gh-secrets-sync 0.0.1

package/LICENSE.md

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Jing Haihan
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,83 @@
+# GitHub Secrets Sync
+
+A CLI tool to batch sync GitHub Actions secrets across multiple repositories. Sync secrets from a central repository to target repositories using GitHub CI.
+
+## Why Use This Tool?
+
+Managing GitHub Actions secrets across multiple repositories can be tedious:
+
+- **Manual repetition**: You need to manually add the same secret to each repository
+- **Time-consuming**: Updating a secret across many repos requires visiting each one individually
+- **Error-prone**: Easy to forget to update a secret in one of the repositories
+
+This tool automates the process, allowing you to sync secrets across multiple repositories with a single command.
+
+## Usage
+
+1. **Create a configuration file** (`secrets.config.yaml`) in your central repository:
+
+```yaml
+repos:
+  - owner/vscode-extension1
+  - owner/vscode-extension2
+
+envs:
+  - VSCE_PAT
+  - OVSX_PAT
+```
+
+2. **Set up GitHub CI** in your central repository:
+
+```yaml
+# .github/workflows/sync-secrets.yml
+name: Sync Secrets
+
+permissions:
+  contents: write
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  sync:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Set node
+        uses: actions/setup-node@v4
+        with:
+          node-version: lts/*
+
+      - name: Sync Secrets
+        run: npx gh-secrets-sync
+        env:
+          GITHUB_PAT: ${{secrets.GITHUB_PAT}}
+          VSCE_PAT: ${{secrets.VSCE_PAT}}
+          OVSX_PAT: ${{secrets.OVSX_PAT}}
+```
+
+3. **Configure secrets in your central repository**:
+   - Go to your central repository Settings > Secrets and variables > Actions
+   - Add `GITHUB_PAT` as a repository secret (this is your GitHub Personal Access Token)
+   - Add `VSCE_PAT` and `OVSX_PAT` as repository secrets
+
+### How to Get Your GitHub Token
+
+1. Go to [GitHub Personal Access Tokens](https://github.com/settings/personal-access-tokens)
+2. Click "Generate new token"
+3. Give it a descriptive name like "Secrets Sync Tool"
+4. Select the required scopes:
+   - Repository permissions > Secrets: Read and write
+   - Repository permissions > Actions: Read and write
+   - Metadata
+5. Click "Generate token"
+6. Add the token as a repository secret named `GITHUB_PAT` in your central repository
+
+## License
+
+[MIT](./LICENSE) License © [jinghaihan](https://github.com/jinghaihan)

package/bin/gh-secrets-sync.mjs

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+'use strict'
+import '../dist/cli.mjs'

package/dist/cli.d.mts

@@ -0,0 +1,2 @@
+
+export { };

