Contributor

@porhkz porhkz commented Oct 30, 2025

Description of the proposed changes

  • Created a pipe in Python to migrate Secret Variables from Bitbucket to GitHub

Other solutions considered (if any)
N/A

Notes to PR author

⚠️ Please make sure the changes adhere to the guidelines mentioned in our contribution guide.

Notes to reviewers

ℹ️ When you've finished leaving feedback, please add a final comment to the PR tagging the author, letting them know that you have finished leaving feedback

@porhkz porhkz requested review from a team, TheOrangePuff and crispy101 and removed request for a team October 30, 2025 04:26
Member

@TheOrangePuff TheOrangePuff left a comment

Small readme change

### Migrating Multiple Environments
You can create separate pipeline steps for each environment:
Member

Is the plan for the migration script to add this automatically? Cause that would be ideal 🤞

Contributor Author

@porhkz porhkz Oct 30, 2025

Yeah that was the plan.

I haven't looked into the low level implementation, but we already parse through the Bitbucket Repo and curate a dict of Secret Variables for each Environment.

We can then use this dict to write a new bitbucket-pipeline.yml file, following the example, and then push this pipeline to a new branch like migrate-secrets (labelling the old pipeline file with something like yml.bak). We can then get DO intervention to confirm the secrets and GitHub Repo destination to send the secrets to, and run the pipeline manually to send the secrets over. I feel like DO intervention here might be needed given the severity of some of the secrets being migrated?

In terms of the $GITHUB_TOKEN, I am currently scoping some fine-grained permissions to strip it down to the required permissions, and we could potentially store it as a Bitbucket Organisation Var, but I feel that that's risky. On the other hand, the migrate.py script could just use the token from the DO to add to the Bitbucket repo as a Repo Variable, and then use that.

README.md Outdated
- step:
name: Migrate Repository Secrets
script:
- pipe: your-workspace/migrate-secrets-pipe:latest
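Review bot: the `pipe:` line in this README example pulls `your-workspace/migrate-secrets-pipe:latest`, a mutable tag, for a step that handles repository secrets. Suggest showing a fixed version tag in place of `latest`, so the image that runs with the secrets and the GitHub token is a release that has been reviewed, and a later push to `latest` cannot change what the step executes.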
Member

We can change the name of this to be aligent/migrate-secrets-pipe (provided that's what it's actually called in Docker Hub)
