npm - gh-secrets-sync - Versions diffs - 0.1.0 → 0.1.2 - Mend

gh-secrets-sync 0.1.0 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -12,14 +12,13 @@ A CLI tool to batch sync GitHub Actions secrets across multiple repositories. Sy
 Managing GitHub Actions secrets across multiple repositories can be tedious:
 - **Manual repetition**: You need to manually add the same secret to each repository
-- **Time-consuming**: Updating a secret across many repos requires visiting each one individually
 - **Error-prone**: Easy to forget to update a secret in one of the repositories
 This tool automates the process, allowing you to sync secrets across multiple repositories with a single command.
 ## Usage
-1. **Create a configuration file** (`secrets.config.yaml`) in your central repository:
+**Create a configuration file** (`secrets.config.yaml`) in your central repository or local directory:
 ```yaml
 repos:
@@ -30,9 +29,25 @@ envs:
   - OVSX_PAT
 ```
-> **Note**: The `repos` configuration supports regex patterns with `*` wildcards. The tool will fetch all repositories accessible by your GitHub token and filter them based on the regex patterns. For example, `owner/vscode-*` will match all repositories under the specified owner that start with "vscode-".
+> [!NOTE]
+> Both `repos` and `envs` support `*` wildcards. For `repos`, the tool lists all repositories accessible by your token and filters by the pattern (e.g., `owner/vscode-*`). For `envs`, wildcards are expanded by listing secrets from the central repository and matching by name. The central repository is auto-detected in GitHub Actions (from the checked-out repo); for local runs, pass `--repo <owner/repo>`.
-2. **Set up GitHub CI** in your central repository:
+### Local usage
+If GitHub CI feels too complex, you can simply run it locally:
+```bash
+# Set your token and secret values in env
+export GH_PAT=...
+export VSCE_PAT=...
+export OVSX_PAT=...
+npx gh-secrets-sync
+```
+### GitHub CI usage
+**Set up GitHub CI** in your central repository:
 ```yaml
 # .github/workflows/sync-secrets.yml
@@ -62,16 +77,17 @@ jobs:
           node-version: lts/*
       - name: Sync Secrets
-        run: npx gh-secrets-sync
+        # if regex patterns are used in `repos` or `secrets` must set `--yes` in GitHub Actions
+        run: npx gh-secrets-sync --yes
         env:
-          GITHUB_PAT: ${{secrets.GITHUB_PAT}}
+          GH_PAT: ${{secrets.GH_PAT}}
           VSCE_PAT: ${{secrets.VSCE_PAT}}
           OVSX_PAT: ${{secrets.OVSX_PAT}}
 ```
-3. **Configure secrets in your central repository**:
+**Configure secrets in your central repository**:
    - Go to your central repository Settings > Secrets and variables > Actions
-   - Add `GITHUB_PAT` as a repository secret (this is your GitHub Personal Access Token)
+   - Add `GH_PAT` as a repository secret (this is your GitHub Personal Access Token)
    - Add `VSCE_PAT` and `OVSX_PAT` as repository secrets
 ### How to Get Your GitHub Token
@@ -84,7 +100,7 @@ jobs:
    - Repository permissions > Actions: Read and write
    - Metadata
 5. Click "Generate token"
-6. Add the token as a repository secret named `GITHUB_PAT` in your central repository
+6. Add the token as a repository secret named `GH_PAT` in your central repository
 ## License

package/dist/cli.mjs CHANGED Viewed

@@ -1,7 +1,8 @@
 import process from 'node:process';
 import c from 'ansis';
 import { cac } from 'cac';
-import { readFileSync } from 'node:fs';
+import { readFile } from 'node:fs/promises';
+import * as p from '@clack/prompts';
 import { join } from 'pathe';
 import { parse } from 'yaml';
 import { Octokit } from '@octokit/core';
@@ -9,7 +10,7 @@ import Spinner from 'yocto-spinner';
 import sodium from 'libsodium-wrappers';
 const name = "gh-secrets-sync";
-const version = "0.1.0";
+const version = "0.1.2";
 const DEFAULT_SYNC_OPTIONS = {
   config: "./secrets.config.yaml",
@@ -18,10 +19,21 @@ const DEFAULT_SYNC_OPTIONS = {
   envPrefix: "",
   apiVersion: "2022-11-28",
   private: false,
+  baseUrl: "github.com",
+  repo: "",
   dry: false,
-  strict: true
+  strict: true,
+  yes: false
 };
+function createRegexFilter(options, field) {
+  const list = options.filter((i) => i.includes("*"));
+  if (list.length === 0 || list.includes("*"))
+    return () => true;
+  const regexes = list.map((r) => new RegExp(r));
+  return (i) => regexes.some((regex) => regex.test(i[field]));
+}
 async function encrypt(value, publicKey) {
   await sodium.ready;
   const binkey = sodium.from_base64(publicKey.key, sodium.base64_variants.ORIGINAL);
@@ -38,6 +50,27 @@ function parseRepo(repoPath) {
   return { owner, repo };
 }
+async function readTokenFromGitHubCli() {
