npm - gh-secrets-sync - Versions diffs - 0.0.2 → 0.1.0 - Mend

gh-secrets-sync 0.0.2 → 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -1,8 +1,13 @@
 # GitHub Secrets Sync
+[![npm version][npm-version-src]][npm-version-href]
+[![bundle][bundle-src]][bundle-href]
+[![JSDocs][jsdocs-src]][jsdocs-href]
+[![License][license-src]][license-href]
 A CLI tool to batch sync GitHub Actions secrets across multiple repositories. Sync secrets from a central repository to target repositories using GitHub CI.
-## Why Use This Tool?
+## Why?
 Managing GitHub Actions secrets across multiple repositories can be tedious:
@@ -18,14 +23,15 @@ This tool automates the process, allowing you to sync secrets across multiple re
 ```yaml
 repos:
-  - owner/vscode-extension1
-  - owner/vscode-extension2
+  - owner/vscode-*
 envs:
   - VSCE_PAT
   - OVSX_PAT
 ```
+> **Note**: The `repos` configuration supports regex patterns with `*` wildcards. The tool will fetch all repositories accessible by your GitHub token and filter them based on the regex patterns. For example, `owner/vscode-*` will match all repositories under the specified owner that start with "vscode-".
 2. **Set up GitHub CI** in your central repository:
 ```yaml
@@ -37,8 +43,10 @@ permissions:
 on:
   push:
-    branches:
-      - main
+    branches: [main]
+  schedule:
+    - cron: '0 0 * * *'
+  workflow_dispatch:
 jobs:
   sync:
@@ -81,3 +89,16 @@ jobs:
 ## License
 [MIT](./LICENSE) License © [jinghaihan](https://github.com/jinghaihan)
+<!-- Badges -->
+[npm-version-src]: https://img.shields.io/npm/v/gh-secrets-sync?style=flat&colorA=080f12&colorB=1fa669
+[npm-version-href]: https://npmjs.com/package/gh-secrets-sync
+[npm-downloads-src]: https://img.shields.io/npm/dm/gh-secrets-sync?style=flat&colorA=080f12&colorB=1fa669
+[npm-downloads-href]: https://npmjs.com/package/gh-secrets-sync
+[bundle-src]: https://img.shields.io/bundlephobia/minzip/gh-secrets-sync?style=flat&colorA=080f12&colorB=1fa669&label=minzip
+[bundle-href]: https://bundlephobia.com/result?p=gh-secrets-sync
+[license-src]: https://img.shields.io/badge/license-MIT-blue.svg?style=flat&colorA=080f12&colorB=1fa669
+[license-href]: https://github.com/jinghaihan/gh-secrets-sync/LICENSE
+[jsdocs-src]: https://img.shields.io/badge/jsdocs-reference-080f12?style=flat&colorA=080f12&colorB=1fa669
+[jsdocs-href]: https://www.jsdocs.io/package/gh-secrets-sync

package/dist/cli.mjs CHANGED Viewed

@@ -9,44 +9,18 @@ import Spinner from 'yocto-spinner';
 import sodium from 'libsodium-wrappers';
 const name = "gh-secrets-sync";
-const version = "0.0.2";
+const version = "0.1.0";
 const DEFAULT_SYNC_OPTIONS = {
   config: "./secrets.config.yaml",
   repos: [],
   secrets: [],
   envPrefix: "",
+  apiVersion: "2022-11-28",
+  private: false,
   dry: false,
   strict: true
 };
-const GITHUB_API_VERSION = "2022-11-28";
-function resolveConfig(options) {
-  const getConfig = () => {
-    const cwd = options.cwd || process.cwd();
-    if (typeof options.repos === "string")
-      options.repos = [options.repos];
-    if (typeof options.secrets === "string")
-      options.secrets = [options.secrets];
-    const config2 = { ...DEFAULT_SYNC_OPTIONS, ...options };
-    config2.token = config2.token || process.env.GITHUB_PAT || process.env.GITHUB_TOKEN || "";
-    if (config2.repos.length && config2.secrets.length) {
-      return config2;
-    }
-    const configContent = parse(readFileSync(join(cwd, config2.config), "utf-8"));
-    config2.repos = Array.isArray(configContent.repos) ? configContent.repos : [];
-    config2.secrets = Array.isArray(configContent.envs) ? configContent.envs : [];
-    return config2;
-  };
-  const config = getConfig();
-  if (!config.token)
-    throw new Error(c.red("Please provide a GitHub token"));
-  if (!config.repos)
-    throw new Error(c.red("Please provide repos to sync"));
-  if (!config.secrets)
-    throw new Error(c.red("Please provide secrets to sync"));
-  return config;
-}
 async function encrypt(value, publicKey) {
   await sodium.ready;
@@ -59,85 +33,167 @@ async function encrypt(value, publicKey) {
 function formatToken(token) {
   return `Bearer ${token}`;
 }
+function parseRepo(repoPath) {
+  const [owner, repo] = repoPath.split("/");
+  return { owner, repo };
+}
 async function getRepoPublicKey(repoPath, config) {
-  const octokit = new Octokit({
