feat: Add dependabot secrets (#12)

* feat: support dependabot secrets

This adds support for setting dependabot secrets

* docs: update example to include dependabot secret

* feat: support deleting dependabot

* feat: support diffing dependabot secrets

* ci: update workflows

Author: andrewthetechie

.github/workflows/codeql.yml

@@ -1,12 +1,8 @@
 name: "CodeQL"
 on:
   push:
-    branches: [ main ]
-  pull_request:
-    # The branches below must be a subset of the branches above
-    branches: [ main ]
   schedule:
-    - cron: '0 0 * * 1'
+    - cron: "0 0 * * 1"
   workflow_dispatch:
 jobs:
   analyze:
@@ -17,19 +13,19 @@ jobs:
       contents: read
       security-events: write
     steps:
-    - name: Cancel Workflow Action
-      uses: styfle/[email protected]
-      with:
-        all_but_latest: true
-        access_token: ${{ secrets.THIS_PAT }}
-    - name: Checkout repository
-      uses: actions/checkout@v3
-      with:
+      - name: Cancel Workflow Action
+        uses: styfle/[email protected]
+        with:
+          all_but_latest: true
+          access_token: ${{ secrets.THIS_PAT }}
+      - name: Checkout repository
+        uses: actions/checkout@v3
+        with:
           token: ${{ secrets.GITHUB_TOKEN }}
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
-      with:
-        languages: Python
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: Python
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2

.github/workflows/generate-docs.yml

@@ -1,9 +1,6 @@
 name: Generate Docs
 on:
   push:
-    branches:
-      - main
-  pull_request:
 jobs:
   docs:
     name: Generate Docs

.github/workflows/integration.yml

@@ -1,9 +1,6 @@
 name: Integration Test
 on:
   push:
-    branches:
-      - main
-  pull_request:
 jobs:
   integration-testing:
     name: Integration Testing
@@ -12,7 +9,7 @@ jobs:
       - uses: actions/checkout@v3
         name: Checkout
         with:
-            token: ${{ secrets.GITHUB_TOKEN }}
+          token: ${{ secrets.GITHUB_TOKEN }}
       - name: Test action
         id: test-action
         # test with the local checkout of the action

.github/workflows/lint.yml

@@ -1,9 +1,6 @@
 name: Lint
 on:
   push:
-  pull_request:
-    branches:
-      - main
 jobs:
   lint-and-test:
     name: Lint and Test
@@ -20,7 +17,7 @@ jobs:
           python-version: "3.9.2"
       - uses: actions/setup-go@v3
         with:
-          go-version: '>=1.17.0'
+          go-version: ">=1.17.0"
       - run: go install github.com/rhysd/actionlint/cmd/actionlint@latest
       - uses: actions/checkout@v3
         with:

Dockerfile

@@ -1,3 +1,17 @@
-# This file is generated from Docker/ActionDockerfile.j2 as part of the release ci
-# Don't modify it directly
-FROM andrewthetechie/gha-repo-manager:v1.1.0
+# Distroless runs python 3.9.2
+FROM python:3.9.2-slim AS builder
+ADD Docker/builder/rootfs /
+ADD repo_manager /app/repo_manager
+ADD main.py /app/main.py
+WORKDIR /app
+
+# We are installing a dependency here directly into our app source dir
+RUN pip install --target=/app -r /requirements.txt
+
+# A distroless container image with Python and some basics like SSL certificates
+# https://github.com/GoogleContainerTools/distroless
+FROM gcr.io/distroless/python3
+COPY --from=builder /app /app
+WORKDIR /app
+ENV PYTHONPATH /app
+CMD ["/app/main.py"]

examples/settings.yml

@@ -21,9 +21,9 @@ settings:
 
   # A list of strings to apply as topics on the repo. Set to an empty string to clear topics. Omit or set to null to leave what repo already has
   topics:
-   - gha
-   - foo
-   - bar
+    - gha
+    - foo
+    - bar
 
   # Either `true` to make the repository private, or `false` to make it public.
   private: false
@@ -75,7 +75,7 @@ labels:
 
   - name: feature
     # If including a `#`, make sure to wrap it with quotes!
-    color: '#336699'
+    color: "#336699"
     description: New functionality.
 