package/dist/cli.mjs

@@ -0,0 +1,171 @@
+import process from 'node:process';
+import c from 'ansis';
+import { cac } from 'cac';
+import { readFileSync } from 'node:fs';
+import { join } from 'pathe';
+import { parse } from 'yaml';
+import { Octokit } from '@octokit/core';
+import Spinner from 'yocto-spinner';
+import sodium from 'libsodium-wrappers';
+
+const name = "gh-secrets-sync";
+const version = "0.0.1";
+
+const DEFAULT_SYNC_OPTIONS = {
+  config: "./secrets.config.yaml",
+  repos: [],
+  secrets: [],
+  envPrefix: "",
+  dry: false,
+  strict: true
+};
+const GITHUB_API_VERSION = "2022-11-28";
+
+function resolveConfig(options) {
+  const getConfig = () => {
+    const cwd = options.cwd || process.cwd();
+    if (typeof options.repos === "string")
+      options.repos = [options.repos];
+    if (typeof options.secrets === "string")
+      options.secrets = [options.secrets];
+    const config2 = { ...DEFAULT_SYNC_OPTIONS, ...options };
+    config2.token = config2.token || process.env.GITHUB_PAT || process.env.GITHUB_TOKEN || "";
+    if (config2.repos.length && config2.secrets.length) {
+      return config2;
+    }
+    const configContent = parse(readFileSync(join(cwd, config2.config), "utf-8"));
+    config2.repos = Array.isArray(configContent.repos) ? configContent.repos : [];
+    config2.secrets = Array.isArray(configContent.envs) ? configContent.envs : [];
+    return config2;
+  };
+  const config = getConfig();
+  if (!config.token)
+    throw new Error(c.red("Please provide a GitHub token"));
+  if (!config.repos)
+    throw new Error(c.red("Please provide repos to sync"));
+  if (!config.secrets)
+    throw new Error(c.red("Please provide secrets to sync"));
+  return config;
+}
+
+async function encrypt(value, publicKey) {
+  await sodium.ready;
+  const binkey = sodium.from_base64(publicKey.key, sodium.base64_variants.ORIGINAL);
+  const binsec = sodium.from_string(value);
+  const encrypted = sodium.crypto_box_seal(binsec, binkey);
+  return sodium.to_base64(encrypted, sodium.base64_variants.ORIGINAL);
+}
+
+function formatToken(token) {
+  return `Bearer ${token}`;
+}
+
+async function getRepoPublicKey(repoPath, config) {
+  const octokit = new Octokit({
+    auth: formatToken(config.token)
+  });
+  const spinner = Spinner({ text: c.blue(`Fetching public key for ${repoPath}`) }).start();
+  const { owner, repo } = parseRepo(repoPath);
+  const url = `GET /repos/${owner}/${repo}/actions/secrets/public-key`;
+  let res = { key: "", key_id: "" };
+  if (!config.dry) {
+    const { status, data } = await octokit.request(
+      url,
+      {
+        owner,
+        repo,
+        headers: {
+          "X-GitHub-Api-Version": GITHUB_API_VERSION
+        }
+      }
+    );
+    if (status !== 200) {
+      spinner.error(c.red(`Failed to fetch public key for ${repoPath}: ${status}`));
+      console.error(c.red(JSON.stringify(data, null, 2)));
+      process.exit(1);
+    }
+    res = data;
+  } else {
+    console.log();
+    console.log(c.yellow(`Get a repository public key: ${repoPath}`));
+  }
+  spinner.success(c.green(`Public key fetched successfully for ${repoPath}`));
+  return res;
+}
+async function createOrUpdateRepoSecret(secretName, secretValue, publicKey, repoPath, config) {
+  const octokit = new Octokit({
+    auth: formatToken(config.token)
+  });
+  const spinner = Spinner({ text: c.blue(`Create or update ${secretName} for ${repoPath}`) }).start();
+  const { owner, repo } = parseRepo(repoPath);
+  const url = `PUT /repos/${owner}/${repo}/actions/secrets/${secretName}`;
+  let res;
+  let operation = "create or update";
+  if (!config.dry) {
+    const { status, data } = await octokit.request(
+      url,
+      {
+        owner,
+        repo,
+        secret_name: secretName,
+        encrypted_value: await encrypt(secretValue, publicKey),
+        key_id: publicKey.key_id,
+        headers: {
+          "X-GitHub-Api-Version": GITHUB_API_VERSION
+        }
+      }
+    );
+    if (status !== 201 && status !== 204) {
+      spinner.error(c.red(`Failed to create or update ${secretName} for ${repoPath}`));
+      console.error(c.red(JSON.stringify(data, null, 2)));
+      process.exit(1);
+    }
+    operation = status === 201 ? "created" : "updated";
+    res = data;
+  } else {
+    console.log();
+    console.log(c.yellow(`Create or update ${secretName} for ${repoPath}`));
+  }
+  spinner.success(c.green(`${secretName} ${operation} successfully for ${repoPath}`));
+  return res;
+}
+function parseRepo(repoPath) {
+  const [owner, repo] = repoPath.split("/");
+  return { owner, repo };
+}
+
+try {
+  const cli = cac("gh-secrets-sync");
+  cli.command("").option("--config <config>", "secrets config file", { default: "./secrets.config.yaml" }).option("--secrets <secrets...>", "secrets name to sync", { default: [] }).option("--token <token>", "GitHub token").option("--env-prefix <prefix>", "environment variable prefix", { default: "" }).option("--strict", "Throw error if secret is not found in the environment variables", { default: true }).option("--dry", "Dry run", { default: false }).allowUnknownOptions().action(async (options) => {
+    console.log(`${c.yellow(name)} ${c.dim(`v${version}`)}`);
+    console.log();
+    const config = await resolveConfig(options);
+    for (const repo of config.repos) {
+      const publicKey = await getRepoPublicKey(repo, config);
+      for (const secretKey of config.secrets) {
+        const secretValue = getEnv(secretKey, config.strict);
+        if (!secretValue)
+          continue;
+        await createOrUpdateRepoSecret(secretKey, secretValue, publicKey, repo, config);
+      }
+    }
+    console.log(c.green("Done"));
+  });
+  cli.help();
+  cli.version(version);
+  cli.parse();
+} catch (error) {
+  console.error(error);
+  process.exit(1);
+}
+function getEnv(name2, strict) {
+  const value = process.env[name2];
+  if (!value) {
+    const error = c.red(`Secret ${name2} not found in environment variables`);
+    if (strict)
+      throw new Error(error);
+    else
+      console.warn(c.yellow(error));
+  }
+  return value;
+}