-    auth: formatToken(config.token)
-  });
-  const spinner = Spinner({ text: c.blue(`Fetching public key for ${repoPath}`) }).start();
+  const octokit = createOctokit(config);
   const { owner, repo } = parseRepo(repoPath);
   const url = `GET /repos/${owner}/${repo}/actions/secrets/public-key`;
-  let res = { key: "", key_id: "" };
-  if (!config.dry) {
-    const { status, data } = await octokit.request(
-      url,
-      {
-        owner,
-        repo,
-        headers: {
-          "X-GitHub-Api-Version": GITHUB_API_VERSION
+  return withSpinner(
+    `Fetching public key for ${repoPath}`,
+    `Public key fetched successfully for ${repoPath}`,
+    `Failed to fetch public key for ${repoPath}`,
+    `Fetch Public Key: ${c.yellow(url)}`,
+    { key: "", key_id: "" },
+    config,
+    async () => {
+      const { status, data } = await octokit.request(
+        url,
+        {
+          owner,
+          repo,
+          headers: {
+            "X-GitHub-Api-Version": config.apiVersion
+          }
         }
+      );
+      if (status !== 200) {
+        throw new Error(`HTTP ${status}: ${JSON.stringify(data)}`);
       }
-    );
-    if (status !== 200) {
-      spinner.error(c.red(`Failed to fetch public key for ${repoPath}: ${status}`));
-      console.error(c.red(JSON.stringify(data, null, 2)));
-      process.exit(1);
+      return data;
     }
-    res = data;
-  } else {
-    console.log();
-    console.log(c.yellow(`Get a repository public key: ${repoPath}`));
-  }
-  spinner.success(c.green(`Public key fetched successfully for ${repoPath}`));
-  return res;
+  );
 }
 async function createOrUpdateRepoSecret(secretName, secretValue, publicKey, repoPath, config) {
-  const octokit = new Octokit({
-    auth: formatToken(config.token)
-  });
+  const octokit = createOctokit(config);
   secretName = `${config.envPrefix}${secretName}`;
-  const spinner = Spinner({ text: c.blue(`Create or update ${secretName} for ${repoPath}`) }).start();
   const { owner, repo } = parseRepo(repoPath);
   const url = `PUT /repos/${owner}/${repo}/actions/secrets/${secretName}`;
-  let res;
-  let operation = "create or update";
-  if (!config.dry) {
-    const { status, data } = await octokit.request(
-      url,
-      {
-        owner,
-        repo,
-        secret_name: secretName,
-        encrypted_value: await encrypt(secretValue, publicKey),
-        key_id: publicKey.key_id,
+  return withSpinner(
+    `Create or update ${secretName} for ${repoPath}`,
+    `${secretName} created/updated successfully for ${repoPath}`,
+    `Failed to create or update ${secretName} for ${repoPath}`,
+    `Create or Update Secret: ${c.yellow(url)}`,
+    void 0,
+    config,
+    async () => {
+      const { status, data } = await octokit.request(
+        url,
+        {
+          owner,
+          repo,
+          secret_name: secretName,
+          encrypted_value: await encrypt(secretValue, publicKey),
+          key_id: publicKey.key_id,
+          headers: {
+            "X-GitHub-Api-Version": config.apiVersion
+          }
+        }
+      );
+      if (status !== 201 && status !== 204) {
+        throw new Error(`HTTP ${status}: ${JSON.stringify(data)}`);
+      }
+      return data;
+    }
+  );
+}
+async function getRepos(config) {
+  const octokit = createOctokit(config);
+  const url = "GET /user/repos";
+  return withSpinner(
+    "Fetching repositories",
+    "Repositories fetched successfully",
+    "Failed to fetch repositories",
+    `Fetch Repositories: ${c.yellow(url)}`,
+    [],
+    config,
+    async () => {
+      const { status, data } = await octokit.request(url, {
         headers: {
-          "X-GitHub-Api-Version": GITHUB_API_VERSION
+          "X-GitHub-Api-Version": config.apiVersion
         }
+      });
+      if (status !== 200) {
+        throw new Error(`HTTP ${status}: ${JSON.stringify(data)}`);
       }
-    );
-    if (status !== 201 && status !== 204) {
-      spinner.error(c.red(`Failed to create or update ${secretName} for ${repoPath}`));
-      console.error(c.red(JSON.stringify(data, null, 2)));
+      return data;
+    }
+  );
+}
+function createOctokit(config) {
+  return new Octokit({ auth: formatToken(config.token) });
+}
+async function withSpinner(loadingText, successText, failedText, dryText, defaultValue, config, request) {