   - name: Help Wanted
@@ -109,10 +109,10 @@ branch_protections:
       #   # Require branches to be up to date before merging.
       #   strict: true
       #   # The list of status checks to require in order to merge into this branch
-        # checks:
-        #   - lint
-        #   - test
-        #   - docker
+      # checks:
+      #   - lint
+      #   - test
+      #   - docker
       # Enforce all configured restrictions for administrators. Set to true to enforce required status checks for repository administrators. Set to null to disable.
       enforce_admins: true
       # Prevent merge commits from being pushed to matching branches
@@ -141,6 +141,10 @@ secrets:
     # pull the value from an environment variable. If this variable is not found in the env, throw an error and fail the run
     # Set env vars on the github action job from secrets in your repo to sync screts across repos
     env: SECRET_VALUE
+    # Set a dependabot secret on the repo
+  - key: SECRET_KEY
+    env: SECRET_VALUE
+    type: dependabot
   - key: ANOTHER_SECRET
     # set a value directly in your yaml, probably not a good idea for things that are actually a secret
     value: bar
@@ -176,9 +180,9 @@ files:
   - src_file: remote://README.md
     dest_file: README.rst
     move: true
-    commit_msg: 'move readme'
+    commit_msg: "move readme"
   # This removes OLDDOC.md in the dev branch. If OLDDOC.md doesn't exist, the workflow will emit a warning
   - dest_file: OLDDOC.md
     exists: false
     branch: dev
-    commit_msg: 'remove OLDDOC.md from dev'
+    commit_msg: "remove OLDDOC.md from dev"

main.py

@@ -14,6 +14,8 @@
 from repo_manager.github.labels import check_repo_labels
 from repo_manager.github.labels import update_label
 from repo_manager.github.secrets import check_repo_secrets
+from repo_manager.github.secrets import create_secret
+from repo_manager.github.secrets import delete_secret
 from repo_manager.github.settings import check_repo_settings
 from repo_manager.github.settings import update_settings
 from repo_manager.schemas import load_config
@@ -65,7 +67,9 @@ def main():  # noqa: C901
             for secret in config.secrets:
                 if secret.exists:
                     try:
-                        inputs["repo_object"].create_secret(secret.key, secret.expected_value)
+                        create_secret(
+                            inputs["repo_object"], secret.key, secret.expected_value, secret.type == "dependabot"
+                        )
                         actions_toolkit.info(f"Set {secret.key} to expected value")
                     except Exception as exc:  # this should be tighter
                         errors.append(
@@ -77,7 +81,7 @@ def main():  # noqa: C901
                         )
                 else:
                     try:
-                        inputs["repo_object"].delete_secret(secret.key)
+                        delete_secret(inputs["repo_object"], secret.key, secret.type == "dependabot")
                         actions_toolkit.info(f"Deleted {secret.key}")
                     except Exception as exc:  # this should be tighter
                         errors.append(

repo_manager/github/secrets.py

@@ -2,6 +2,7 @@
 from typing import Any
 from typing import Dict
 from typing import List
+from typing import Set
 from typing import Tuple
 from typing import Union
 
@@ -10,8 +11,38 @@
 from repo_manager.schemas.secret import Secret
 
 
-def upsert_secret(repo: Repository, secret_key: str, secret_config: Secret):
-    ...
+def create_secret(repo: Repository, secret_name: str, unencrypted_value: str, is_dependabot: bool = False) -> bool:
+    """
+    :calls: `PUT /repos/{owner}/{repo}/actions/secrets/{secret_name} <https://docs.github.com/en/rest/reference/actions#get-a-repository-secret>`_
+
+    Copied from https://github.com/PyGithub/PyGithub/blob/master/github/Repository.py#L1428 in order to support dependabot
+    :param secret_name: string
+    :param unencrypted_value: string
+    :rtype: bool
+    """
+    public_key = repo.get_public_key()
+    payload = public_key.encrypt(unencrypted_value)
+    put_parameters = {
+        "key_id": public_key.key_id,
+        "encrypted_value": payload,
+    }
+    secret_type = "actions" if not is_dependabot else "dependabot"
+    status, headers, data = repo._requester.requestJson(
+        "PUT", f"{repo.url}/actions/{secret_type}/{secret_name}", input=put_parameters
+    )
+    return status == 201
+
+
+def delete_secret(repo: Repository, secret_name: str, is_dependabot: bool = False) -> bool:
+    """
+    Copied from https://github.com/PyGithub/PyGithub/blob/master/github/Repository.py#L1448 to add support for dependabot
+    :calls: `DELETE /repos/{owner}/{repo}/actions/secrets/{secret_name} <https://docs.github.com/en/rest/reference/actions#delete-a-repository-secret>`_
+    :param secret_name: string
+    :rtype: bool
+    """
+    secret_type = "actions" if not is_dependabot else "dependabot"
+    status, headers, data = repo._requester.requestJson("DELETE", f"{repo.url}/{secret_type}/secrets/{secret_name}")
+    return status == 204
 
