Propagate Repository Secrets #9
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Propagate Repository Secrets | |
| on: | |
| workflow_dispatch: | |
| jobs: | |
| get-mappings: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| matrix: ${{ steps.set-matrix.outputs.matrix }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - id: set-matrix | |
| run: | | |
| # Validate JSON first | |
| if ! jq empty mapping.json; then | |
| echo "Invalid JSON format!" | |
| exit 1 | |
| fi | |
| # Create matrix | |
| MATRIX=$(jq -c '{ include: [ to_entries[] | { secret: .key, repos: .value } ] }' mapping.json) | |
| echo "matrix=$MATRIX" >> $GITHUB_OUTPUT | |
| propagate: | |
| needs: get-mappings | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: ${{fromJson(needs.get-mappings.outputs.matrix)}} | |
| fail-fast: false | |
| steps: | |
| - name: Configure GitHub CLI | |
| run: | | |
| gh auth login --with-token <<< "${{ secrets.PAT_TOKEN }}" | |
| - name: Propagate Secret | |
| env: | |
| GITHUB_ORG: ${{ github.repository_owner }} | |
| run: | | |
| # The secret value is referenced statically for each matrix job | |
| SECRET_VALUE="${{ secrets[matrix.secret] }}" | |
| # Process each target repo, prepending the org name | |
| echo '${{ toJson(matrix.repos) }}' | jq -r '.[]' | while read -r repo; do | |
| if [ ! -z "$repo" ]; then | |
| FULL_REPO="$GITHUB_ORG/$repo" | |
| echo "Setting ${{ matrix.secret }} for repository $FULL_REPO" | |
| echo "$SECRET_VALUE" | gh secret set "${{ matrix.secret }}" --repo "$FULL_REPO" | |
| fi | |
| done |