+  try {
+    return await execCommand("gh", ["auth", "token"]);
+  } catch {
+    return "";
+  }
+}
+async function getGitHubRepo(baseUrl) {
+  const url = await execCommand("git", ["config", "--get", "remote.origin.url"]);
+  const escapedBaseUrl = baseUrl.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+  const regex = new RegExp(`${escapedBaseUrl}[/:]([\\w\\d._-]+?)\\/([\\w\\d._-]+?)(\\.git)?$`, "i");
+  const match = regex.exec(url);
+  if (!match)
+    throw new Error(`Can not parse GitHub repo from url ${url}`);
+  return `${match[1]}/${match[2]}`;
+}
+async function execCommand(cmd, args) {
+  const { execa } = await import('execa');
+  const res = await execa(cmd, args);
+  return res.stdout.trim();
+}
 async function getRepoPublicKey(repoPath, config) {
   const octokit = createOctokit(config);
   const { owner, repo } = parseRepo(repoPath);
@@ -123,6 +156,35 @@ async function getRepos(config) {
     }
   );
 }
+async function getRepoSecrets(config) {
+  const repoPath = config.repo || await getGitHubRepo(config.baseUrl);
+  if (!repoPath)
+    return [];
+  const octokit = createOctokit(config);
+  const { owner, repo } = parseRepo(repoPath);
+  const url = `GET /repos/${owner}/${repo}/actions/secrets`;
+  return withSpinner(
+    `Fetching secrets for ${repoPath}`,
+    `Secrets fetched successfully for ${repoPath}`,
+    `Failed to fetch secrets for ${repoPath}`,
+    `Fetch Secrets: ${c.yellow(url)}`,
+    [],
+    config,
+    async () => {
+      const { status, data } = await octokit.request(url, {
+        owner,
+        repo,
+        headers: {
+          "X-GitHub-Api-Version": config.apiVersion
+        }
+      });
+      if (status !== 200) {
+        throw new Error(`HTTP ${status}: ${JSON.stringify(data)}`);
+      }
+      return data.secrets;
+    }
+  );
+}
 function createOctokit(config) {
   return new Octokit({ auth: formatToken(config.token) });
 }
@@ -146,30 +208,29 @@ async function withSpinner(loadingText, successText, failedText, dryText, defaul
   return result;
 }
-function normalizeConfig(options) {
+async function normalizeConfig(options) {
   const cwd = options.cwd || process.cwd();
   if (typeof options.repos === "string")
     options.repos = [options.repos];
   if (typeof options.secrets === "string")
     options.secrets = [options.secrets];
   const config = { ...DEFAULT_SYNC_OPTIONS, ...options };
-  config.token = config.token || process.env.GITHUB_PAT || process.env.GITHUB_TOKEN || "";
+  config.token = config.token || process.env.GH_PAT || process.env.GITHUB_TOKEN || await readTokenFromGitHubCli();
   if (config.repos.length && config.secrets.length) {
     return config;
   }
-  const configContent = parse(readFileSync(join(cwd, config.config), "utf-8"));
+  const configContent = parse(await readFile(join(cwd, config.config), "utf-8"));
   config.repos = Array.isArray(configContent.repos) ? configContent.repos : [];
   config.secrets = Array.isArray(configContent.envs) ? configContent.envs : [];
   return config;
 }
 async function resolveConfig(options) {
-  const config = normalizeConfig(options);
+  const config = await normalizeConfig(options);
   if (config.repos.some((r) => r.includes("*"))) {
-    const repos = await getReposByRegex(config);
-    if (repos.length) {
-      config.repos = [.../* @__PURE__ */ new Set([...config.repos, ...repos])];
-    }
-    config.repos = config.repos.filter((r) => !r.includes("*"));
+    await resolveRepoPatterns(config);
+  }
+  if (config.secrets.some((s) => s.includes("*"))) {
+    await resolveSecretPatterns(config);
   }
   if (!config.token)
     throw new Error(c.red("Please provide a GitHub token"));
@@ -179,21 +240,62 @@ async function resolveConfig(options) {
     throw new Error(c.red("Please provide secrets to sync"));
   return config;
 }
-async function getReposByRegex(options) {
-  const _repos = options.repos.filter((r) => r.includes("*"));
-  const regexes = _repos.find((r) => r === "*") ? ["*"] : _repos.map((r) => new RegExp(r));
-  if (regexes.length === 0)
-    return [];
-  const list = await getRepos(options);
-  const repos = options.private ? list : list.filter((r) => !r.private);
-  if (regexes.find((r) => r === "*"))
-    return repos.map((r) => r.full_name);
-  return repos.filter((r) => regexes.some((regex) => regex.test(r.full_name))).map((r) => r.full_name);
+async function resolveRepoPatterns(options) {
+  const filter = createRegexFilter(options.repos, "full_name");
+  let repos = (await getRepos(options)).filter((i) => filter(i) && (options.private || !i.private)).map((i) => i.full_name);
+  if (repos.length) {
+    repos = [.../* @__PURE__ */ new Set([...options.repos, ...repos])];
