github

package
v0.1.2 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Jun 3, 2026 License: Apache-2.0 Imports: 9 Imported by: 0

Documentation

Overview

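Package github wraps the upstream go-github SDK with the narrow surface ghsecretman needs: list repo Actions variables (with values), list repo Actions secret names, and list repo Dependabot secret names. The Backend interface documented below additionally covers setting and deleting these objects, their org-level counterparts, and fetching the public keys used to encrypt secrets; secrets are only ever listed by name, never by value.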

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type Backend

// Backend is the GitHub surface the runner depends on. No method here
// returns a secret value: the List*Secrets methods return names only,
// whereas the List*Variables methods return names together with values.
type Backend interface {
	// GetOwnerType reports whether owner is a GitHub organization or a
	// user account. The runner uses it to pick the repo-enumeration
	// endpoint and to skip org-level scope for user accounts.
	GetOwnerType(ctx context.Context, owner string) (OwnerType, error)

	// ListOrgRepos returns the names of the repositories in org.
	ListOrgRepos(ctx context.Context, org string) ([]string, error)

	// ListUserRepos returns the names of every repository owned by the
	// authenticated user that belongs to owner. Private repos are
	// included. It is the user-account counterpart to ListOrgRepos.
	ListUserRepos(ctx context.Context, owner string) ([]string, error)

	// ListRepoVariables returns the repo's Actions variables as a
	// name → value map. The *Client implementation documents a
	// single-page fetch, so the map may be partial for a repo with many
	// variables.
	ListRepoVariables(ctx context.Context, owner, repo string) (map[string]string, error)
	// ListRepoSecrets returns the names of the repo's Actions secrets.
	ListRepoSecrets(ctx context.Context, owner, repo string) ([]string, error)
	// ListRepoDependabotSecrets returns the names of the repo's
	// Dependabot secrets.
	ListRepoDependabotSecrets(ctx context.Context, owner, repo string) ([]string, error)

	// GetRepoPublicKey fetches the public key used to encrypt repo
	// Actions secrets.
	GetRepoPublicKey(ctx context.Context, owner, repo string) (*PublicKey, error)
	// GetRepoDependabotPublicKey fetches the public key used to encrypt
	// repo Dependabot secrets. It is a distinct key from the one
	// GetRepoPublicKey returns.
	GetRepoDependabotPublicKey(ctx context.Context, owner, repo string) (*PublicKey, error)

	// SetRepoVariable creates or updates a repo Actions variable. Unlike
	// the secret setters it takes no PublicKey, and the value can be read
	// back through ListRepoVariables, so variables are not a place for
	// credentials.
	SetRepoVariable(ctx context.Context, owner, repo, name, value string) error
	// SetRepoSecret creates or updates a repo Actions secret. The *Client
	// implementation encrypts plaintext client-side against key before
	// sending it; key should be the one returned by GetRepoPublicKey.
	SetRepoSecret(ctx context.Context, owner, repo, name string, key *PublicKey, plaintext string) error
	// SetRepoDependabotSecret creates or updates a repo Dependabot secret
	// using the Dependabot-specific public key (GetRepoDependabotPublicKey).
	SetRepoDependabotSecret(ctx context.Context, owner, repo, name string, key *PublicKey, plaintext string) error

	// DeleteRepoVariable deletes a repo Actions variable.
	DeleteRepoVariable(ctx context.Context, owner, repo, name string) error
	// DeleteRepoSecret deletes a repo Actions secret.
	DeleteRepoSecret(ctx context.Context, owner, repo, name string) error
	// DeleteRepoDependabotSecret deletes a repo Dependabot secret.
	DeleteRepoDependabotSecret(ctx context.Context, owner, repo, name string) error

	// Org-level operations. Org secrets, variables, and Dependabot secrets
	// are a different GitHub object class from their repo-level counterparts
	// and use a separate public key for encryption.
	ListOrgVariables(ctx context.Context, org string) (map[string]string, error)
	// ListOrgSecrets returns the names of org-level Actions secrets.
	ListOrgSecrets(ctx context.Context, org string) ([]string, error)
	// ListOrgDependabotSecrets returns the names of org-level Dependabot
	// secrets.
	ListOrgDependabotSecrets(ctx context.Context, org string) ([]string, error)

	// GetOrgPublicKey fetches the public key used to encrypt org Actions
	// secrets.
	GetOrgPublicKey(ctx context.Context, org string) (*PublicKey, error)
	// GetOrgDependabotPublicKey fetches the public key used to encrypt
	// org Dependabot secrets.
	GetOrgDependabotPublicKey(ctx context.Context, org string) (*PublicKey, error)

	// SetOrgVariable creates or updates an org Actions variable with the
	// given visibility. The *Client implementation documents that
	// selectedRepoIDs must be non-empty when visibility is "selected" and
	// is ignored otherwise.
	SetOrgVariable(ctx context.Context, org, name, value, visibility string, selectedRepoIDs []int64) error
	// SetOrgSecret creates or updates an org Actions secret with the given
	// visibility; plaintext is encrypted client-side with key.
	// NOTE(review): presumably the same selectedRepoIDs rule as
	// SetOrgVariable applies — confirm against the implementation.
	SetOrgSecret(ctx context.Context, org, name string, key *PublicKey, plaintext, visibility string, selectedRepoIDs []int64) error
	// SetOrgDependabotSecret creates or updates an org Dependabot secret
	// with the given visibility.
	// NOTE(review): presumably key must come from
	// GetOrgDependabotPublicKey — confirm against the implementation.
	SetOrgDependabotSecret(ctx context.Context, org, name string, key *PublicKey, plaintext, visibility string, selectedRepoIDs []int64) error

	// DeleteOrgVariable deletes an org Actions variable.
	DeleteOrgVariable(ctx context.Context, org, name string) error
	// DeleteOrgSecret deletes an org Actions secret.
	DeleteOrgSecret(ctx context.Context, org, name string) error
	// DeleteOrgDependabotSecret deletes an org Dependabot secret.
	DeleteOrgDependabotSecret(ctx context.Context, org, name string) error

	// GetRepoID resolves a repo name to its numeric GitHub ID. Used to
	// translate `repos:` lists from configuration into the
	// `selected_repository_ids` payload expected by the org-level secret
	// and variable APIs.
	GetRepoID(ctx context.Context, org, repo string) (int64, error)
}

Backend is the interface the runner consumes; satisfied by *Client and by test fakes.

type Client

// Client is the live GitHub backend and satisfies Backend. It is obtained
// from NewClientFromEnv (token taken from the environment) or
// NewClientFromGoGithub (wrapping an existing go-github client).
type Client struct {
	// contains filtered or unexported fields
}

Client is the live GitHub backend.

func NewClientFromEnv

func NewClientFromEnv() (*Client, error)

NewClientFromEnv builds a Client authenticated from GITHUB_TOKEN (preferred) or GH_TOKEN (fallback).

func NewClientFromGoGithub

func NewClientFromGoGithub(gh *gogithub.Client) *Client

NewClientFromGoGithub wraps an existing go-github client. Useful for tests that need to point at httptest.

func (*Client) DeleteOrgDependabotSecret

func (c *Client) DeleteOrgDependabotSecret(ctx context.Context, org, name string) error

DeleteOrgDependabotSecret deletes an org Dependabot secret.

func (*Client) DeleteOrgSecret

func (c *Client) DeleteOrgSecret(ctx context.Context, org, name string) error

DeleteOrgSecret deletes an org Actions secret.

func (*Client) DeleteOrgVariable

func (c *Client) DeleteOrgVariable(ctx context.Context, org, name string) error

DeleteOrgVariable deletes an org Actions variable.

func (*Client) DeleteRepoDependabotSecret

func (c *Client) DeleteRepoDependabotSecret(ctx context.Context, owner, repo, name string) error

DeleteRepoDependabotSecret deletes a repo Dependabot secret.

func (*Client) DeleteRepoSecret

func (c *Client) DeleteRepoSecret(ctx context.Context, owner, repo, name string) error

DeleteRepoSecret deletes a repo Actions secret.

func (*Client) DeleteRepoVariable

func (c *Client) DeleteRepoVariable(ctx context.Context, owner, repo, name string) error

DeleteRepoVariable deletes a repo Actions variable.

func (*Client) GetOrgDependabotPublicKey

func (c *Client) GetOrgDependabotPublicKey(ctx context.Context, org string) (*PublicKey, error)

GetOrgDependabotPublicKey fetches the public key used to encrypt org Dependabot secrets.

func (*Client) GetOrgPublicKey

func (c *Client) GetOrgPublicKey(ctx context.Context, org string) (*PublicKey, error)

GetOrgPublicKey fetches the public key used to encrypt org Actions secrets.

func (*Client) GetOwnerType added in v0.1.2

func (c *Client) GetOwnerType(ctx context.Context, owner string) (OwnerType, error)

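GetOwnerType resolves whether owner is a GitHub organization or a user account by reading the `type` field of the public account record. Any type other than "User" (notably "Organization") is treated as an org, so an unexpected or newly introduced type value selects the organization code path rather than the user one.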

func (*Client) GetRepoDependabotPublicKey

func (c *Client) GetRepoDependabotPublicKey(ctx context.Context, owner, repo string) (*PublicKey, error)

GetRepoDependabotPublicKey fetches the public key used to encrypt repo Dependabot secrets.

func (*Client) GetRepoID

func (c *Client) GetRepoID(ctx context.Context, org, repo string) (int64, error)

GetRepoID resolves a repo name to its numeric GitHub ID.

func (*Client) GetRepoPublicKey

func (c *Client) GetRepoPublicKey(ctx context.Context, owner, repo string) (*PublicKey, error)

GetRepoPublicKey fetches the public key used to encrypt repo Actions secrets.

func (*Client) ListOrgDependabotSecrets

func (c *Client) ListOrgDependabotSecrets(ctx context.Context, org string) ([]string, error)

ListOrgDependabotSecrets returns the names of org-level Dependabot secrets.

func (*Client) ListOrgRepos

func (c *Client) ListOrgRepos(ctx context.Context, org string) ([]string, error)

ListOrgRepos returns the names of every repository in the org. Pages through the list until exhausted.

func (*Client) ListOrgSecrets

func (c *Client) ListOrgSecrets(ctx context.Context, org string) ([]string, error)

ListOrgSecrets returns the names of org-level Actions secrets.

func (*Client) ListOrgVariables

func (c *Client) ListOrgVariables(ctx context.Context, org string) (map[string]string, error)

ListOrgVariables returns org-level Actions variables as a name → value map.

func (*Client) ListRepoDependabotSecrets

func (c *Client) ListRepoDependabotSecrets(ctx context.Context, owner, repo string) ([]string, error)

ListRepoDependabotSecrets returns the names of repo Dependabot secrets.

func (*Client) ListRepoSecrets

func (c *Client) ListRepoSecrets(ctx context.Context, owner, repo string) ([]string, error)

ListRepoSecrets returns the names of repo Actions secrets.

func (*Client) ListRepoVariables

func (c *Client) ListRepoVariables(ctx context.Context, owner, repo string) (map[string]string, error)

ListRepoVariables returns repo Actions variables as a name → value map.

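The single-page fetch is intentional for this slice; pagination support belongs in a later slice when org-wide fan-out makes it actually matter. Until then, a repository with more variables than fit in one page yields a partial map, so a name missing from the result is not proof that the variable does not exist.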

func (*Client) ListUserRepos added in v0.1.2

func (c *Client) ListUserRepos(ctx context.Context, owner string) ([]string, error)

ListUserRepos returns the names of every repository owned by the authenticated user whose owner login matches owner (case-insensitively, as GitHub logins are). It pages through GET /user/repos with the `owner` affiliation so private repos are included; the login filter drops repos reachable through other affiliations. Managing a user account's secrets requires authenticating as that user, so the authenticated-user endpoint is the right source here.

func (*Client) SetOrgDependabotSecret

func (c *Client) SetOrgDependabotSecret(ctx context.Context, org, name string, key *PublicKey, plaintext, visibility string, selectedRepoIDs []int64) error

SetOrgDependabotSecret creates or updates an org Dependabot secret with the given visibility envelope.

func (*Client) SetOrgSecret

func (c *Client) SetOrgSecret(ctx context.Context, org, name string, key *PublicKey, plaintext, visibility string, selectedRepoIDs []int64) error

SetOrgSecret creates or updates an org Actions secret with the given visibility envelope. plaintext is encrypted client-side with key.

func (*Client) SetOrgVariable

func (c *Client) SetOrgVariable(ctx context.Context, org, name, value, visibility string, selectedRepoIDs []int64) error

SetOrgVariable creates or updates an org Actions variable with the given visibility envelope. selectedRepoIDs must be non-empty when visibility is "selected" and is ignored otherwise.

func (*Client) SetRepoDependabotSecret

func (c *Client) SetRepoDependabotSecret(ctx context.Context, owner, repo, name string, key *PublicKey, plaintext string) error

SetRepoDependabotSecret creates or updates a repo Dependabot secret using the Dependabot-specific public key.

func (*Client) SetRepoSecret

func (c *Client) SetRepoSecret(ctx context.Context, owner, repo, name string, key *PublicKey, plaintext string) error

SetRepoSecret creates or updates a repo Actions secret. plaintext is encrypted client-side with libsodium sealed-box against key before being sent to GitHub.

func (*Client) SetRepoVariable

func (c *Client) SetRepoVariable(ctx context.Context, owner, repo, name, value string) error

SetRepoVariable creates or updates a repo Actions variable.

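The GitHub API exposes create (POST) and update (PATCH) as separate endpoints. We try update first; on 404 we fall back to create. This keeps the Backend surface "set, don't ask". GitHub also answers 404 when the repository does not exist or is not visible to the token, so a 404 on update does not by itself establish that only the variable is missing.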

type OwnerType added in v0.1.2

type OwnerType int

OwnerType distinguishes a GitHub organization from a personal (user) account. The two differ in how their repositories are enumerated and in whether org-level secrets/variables exist at all: user accounts have no org-level Actions, variable, or Dependabot API, so that scope is unsupported for them.

const (
	// OwnerOrg is a GitHub organization.
	// It is the zero value of OwnerType (iota starts at 0), so an
	// OwnerType that was never assigned reads as an organization.
	// NOTE(review): callers should check the error returned with an
	// OwnerType before branching on it, since the zero value cannot be
	// told apart from a genuine organization result.
	OwnerOrg OwnerType = iota
	// OwnerUser is a personal GitHub account.
	OwnerUser
)

type PublicKey

// PublicKey is a GitHub-issued public key used to encrypt secrets before
// upload. Repo Actions, repo Dependabot, org Actions and org Dependabot
// secrets each have their own Get*PublicKey method, so a key should be
// passed only to the Set*Secret method of the same scope.
type PublicKey struct {
	// NOTE(review): presumably GitHub's identifier for this key, sent
	// back alongside the encrypted value — confirm against the
	// Set*Secret implementations.
	KeyID string
	Key   string // base64-encoded 32-byte recipient public key
}

PublicKey is a GitHub-issued libsodium public key used to encrypt secrets.
