Secrets Sync GitHub Action
Last week I wrote a simple GitHub Action (google/secrets-sync-action) to copy secrets to many different repositories. The motivation was simple: as a maintainer of a GitHub organization with many repositories, I wanted a way to copy a token for the googlemaps-bot to all of the necessary repositories.
It was a surprisingly pleasant experience, except for the lack of TypeScript definitions for the GitHub client library, octokit/rest.js. Luckily for me, there are fixtures available, so I didn't have to come up with those myself.
The most difficult part of the implementation was the Jest testing framework breaking the Buffer implementation! Buffer is used to encrypt the secret value with the acquired public key, seen below (Jest's default test environment ships its own Uint8Array, so a Node Buffer fails the instanceof check that the encryption code relies on). A fix is to use jest-environment-uint8array.
A few more tests and some additional mocks using Nock, and we are there!
I don't always advocate for 100% test coverage, but it isn't that difficult to achieve if the code is written to be testable. And now I can feel much more confident accepting a pull request from an outside contributor.
Using it is quite simple; below is an example.
This example reads the GITHUB_TOKEN_REPO secret into the environment variables as SYNCED_GITHUB_TOKEN_REPO. I add the prefix so I know the secret was set by the action. The implementation then finds all secrets matching the ^SYNCED_ regex and all repositories matching the ^googlemaps regex that the user (from the token) is authorized to write to. Finally, I run it on a cron every ten minutes.
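To make the selection step concrete, here is an added example of the matching logic described above. It is not code from google/secrets-sync-action: the option names, the sample environment and repository data, and the shape assumed for the repository listing (full_name plus a permissions.push flag, as octokit's repository objects carry it) are illustrative assumptions. It also validates the names it would write against GitHub's rules for secret names, since a bad name fails only at the API call otherwise.

```javascript
// Added example, not code from google/secrets-sync-action. Pure functions so
// it runs offline; option names and sample data are constructed for
// illustration.

// GitHub's rules for secret names: letters, digits and underscores only,
// no leading digit, and no GITHUB_ prefix (names are case-insensitive).
const SECRET_NAME_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;

function isValidSecretName(name) {
  return SECRET_NAME_RE.test(name) && !/^GITHUB_/i.test(name);
}

// What the workflow's env mapping does in the post: expose the org secret
// under a prefixed name so the destination repos can tell it was synced.
function prefixedEnv(secrets, prefix = 'SYNCED_') {
  const env = {};
  for (const [name, value] of Object.entries(secrets)) {
    env[prefix + name] = value;
  }
  return env;
}

// Decide which (repo, secret) pairs to write. Returns the writes to perform
// and the matching repos that were skipped for lack of write permission.
//   env:           process.env of the action run
//   repos:         repos visible to the token, assumed here to carry
//                  full_name and permissions.push like octokit's objects
//   secretPattern: regex source matched against env var names
//   repoPattern:   regex source matched against repo full names
function planSync(env, repos, { secretPattern, repoPattern }) {
  const secretRe = new RegExp(secretPattern);
  const repoRe = new RegExp(repoPattern);

  const names = Object.keys(env).filter((n) => secretRe.test(n));
  const bad = names.filter((n) => !isValidSecretName(n));
  if (bad.length > 0) {
    throw new Error(`invalid secret name(s): ${bad.join(', ')}`);
  }

  const canPush = (r) => Boolean(r.permissions && r.permissions.push);
  const targets = repos.filter((r) => repoRe.test(r.full_name));
  const writable = targets.filter(canPush);
  const skipped = targets.filter((r) => !canPush(r)).map((r) => r.full_name);

  const writes = [];
  for (const repo of writable) {
    for (const name of names) {
      writes.push({ repo: repo.full_name, name });
    }
  }
  return { writes, skipped };
}

// Constructed sample data: the value is a placeholder, not a real token, and
// the repository names and permissions are made up.
const SAMPLE_SECRETS = { GITHUB_TOKEN_REPO: 'placeholder-token-value' };
const SAMPLE_REPOS = [
  { full_name: 'googlemaps/example-a', permissions: { push: true } },
  { full_name: 'googlemaps/example-b', permissions: { push: false } },
  { full_name: 'google/example-c', permissions: { push: true } },
];

function examplePlan() {
  // Unrelated env vars must be ignored by the secret regex.
  const env = { ...prefixedEnv(SAMPLE_SECRETS), PATH: '/usr/bin', GITHUB_ACTIONS: 'true' };
  return planSync(env, SAMPLE_REPOS, { secretPattern: '^SYNCED_', repoPattern: '^googlemaps' });
}

console.log(JSON.stringify(examplePlan(), null, 2));
```

Each entry in writes still needs a per-repository API round trip (fetch that repo's public key, encrypt the value for it, PUT the secret); the example stops at the plan. The token driving those calls needs write access to every target repository, so it is the secret to guard most carefully in this setup.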
If it sounds like something you would use, you can find it in the marketplace.