gh-secrets-sync 0.0.2 → 0.1.1

package/README.md

@@ -1,32 +1,53 @@
 # GitHub Secrets Sync
 
+[![npm version][npm-version-src]][npm-version-href]
+[![bundle][bundle-src]][bundle-href]
+[![JSDocs][jsdocs-src]][jsdocs-href]
+[![License][license-src]][license-href]
+
 A CLI tool to batch sync GitHub Actions secrets across multiple repositories. Sync secrets from a central repository to target repositories using GitHub CI.
 
-## Why Use This Tool?
+## Why?
 
 Managing GitHub Actions secrets across multiple repositories can be tedious:
 
 - **Manual repetition**: You need to manually add the same secret to each repository
-- **Time-consuming**: Updating a secret across many repos requires visiting each one individually
 - **Error-prone**: Easy to forget to update a secret in one of the repositories
 
 This tool automates the process, allowing you to sync secrets across multiple repositories with a single command.
 
 ## Usage
 
-1. **Create a configuration file** (`secrets.config.yaml`) in your central repository:
+**Create a configuration file** (`secrets.config.yaml`) in your central repository or local directory:
 
 ```yaml
 repos:
-  - owner/vscode-extension1
-  - owner/vscode-extension2
+  - owner/vscode-*
 
 envs:
   - VSCE_PAT
   - OVSX_PAT
 ```
 
-2. **Set up GitHub CI** in your central repository:
+> [!NOTE]
+> Both `repos` and `envs` support `*` wildcards. For `repos`, the tool lists all repositories accessible by your token and filters by the pattern (e.g., `owner/vscode-*`). For `envs`, wildcards are expanded by listing secrets from the central repository and matching by name. The central repository is auto-detected in GitHub Actions (from the checked-out repo); for local runs, pass `--repo <owner/repo>`.
+
+### Local usage
+
+If GitHub CI feels too complex, you can simply run it locally:
+
+```bash
+# Set your token and secret values in env
+export GITHUB_PAT=...
+export VSCE_PAT=...
+export OVSX_PAT=...
+
+npx gh-secrets-sync
+```
+
+### GitHub CI usage
+
+**Set up GitHub CI** in your central repository:
 
 ```yaml
 # .github/workflows/sync-secrets.yml
@@ -37,8 +58,10 @@ permissions:
 
 on:
   push:
-    branches:
-      - main
+    branches: [main]
+  schedule:
+    - cron: '0 0 * * *'
+  workflow_dispatch:
 
 jobs:
   sync:
@@ -54,14 +77,15 @@ jobs:
           node-version: lts/*
 
       - name: Sync Secrets
-        run: npx gh-secrets-sync
+        # if regex patterns are used in `repos` or `secrets` must set `--yes` in GitHub Actions
+        run: npx gh-secrets-sync --yes
         env:
           GITHUB_PAT: ${{secrets.GITHUB_PAT}}
           VSCE_PAT: ${{secrets.VSCE_PAT}}
           OVSX_PAT: ${{secrets.OVSX_PAT}}
 ```
 
-3. **Configure secrets in your central repository**:
+**Configure secrets in your central repository**:
    - Go to your central repository Settings > Secrets and variables > Actions
    - Add `GITHUB_PAT` as a repository secret (this is your GitHub Personal Access Token)
    - Add `VSCE_PAT` and `OVSX_PAT` as repository secrets
@@ -81,3 +105,16 @@ jobs:
 ## License
 
 [MIT](./LICENSE) License © [jinghaihan](https://github.com/jinghaihan)
+
+<!-- Badges -->
+
+[npm-version-src]: https://img.shields.io/npm/v/gh-secrets-sync?style=flat&colorA=080f12&colorB=1fa669
+[npm-version-href]: https://npmjs.com/package/gh-secrets-sync
+[npm-downloads-src]: https://img.shields.io/npm/dm/gh-secrets-sync?style=flat&colorA=080f12&colorB=1fa669
+[npm-downloads-href]: https://npmjs.com/package/gh-secrets-sync
+[bundle-src]: https://img.shields.io/bundlephobia/minzip/gh-secrets-sync?style=flat&colorA=080f12&colorB=1fa669&label=minzip
+[bundle-href]: https://bundlephobia.com/result?p=gh-secrets-sync
+[license-src]: https://img.shields.io/badge/license-MIT-blue.svg?style=flat&colorA=080f12&colorB=1fa669
+[license-href]: https://github.com/jinghaihan/gh-secrets-sync/LICENSE
+[jsdocs-src]: https://img.shields.io/badge/jsdocs-reference-080f12?style=flat&colorA=080f12&colorB=1fa669
+[jsdocs-href]: https://www.jsdocs.io/package/gh-secrets-sync

