n) => secretNames.has(n.toUpperCase()));
+            if (overlapping.length > 0) {
+                throw new ValidationError(`Group '${groupName}': ${overlapping.join(", ")} overlap between variables and secrets. ` +
+                    "GitHub does not allow variables and secrets with the same name.");
+            }
+        }
+    }
+    // Check conditional group-level variables
+    if (Array.isArray(config.conditionalGroups)) {
+        for (let i = 0; i < config.conditionalGroups.length; i++) {
+            const cg = config.conditionalGroups[i];
+            if (!cg.settings?.variables)
+                continue;
+            const { deleteOrphaned: _cd, inherit: _ci, ...cgVarEntries } = cg.settings.variables;
+            const cgVariableNames = Object.keys(cgVarEntries).filter((k) => typeof cgVarEntries[k] !== "boolean");
+            const overlapping = cgVariableNames.filter((n) => secretNames.has(n.toUpperCase()));
+            if (overlapping.length > 0) {
+                throw new ValidationError(`Conditional group ${i}: ${overlapping.join(", ")} overlap between variables and secrets. ` +
+                    "GitHub does not allow variables and secrets with the same name.");
+            }
+        }
     }
 }
 export function hasActionableSettings(settings) {
@@ -180,5 +291,63 @@ export function hasActionableSettings(settings) {
     if (settings.codeScanning) {
         return true;
     }
+    if (settings.variables) {
+        const { deleteOrphaned, inherit: _i, ...entries } = settings.variables;
+        if (Object.keys(entries).length > 0 || deleteOrphaned === true) {
+            return true;
+        }
+    }
     return false;
 }
+export function validateVariableName(name) {
+    if (!VARIABLE_NAME_PATTERN.test(name)) {
+        throw new ValidationError(`Variable name '${name}' contains invalid characters. Only alphanumeric and underscore allowed.`);
+    }
+    if (name.startsWith("GITHUB_")) {
+        throw new ValidationError(`Variable name '${name}' cannot start with 'GITHUB_' (reserved prefix).`);
+    }
+}
+export function validateSecretName(name) {
+    if (!VARIABLE_NAME_PATTERN.test(name)) {
+        throw new ValidationError(`Secret name '${name}' contains invalid characters. Only alphanumeric and underscore allowed.`);
+    }
+    if (name.startsWith("GITHUB_")) {
+        throw new ValidationError(`Secret name '${name}' cannot start with 'GITHUB_' (reserved prefix).`);
+    }
+}
+function validateSecretEntry(name, config) {
+    validateSecretName(name);
+    if (!config.env || typeof config.env !== "string") {
+        throw new ValidationError(`Secret '${name}' requires an 'env' field (string) specifying the environment variable source.`);
+    }
+}
+export function validateSecretsConfig(config) {
+    if (!config.secrets)
+        return;
+    const { deleteOrphaned, ...entries } = config.secrets;
+    // Reject 'deleteOrphaned' used as a secret name (it's a reserved peer key)
+    if (deleteOrphaned !== undefined && typeof deleteOrphaned !== "boolean") {
+        throw new ValidationError("'deleteOrphaned' is a reserved key in secrets config and cannot be used as a secret name.");
+    }
+    // Reject boolean true — only false (opt-out) is valid
+    for (const [name, value] of Object.entries(entries)) {
+        if (value === true) {
+            throw new ValidationError(`Secret '${name}' is set to true, which is not valid. Use false to opt out, or provide a SecretConfig object.`);
+        }
+    }
+    // Reject duplicate case-insensitive secret names
+    const seen = new Map();
+    for (const name of Object.keys(entries)) {
+        const upper = name.toUpperCase();
+        const existing = seen.get(upper);
+        if (existing) {
+            throw new ValidationError(`Duplicate secret name: '${name}' and '${existing}' collide (GitHub treats secret names case-insensitively).`);
+        }
+        seen.set(upper, name);
+    }
+    for (const [name, value] of Object.entries(entries)) {
+        if (typeof value === "boolean")
+            continue;
+        validateSecretEntry(name, value);
+    }
+}

package/dist/output/settings-report.d.ts

@@ -17,6 +17,11 @@ export interface SettingsReport {
             update: number;
             delete: number;
         };
+        variables?: {
+            create: number;
+            update: number;
+            delete: number;
+        };
     };
 }
 export interface RepoChanges {
@@ -24,6 +29,12 @@ export interface RepoChanges {
     settings: SettingChange[];
     rulesets: RulesetChange[];
     labels: LabelChange[];
+    variables?: {
+        name: string;
+        action: ActiveAction;
+        oldValue?: string;
+        newValue?: string;
+    }[];
     error?: string;
 }
 export interface SettingChange {

