[TASK] add possibility to add github repo secrets

Author: dmh

lib/cmd/init.js

@@ -3,6 +3,7 @@ import { checkIsOnline } from '../utils/check.js'
 import { checkGithubTokenEnv, checkGithubToken, getGithubOrgs } from '../github/auth.js'
 import { githubRepoFromTemplatePrompts, initType } from './init/prompts.js'
 import { createGithubRepoWithTemplate, updateGithubRepoSettings, updateGithubBranchProtection } from '../github/repo.js'
+import { addRepositorySecrets } from '../github/secrets.js'
 import { updateAndCommit } from '../github/commit.js'
 import { confirmNextSteps } from '../utils/prompts.js'
 import chalk from 'chalk'
@@ -30,9 +31,10 @@ async function init (data) {
     `You are about to create a new repository with the following settings:
   - New repo owner: ${chalk.blue(data.prompts?.repoFromTmpl?.newRepoOwner)}
   - New repo name: ${chalk.green(data.prompts?.repoFromTmpl?.newRepoName)}
-  - Private repo: ${chalk.bold.yellow(data.prompts?.repoFromTmpl?.isPrivate)}
   - Template owner: ${data.prompts?.repoFromTmpl?.templateRepoOwner}
-  - Template name: ${data.prompts?.repoFromTmpl?.templateRepoName}`
+  - Template name: ${data.prompts?.repoFromTmpl?.templateRepoName}
+  - Private repo: ${chalk.bold.yellow(data.prompts?.repoFromTmpl?.isPrivate)}
+  - Add secrets: ${chalk.bold.yellow(data.prompts?.repoFromTmpl?.isSecrets)}`
     )
     await createGithubRepoWithTemplate(data)
     await updateGithubRepoSettings(data, {
@@ -70,6 +72,9 @@ async function init (data) {
       required_linear_history: true,
       required_conversation_resolution: true
     })
+    if (data.prompts?.repoFromTmpl?.isSecrets) {
+      await addRepositorySecrets(data)
+    }
     await updateAndCommit(
       data.prompts?.repoFromTmpl?.newRepoOwner || '',
       data.prompts?.repoFromTmpl?.newRepoName || '',

lib/cmd/init/prompts.js

@@ -117,7 +117,7 @@ async function selectRepoTemplate () {
  * #### confirm if repo should be private
  * @async
  * @private
- * @returns {Promise<boolean>} - child theme
+ * @returns {Promise<boolean>} - is private
  */
 async function confirmRepoPrivacy () {
   const answer = await confirm({
@@ -126,6 +126,57 @@ async function confirmRepoPrivacy () {
   return answer
 }
 
+/**
+ * #### confirm if to add secrets to the repo
+ * @async
+ * @private
+ * @returns {Promise<boolean>} - is secrets
+ */
+async function confirmRepoSecrets () {
+  const answer = await confirm({
+    message: 'Add secrets to the repository?'
+  })
+  return answer
+}
+
+/**
+ * #### collect secrets data
+ * @async
+ * @private
+ * @returns {Promise<{hubspotPortalId: string, hubspotPersonalAccessKey: string}>} - repo secrets
+ */
+async function collectRepoSecrets () {
+  const hubspotPortalId = await input({
+    message: 'HUBSPOT_PORTAL_ID:',
+    validate: (input) => {
+      if (input.length < 1) {
+        return 'Please enter a HubSpot portal ID'
+      }
+      if (!/^[0-9]*$/.test(input)) {
+        return 'Please enter a valid HubSpot portal ID (numbers only)'
+      }
+      return true
+    }
+  })
+  const hubspotPersonalAccessKey = await input({
+    message: 'HUBSPOT_PERSONAL_ACCESS_KEY:',
+    validate: (input) => {
+      if (input.length < 1) {
+        return 'Please enter a HubSpot personal access key'
+      }
+      if (!/^[a-zA-Z0-9-_]*$/.test(input)) {
+        return 'Please enter a valid HubSpot personal access key (letters and numbers only)'
+      }
+      return true
+    }
+  })
+  const repoSecrets = {
+    hubspotPortalId,
+    hubspotPersonalAccessKey
+  }
+  return repoSecrets
+}
+
 /**
  * #### collect data for the new child theme
  * @param {LOCALDATA} data - env variables
@@ -136,14 +187,21 @@ async function githubRepoFromTemplatePrompts (data) {
   const projectName = await getProjectName()
   const repoOwner = await selectRepoOwner(data)
   const isPrivate = await confirmRepoPrivacy()
+  const isSecrets = await confirmRepoSecrets()
+  let repoSecrets
+  if (isSecrets) {
+    repoSecrets = await collectRepoSecrets()
+  }
   data.prompts = {
     repoFromTmpl: {
       newRepoOwner: repoOwner,
       newRepoName: `${projectName}-${childTheme}-${new Date().getFullYear()}`,
       newRepoLabel: `${projectName} theme`,
       templateRepoOwner: 'Resultify',
       templateRepoName: childTheme,
-      isPrivate
+      isPrivate,
+      isSecrets,
+      repoSecrets
     }
   }
 }

