adds initial .env support for secret 'syncing' from file #13

anomaly · Jan 28, 2021 · 7b48f28 · 7b48f28
1 parent f646f2f
commit 7b48f28
Show file tree

Hide file tree

Showing 7 changed files with 193 additions and 27 deletions.
diff --git a/.prettierrc b/.prettierrc
@@ -3,5 +3,6 @@
   "tabWidth": 2,
   "semi": false,
   "singleQuote": true,
-  "bracketSpacing": false
+  "bracketSpacing": false,
+  "arrowParens": "avoid"
 }
diff --git a/README.md b/README.md
@@ -25,7 +25,7 @@ $ npm install -g @anomalyhq/github-secrets-cli
 $ ghs COMMAND
 running command...
 $ ghs (-v|--version|version)
-@anomalyhq/github-secrets-cli/1.1.0 darwin-x64 node-v12.10.0
+@anomalyhq/github-secrets-cli/1.1.0 darwin-x64 node-v14.15.4
 $ ghs --help [COMMAND]
 USAGE
   $ ghs COMMAND
@@ -40,6 +40,7 @@ USAGE
 * [`ghs secrets:get`](#ghs-secretsget)
 * [`ghs secrets:remove`](#ghs-secretsremove)
 * [`ghs secrets:set`](#ghs-secretsset)
+* [`ghs secrets:sync [FILE]`](#ghs-secretssync-file)
 
 ## `ghs config:get`
 
@@ -141,6 +142,22 @@ OPTIONS
 ```
 
 _See code: [src/commands/secrets/set.ts](https://github.com/anomaly/github-secrets-cli/blob/v1.1.0/src/commands/secrets/set.ts)_
+
+## `ghs secrets:sync [FILE]`
+
+describe the command here
+
+```
+USAGE
+  $ ghs secrets:sync [FILE]
+
+OPTIONS
+  -f, --force
+  -h, --help       show CLI help
+  -n, --name=name  name to print
+```
+
+_See code: [src/commands/secrets/sync.ts](https://github.com/anomaly/github-secrets-cli/blob/v1.1.0/src/commands/secrets/sync.ts)_
 <!-- commandsstop -->
 
 

diff --git a/package.json b/package.json
@@ -11,10 +11,11 @@
     "@oclif/command": "^1",
     "@oclif/config": "^1",
     "@oclif/errors": "^1",
-    "@oclif/plugin-help": "^3",
-    "@octokit/request": "^5.4.5",
+    "@oclif/plugin-help": "^3.2.1",
+    "@octokit/request": "^5.4.13",
     "cli-ux": "^5.5.0",
-    "fs-extra": "^9.0.1",
+    "dotenv": "^8.2.0",
+    "fs-extra": "^9.1.0",
     "node-emoji": "^1.10.0",
     "tslib": "^1",
     "tweetsodium": "^0.0.5"
@@ -23,9 +24,9 @@
     "@oclif/dev-cli": "^1",
     "@oclif/test": "^1",
     "@types/chai": "^4",
-    "@types/fs-extra": "^9.0.1",
+    "@types/fs-extra": "^9.0.6",
     "@types/mocha": "^5",
-    "@types/node": "^14.0.20",
+    "@types/node": "^14.14.22",
     "@types/node-emoji": "^1.8.1",
     "chai": "^4",
     "eslint": "^5.13",

diff --git a/src/commands/secrets/set.ts b/src/commands/secrets/set.ts
@@ -110,10 +110,9 @@ export default class SecretsSet extends Command {
             key_id: token.key_id,
           }
         )
-        this.log('secret updated')
+        this.log(`Updated secret: ${flags.secret}`)
       } catch (error) {
-        this.error(error)
-        this.log('unable to update secret')
+        this.error(`Unable to update secret: ${flags.secret} \n${error}`)
       }
     } catch (error) {
       this.error(new CLIError(error), {exit: 1})

diff --git a/src/commands/secrets/sync.ts b/src/commands/secrets/sync.ts