package/dist/cli.mjs

@@ -1,7 +1,8 @@
 import process from 'node:process';
 import c from 'ansis';
 import { cac } from 'cac';
-import { readFileSync } from 'node:fs';
+import { readFile } from 'node:fs/promises';
+import * as p from '@clack/prompts';
 import { join } from 'pathe';
 import { parse } from 'yaml';
 import { Octokit } from '@octokit/core';
@@ -9,43 +10,28 @@ import Spinner from 'yocto-spinner';
 import sodium from 'libsodium-wrappers';
 
 const name = "gh-secrets-sync";
-const version = "0.0.2";
+const version = "0.1.1";
 
 const DEFAULT_SYNC_OPTIONS = {
   config: "./secrets.config.yaml",
   repos: [],
   secrets: [],
   envPrefix: "",
+  apiVersion: "2022-11-28",
+  private: false,
+  baseUrl: "github.com",
+  repo: "",
   dry: false,
-  strict: true
+  strict: true,
+  yes: false
 };
-const GITHUB_API_VERSION = "2022-11-28";
 
-function resolveConfig(options) {
-  const getConfig = () => {
-    const cwd = options.cwd || process.cwd();
-    if (typeof options.repos === "string")
-      options.repos = [options.repos];
-    if (typeof options.secrets === "string")
-      options.secrets = [options.secrets];
-    const config2 = { ...DEFAULT_SYNC_OPTIONS, ...options };
-    config2.token = config2.token || process.env.GITHUB_PAT || process.env.GITHUB_TOKEN || "";
-    if (config2.repos.length && config2.secrets.length) {
-      return config2;
-    }
-    const configContent = parse(readFileSync(join(cwd, config2.config), "utf-8"));
-    config2.repos = Array.isArray(configContent.repos) ? configContent.repos : [];
-    config2.secrets = Array.isArray(configContent.envs) ? configContent.envs : [];
-    return config2;
-  };
-  const config = getConfig();
-  if (!config.token)
-    throw new Error(c.red("Please provide a GitHub token"));
-  if (!config.repos)
-    throw new Error(c.red("Please provide repos to sync"));
-  if (!config.secrets)
-    throw new Error(c.red("Please provide secrets to sync"));
-  return config;
+function createRegexFilter(options, field) {
+  const list = options.filter((i) => i.includes("*"));
+  if (list.length === 0 || list.includes("*"))
+    return () => true;
+  const regexes = list.map((r) => new RegExp(r));
+  return (i) => regexes.some((regex) => regex.test(i[field]));
 }
 
 async function encrypt(value, publicKey) {
@@ -59,85 +45,257 @@ async function encrypt(value, publicKey) {
 function formatToken(token) {
   return `Bearer ${token}`;
 }
+function parseRepo(repoPath) {
+  const [owner, repo] = repoPath.split("/");
+  return { owner, repo };
+}
 