package/dist/output/settings-report.js

@@ -90,6 +90,13 @@ function formatSettingsSummary(totals) {
     ]);
     if (labelsEntry)
         parts.push(labelsEntry);
+    const variablesEntry = formatCountEntry("variable", "variables", [
+        { label: "to create", value: totals.variables?.create ?? 0 },
+        { label: "to update", value: totals.variables?.update ?? 0 },
+        { label: "to delete", value: totals.variables?.delete ?? 0 },
+    ]);
+    if (variablesEntry)
+        parts.push(variablesEntry);
     if (parts.length === 0) {
         return "No changes";
     }
@@ -112,6 +119,7 @@ export function formatSettingsReportCLI(report) {
         if (repo.settings.length === 0 &&
             repo.rulesets.length === 0 &&
             repo.labels.length === 0 &&
+            (repo.variables ?? []).length === 0 &&
             !repo.error) {
             continue;
         }
@@ -231,6 +239,21 @@ export function renderRepoSettingsDiffLines(repo, diffLines) {
             diffLines.push(`- label "${label.name}"`);
         }
     }
+    // Blank line before variables if there was content above
+    if ((repo.variables ?? []).length > 0 && diffLines.length > startLength) {
+        diffLines.push("");
+    }
+    for (const variable of repo.variables ?? []) {
+        if (variable.action === "create") {
+            diffLines.push(`+ variable "${variable.name}": ${formatValuePlain(variable.newValue)}`);
+        }
+        else if (variable.action === "update") {
+            diffLines.push(`! variable "${variable.name}": ${formatValuePlain(variable.oldValue)} → ${formatValuePlain(variable.newValue)}`);
+        }
+        else if (variable.action === "delete") {
+            diffLines.push(`- variable "${variable.name}"`);
+        }
+    }
     if (repo.error) {
         diffLines.push(`- Error: ${repo.error}`);
     }
@@ -252,6 +275,7 @@ export function formatSettingsReportMarkdown(report, dryRun) {
         if (repo.settings.length === 0 &&
             repo.rulesets.length === 0 &&
             repo.labels.length === 0 &&
+            (repo.variables ?? []).length === 0 &&
             !repo.error) {
             continue;
         }

package/dist/secrets/encryption.d.ts

@@ -0,0 +1,9 @@
+export interface ISecretEncryptor {
+    encrypt(value: string, publicKeyBase64: string): Promise<string>;
+}
+export declare class SodiumEncryptor implements ISecretEncryptor {
+    private sodium;
+    private initPromise;
+    private ensureInitialized;
+    encrypt(value: string, publicKeyBase64: string): Promise<string>;
+}

package/dist/secrets/encryption.js

@@ -0,0 +1,29 @@
+export class SodiumEncryptor {
+    sodium;
+    initPromise = null;
+    ensureInitialized() {
+        if (!this.initPromise) {
+            this.initPromise = (async () => {
+                try {
+                    const sodium = await import("libsodium-wrappers");
+                    await sodium.default.ready;
+                    this.sodium = sodium.default;
+                }
+                catch {
+                    throw new Error("Failed to load libsodium-wrappers. Install it: npm install libsodium-wrappers");
+                }
+            })().catch((err) => {
+                this.initPromise = null;
+                throw err;
+            });
+        }
+        return this.initPromise.then(() => this.sodium);
+    }
+    async encrypt(value, publicKeyBase64) {
+        const sodium = await this.ensureInitialized();
+        const messageBytes = sodium.from_string(value);
+        const publicKey = sodium.from_base64(publicKeyBase64, sodium.base64_variants.ORIGINAL);
+        const encrypted = sodium.crypto_box_seal(messageBytes, publicKey);
+        return sodium.to_base64(encrypted, sodium.base64_variants.ORIGINAL);
+    }
+}