@@ -0,0 +1,105 @@
+import {Command, flags} from '@oclif/command'
+import {CLIError} from '@oclif/errors'
+import dotenv from 'dotenv'
+import {request} from '@octokit/request'
+import fs from 'fs-extra'
+import sodium from 'tweetsodium'
+import {configuration} from '../../utils/config'
+
+export default class SecretsSync extends Command {
+  static description = 'describe the command here'
+
+  static flags = {
+    help: flags.help({char: 'h'}),
+    personalAccessToken: flags.string({
+      char: 't',
+      description: 'Your GitHub Personal Access Token.',
+      required: false,
+    }),
+    org: flags.string({
+      char: 'o',
+      description: 'Organisation the repo belongs to.',
+      required: false,
+    }),
+    repo: flags.string({
+      char: 'r',
+      description: 'Name of the repo.',
+      required: false,
+    }),
+    base64: flags.boolean({
+      char: 'b',
+      description: 'base64 the values before encoding.',
+      required: false,
+      default: false,
+    }),
+  }
+
+  static args = [{name: 'file'}]
+
+  async run() {
+    const {args, flags} = this.parse(SecretsSync)
+
+    try {
+      if (!args.file) {
+        this.error(new CLIError('Please provide a file'))
+      }
+      const messageString = fs.readFileSync(args.file)
+      const output = dotenv.parse(messageString, {debug: true})
+      this.log(typeof output, output)
+      if (Object.keys(output).length === 0 || output.constructor !== Object) {
+        this.error('File is either empty or not a valid .env format')
+      }
+
+      const conf = await configuration(this)
+
+      const requestWithAuth = request.defaults({
+        headers: {
+          authorization: `token ${
+            flags.personalAccessToken ?? conf.personalAccessToken
+          }`,
+        },
+      })
+
+      const {data: token} = await requestWithAuth(
+        'GET /repos/{owner}/{repo}/actions/secrets/public-key',
+        {
+          owner: flags.org ?? conf.org,
+          repo: flags.repo ?? conf.repo,
+        }
+      )
+
+      Object.keys(output).forEach(async key => {
+        let value = output[key]
+        if (flags.base64) {
+          value = btoa(value)
+        }
+
+        const messageBytes = Buffer.from(value)
+
+        const keyBytes = Buffer.from(token.key, 'base64')
+
+        const encryptedBytes = sodium.seal(messageBytes, keyBytes)
+
+        const encrypted = Buffer.from(encryptedBytes).toString('base64')
+
+        try {
+          await requestWithAuth(
+            'PUT /repos/{owner}/{repo}/actions/secrets/{secret_name}',
+            {
+              owner: flags.org ?? conf.org,
+              repo: flags.repo ?? conf.repo,
+              secret_name: key,
+              encrypted_value: encrypted,
+              key_id: token.key_id,
+            }
+          )
+          this.log(`Updated secret: ${key}`)
+        } catch (error) {
+          this.error(`Unable to update secret: ${key} \n${error}`)
