feat: add support for syncing secrets to GitHub Actions & Dependabot

backend/api/services.py

@@ -129,6 +129,13 @@ class ServiceConfig:
         "provider": Providers.GITHUB,
         "resource_type": "repo",
     }
+
+    GITHUB_DEPENDABOT = {
+        "id": "github_dependabot",
+        "name": "GitHub Dependabot",
+        "provider": Providers.GITHUB,
+        "resource_type": "repo",
+    }
 
     GITLAB_CI = {
         "id": "gitlab_ci",

backend/api/tasks/syncing.py

@@ -8,6 +8,11 @@
 from api.utils.syncing.github.actions import (
     get_gh_actions_credentials,
     sync_github_secrets,
+    sync_github_org_secrets,
+)
+from api.utils.syncing.github.dependabot import (
+    sync_github_dependabot_secrets,
+    sync_github_dependabot_org_secrets,
 )
 from api.utils.syncing.vault.main import sync_vault_secrets
 from api.utils.syncing.nomad.main import sync_nomad_secrets
@@ -84,6 +89,15 @@ def trigger_sync_tasks(env_sync):
 
         EnvironmentSyncEvent.objects.create(id=job_id, env_sync=env_sync)
 
+    elif env_sync.service == ServiceConfig.GITHUB_DEPENDABOT["id"]:
+        env_sync.status = EnvironmentSync.IN_PROGRESS
+        env_sync.save()
+
+        job = perform_github_dependabot_sync.delay(env_sync)
+        job_id = job.get_id()
+
+        EnvironmentSyncEvent.objects.create(id=job_id, env_sync=env_sync)
+
     elif env_sync.service == ServiceConfig.HASHICORP_VAULT["id"]:
         env_sync.status = EnvironmentSync.IN_PROGRESS
         env_sync.save()
@@ -255,19 +269,64 @@ def perform_cloudflare_pages_sync(environment_sync):
 def perform_github_actions_sync(environment_sync):
 
     access_token, api_host = get_gh_actions_credentials(environment_sync)
-    repo_name = environment_sync.options.get("repo_name")
-    repo_owner = environment_sync.options.get("owner")
-    environment_name = environment_sync.options.get("environment_name")
+    is_org_sync = environment_sync.options.get("org_sync", False)
 
-    handle_sync_event(
-        environment_sync,
-        sync_github_secrets,
-        access_token,
-        repo_name,
-        repo_owner,
-        api_host,
-        environment_name,
-    )
+    if is_org_sync:
+        org = environment_sync.options.get("org")
+        visibility = environment_sync.options.get("visibility", "all")
+        handle_sync_event(
+            environment_sync,
+            sync_github_org_secrets,
+            access_token,
+            org,
+            api_host,
+            visibility,
+        )
+    else:
+        repo_name = environment_sync.options.get("repo_name")
+        repo_owner = environment_sync.options.get("owner")
+        environment_name = environment_sync.options.get("environment_name")
+
+        handle_sync_event(
+            environment_sync,
+            sync_github_secrets,
+            access_token,
+            repo_name,
+            repo_owner,
+            api_host,
+            environment_name,
+        )
+
+
+@job("default", timeout=DEFAULT_TIMEOUT)
+def perform_github_dependabot_sync(environment_sync):
+
+    access_token, api_host = get_gh_actions_credentials(environment_sync)
+    is_org_sync = environment_sync.options.get("org_sync", False)
+
+    if is_org_sync:
+        org = environment_sync.options.get("org")
+        visibility = environment_sync.options.get("visibility", "all")
+        handle_sync_event(
+            environment_sync,
+            sync_github_dependabot_org_secrets,
+            access_token,
+            org,
+            api_host,
+            visibility,
+        )
+    else:
+        repo_name = environment_sync.options.get("repo_name")
+        repo_owner = environment_sync.options.get("owner")
+
+        handle_sync_event(
+            environment_sync,
+            sync_github_dependabot_secrets,
+            access_token,
+            repo_name,
+            repo_owner,
+            api_host,
+        )
 
 
 @job("default", timeout=DEFAULT_TIMEOUT)

backend/api/utils/syncing/github/actions.py

@@ -20,11 +20,17 @@ class GitHubRepoType(ObjectType):
     type = graphene.String()
 