+async function readTokenFromGitHubCli() {
+  try {
+    return await execCommand("gh", ["auth", "token"]);
+  } catch {
+    return "";
+  }
+}
+async function getGitHubRepo(baseUrl) {
+  const url = await execCommand("git", ["config", "--get", "remote.origin.url"]);
+  const escapedBaseUrl = baseUrl.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+  const regex = new RegExp(`${escapedBaseUrl}[/:]([\\w\\d._-]+?)\\/([\\w\\d._-]+?)(\\.git)?$`, "i");
+  const match = regex.exec(url);
+  if (!match)
+    throw new Error(`Can not parse GitHub repo from url ${url}`);
+  return `${match[1]}/${match[2]}`;
+}
+async function execCommand(cmd, args) {
+  const { execa } = await import('execa');
+  const res = await execa(cmd, args);
+  return res.stdout.trim();
+}
 async function getRepoPublicKey(repoPath, config) {
-  const octokit = new Octokit({
-    auth: formatToken(config.token)
-  });
-  const spinner = Spinner({ text: c.blue(`Fetching public key for ${repoPath}`) }).start();
+  const octokit = createOctokit(config);
   const { owner, repo } = parseRepo(repoPath);
   const url = `GET /repos/${owner}/${repo}/actions/secrets/public-key`;
-  let res = { key: "", key_id: "" };
-  if (!config.dry) {
-    const { status, data } = await octokit.request(
-      url,
-      {
-        owner,
-        repo,
-        headers: {
-          "X-GitHub-Api-Version": GITHUB_API_VERSION
+  return withSpinner(
+    `Fetching public key for ${repoPath}`,
+    `Public key fetched successfully for ${repoPath}`,
+    `Failed to fetch public key for ${repoPath}`,
+    `Fetch Public Key: ${c.yellow(url)}`,
+    { key: "", key_id: "" },
+    config,
+    async () => {
+      const { status, data } = await octokit.request(
+        url,
+        {
+          owner,
+          repo,
+          headers: {
+            "X-GitHub-Api-Version": config.apiVersion
+          }
         }
+      );
+      if (status !== 200) {
+        throw new Error(`HTTP ${status}: ${JSON.stringify(data)}`);
       }
-    );
-    if (status !== 200) {
-      spinner.error(c.red(`Failed to fetch public key for ${repoPath}: ${status}`));
-      console.error(c.red(JSON.stringify(data, null, 2)));
-      process.exit(1);
+      return data;
     }
-    res = data;
-  } else {
-    console.log();
-    console.log(c.yellow(`Get a repository public key: ${repoPath}`));
-  }
-  spinner.success(c.green(`Public key fetched successfully for ${repoPath}`));
-  return res;
+  );
 }
 async function createOrUpdateRepoSecret(secretName, secretValue, publicKey, repoPath, config) {
-  const octokit = new Octokit({
-    auth: formatToken(config.token)
-  });
+  const octokit = createOctokit(config);
   secretName = `${config.envPrefix}${secretName}`;
-  const spinner = Spinner({ text: c.blue(`Create or update ${secretName} for ${repoPath}`) }).start();
   const { owner, repo } = parseRepo(repoPath);
   const url = `PUT /repos/${owner}/${repo}/actions/secrets/${secretName}`;
-  let res;
-  let operation = "create or update";
-  if (!config.dry) {
-    const { status, data } = await octokit.request(
-      url,
-      {
+  return withSpinner(
+    `Create or update ${secretName} for ${repoPath}`,
+    `${secretName} created/updated successfully for ${repoPath}`,
+    `Failed to create or update ${secretName} for ${repoPath}`,
+    `Create or Update Secret: ${c.yellow(url)}`,
+    void 0,
+    config,
+    async () => {
+      const { status, data } = await octokit.request(
+        url,
+        {
+          owner,
+          repo,
+          secret_name: secretName,
+          encrypted_value: await encrypt(secretValue, publicKey),
+          key_id: publicKey.key_id,
+          headers: {
+            "X-GitHub-Api-Version": config.apiVersion
+          }
+        }
+      );
+      if (status !== 201 && status !== 204) {
+        throw new Error(`HTTP ${status}: ${JSON.stringify(data)}`);
+      }
+      return data;
+    }
+  );
+}
+async function getRepos(config) {
+  const octokit = createOctokit(config);
+  const url = "GET /user/repos";
+  return withSpinner(
+    "Fetching repositories",
+    "Repositories fetched successfully",
+    "Failed to fetch repositories",
+    `Fetch Repositories: ${c.yellow(url)}`,
+    [],
+    config,
+    async () => {
+      const { status, data } = await octokit.request(url, {
+        headers: {
+          "X-GitHub-Api-Version": config.apiVersion
+        }
+      });
+      if (status !== 200) {
+        throw new Error(`HTTP ${status}: ${JSON.stringify(data)}`);
+      }
+      return data;
+    }
+  );
+}
+async function getRepoSecrets(config) {
+  const repoPath = config.repo || await getGitHubRepo(config.baseUrl);
+  if (!repoPath)
+    return [];
+  const octokit = createOctokit(config);
+  const { owner, repo } = parseRepo(repoPath);
+  const url = `GET /repos/${owner}/${repo}/actions/secrets`;
+  return withSpinner(
+    `Fetching secrets for ${repoPath}`,
+    `Secrets fetched successfully for ${repoPath}`,
