Add playbook to deploy github environment secrets (#140)

ansible · Nov 27, 2023 · 27fa5f4 · 27fa5f4
1 parent 917c4c4
commit 27fa5f4
Show file tree

Hide file tree

Showing 6 changed files with 48 additions and 0 deletions.
diff --git a/.gitignore b/.gitignore
@@ -128,3 +128,5 @@ dmypy.json
 # Pyre type checker
 .pyre/
 .DS_Store
+.envrc
+.vault
diff --git a/playbooks/ansible.cfg b/playbooks/ansible.cfg
diff --git a/playbooks/deploy-bot-pat.yml b/playbooks/deploy-bot-pat.yml
@@ -0,0 +1,19 @@
+- name: Deploy BOT_PAT secret
+  hosts: localhost
+  gather_facts: false
+  tasks:
+    - name: Load repositories
+      ansible.builtin.include_vars:
+        file: ../config/devtools.yml
+        name: devtools
+
+    - debug:
+        msg: "{{ item }}"
+      loop: "{{ env_secrets | dict2items(key_name='env_name', value_name='env_secrets') }}"
+
+    - name: Loop over repositories
+      ansible.builtin.include_tasks: tasks/gh-set-env-secrets.yml
+      loop: "{{ devtools.repos }}"
+      loop_control:
+        label: "{{ repo }}"
+        loop_var: repo
diff --git a/playbooks/host_vars/localhost.yml b/playbooks/host_vars/localhost.yml
@@ -0,0 +1,10 @@
+env_secrets:
+  ack: # github environment name
+    BOT_PAT: !vault |
+      $ANSIBLE_VAULT;1.1;AES256
+      39316132336366663432646530316462373436646132633437363032613335626263616564663437
+      3739303161373964643437623663393663343666326564660a633637383631386433373633383736
+      38656339306634363737656530333531313638313865666232306238626230326365373063363133
+      6464643330333332320a633631663661616532356262363034386664316339306463306264393636
+      37386663626565386362626133623538343264353363613164373662306335343038376237313566
+      6564643761366534643538666532386339353238656237313532
diff --git a/playbooks/tasks/gh-set-env-secrets.yml b/playbooks/tasks/gh-set-env-secrets.yml
@@ -0,0 +1,12 @@
+- name: Create github environment
+  ansible.builtin.shell: >
+    gh api --method PUT -H "Accept: application/vnd.github+json" repos/{{ repo }}/environments/{{ env.env_name }}
+  loop: "{{ env_secrets | dict2items(key_name='env_name', value_name='env_secrets') }}"
+  loop_control:
+    loop_var: env
+
+- name: For each secret in environment
+  ansible.builtin.include_tasks: gh-set-secret.yml
+  loop: "{{ env_secrets | dict2items(key_name='env_name', value_name='env_secrets') }}"
+  loop_control:
+    loop_var: env
diff --git a/playbooks/tasks/gh-set-secret.yml b/playbooks/tasks/gh-set-secret.yml
@@ -0,0 +1,5 @@
+- name: Configure secret
+  ansible.builtin.shell: >
+    gh secret --repo {{ repo }} set --env {{ env.env_name }} {{ item.gh_secret_name }} --body {{ item.gh_secret_value }}
+  no_log: false
+  loop: "{{  env.env_secrets | dict2items('gh_secret_name', 'gh_secret_value') }}"
-Original file line number
+Diff line change
@@ Expand Up / @@ -128,3 +128,5 @@ dmypy.json @@
     # Pyre type checker
     .pyre/
     .DS_Store
+    .envrc
+    .vault