+        }
+      })
+    } catch (error) {
+      this.error(new CLIError(error), {exit: 1})
+    }
+  }
+}
diff --git a/test/commands/secrets/sync.test.ts b/test/commands/secrets/sync.test.ts
@@ -0,0 +1,17 @@
+import {expect, test} from '@oclif/test'
+
+describe('secrets:sync', () => {
+  test
+  .stdout()
+  .command(['secrets:sync'])
+  .it('runs hello', ctx => {
+    expect(ctx.stdout).to.contain('hello world')
+  })
+
+  test
+  .stdout()
+  .command(['secrets:sync', '--name', 'jeff'])
+  .it('runs hello --name jeff', ctx => {
+    expect(ctx.stdout).to.contain('hello jeff')
+  })
+})
diff --git a/yarn.lock b/yarn.lock
@@ -199,6 +199,22 @@
     widest-line "^3.1.0"
     wrap-ansi "^4.0.0"
 
+"@oclif/plugin-help@^3.2.1":
+  version "3.2.1"
+  resolved "https://registry.yarnpkg.com/@oclif/plugin-help/-/plugin-help-3.2.1.tgz#0265ef2a7a8a37b0ed64957fb4f1ddac4b457d61"
+  integrity sha512-vq7rn16TrQmjX3Al/k1Z5iBZWZ3HE8fDXs52OmDJmmTqryPSNvURH9WCAsqr0PODYCSR17Hy1VTzS0x7vVVLEQ==
+  dependencies:
+    "@oclif/command" "^1.5.20"
+    "@oclif/config" "^1.15.1"
+    "@oclif/errors" "^1.2.2"
+    chalk "^2.4.1"
+    indent-string "^4.0.0"
+    lodash.template "^4.4.0"
+    string-width "^4.2.0"
+    strip-ansi "^6.0.0"
+    widest-line "^3.1.0"
+    wrap-ansi "^4.0.0"
+
 "@oclif/screen@^1.0.3":
   version "1.0.4"
   resolved "https://registry.yarnpkg.com/@oclif/screen/-/screen-1.0.4.tgz#b740f68609dfae8aa71c3a6cab15d816407ba493"
@@ -234,10 +250,10 @@
     deprecation "^2.0.0"
     once "^1.4.0"
 
-"@octokit/request@^5.4.5":
-  version "5.4.12"
-  resolved "https://registry.yarnpkg.com/@octokit/request/-/request-5.4.12.tgz#b04826fa934670c56b135a81447be2c1723a2ffc"
-  integrity sha512-MvWYdxengUWTGFpfpefBBpVmmEYfkwMoxonIB3sUGp5rhdgwjXL1ejo6JbgzG/QD9B/NYt/9cJX1pxXeSIUCkg==
+"@octokit/request@^5.4.13":
+  version "5.4.13"
+  resolved "https://registry.yarnpkg.com/@octokit/request/-/request-5.4.13.tgz#eec5987b3e96f984fc5f41967e001170c6d23a18"
+  integrity sha512-WcNRH5XPPtg7i1g9Da5U9dvZ6YbTffw9BN2rVezYiE7couoSyaRsw0e+Tl8uk1fArHE7Dn14U7YqUDy59WaqEw==
   dependencies:
     "@octokit/endpoint" "^6.0.1"
     "@octokit/request-error" "^2.0.0"
@@ -266,10 +282,10 @@
   resolved "https://registry.yarnpkg.com/@types/eslint-visitor-keys/-/eslint-visitor-keys-1.0.0.tgz#1ee30d79544ca84d68d4b3cdb0af4f205663dd2d"
   integrity sha512-OCutwjDZ4aFS6PB1UZ988C4YgwlBHJd6wCeQqaLdmadZ/7e+w79+hbMUFC1QXDNCmdyoRfAFdm0RypzwR+Qpag==
 
-"@types/fs-extra@^9.0.1":
-  version "9.0.5"
-  resolved "https://registry.yarnpkg.com/@types/fs-extra/-/fs-extra-9.0.5.tgz#2afb76a43a4bef80a363b94b314d0ca1694fc4f8"
-  integrity sha512-wr3t7wIW1c0A2BIJtdVp4EflriVaVVAsCAIHVzzh8B+GiFv9X1xeJjCs4upRXtzp7kQ6lP5xvskjoD4awJ1ZeA==
+"@types/fs-extra@^9.0.6":
+  version "9.0.6"
+  resolved "https://registry.yarnpkg.com/@types/fs-extra/-/fs-extra-9.0.6.tgz#488e56b77299899a608b8269719c1d133027a6ab"