+    `Failed to fetch secrets for ${repoPath}`,
+    `Fetch Secrets: ${c.yellow(url)}`,
+    [],
+    config,
+    async () => {
+      const { status, data } = await octokit.request(url, {
         owner,
         repo,
-        secret_name: secretName,
-        encrypted_value: await encrypt(secretValue, publicKey),
-        key_id: publicKey.key_id,
         headers: {
-          "X-GitHub-Api-Version": GITHUB_API_VERSION
+          "X-GitHub-Api-Version": config.apiVersion
         }
+      });
+      if (status !== 200) {
+        throw new Error(`HTTP ${status}: ${JSON.stringify(data)}`);
       }
-    );
-    if (status !== 201 && status !== 204) {
-      spinner.error(c.red(`Failed to create or update ${secretName} for ${repoPath}`));
-      console.error(c.red(JSON.stringify(data, null, 2)));
+      return data.secrets;
+    }
+  );
+}
+function createOctokit(config) {
+  return new Octokit({ auth: formatToken(config.token) });
+}
+async function withSpinner(loadingText, successText, failedText, dryText, defaultValue, config, request) {
+  const spinner = Spinner({ text: c.blue(loadingText) }).start();
+  let result;
+  if (!config.dry) {
+    try {
+      result = await request();
+      spinner.success(c.green(successText));
+    } catch (error) {
+      spinner.error(c.red(failedText));
+      console.error(c.red(JSON.stringify(error, null, 2)));
       process.exit(1);
     }
-    operation = status === 201 ? "created" : "updated";
-    res = data;
   } else {
     console.log();
-    console.log(c.yellow(`Create or update ${secretName} for ${repoPath}`));
+    console.log(c.yellow(dryText));
+    result = defaultValue;
   }
-  spinner.success(c.green(`${secretName} ${operation} successfully for ${repoPath}`));
-  return res;
+  return result;
 }
-function parseRepo(repoPath) {
-  const [owner, repo] = repoPath.split("/");
-  return { owner, repo };
+
+async function normalizeConfig(options) {
+  const cwd = options.cwd || process.cwd();
+  if (typeof options.repos === "string")
+    options.repos = [options.repos];
+  if (typeof options.secrets === "string")
+    options.secrets = [options.secrets];
+  const config = { ...DEFAULT_SYNC_OPTIONS, ...options };
+  config.token = config.token || process.env.GITHUB_PAT || process.env.GITHUB_TOKEN || await readTokenFromGitHubCli();
+  if (config.repos.length && config.secrets.length) {
+    return config;
+  }
+  const configContent = parse(await readFile(join(cwd, config.config), "utf-8"));
+  config.repos = Array.isArray(configContent.repos) ? configContent.repos : [];
+  config.secrets = Array.isArray(configContent.envs) ? configContent.envs : [];
+  return config;
+}
+async function resolveConfig(options) {
+  const config = await normalizeConfig(options);
+  if (config.repos.some((r) => r.includes("*"))) {
+    await resolveRepoPatterns(config);
+  }
+  if (config.secrets.some((s) => s.includes("*"))) {
+    await resolveSecretPatterns(config);
+  }
+  if (!config.token)
+    throw new Error(c.red("Please provide a GitHub token"));
+  if (!config.repos)
+    throw new Error(c.red("Please provide repos to sync"));
+  if (!config.secrets)
+    throw new Error(c.red("Please provide secrets to sync"));
+  return config;
+}
+async function resolveRepoPatterns(options) {
+  const filter = createRegexFilter(options.repos, "full_name");
+  let repos = (await getRepos(options)).filter((i) => filter(i) && (options.private || !i.private)).map((i) => i.full_name);
+  if (repos.length) {
+    repos = [.../* @__PURE__ */ new Set([...options.repos, ...repos])];
+  }
+  repos = repos.filter((i) => !i.includes("*"));
+  if (options.yes || !repos.length) {
+    options.repos = repos;
+    return;
+  }
+  const result = await p.multiselect({
+    message: "Select repos to sync",
+    options: repos.map((i) => ({ label: i, value: i })),
+    initialValues: repos
+  });
+  if (p.isCancel(result)) {
+    console.error(c.red("aborting"));
+    process.exit(1);
+  }
+  if (typeof result === "symbol") {
+    console.error(c.red("invalid repo selection"));
+    process.exit(1);
+  }
+  options.repos = result;
+}
+async function resolveSecretPatterns(options) {
+  const filter = createRegexFilter(options.secrets, "name");
+  let secrets = (await getRepoSecrets(options)).filter((i) => filter(i)).map((i) => i.name);
+  if (secrets.length) {
+    secrets = [.../* @__PURE__ */ new Set([...options.secrets, ...secrets])];
+  }
+  secrets = secrets.filter((i) => !i.includes("*"));
+  if (options.yes || !secrets.length) {
+    options.secrets = secrets;
+    return;
+  }
+  const result = await p.multiselect({
+    message: "Select secrets to sync",
+    options: secrets.map((i) => ({ label: i, value: i })),
+    initialValues: secrets
+  });
+  if (p.isCancel(result)) {
+    console.error(c.red("aborting"));
+    process.exit(1);
+  }
+  if (typeof result === "symbol") {
+    console.error(c.red("invalid secret selection"));
+    process.exit(1);
+  }
+  options.secrets = result;
 }
 