+  const spinner = Spinner({ text: c.blue(loadingText) }).start();
+  let result;
+  if (!config.dry) {
+    try {
+      result = await request();
+      spinner.success(c.green(successText));
+    } catch (error) {
+      spinner.error(c.red(failedText));
+      console.error(c.red(JSON.stringify(error, null, 2)));
       process.exit(1);
     }
-    operation = status === 201 ? "created" : "updated";
-    res = data;
   } else {
     console.log();
-    console.log(c.yellow(`Create or update ${secretName} for ${repoPath}`));
+    console.log(c.yellow(dryText));
+    result = defaultValue;
   }
-  spinner.success(c.green(`${secretName} ${operation} successfully for ${repoPath}`));
-  return res;
+  return result;
 }
-function parseRepo(repoPath) {
-  const [owner, repo] = repoPath.split("/");
-  return { owner, repo };
+function normalizeConfig(options) {
+  const cwd = options.cwd || process.cwd();
+  if (typeof options.repos === "string")
+    options.repos = [options.repos];
+  if (typeof options.secrets === "string")
+    options.secrets = [options.secrets];
+  const config = { ...DEFAULT_SYNC_OPTIONS, ...options };
+  config.token = config.token || process.env.GITHUB_PAT || process.env.GITHUB_TOKEN || "";
+  if (config.repos.length && config.secrets.length) {
+    return config;
+  }
+  const configContent = parse(readFileSync(join(cwd, config.config), "utf-8"));
+  config.repos = Array.isArray(configContent.repos) ? configContent.repos : [];
+  config.secrets = Array.isArray(configContent.envs) ? configContent.envs : [];
+  return config;
+}
+async function resolveConfig(options) {
+  const config = normalizeConfig(options);
+  if (config.repos.some((r) => r.includes("*"))) {
+    const repos = await getReposByRegex(config);
+    if (repos.length) {
+      config.repos = [.../* @__PURE__ */ new Set([...config.repos, ...repos])];
+    }
+    config.repos = config.repos.filter((r) => !r.includes("*"));
+  }
+  if (!config.token)
+    throw new Error(c.red("Please provide a GitHub token"));
+  if (!config.repos)
+    throw new Error(c.red("Please provide repos to sync"));
+  if (!config.secrets)
+    throw new Error(c.red("Please provide secrets to sync"));
+  return config;
+}
+async function getReposByRegex(options) {
+  const _repos = options.repos.filter((r) => r.includes("*"));
+  const regexes = _repos.find((r) => r === "*") ? ["*"] : _repos.map((r) => new RegExp(r));
+  if (regexes.length === 0)
+    return [];
+  const list = await getRepos(options);
+  const repos = options.private ? list : list.filter((r) => !r.private);
+  if (regexes.find((r) => r === "*"))
+    return repos.map((r) => r.full_name);
+  return repos.filter((r) => regexes.some((regex) => regex.test(r.full_name))).map((r) => r.full_name);
 }
 try {
   const cli = cac("gh-secrets-sync");
-  cli.command("").option("--config <config>", "secrets config file", { default: "./secrets.config.yaml" }).option("--secrets <secrets...>", "secrets name to sync", { default: [] }).option("--token <token>", "GitHub token").option("--env-prefix <prefix>", "environment variable prefix", { default: "" }).option("--strict", "Throw error if secret is not found in the environment variables", { default: true }).option("--dry", "Dry run", { default: false }).allowUnknownOptions().action(async (options) => {
+  cli.command("").option("--config <config>", "secrets config file", { default: "./secrets.config.yaml" }).option("--secrets <secrets...>", "secrets name to sync", { default: [] }).option("--token <token>", "GitHub token").option("--api-version <version>", "GitHub API version", { default: "2022-11-28" }).option("--private", "Detect private repositories", { default: false }).option("--env-prefix <prefix>", "environment variable prefix", { default: "" }).option("--strict", "Throw error if secret is not found in the environment variables", { default: true }).option("--dry", "Dry run", { default: false }).allowUnknownOptions().action(async (options) => {
     console.log(`${c.yellow(name)} ${c.dim(`v${version}`)}`);
     console.log();
     const config = await resolveConfig(options);

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "gh-secrets-sync",
   "type": "module",
-  "version": "0.0.2",
+  "version": "0.1.0",
   "description": "CLI tool to batch sync GitHub Actions secrets across multiple repositories.",
   "author": "jinghaihan",
   "license": "MIT",