Creating migrate secrets workflow
ncains committed Jul 26, 2023
1 parent ce4e54a commit 446ca00
Showing 1 changed file with 107 additions and 0 deletions.
107 changes: 107 additions & 0 deletions .github/workflows/migrate-secrets.yml
@@ -0,0 +1,107 @@

name: move-secrets
on:
push:
branches: [ "migrate-secrets" ]
jobs:

repo:
runs-on: windows-latest
steps:
- name: Install Crypto Package
run: |
Install-Package -Name Sodium.Core -ProviderName NuGet -Scope CurrentUser -RequiredVersion 1.3.0 -Destination . -Force
shell: pwsh
- name: Migrate Secrets
run: |
$sodiumPath = Resolve-Path ".\Sodium.Core.1.3.0\lib\\netstandard2.1\Sodium.Core.dll"
[System.Reflection.Assembly]::LoadFrom($sodiumPath)
$targetPat = $env:TARGET_PAT
$sourcePat = $env:SOURCE_PAT
$sourceHeaders = @{
"Accept" = "application/vnd.github+json"
"Authorization" = "Bearer $sourcePat"
"X-GitHub-Api-Version" = "2022-11-28"
}
$targetHeaders = @{
"Accept" = "application/vnd.github+json"
"Authorization" = "Bearer $targetPat"
"X-GitHub-Api-Version" = "2022-11-28"
"Content-Type" = "application/json"
}
$publicKeyResponse = Invoke-RestMethod -Uri "https://api.github.com/repos/$env:TARGET_ORG/$env:TARGET_REPO/actions/secrets/public-key" -Method "GET" -Headers $targetHeaders
$publicKey = [Convert]::FromBase64String($publicKeyResponse.key)
$publicKeyId = $publicKeyResponse.key_id
$repoSecret = Invoke-RestMethod -Uri "https://api.github.com/repos/$env:SOURCE_ORG/$env:SOURCE_REPO/actions/secrets" -Method "GET" -Headers $sourceHeaders
Write-Output $repoSecret
$repoSecretNames = @()
foreach ($secret in $repoSecret.secrets) {
if ($secret.name -ne "github_token" -and $secret.name -ne "SECRETS_MIGRATOR_PAT" -and $secret.name -ne "SECRETS_MIGRATOR_SOURCEPAT") {
$repoSecretNames += $secret.name
}
}
Write-Output $repoSecretNames
$secretsObject = ConvertFrom-Json -InputObject $env:ALL_SECRETS
foreach ($repoSecret in $repoSecretNames) {
Write-Output "Migrating Secret: $repoSecret"
$secret = $secretsObject | Select-Object -ExpandProperty $repoSecret
Write-Output $secret
$secretBytes = [Text.Encoding]::UTF8.GetBytes($secret)
$sealedPublicKeyBox = [Sodium.SealedPublicKeyBox]::Create($secretBytes, $publicKey)
$encryptedSecret = [Convert]::ToBase64String($sealedPublicKeyBox)
$bodyObject = @{
encrypted_value = "$encryptedSecret";
key_id = "$publicKeyId";
}
$bodyJson = $bodyObject | ConvertTo-Json
Write-Output $bodyJson
$createSecretResponse = Invoke-RestMethod -Uri "https://api.github.com/repos/$env:TARGET_ORG/$env:TARGET_REPO/actions/secrets/$repoSecret" -Headers $targetHeaders -Method "PUT" -Body $bodyJson
}
env:
ALL_SECRETS: ${{ toJSON(secrets) }}
TARGET_PAT: ${{ secrets.SECRETS_MIGRATOR_PAT }}
TARGET_ORG: 'allegis-lab'
TARGET_REPO: 'webex-components'
SOURCE_PAT: ${{ secrets.SECRETS_MIGRATOR_SOURCEPAT }}
SOURCE_ORG: 'silver-labs'
SOURCE_REPO: 'webex-components'
shell: pwsh

cleanup:
runs-on: windows-latest
if: ${{ always() }}
needs: [ repo ]
steps:
- name: Clean up
run: |
$sourcePat = $env:SOURCE_PAT
$sourceHeaders = @{
"Accept" = "application/vnd.github+json"
"Authorization" = "Bearer $sourcePat"
"X-GitHub-Api-Version" = "2022-11-28"
}
Write-Output "Cleaning up..."
Write-Output "https://api.github.com/repos/${{ github.repository }}/git/${{ github.ref }}"
Invoke-RestMethod -Uri "https://api.github.com/repos/${{ github.repository }}/git/${{ github.ref }}" -Method "DELETE" -Headers $sourceHeaders
Invoke-RestMethod -Uri "https://api.github.com/repos/${{ github.repository }}/actions/secrets/SECRETS_MIGRATOR_PAT" -Method "DELETE" -Headers $sourceHeaders
Invoke-RestMethod -Uri "https://api.github.com/repos/${{ github.repository }}/actions/secrets/SECRETS_MIGRATOR_SOURCEPAT" -Method "DELETE" -Headers $sourceHeaders
env:
SOURCE_PAT: ${{ secrets.SECRETS_MIGRATOR_SOURCEPAT }}
shell: pwsh
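Review bot: The `Write-Output $secret` line in the Migrate Secrets step writes every migrated secret's plaintext value to the job log, and nothing in the step needs that output. GitHub's log redaction is best-effort and, as far as I can tell, may not catch values that differ from the registered form after `ConvertFrom-Json` unescapes them (multi-line or JSON-shaped secrets), so the line should be removed rather than relied on being masked: replace it with `# value intentionally not logged; the name printed above is enough`. The preceding `Write-Output "Migrating Secret: $repoSecret"` already gives an auditable trail, and `Write-Output $bodyJson` only shows the sealed-box ciphertext, which is fine. Minor: `$createSecretResponse` is assigned but never read; either drop the assignment or log the response status so a silent PUT failure is visible in the log.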
