Add get-repo-orgs-secrets-count (#76)

* Add get-repo-orgs-secrets-count List all non public repos and the number of organization secret available to each * Renamed get-repo-organizations-secrets-count.sh * reordered readme * yet another readme reorder
joshjohanning · May 17, 2024 · 23f2713 · 23f2713
1 parent d1c07c7
commit 23f2713
Show file tree

Hide file tree

Showing 2 changed files with 84 additions and 0 deletions.
diff --git a/gh-cli/README.md b/gh-cli/README.md
@@ -906,6 +906,25 @@ Generates a CSV with 4 columns:
 
 Get repositories not using actions, by files committed in the `.github/workflows` directory
 
+### get-repositories-organization-secrets-count.sh
+
+Gets the list of organization secrets that are available by repository (all repositories).
+
+Public repositories are ignored and not listed.
+
+A repository can only use a max of [100 organization secrets](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#limits-for-secrets) that are available to it. The purpose of this script is to get list of repositories and the number of organization secrets available to them mostly to figure out if you are hitting the limit and not all secrets are really available to the repository (only first 100 secrets sorted by secret name are available).
+
+usage:
+
+```shell
+get-repositories-organization-secrets-count.sh my-org-name
+Public repo i-am-public Skipping it
+
+Secrets count for my-org-name by repo:
+repo1: 102 secrets
+repo2: 103 secrets
+```
+
 ### get-repositories-using-actions.sh
 
 Get repositories using actions, by files committed in the `.github/workflows` directory

diff --git a/gh-cli/get-repositories-organization-secrets-count.sh b/gh-cli/get-repositories-organization-secrets-count.sh
@@ -0,0 +1,65 @@
+#!/bin/bash
+
+if [ -z "$1" ]; then
+    echo "Usage: $0 <org>"
+    exit 1
+fi
+
+org="$1"
+
+declare -A repos
+while IFS= read -r repo_json; do
+    visibility=$(echo "$repo_json" | jq -r '.visibility')
+    repo_name=$(echo "$repo_json" | jq -r '.name')
+
+    if [ "$visibility" = "public" ]; then
+        echo "Public repo $repo_name Skipping it"
+        continue
+    fi    
+
+    repos["$repo_name"]=0
+done < <(gh api "orgs/$org/repos" --paginate --jq '.[] | {name: .name, visibility: .visibility}')
+
+# Increment secrets count for all repos
+function incrementAllRepos() {
+    for repo in "${!repos[@]}"; do
+        ((repos["$repo"]++))
+    done
+}
+
+# Given a secret name increment secrets count for selected repos 
+function incrementSelectedRepos() {
+    secret_name="$1"
+
+    while IFS= read -r repo_json; do
+        repo_name=$(echo "$repo_json" | jq -r '.name')
+
+        repos["$repo_name"]=$((repos["$repo_name"] + 1))
+    done < <(gh api "orgs/$org/actions/secrets/$secret_name/repositories" --paginate --jq '.repositories[] | {name: .name}')
+}
+
+while read -r secret_json; do
+
+    secret_name=$(echo "$secret_json" | jq -r '.name')
+    visibility=$(echo "$secret_json" | jq -r '.visibility')
+
+    if [ "$visibility" = "public" ]; then
+        echo "$secret_name is available to public repos. Skipping it"
+        continue
+    fi
+
+    if [ "$visibility" = "private" ] || [ "$visibility" = "all" ]; then
+        incrementAllRepos
+    elif [ "$visibility" = "selected" ]; then
+        incrementSelectedRepos "$secret_name"
+    fi
+
+done < <(gh api "orgs/$org/actions/secrets" --paginate --jq '.secrets[] | {name: .name, visibility: .visibility}')
+
+# dump count of secrets for each repo
+
+echo -e "\nSecrets count for $org by repo:"
+for repo in "${!repos[@]}"; do
+    echo "$repo: ${repos["$repo"]} secrets"
+done
+