package/dist/index.d.mts

@@ -0,0 +1,2 @@
+
+export { };

package/dist/index.mjs

@@ -0,0 +1 @@
+

package/package.json

@@ -0,0 +1,81 @@
+{
+  "name": "gh-secrets-sync",
+  "type": "module",
+  "version": "0.0.1",
+  "description": "CLI tool to batch sync GitHub Actions secrets across multiple repositories.",
+  "author": "jinghaihan",
+  "license": "MIT",
+  "homepage": "https://github.com/jinghaihan/gh-secrets-sync#readme",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/jinghaihan/gh-secrets-sync.git"
+  },
+  "bugs": {
+    "url": "https://github.com/jinghaihan/gh-secrets-sync/issues"
+  },
+  "keywords": [
+    "github",
+    "actions",
+    "secrets",
+    "sync"
+  ],
+  "exports": {
+    ".": "./dist/index.mjs",
+    "./cli": "./dist/cli.mjs",
+    "./package.json": "./package.json"
+  },
+  "main": "./dist/index.mjs",
+  "module": "./dist/index.mjs",
+  "types": "./dist/index.d.mts",
+  "bin": {
+    "gh-secrets-sync": "./bin/gh-secrets-sync.mjs"
+  },
+  "files": [
+    "bin",
+    "dist"
+  ],
+  "dependencies": {
+    "@octokit/core": "^7.0.3",
+    "ansis": "^4.1.0",
+    "cac": "^6.7.14",
+    "execa": "^9.6.0",
+    "libsodium-wrappers": "^0.7.15",
+    "pathe": "^2.0.3",
+    "unconfig": "^7.3.2",
+    "yaml": "^2.8.1",
+    "yocto-spinner": "^1.0.0"
+  },
+  "devDependencies": {
+    "@antfu/eslint-config": "^5.2.0",
+    "@types/libsodium-wrappers": "^0.7.14",
+    "@types/node": "^24.2.0",
+    "bumpp": "^10.2.2",
+    "eslint": "^9.32.0",
+    "lint-staged": "^16.1.4",
+    "pncat": "^0.4.1",
+    "simple-git-hooks": "^2.13.1",
+    "taze": "^19.1.0",
+    "tsx": "^4.20.3",
+    "typescript": "^5.9.2",
+    "unbuild": "^3.6.0",
+    "vitest": "^3.2.4"
+  },
+  "simple-git-hooks": {
+    "pre-commit": "pnpm lint-staged"
+  },
+  "lint-staged": {
+    "*": "eslint --fix"
+  },
+  "scripts": {
+    "start": "tsx ./src/cli.ts",
+    "build": "unbuild",
+    "typecheck": "tsc",
+    "test": "vitest",
+    "lint": "eslint",
+    "deps": "taze major -I",
+    "release": "bumpp && pnpm publish --no-git-checks",
+    "catalog": "pncat",
+    "bootstrap": "pnpm install",
+    "preinstall": "npx only-allow pnpm"
+  }
+}