Add eas env:push and env:pull commands

[khamilowicz]

Why

User should be able to synchronise local environment variables with upstream.

• https://linear.app/expo/issue/ENG-11920/add-eas-envpush-command
• https://linear.app/expo/issue/ENG-11919/add-eas-envpull-command

How

• added eas env:pull and eas env:push commands
• eas env:pull handles sudo access to request values of sensitive variables

Test Plan

Tested manually

[linear]

ENG-11920 Add `eas env:push` command

[github-actions]

Size Change: +3.7 kB (+0.01%)

Total Size: 52.5 MB

Filename	Size	Change
./packages/eas-cli/dist/eas-linux-x64.tar.gz	52.5 MB	+3.7 kB (+0.01%)

_{compressed-size-action}

[codecov]

Codecov Report

Attention: Patch coverage is 23.88060% with 153 lines in your changes missing coverage. Please review.

Project coverage is 52.68%. Comparing base (27d0d42) to head (1f07455).

Files	Patch %	Lines
packages/eas-cli/src/commands/env/push.ts	16.86%	67 Missing and 7 partials ⚠️
packages/eas-cli/src/commands/env/pull.ts	36.12%	20 Missing and 3 partials ⚠️
packages/eas-cli/src/user/SessionManager.ts	17.86%	21 Missing and 2 partials ⚠️
packages/eas-cli/src/authUtils.ts	10.00%	8 Missing and 1 partial ⚠️
packages/eas-cli/src/commands/env/get.ts	10.00%	8 Missing and 1 partial ⚠️
...c/graphql/mutations/EnvironmentVariableMutation.ts	0.00%	3 Missing ⚠️
packages/eas-cli/src/commands/env/delete.ts	0.00%	2 Missing ⚠️
packages/eas-cli/src/commands/env/list.ts	0.00%	2 Missing ⚠️
...i/src/graphql/queries/EnvironmentVariablesQuery.ts	0.00%	2 Missing ⚠️
...ages/eas-cli/src/user/fetchSessionSecretAndUser.ts	33.34%	2 Missing ⚠️
... and 4 more

Additional details and impacted files

@@                                   Coverage Diff                                    @@
##           piotrekszeremeta/eng-11913-add-eas-envcreate-command    #2437      +/-   ##
========================================================================================
- Coverage                                                 52.94%   52.68%   -0.25%     
========================================================================================
  Files                                                       542      545       +3     
  Lines                                                     20063    20247     +184     
  Branches                                                   4101     4136      +35     
========================================================================================
+ Hits                                                      10620    10665      +45     
- Misses                                                     8630     8755     +125     
- Partials                                                    813      827      +14     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[szdziedzic]

I'm not an expert on our auth/sudo system. Let's ask for the @wschurman review as well.

[szdziedzic]

We need to figure out how to handle this case. We definitely want to allow SSO clients to pull env vars.

[wschurman]

Yep. This will need to do something similar to how SSO login is done in the CLI (using the website I believe). Can trace the SSO code in the CLI ssoLoginAsync to see how SSO auth works. Happy to dig deeper if necessary.

[wschurman]

Would be good to stack a PR on top of this that adds SSO and then land them together.

[wschurman]

Since eas-cli doesn't have feature gating and does continuous deployment it'd probably be best to have the SSO functionality ironed out in a stacked PR before landing this. Otherwise we'd risk deploying a broken experience. Though I guess since the command is new and hidden it's okay for now, we can just fast-follow with the SSO fix.

[wschurman]

Would be good to stack a PR on top of this that adds SSO and then land them together.

[khamilowicz]

@wschurman @szdziedzic Ok, I'll work on SSO. I think the flow will be similar to that of login via SSO and I'll reuse some of its logic

[szdziedzic]

Should we allow getting sensitive env vars values here as well?

[khamilowicz]

yes, we allow it here

[szdziedzic]

should we allow pulling sensitive env vars here as well?

[khamilowicz]

maybe with '--include-sensitive' flag? We'll save on decrypting values when user just want to know whether a variable is defined.

[szdziedzic]

I believe it doesn't respect --non-interactive mode, right?

[khamilowicz]

No, it wouldn't make sense to automatically reauthorize in non-interactive mode.

[github-actions]

❌ It looks like a changelog entry is missing for this PR. You have two options: you can add it manually, or you can use the changelog bot to do it for you.
🤖 To use the bot, simply comment on this PR with the command /changelog-entry [breaking-change|new-feature|bug-fix|chore] [message].
⏩ If this PR doesn't require a changelog entry, such as if it's an internal change that doesn't affect the user experience, you can add the "no changelog" label to the PR.

[szdziedzic]

Offline discussion feedback:

It seems like requiring sudo mode is problematic for now, it doesn't work for SSO auth and doesn't seem to work with --non-interactive mode, which is a big use case. For now, we decided to allow people to read sensitive env vars without sudo mode. This will require backend changes + dropping sudo logic from this PR.