package/dist/secrets/github-secrets-strategy.d.ts

@@ -0,0 +1,17 @@
+import type { ICommandExecutor } from "../shared/command-executor.js";
+import { type RepoInfo } from "../repo/index.js";
+import { type GhApiOptions } from "../shared/gh-api-utils.js";
+import type { ISecretsStrategy, GitHubSecret, GitHubPublicKey } from "./types.js";
+interface GitHubSecretsStrategyOptions {
+    retries?: number;
+    cwd: string;
+}
+export declare class GitHubSecretsStrategy implements ISecretsStrategy {
+    private api;
+    constructor(executor: ICommandExecutor, options: GitHubSecretsStrategyOptions);
+    list(repoInfo: RepoInfo, options?: GhApiOptions): Promise<GitHubSecret[]>;
+    getPublicKey(repoInfo: RepoInfo, options?: GhApiOptions): Promise<GitHubPublicKey>;
+    upsert(repoInfo: RepoInfo, name: string, encryptedValue: string, keyId: string, options?: GhApiOptions): Promise<void>;
+    delete(repoInfo: RepoInfo, name: string, options?: GhApiOptions): Promise<void>;
+}
+export {};

package/dist/secrets/github-secrets-strategy.js

@@ -0,0 +1,38 @@
+import { assertGitHubRepo } from "../repo/index.js";
+import { GhApiClient } from "../shared/gh-api-utils.js";
+import { parseApiJson } from "../shared/json-utils.js";
+export class GitHubSecretsStrategy {
+    api;
+    constructor(executor, options) {
+        this.api = new GhApiClient(executor, options.retries ?? 3, options.cwd);
+    }
+    async list(repoInfo, options) {
+        assertGitHubRepo(repoInfo, "GitHub Secrets strategy");
+        const endpoint = `/repos/${repoInfo.owner}/${repoInfo.repo}/actions/secrets`;
+        const result = await this.api.call("GET", endpoint, {
+            options,
+            paginate: true,
+        });
+        const response = parseApiJson(result, "secrets response");
+        return response.secrets ?? [];
+    }
+    async getPublicKey(repoInfo, options) {
+        assertGitHubRepo(repoInfo, "GitHub Secrets strategy");
+        const endpoint = `/repos/${repoInfo.owner}/${repoInfo.repo}/actions/secrets/public-key`;
+        const result = await this.api.call("GET", endpoint, { options });
+        return parseApiJson(result, "public key response");
+    }
+    async upsert(repoInfo, name, encryptedValue, keyId, options) {
+        assertGitHubRepo(repoInfo, "GitHub Secrets strategy");
+        const endpoint = `/repos/${repoInfo.owner}/${repoInfo.repo}/actions/secrets/${encodeURIComponent(name)}`;
+        await this.api.call("PUT", endpoint, {
+            payload: { encrypted_value: encryptedValue, key_id: keyId },
+            options,
+        });
+    }
+    async delete(repoInfo, name, options) {
+        assertGitHubRepo(repoInfo, "GitHub Secrets strategy");
+        const endpoint = `/repos/${repoInfo.owner}/${repoInfo.repo}/actions/secrets/${encodeURIComponent(name)}`;
+        await this.api.call("DELETE", endpoint, { options });
+    }
+}

package/dist/secrets/index.d.ts

@@ -0,0 +1,5 @@
+export { SecretsProcessor } from "./processor.js";
+export type { SecretsProcessorOptions, SecretsProcessorResult, } from "./processor.js";
+export { GitHubSecretsStrategy } from "./github-secrets-strategy.js";
+export { SodiumEncryptor, type ISecretEncryptor } from "./encryption.js";
+export type { ISecretsStrategy, GitHubSecret, GitHubPublicKey, } from "./types.js";

package/dist/secrets/index.js

@@ -0,0 +1,3 @@
+export { SecretsProcessor } from "./processor.js";
+export { GitHubSecretsStrategy } from "./github-secrets-strategy.js";
+export { SodiumEncryptor } from "./encryption.js";

package/dist/secrets/processor.d.ts

@@ -0,0 +1,31 @@
+import { type RepoInfo } from "../repo/index.js";
+import type { ISecretsStrategy } from "./types.js";
+import type { ISecretEncryptor } from "./encryption.js";
+import type { IEnvResolver } from "../shared/env-resolver.js";
+import type { SecretConfig } from "../config/index.js";
+type SecretsConfig = Record<string, SecretConfig | boolean> & {
+    deleteOrphaned?: boolean;
+};
+export interface SecretsProcessorOptions {
+    dryRun?: boolean;
+    token?: string;
+    noDelete?: boolean;
+}
+export interface SecretsProcessorResult {
+    success: boolean;
+    repoName: string;
+    message: string;
+    skipped?: boolean;
+    dryRun?: boolean;
+    created: number;
+    updated: number;
+    deleted: number;
+}
+export declare class SecretsProcessor {
+    private readonly strategy;
+    private readonly encryptor;
+    private readonly envResolver;
+    constructor(strategy: ISecretsStrategy, encryptor: ISecretEncryptor, envResolver: IEnvResolver);
+    process(secretsConfig: SecretsConfig, repoInfo: RepoInfo, options: SecretsProcessorOptions): Promise<SecretsProcessorResult>;
+}
+export {};

