diff --git a/app/update_secret_action.py b/app/update_secret_action.py
index b82c5e7..5adf62f 100644
--- a/app/update_secret_action.py
+++ b/app/update_secret_action.py
@@ -1,24 +1,25 @@
 import os
-import base64
-import nacl.secret
-import nacl.utils
+from base64 import b64encode
+from nacl import encoding, public, secret
 import requests
 import logging
 import sys
 
-def encrypt_secret(secret_value, public_key):
+def encrypt_secret(secret_value, public_key_base64):
     try:
-        box = nacl.secret.SecretBox(public_key, encoder=nacl.encoding.Base64Encoder)
-        encrypted = box.encrypt(secret_value.encode())
-        return base64.b64encode(encrypted).decode()
+        public_key = public.PublicKey(public_key_base64, encoding.Base64Encoder())
+        sealed_box = public.SealedBox(public_key)
+        encrypted = sealed_box.encrypt(secret_value.encode())
+        return b64encode(encrypted).decode()
     except Exception as e:
         logging.error(f"Encryption failed: {e}")
         sys.exit(1)
 
-def decrypt_secret(encrypted_secret, private_key):
+def decrypt_secret(encrypted_secret, private_key_base64):
     try:
-        box = nacl.secret.SecretBox(private_key, encoder=nacl.encoding.Base64Encoder)
-        decrypted = box.decrypt(base64.b64decode(encrypted_secret)).decode()
+        private_key = secret.SecretKey(private_key_base64, encoding.Base64Encoder())
+        box = public.SealedBox(private_key.public_key)
+        decrypted = box.decrypt(b64encode(encrypted_secret).decode()).decode()
         return decrypted
     except Exception as e:
         logging.error(f"Decryption failed: {e}")
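Review bot: decrypt_secret cannot decrypt anything as written: `secret.SecretKey` is not a PyNaCl class (nacl.secret exposes SecretBox; the key type that opens a sealed box is nacl.public.PrivateKey), a SealedBox built from `private_key.public_key` can only encrypt, and the ciphertext is run through `b64encode(...).decode()` instead of being base64-decoded back to bytes, so every call falls into the broad `except Exception` and exits. The rewrite below builds the sealed box from the private key and decodes the input, which also needs `b64decode` added to the base64 import and leaves the `secret` import unused. encrypt_secret is consistent with sealed-box encryption over the repository public key. decrypt_secret's except branch continues past the hunk, so its exit path is not visible here.
```python
from base64 import b64decode, b64encode
# … unchanged: remaining imports, encrypt_secret …
def decrypt_secret(encrypted_secret, private_key_base64):
    try:
        private_key = public.PrivateKey(private_key_base64, encoding.Base64Encoder)
        box = public.SealedBox(private_key)
        decrypted = box.decrypt(b64decode(encrypted_secret)).decode()
        # … unchanged: return decrypted and error handling …
```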
@@ -29,20 +30,20 @@ def update_github_secret(repository_owner, repository_name, secret_name, new_sec
     url = f"https://api.github.com/repos/{repository_owner}/{repository_name}/actions/secrets/{secret_name}"
 
     # Get the public key for encryption
-    response = requests.get(f"https://api.github.com/repos/{repository_owner}/{repository_name}/actions/secrets/public-key", headers={"Authorization": f"Bearer {token}"})
-    response.raise_for_status() # Raise an error for bad responses
-    public_key = response.json()['key']
-    public_key = base64.b64decode(public_key)
+    public_key_info = requests.get(f"https://api.github.com/repos/{repository_owner}/{repository_name}/actions/secrets/public-key", headers={"Authorization": f"Bearer {token}"})
+    public_key_info = public_key_info.json()
+    key_id = public_key_info['key_id']
+    public_key_base64 = public_key_info['key']
 
     # Encrypt the new secret value
-    encrypted_secret = encrypt_secret(new_secret_value, public_key)
+    encrypted_secret = encrypt_secret(new_secret_value, public_key_base64)
 
     # Update the secret on GitHub
-    response = requests.put(url, json={"encrypted_value": encrypted_secret}, headers={"Authorization": f"Bearer {token}"})
+    response = requests.put(url, json={"encrypted_value": encrypted_secret, "key_id": key_id}, headers={"Authorization": f"Bearer {token}"})
     response.raise_for_status() # Raise an error for bad responses
 
-    if response.status_code == 200:
+    if response.status_code == 204:
         logging.info(f"Secret '{secret_name}' updated successfully.")
     else:
         logging.error(f"Failed to update secret '{secret_name}'. Status code: {response.status_code}, Response: {response.text}")
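Review bot: The public-key GET lost its `raise_for_status()`: a 401/403/404 from the API now flows straight into `public_key_info.json()` and the `['key_id']` lookup and surfaces as a KeyError or JSON decode error instead of an HTTP error, and since update_github_secret starts outside the hunk I cannot see an outer handler that would catch it. Restore the check before parsing, `public_key_info.raise_for_status()`, and give both `requests.get` and `requests.put` a `timeout=` so a stalled connection cannot hang the job indefinitely. The success test `if response.status_code == 204:` also misses 201, which GitHub returns when the secret is created rather than updated; after `raise_for_status()` the else branch only ever sees 2xx codes, so `if response.status_code in (201, 204):` would stop a first-time create from being logged as a failure.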
@@ -64,4 +65,4 @@ def update_github_secret(repository_owner, repository_name, secret_name, new_sec
     logging.error("Missing required environment variables.")
     sys.exit(1)
 
-update_github_secret(repository_owner, repository_name, secret_name, new_secret_value, github_token)
+update_github_secret(repository_owner, repository_name, secret_name, new_secret_value, github_token)
\ No newline at end of file