gh secret {set,list,remove} #2529
Conversation
|
Awesome that this is happening! 👏
Since our API doesn't have different endpoints for creating vs. updating a secret (it's both done via the same PUT endpoint), would we consider having both as the same command, e.g. |
|
@mislav i'm open to that, when i initially laid out the commands i didn't realize it was just the same endpoint. |
|
@mislav reusing set for repository secrets is easy enough but for organization secrets one might want to add or remove repositories from a secret with $ gh secret set a_secret --org --add -r"addedRepo"
# => addedRepo is added to list of repositories allowed to use secret
$ gh secret set a_secret --org --remove -r"removedRepo"
# => removedRepo is removed from list of repositories allowed to use secret
$ gh secret set a_secret --org -r"repo1,repo2"
# => list of allowed repos is set to repo1, repo2(inspired by I'm concerned that's a lot of usage for one command; separate cc @ampinsk in case you have any opinions |
I see! That's a very good point. It looks like org secrets also have a single PUT endpoint for create & update operations, but I can see how, in the interest of better usability and increased security, we might want to capture editing the list of repositories as a separate command. @vilmibm Do you know if it's possible do edit the list of repositories for a secret without also editing its |
|
current status:
|
yes, there are endpoints for just adding/removing/setting the list of repositories for a given org secret without needing to change its value. |
There was a problem hiding this comment.
This looks fantastic ✨
The only small gripes I have with the set command is its handling of the values in the -b flag, including filename handling. If possible, I'd like us to talk those over and make adjustments for flexibility and consistency with other commands before shipping. Thank you!
This comment was marked as spam.
This comment was marked as spam.
This comment was marked as spam.
This comment was marked as spam.
also fill in missing test cases >_>
|
This is ready for re-review, though as per
I'm curious what y'all think I should be doing there. I see a few options:
I vote for the middle option. Additionally, I'd also like to support accepting a no-echo paste when STDIN is empty and |
|
@vilmibm I am 👍 on the second option.
This may be a stupid question but could you elaborate on what this would look like? Or maybe an example command invocation illustrating what you mean. |
|
@samcoe something like this: $ gh secret set a_secret
Paste secret and submit with ctrl+d: it's functionally the same as doing |
I'd be super down with this! Bonus points if the input gets printed as |
|
Filename support is out and I'm caught up on all feedback. I'm saving better secret update experience for org secrets + interactivity for follow-up PRs. |
|
|
||
| err := client.GraphQL(host, query, nil, &graphqlResult) | ||
|
|
||
| gqlErr, isGqlErr := err.(*api.GraphQLErrorResponse) |
There was a problem hiding this comment.
Nit: to support wrapped errors, using errors.As() in a conditional might be a better bet here.
| $ gh secret set FROM_FLAG -b"some literal value" | ||
| $ gh secret set FROM_ENV -b"${ENV_VALUE}" | ||
| $ gh secret set FROM_FILE < file.json | ||
| $ gh secret set ORG_SECRET -bval --org=anOrg --visibility=all | ||
| $ gh secret set ORG_SECRET -bval --org=anOrg --repos="repo1,repo2,repo3" |
There was a problem hiding this comment.
These examples are :chef-kiss: ✨
| return nil | ||
| } | ||
|
|
||
| func validSecretName(name string) error { |
There was a problem hiding this comment.
Nit: I think we could have gotten away without client-side validation. These rules may change in the future on the platform, and instead of syncing the logic here, we could have allowed any value and let the server decide whether to accept them.
partially addresses #441
This PR implements
gh secret list,gh secret create, andgh secret remove. They support repository secrets by default and organization secrets using the--orgflag.NB: Updating secrets
gh secret setcan be used to update secrets. However, this PR merely supports "recreating" the secret: you need to specify a body and visibility and the full repo list for org secrets. I'm putting off adding a more nuanced secret update as a follow up PR since I'm still not convinced we shouldn't have a separateupdatesubcommand.NB Interactive set
Here's a demo of a working interactive
set. I'd like feedback on whether this is useful and worth adding tests/polish for. The code is in441-secrets-survey.