+  integrity sha512-ecNRHw4clCkowNOBJH1e77nvbPxHYnWIXMv1IAoG/9+MYGkgoyr3Ppxr7XYFNL41V422EDhyV4/4SSK8L2mlig==
   dependencies:
     "@types/node" "*"
 
@@ -311,10 +327,10 @@
   resolved "https://registry.yarnpkg.com/@types/node/-/node-14.14.12.tgz#0b1d86f8c40141091285dea02e4940df73bba43f"
   integrity sha512-ASH8OPHMNlkdjrEdmoILmzFfsJICvhBsFfAum4aKZ/9U4B6M6tTmTPh+f3ttWdD74CEGV5XvXWkbyfSdXaTd7g==
 
-"@types/node@^14.0.20":
-  version "14.14.13"
-  resolved "https://registry.yarnpkg.com/@types/node/-/node-14.14.13.tgz#9e425079799322113ae8477297ae6ef51b8e0cdf"
-  integrity sha512-vbxr0VZ8exFMMAjCW8rJwaya0dMCDyYW2ZRdTyjtrCvJoENMpdUHOT/eTzvgyA5ZnqRZ/sI0NwqAxNHKYokLJQ==
+"@types/node@^14.14.22":
+  version "14.14.22"
+  resolved "https://registry.yarnpkg.com/@types/node/-/node-14.14.22.tgz#0d29f382472c4ccf3bd96ff0ce47daf5b7b84b18"
+  integrity sha512-g+f/qj/cNcqKkc3tFqlXOYjrmZA+jNBiDzbP3kH+B+otKFqAdPgVTGP1IeKRdMml/aE69as5S4FqtxAbl+LaMw==
 
 "@types/sinon@*":
   version "9.0.9"
@@ -850,6 +866,11 @@ doctrine@^3.0.0:
   dependencies:
     esutils "^2.0.2"
 
+dotenv@^8.2.0:
+  version "8.2.0"
+  resolved "https://registry.yarnpkg.com/dotenv/-/dotenv-8.2.0.tgz#97e619259ada750eea3e4ea3e26bceea5424b16a"
+  integrity sha512-8sJ78ElpbDJBHNeBzUbUVLsqKdccaa/BXF1uPTw3GrvQTBgrQrtObr2mUrE38vzYd8cEv+m/JBfDLioYcfXoaw==
+
 "emoji-regex@>=6.0.0 <=6.1.1":
   version "6.1.1"
   resolved "https://registry.yarnpkg.com/emoji-regex/-/emoji-regex-6.1.1.tgz#c6cd0ec1b0642e2a3c67a1137efc5e796da4f88e"
@@ -1270,15 +1291,15 @@ fs-extra@^8.1:
     jsonfile "^4.0.0"
     universalify "^0.1.0"
 
-fs-extra@^9.0.1:
-  version "9.0.1"
-  resolved "https://registry.yarnpkg.com/fs-extra/-/fs-extra-9.0.1.tgz#910da0062437ba4c39fedd863f1675ccfefcb9fc"
-  integrity sha512-h2iAoN838FqAFJY2/qVpzFXy+EBxfVE220PalAqQLDVsFOHLJrZvut5puAbCdNv6WJk+B8ihI+k0c7JK5erwqQ==
+fs-extra@^9.1.0:
+  version "9.1.0"
+  resolved "https://registry.yarnpkg.com/fs-extra/-/fs-extra-9.1.0.tgz#5954460c764a8da2094ba3554bf839e6b9a7c86d"
+  integrity sha512-hcg3ZmepS30/7BSFqRvoo3DOMQu7IjqxO5nCDt+zM9XWjb33Wg7ziNT+Qvqbuc3+gWpzO02JubVyk2G4Zvo1OQ==
   dependencies:
     at-least-node "^1.0.0"
     graceful-fs "^4.2.0"
     jsonfile "^6.0.1"
-    universalify "^1.0.0"
+    universalify "^2.0.0"
 
 fs.realpath@^1.0.0:
   version "1.0.0"
@@ -2924,6 +2945,11 @@ universalify@^1.0.0:
   resolved "https://registry.yarnpkg.com/universalify/-/universalify-1.0.0.tgz#b61a1da173e8435b2fe3c67d29b9adf8594bd16d"
   integrity sha512-rb6X1W158d7pRQBg5gkR8uPaSfiids68LTJQYOtEUhoJUWBdaQHsuT/EUduxXYxcrt4r5PJ4fuHW1MHT6p0qug==
 
+universalify@^2.0.0:
+  version "2.0.0"
+  resolved "https://registry.yarnpkg.com/universalify/-/universalify-2.0.0.tgz#75a4984efedc4b08975c5aeb73f530d02df25717"
+  integrity sha512-hAZsKq7Yy11Zu1DE0OzWjw7nnLZmJZYTDZZyEFHZdUhV8FkH5MCfoU1XMaxXovpyW5nq5scPqq0ZDP9Zyl04oQ==
+
 uri-js@^4.2.2:
   version "4.2.2"
   resolved "https://registry.yarnpkg.com/uri-js/-/uri-js-4.2.2.tgz#94c540e1ff772956e2299507c010aea6c8838eb0"