+  }
+  repos = repos.filter((i) => !i.includes("*"));
+  if (options.yes || !repos.length) {
+    options.repos = repos;
+    return;
+  }
+  const result = await p.multiselect({
+    message: "Select repos to sync",
+    options: repos.map((i) => ({ label: i, value: i })),
+    initialValues: repos
+  });
+  if (p.isCancel(result)) {
+    console.error(c.red("aborting"));
+    process.exit(1);
+  }
+  if (typeof result === "symbol") {
+    console.error(c.red("invalid repo selection"));
+    process.exit(1);
+  }
+  options.repos = result;
+}
+async function resolveSecretPatterns(options) {
+  const filter = createRegexFilter(options.secrets, "name");
+  let secrets = (await getRepoSecrets(options)).filter((i) => filter(i)).map((i) => i.name);
+  if (secrets.length) {
+    secrets = [.../* @__PURE__ */ new Set([...options.secrets, ...secrets])];
+  }
+  secrets = secrets.filter((i) => !i.includes("*"));
+  if (options.yes || !secrets.length) {
+    options.secrets = secrets;
+    return;
+  }
+  const result = await p.multiselect({
+    message: "Select secrets to sync",
+    options: secrets.map((i) => ({ label: i, value: i })),
+    initialValues: secrets
+  });
+  if (p.isCancel(result)) {
+    console.error(c.red("aborting"));
+    process.exit(1);
+  }
+  if (typeof result === "symbol") {
+    console.error(c.red("invalid secret selection"));
+    process.exit(1);
+  }
+  options.secrets = result;
 }
 try {
   const cli = cac("gh-secrets-sync");
-  cli.command("").option("--config <config>", "secrets config file", { default: "./secrets.config.yaml" }).option("--secrets <secrets...>", "secrets name to sync", { default: [] }).option("--token <token>", "GitHub token").option("--api-version <version>", "GitHub API version", { default: "2022-11-28" }).option("--private", "Detect private repositories", { default: false }).option("--env-prefix <prefix>", "environment variable prefix", { default: "" }).option("--strict", "Throw error if secret is not found in the environment variables", { default: true }).option("--dry", "Dry run", { default: false }).allowUnknownOptions().action(async (options) => {
+  cli.command("").option("--config <config>", "secrets config file", { default: "./secrets.config.yaml" }).option("--secrets <secrets...>", "secrets name to sync", { default: [] }).option("--token <token>", "GitHub token").option("--api-version <version>", "GitHub API version", { default: "2022-11-28" }).option("--private", "Detect private repositories", { default: false }).option("--env-prefix <prefix>", "environment variable prefix", { default: "" }).option("--repo <repo>", "central GitHub repository").option("--strict", "Throw error if secret is not found in the environment variables", { default: true }).option("--yes", "Prompt to confirm resolved matches when regex patterns are used in repos or secrets", { default: false }).option("--dry", "Dry run", { default: false }).allowUnknownOptions().action(async (options) => {
     console.log(`${c.yellow(name)} ${c.dim(`v${version}`)}`);
     console.log();
     const config = await resolveConfig(options);

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "gh-secrets-sync",
   "type": "module",
-  "version": "0.1.0",
+  "version": "0.1.2",
   "description": "CLI tool to batch sync GitHub Actions secrets across multiple repositories.",
   "author": "jinghaihan",
   "license": "MIT",
@@ -35,29 +35,29 @@
     "dist"
   ],
   "dependencies": {
+    "@clack/prompts": "^0.11.0",
     "@octokit/core": "^7.0.3",
     "ansis": "^4.1.0",
     "cac": "^6.7.14",
     "execa": "^9.6.0",
     "libsodium-wrappers": "^0.7.15",
     "pathe": "^2.0.3",
-    "unconfig": "^7.3.2",
     "yaml": "^2.8.1",
     "yocto-spinner": "^1.0.0"
   },
   "devDependencies": {
-    "@antfu/eslint-config": "^5.2.0",
+    "@antfu/eslint-config": "^5.2.1",
     "@types/libsodium-wrappers": "^0.7.14",
-    "@types/node": "^24.2.0",
-    "bumpp": "^10.2.2",
-    "eslint": "^9.32.0",
-    "lint-staged": "^16.1.4",
-    "pncat": "^0.4.1",
+    "@types/node": "^24.3.0",
+    "bumpp": "^10.2.3",
+    "eslint": "^9.33.0",
+    "lint-staged": "^16.1.5",
+    "pncat": "^0.4.2",
     "simple-git-hooks": "^2.13.1",
-    "taze": "^19.1.0",
-    "tsx": "^4.20.3",
+    "taze": "^19.3.0",
+    "tsx": "^4.20.4",
     "typescript": "^5.9.2",
-    "unbuild": "^3.6.0",
+    "unbuild": "^3.6.1",
     "vitest": "^3.2.4"
   },
   "simple-git-hooks": {
@@ -69,7 +69,7 @@
   "scripts": {
     "start": "tsx ./src/cli.ts",
     "build": "unbuild",
-    "typecheck": "tsc",
+    "typecheck": "tsc --noEmit",
     "test": "vitest",
     "lint": "eslint",
     "deps": "taze major -I",