 
 def check_repo_secrets(
@@ -26,24 +57,23 @@ def check_repo_secrets(
     Returns:
         Tuple[bool, Optional[List[str]]]: [description]
     """
-    status, headers, raw_data = repo._requester.requestJson("GET", f"{repo.url}/actions/secrets")
-    if status != 200:
-        raise Exception(f"Unable to get repo's secrets {status}")
-    try:
-        secret_data = json.loads(raw_data)
-    except json.JSONDecodeError as exc:
-        raise Exception(f"Github apu returned invalid json {exc}")
-
+    actions_secrets_names = _get_repo_secret_names(repo)
+    dependabot_secret_names = _get_repo_secret_names(repo, "dependabot")
+    secrets_dict = {secret.key: secret for secret in secrets}
     checked = True
 
-    repo_secret_names = [secret["name"] for secret in secret_data["secrets"]]
-    secrets_dict = {secret.key: secret for secret in secrets}
-    expected_secret_names = [secret.key for secret in secrets if secret.exists]
+    actions_expected_secrets_names = {secret.key for secret in secrets if (secret.exists and secret.type == "actions")}
+    dependabot_expected_secret_names = {
+        secret.key for secret in secrets if (secret.exists and secret.type == "dependabot")
+    }
     diff = {
-        "missing": list(set(expected_secret_names) - set(repo_secret_names)),
+        "missing": list(actions_expected_secrets_names - (actions_secrets_names))
+        + list((dependabot_expected_secret_names) - (dependabot_secret_names)),
         "extra": [],
     }
-    extra_secret_names = list(set(repo_secret_names) - set(expected_secret_names))
+    extra_secret_names = (list((actions_secrets_names) - (actions_expected_secrets_names))) + (
+        list(dependabot_secret_names - dependabot_expected_secret_names)
+    )
     for secret_name in extra_secret_names:
         secret_config = secrets_dict.get(secret_name, None)
         if secret_config is None:
@@ -56,3 +86,15 @@ def check_repo_secrets(
         checked = False
 
     return checked, diff
+
+
+def _get_repo_secret_names(repo: Repository, type: str = "actions") -> Set[str]:
+    status, headers, raw_data = repo._requester.requestJson("GET", f"{repo.url}/{type}/secrets")
+    if status != 200:
+        raise Exception(f"Unable to get repo's secrets {status}")
+    try:
+        secret_data = json.loads(raw_data)
+    except json.JSONDecodeError as exc:
+        raise Exception(f"Github apu returned invalid json {exc}")
+
+    return {secret["name"] for secret in secret_data["secrets"]}

repo_manager/schemas/secret.py

@@ -14,6 +14,7 @@ class SecretEnvError(Exception):
 
 
 class Secret(BaseModel):
+    type: OptStr = Field(None, description="Type of secret, can be `dependabot` or `actions`")
     key: OptStr = Field(None, description="Secret's name.")
     env: OptStr = Field(None, description="Environment variable to pull the secret from")
     value: OptStr = Field(None, description="Value to set this secret to")
@@ -23,6 +24,12 @@ class Secret(BaseModel):
     )
     exists: OptBool = Field(True, description="Set to false to delete a secret")
 
+    @validator("type")
+    def validate_type(cls, v):
+        if v not in ["dependabot", "actions"]:
+            raise ValueError("Secret type must be either `dependabot` or `actions`")
+        return v
+
     @validator("value", always=True)
     def validate_value(cls, v, values) -> OptStr:
         if v is None: