Sync Repository Secrets #9
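# Copies selected repository secrets of this repository to other repositories.
# mapping.json (checked in next to this workflow) maps each secret name to the
# list of target repositories that should receive it.
#
# Security notes for maintainers:
#   - mapping.json decides which secret goes to which repository, so a change
#     to it can copy any secret of this repository into any repository that
#     SECRETS_TOKEN is allowed to write to. Review it as strictly as this file.
#   - workflow_dispatch runs against the ref chosen at dispatch time, so the
#     mapping.json that is read is the one on that ref. Consider gating the job
#     behind a protected `environment:` with required reviewers.
name: Sync Repository Secrets

on:
  workflow_dispatch: {}

# Least privilege for the automatic GITHUB_TOKEN: the job only needs to read
# the repository contents. Writes to other repositories use SECRETS_TOKEN.
permissions:
  contents: read

jobs:
  sync-secrets:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        # NOTE(review): v4 is a mutable tag. In a job that handles every
        # repository secret, pin the action to a full commit SHA, e.g.
        # actions/checkout@<FULL_COMMIT_SHA>  # v4
        uses: actions/checkout@v4
        with:
          # Do not leave the checkout token in .git/config; later steps do not
          # need git credentials.
          persist-credentials: false

      - name: Process Secrets
        env:
          # gh reads GH_TOKEN from the environment, so no `gh auth login` step
          # is needed. This also keeps the token out of the script text (no
          # `${{ }}` interpolation inside `run:`) and out of gh's on-disk
          # configuration on the runner.
          GH_TOKEN: ${{ secrets.SECRETS_TOKEN }}
          # NOTE(review): toJson(secrets) hands EVERY repository secret to
          # this step, including SECRETS_TOKEN itself. If the set of secrets
          # to sync is fixed, pass them as individual env entries instead.
          SECRETS: '${{ toJson(secrets) }}'
        run: |
          set -euo pipefail

          # Read all secret names from mapping.json
          SECRET_NAMES=$(jq -r 'keys[]' mapping.json)

          # Process each secret
          echo "$SECRET_NAMES" | while read -r secret_name; do
            echo "Processing secret: $secret_name"

            # Get the secret value (jq prints "null" for a missing key)
            secret_value=$(jq -r --arg key "$secret_name" '.[$key]' <<< "$SECRETS")
            if [ -z "$secret_value" ] || [ "$secret_value" = "null" ]; then
              echo "Warning: Secret '$secret_name' not found in repository secrets"
              continue
            fi

            # Get target repositories for this secret
            target_repos=$(jq -r --arg secret "$secret_name" '.[$secret][]' mapping.json)

            # Sync to each target repository
            echo "$target_repos" | while read -r repo; do
              if [ -n "$repo" ]; then
                echo "Syncing secret '$secret_name' to repository '$repo'"
                # `gh secret set` has no --body-file flag; it reads the value
                # from standard input when --body is not given. Passing the
                # value on stdin keeps it out of the process argument list.
                # printf '%s' writes the value verbatim, unlike echo, which
                # appends a newline and treats a leading "-n"/"-e" as options.
                printf '%s' "$secret_value" | gh secret set "$secret_name" --repo "$repo"
              fi
            done
          done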