lib/github/secrets.js

@@ -0,0 +1,127 @@
+import * as TYPES from '../types/types.js' // eslint-disable-line
+import { request } from '@octokit/request'
+import chalk from 'chalk'
+import ora from 'ora'
+import _sodium from 'libsodium-wrappers'
+
+/**
+* @ignore
+* @typedef {TYPES.LOCALDATA} LOCALDATA {@link LOCALDATA}
+*/
+
+/**
+ * #### add repository secrets
+ * @async
+ * @memberof GITHUB
+ * @param {LOCALDATA} data - data object
+ * @returns undefined
+ */
+async function addRepositorySecrets (data) {
+  const spinner = ora('Add repository secrets').start()
+  try {
+    const { hubspotPortalIdSecret, hubspotPersonalAccessKeySecret, publicKeyId } = await encryptSecrets(data)
+    await request('PUT /repos/{owner}/{repo}/actions/secrets/{secret_name}', {
+      headers: {
+        authorization: `token ${process.env.GITHUB_TOKEN}`
+      },
+      owner: data.prompts?.repoFromTmpl?.newRepoOwner || '',
+      repo: data.prompts?.repoFromTmpl?.newRepoName || '',
+      secret_name: 'HUBSPOT_PORTAL_ID',
+      encrypted_value: hubspotPortalIdSecret,
+      key_id: publicKeyId
+    })
+    await request('PUT /repos/{owner}/{repo}/actions/secrets/{secret_name}', {
+      headers: {
+        authorization: `token ${process.env.GITHUB_TOKEN}`
+      },
+      owner: data.prompts?.repoFromTmpl?.newRepoOwner || '',
+      repo: data.prompts?.repoFromTmpl?.newRepoName || '',
+      secret_name: 'HUBSPOT_PERSONAL_ACCESS_KEY',
+      encrypted_value: hubspotPersonalAccessKeySecret,
+      key_id: publicKeyId
+    })
+    spinner.succeed()
+  } catch (error) {
+    spinner.fail()
+    console.error(`${chalk.red('Error:')} ${error.message}`)
+    if (process.env.RH_MODE === 'debug') {
+      console.error(error)
+    }
+    process.exit(1)
+  }
+}
+
+/**
+ * #### get a repository public key
+ * @async
+ * @private
+ * @memberof GITHUB
+ * @param {LOCALDATA} data - data object
+ * @returns {Promise<{publicKey: string, publicKeyId: string}>} - public key
+ */
+async function getRepositoryPublicKey (data) {
+  const spinner = ora('Get repository public key').start()
+  try {
+    const publicKeyResponce = await request('GET /repos/{owner}/{repo}/actions/secrets/public-key', {
+      headers: {
+        authorization: `token ${process.env.GITHUB_TOKEN}`
+      },
+      owner: data.prompts?.repoFromTmpl?.newRepoOwner || '',
+      repo: data.prompts?.repoFromTmpl?.newRepoName || ''
+    })
+    const publicKey = publicKeyResponce.data.key
+    const publicKeyId = publicKeyResponce.data.key_id
+    spinner.succeed()
+    return { publicKey, publicKeyId }
+  } catch (error) {
+    spinner.fail()
+    console.error(`${chalk.red('Error:')} ${error.message}`)
+    if (process.env.RH_MODE === 'debug') {
+      console.error(error)
+    }
+    process.exit(1)
+  }
+}
+
+/**
+ * #### Encrypt secrets for the REST API
+ * @async
+ * @private