package/dist/secrets/processor.js

@@ -0,0 +1,115 @@
+import { isGitHubRepo, getRepoDisplayName, } from "../repo/index.js";
+export class SecretsProcessor {
+    strategy;
+    encryptor;
+    envResolver;
+    constructor(strategy, encryptor, envResolver) {
+        this.strategy = strategy;
+        this.encryptor = encryptor;
+        this.envResolver = envResolver;
+    }
+    async process(secretsConfig, repoInfo, options) {
+        const repoName = getRepoDisplayName(repoInfo);
+        if (!isGitHubRepo(repoInfo)) {
+            return {
+                success: true,
+                repoName,
+                message: "Skipped: not a GitHub repository",
+                skipped: true,
+                created: 0,
+                updated: 0,
+                deleted: 0,
+            };
+        }
+        const githubRepo = repoInfo;
+        const { deleteOrphaned: configDeleteOrphaned = false, ...rawEntries } = secretsConfig;
+        const { dryRun, token, noDelete } = options;
+        const deleteOrphaned = configDeleteOrphaned && !(noDelete ?? false);
+        const strategyOptions = { token, host: githubRepo.host };
+        const secretEntries = Object.entries(rawEntries).filter((entry) => typeof entry[1] !== "boolean");
+        let resolvedValues;
+        if (!dryRun && secretEntries.length > 0) {
+            resolvedValues = this.envResolver.resolveAll(secretEntries.map(([name, config]) => ({
+                name,
+                envVar: config.env,
+            })));
+        }
+        else {
+            resolvedValues = new Map();
+        }
+        const currentSecrets = await this.strategy.list(githubRepo, strategyOptions);
+        const currentByName = new Set(currentSecrets.map((s) => s.name.toUpperCase()));
+        const desiredNames = new Set(secretEntries.map(([name]) => name.toUpperCase()));
+        let created = 0;
+        let updated = 0;
+        let deleted = 0;
+        if (!dryRun) {
+            if (secretEntries.length > 0) {
+                const publicKey = await this.strategy.getPublicKey(githubRepo, strategyOptions);
+                for (const [name] of secretEntries) {
+                    const value = resolvedValues.get(name);
+                    const encrypted = await this.encryptor.encrypt(value, publicKey.key);
+                    await this.strategy.upsert(githubRepo, name, encrypted, publicKey.key_id, strategyOptions);
+                    if (currentByName.has(name.toUpperCase())) {
+                        updated++;
+                    }
+                    else {
+                        created++;
+                    }
+                }
+            }
+            if (deleteOrphaned) {
+                for (const current of currentSecrets) {
+                    if (!desiredNames.has(current.name.toUpperCase())) {
+                        await this.strategy.delete(githubRepo, current.name, strategyOptions);
+                        deleted++;
+                    }
+                }
+            }
+        }
+        else {
+            for (const [name] of secretEntries) {
+                if (currentByName.has(name.toUpperCase())) {
+                    updated++;
+                }
+                else {
+                    created++;
+                }
+            }
+            if (deleteOrphaned) {
+                for (const current of currentSecrets) {
+                    if (!desiredNames.has(current.name.toUpperCase())) {
+                        deleted++;
+                    }
+                }
+            }
+        }
+        const parts = [];
+        if (created > 0)
+            parts.push(`${created} created`);
+        if (updated > 0)
+            parts.push(`${updated} updated`);
+        if (deleted > 0)
+            parts.push(`${deleted} deleted`);
+        const summary = parts.length > 0 ? parts.join(", ") : "no changes";
+        if (dryRun) {
+            return {
+                success: true,
+                repoName,
+                message: `[DRY RUN] ${summary}`,
+                dryRun: true,
+                created,
+                updated,
+                deleted,
+            };
+        }
+        return {
+            success: true,
+            repoName,
+            message: summary,
+            created,
+            updated,
+            deleted,
+        };
+    }
+}

