Sync Repository Secrets #13
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Sync Repository Secrets | |
| on: | |
| workflow_dispatch: {} | |
| jobs: | |
| sync-secrets: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Setup GitHub CLI | |
| run: | | |
| gh auth login --with-token <<< "${{ secrets.SECRETS_TOKEN }}" | |
| - name: Process Secrets | |
| env: | |
| SECRETS: '${{ toJson(secrets) }}' | |
| GITHUB_OWNER: ${{ github.repository_owner }} | |
| run: | | |
| # Read all secret names from mapping.json | |
| SECRET_NAMES=$(jq -r 'keys[]' mapping.json) | |
| # Process each secret | |
| echo "$SECRET_NAMES" | while read -r secret_name; do | |
| echo "Processing secret: $secret_name" | |
| secret_value=$(jq -r --arg key "$secret_name" '.[$key]' <<< "$SECRETS") | |
| if [ -z "$secret_value" ] || [ "$secret_value" = "null" ]; then | |
| echo "Error: Secret '$secret_name' not found in source repository" | |
| continue | |
| fi | |
| # Get target repositories for this secret | |
| target_repos=$(jq -r --arg secret "$secret_name" '.[$secret][]' mapping.json) | |
| # Sync to each target repository | |
| echo "$target_repos" | while read -r repo; do | |
| if [ ! -z "$repo" ]; then | |
| echo "Creating/updating secret '$secret_name' in repository '$GITHUB_OWNER/$repo'" | |
| gh secret set "$secret_name" -R "$GITHUB_OWNER/$repo" --body "$secret_value" | |
| fi | |
| done | |
| done |