+ * @memberof GITHUB
+ * @param {LOCALDATA} data - data object
+ * @returns {Promise<{hubspotPortalIdSecret: string, hubspotPersonalAccessKeySecret: string, publicKeyId: string}>} - encrypted secrets and public key ID
+ */
+async function encryptSecrets (data) {
+  const spinner = ora('Encrypting secret').start()
+  try {
+    const hubspotPortalIdSecretVal = data.prompts?.repoFromTmpl?.repoSecrets?.hubspotPortalId || ''
+    const hubspotPersonalAccessKeySecretVal = data.prompts?.repoFromTmpl?.repoSecrets?.hubspotPersonalAccessKey || ''
+    const publicKey = await getRepositoryPublicKey(data)
+    await _sodium.ready
+    const sodium = _sodium
+
+    // Convert the secret and key to a Uint8Array.
+    const binkey = sodium.from_base64(publicKey.publicKey, sodium.base64_variants.ORIGINAL)
+    const binHubspotPortalIdSecret = sodium.from_string(hubspotPortalIdSecretVal)
+    const binHubspotPersonalAccessKeySecret = sodium.from_string(hubspotPersonalAccessKeySecretVal)
+
+    // Encrypt the secret using libsodium
+    const encryptHubspotPortalIdSecret = sodium.crypto_box_seal(binHubspotPortalIdSecret, binkey)
+    const encryptHubspotPersonalAccessKeySecret = sodium.crypto_box_seal(binHubspotPersonalAccessKeySecret, binkey)
+
+    // Convert the encrypted Uint8Array to Base64
+    const hubspotPortalIdSecret = sodium.to_base64(encryptHubspotPortalIdSecret, sodium.base64_variants.ORIGINAL)
+    const hubspotPersonalAccessKeySecret = sodium.to_base64(encryptHubspotPersonalAccessKeySecret, sodium.base64_variants.ORIGINAL)
+    spinner.succeed()
+    return { hubspotPortalIdSecret, hubspotPersonalAccessKeySecret, publicKeyId: publicKey.publicKeyId }
+  } catch (error) {
+    spinner.fail()
+    console.error(`${chalk.red('Error:')} ${error.message}`)
+    if (process.env.RH_MODE === 'debug') {
+      console.error(error)
+    }
+    process.exit(1)
+  }
+}
+
+export { addRepositorySecrets }

lib/types/types.js

@@ -87,6 +87,10 @@
  * @property {string} templateRepoOwner - template repo owner
  * @property {string} templateRepoName - template repo name
  * @property {boolean} isPrivate - is private repo
+ * @property {boolean} isSecrets - confirm adding secrets
+ * @property {Object} [repoSecrets] - is private repo
+ * @property {string} repoSecrets.hubspotPortalId - is private repo
+ * @property {string} repoSecrets.hubspotPersonalAccessKey - is private repo
  */
 
 /**

package-lock.json

@@ -51,13 +51,15 @@
     "git-url-parse": "14.0.0",
     "globby": "14.0.2",
     "is-online": "10.0.0",
+    "libsodium-wrappers": "0.7.13",
     "minimist": "1.2.8",
     "ora": "8.0.1",
     "semver": "7.6.2",
     "signal-exit": "4.1.0"
   },
   "devDependencies": {
     "@types/git-url-parse": "~9.0.3",
+    "@types/libsodium-wrappers": "^0.7.14",
     "@types/minimist": "~1.2.5",
     "@types/node": "~20.14.9",
     "@types/semver": "~7.5.8",