 try {
   const cli = cac("gh-secrets-sync");
-  cli.command("").option("--config <config>", "secrets config file", { default: "./secrets.config.yaml" }).option("--secrets <secrets...>", "secrets name to sync", { default: [] }).option("--token <token>", "GitHub token").option("--env-prefix <prefix>", "environment variable prefix", { default: "" }).option("--strict", "Throw error if secret is not found in the environment variables", { default: true }).option("--dry", "Dry run", { default: false }).allowUnknownOptions().action(async (options) => {
+  cli.command("").option("--config <config>", "secrets config file", { default: "./secrets.config.yaml" }).option("--secrets <secrets...>", "secrets name to sync", { default: [] }).option("--token <token>", "GitHub token").option("--api-version <version>", "GitHub API version", { default: "2022-11-28" }).option("--private", "Detect private repositories", { default: false }).option("--env-prefix <prefix>", "environment variable prefix", { default: "" }).option("--repo <repo>", "central GitHub repository").option("--strict", "Throw error if secret is not found in the environment variables", { default: true }).option("--yes", "Prompt to confirm resolved matches when regex patterns are used in repos or secrets", { default: false }).option("--dry", "Dry run", { default: false }).allowUnknownOptions().action(async (options) => {
     console.log(`${c.yellow(name)} ${c.dim(`v${version}`)}`);
     console.log();
     const config = await resolveConfig(options);

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "gh-secrets-sync",
   "type": "module",
-  "version": "0.0.2",
+  "version": "0.1.1",
   "description": "CLI tool to batch sync GitHub Actions secrets across multiple repositories.",
   "author": "jinghaihan",
   "license": "MIT",
@@ -35,13 +35,13 @@
     "dist"
   ],
   "dependencies": {
+    "@clack/prompts": "^0.11.0",
     "@octokit/core": "^7.0.3",
     "ansis": "^4.1.0",
     "cac": "^6.7.14",
     "execa": "^9.6.0",
     "libsodium-wrappers": "^0.7.15",
     "pathe": "^2.0.3",
-    "unconfig": "^7.3.2",
     "yaml": "^2.8.1",
     "yocto-spinner": "^1.0.0"
   },