package/dist/secrets/types.d.ts

@@ -0,0 +1,21 @@
+import type { RepoInfo } from "../repo/index.js";
+import type { GhApiOptions } from "../shared/gh-api-utils.js";
+export interface GitHubSecret {
+    name: string;
+    created_at: string;
+    updated_at: string;
+}
+export interface GitHubSecretsListResponse {
+    total_count: number;
+    secrets: GitHubSecret[];
+}
+export interface GitHubPublicKey {
+    key_id: string;
+    key: string;
+}
+export interface ISecretsStrategy {
+    list(repoInfo: RepoInfo, options?: GhApiOptions): Promise<GitHubSecret[]>;
+    getPublicKey(repoInfo: RepoInfo, options?: GhApiOptions): Promise<GitHubPublicKey>;
+    upsert(repoInfo: RepoInfo, name: string, encryptedValue: string, keyId: string, options?: GhApiOptions): Promise<void>;
+    delete(repoInfo: RepoInfo, name: string, options?: GhApiOptions): Promise<void>;
+}

package/dist/secrets/types.js

@@ -0,0 +1 @@
+export {};

package/dist/settings/index.d.ts

@@ -3,3 +3,4 @@ export { type PropertyDiff, type RulesetPlanEntry, RulesetProcessor, type IRules
 export { RepoSettingsProcessor, type IRepoSettingsProcessor, type RepoSettingsPlanEntry, GitHubRepoSettingsStrategy, } from "./repo-settings/index.js";
 export { type LabelsPlanEntry, LabelsProcessor, type ILabelsProcessor, GitHubLabelsStrategy, } from "./labels/index.js";
 export { type CodeScanningPlanEntry, CodeScanningProcessor, type ICodeScanningProcessor, GitHubCodeScanningStrategy, } from "./code-scanning/index.js";
+export { type VariablesPlanEntry, VariablesProcessor, type IVariablesProcessor, GitHubVariablesStrategy, } from "./variables/index.js";

package/dist/settings/index.js

@@ -8,3 +8,5 @@ export { RepoSettingsProcessor, GitHubRepoSettingsStrategy, } from "./repo-setti
 export { LabelsProcessor, GitHubLabelsStrategy, } from "./labels/index.js";
 // Code scanning
 export { CodeScanningProcessor, GitHubCodeScanningStrategy, } from "./code-scanning/index.js";
+// Variables
+export { VariablesProcessor, GitHubVariablesStrategy, } from "./variables/index.js";

package/dist/settings/variables/diff.d.ts

@@ -0,0 +1,10 @@
+import type { GitHubVariable } from "./types.js";
+import type { SettingsAction } from "../base-processor.js";
+export type VariableAction = SettingsAction;
+export interface VariableChange {
+    action: VariableAction;
+    name: string;
+    oldValue?: string;
+    newValue?: string;
+}
+export declare function diffVariables(current: GitHubVariable[], desired: Record<string, string>, deleteOrphaned: boolean): VariableChange[];

package/dist/settings/variables/diff.js

@@ -0,0 +1,39 @@
+export function diffVariables(current, desired, deleteOrphaned) {
+    const changes = [];
+    const currentByName = new Map();
+    for (const v of current) {
+        currentByName.set(v.name.toUpperCase(), v);
+    }
+    const desiredUpper = new Set(Object.keys(desired).map((n) => n.toUpperCase()));
+    for (const [name, desiredValue] of Object.entries(desired)) {
+        const currentVar = currentByName.get(name.toUpperCase());
+        if (!currentVar) {
+            changes.push({ action: "create", name, newValue: desiredValue });
+        }
+        else if (currentVar.value !== desiredValue) {
+            changes.push({
+                action: "update",
+                name: currentVar.name,
+                oldValue: currentVar.value,
+                newValue: desiredValue,
+            });
+        }
+        else {
+            changes.push({ action: "unchanged", name: currentVar.name });
+        }
+    }
+    if (deleteOrphaned) {
+        for (const [nameUpper, currentVar] of currentByName) {
+            if (!desiredUpper.has(nameUpper)) {
+                changes.push({ action: "delete", name: currentVar.name });
+            }
+        }
+    }
+    const actionOrder = {
+        delete: 0,
+        update: 1,
+        create: 2,
+        unchanged: 3,
+    };
+    return changes.sort((a, b) => actionOrder[a.action] - actionOrder[b.action]);
+}

package/dist/settings/variables/formatter.d.ts

@@ -0,0 +1,16 @@
+import type { VariableChange, VariableAction } from "./diff.js";
+export interface VariablesPlanEntry {
+    name: string;
+    action: VariableAction;
+    oldValue?: string;
+    newValue?: string;
+}
+export interface VariablesPlanResult {
+    lines: string[];
+    creates: number;
+    updates: number;
+    deletes: number;
+    unchanged: number;
+    entries: VariablesPlanEntry[];
+}
+export declare function formatVariablesPlan(changes: VariableChange[]): VariablesPlanResult;