 
+class GitHubOrgType(ObjectType):
+    name = graphene.String()
+    role = graphene.String()
+
+
 def normalize_api_host(api_host):
     if not api_host or api_host.strip() == "":
         api_host = GITHUB_CLOUD_API_URL
 
-    if settings.APP_HOST == "cloud":
+    app_host = getattr(settings, "APP_HOST", None)
+    if app_host == "cloud":
         validate_url_is_safe(api_host)
 
     stripped_host = api_host.rstrip("/")
@@ -92,6 +98,52 @@ def serialize_repos(repos):
     return all_repos
 
 
+def list_orgs(credential_id):
+    ProviderCredentials = apps.get_model("api", "ProviderCredentials")
+
+    pk, sk = get_server_keypair()
+    credential = ProviderCredentials.objects.get(id=credential_id)
+
+    access_token = decrypt_asymmetric(
+        credential.credentials["access_token"], sk.hex(), pk.hex()
+    )
+
+    api_host = GITHUB_CLOUD_API_URL
+    if "host" in credential.credentials:
+        api_host = decrypt_asymmetric(
+            credential.credentials["api_url"], sk.hex(), pk.hex()
+        )
+
+    api_host = normalize_api_host(api_host)
+
+    headers = {
+        "Authorization": f"Bearer {access_token}",
+        "Accept": "application/vnd.github+json",
+    }
+
+    all_orgs = []
+    page = 1
+
+    while True:
+        response = requests.get(
+            f"{api_host}/user/orgs?per_page=100&page={page}", headers=headers
+        )
+        if response.status_code != 200:
+            raise Exception(f"Error fetching organizations: {response.text}")
+
+        orgs_on_page = response.json()
+        if not orgs_on_page:
+            break
+
+        for org in orgs_on_page:
+            role = org.get("role", "member")
+            all_orgs.append({"name": org["login"], "role": role})
+
+        page += 1
+
+    return all_orgs
+
+
 def get_gh_actions_credentials(environment_sync):
     pk, sk = get_server_keypair()
 
@@ -265,7 +317,10 @@ def sync_github_secrets(
         for key, value in local_secrets.items():
             encrypted_value = encrypt_secret(public_key_value, value)
             if len(encrypted_value) > 64 * 1024:
-                continue  # Skip oversized secret
+                message = (
+                    f"Secret '{key}' is too large to sync. GitHub Actions has a limit of 64KB for secrets."
+                )
+                return False, {"message": message}
 
             secret_data = {"encrypted_value": encrypted_value, "key_id": key_id}
             if environment_name:
@@ -306,3 +361,110 @@ def sync_github_secrets(
 
         traceback.print_exc()
         return False, {"message": f"An unexpected error occurred: {str(e)}"}
+
+
+def get_all_org_secrets(org, headers, api_host=GITHUB_CLOUD_API_URL):
+    api_host = normalize_api_host(api_host)
+    all_secrets = []
+    page = 1
+    while True:
+        response = requests.get(
+            f"{api_host}/orgs/{org}/actions/secrets?page={page}",
+            headers=headers,
+        )
+        if response.status_code != 200:
+            break
+        try:
+            data = response.json()
+        except json.JSONDecodeError:
+            break
+        if not data.get("secrets"):
+            break
+        all_secrets.extend(data["secrets"])
+        page += 1
+    return all_secrets
+
+
+def sync_github_org_secrets(
+    secrets,
+    access_token,
+    org,
+    api_host=GITHUB_CLOUD_API_URL,
+    visibility="all",
+):
+    api_host = normalize_api_host(api_host)
+
+    try:
+        if not check_rate_limit(access_token, api_host):
+            return False, {"message": "Rate limit exceeded"}
+
+        headers = {
+            "Authorization": f"Bearer {access_token}",
+            "Accept": "application/vnd.github+json",
+        }
+
+        public_key_url = f"{api_host}/orgs/{org}/actions/secrets/public-key"
+
+        public_key_response = requests.get(public_key_url, headers=headers)
+        if public_key_response.status_code != 200:
+            if public_key_response.status_code == 404:
+                return False, {
+                    "response_code": public_key_response.status_code,
+                    "message": "Unable to access organization. Please verify the organization exists and your access token has the required permissions (admin:org scope).",
+                }
+            return False, {
+                "response_code": public_key_response.status_code,
+                "message": f"Failed to fetch organization public key: {public_key_response.text}",
+            }
+
+        public_key = public_key_response.json()
+        key_id = public_key["key_id"]
+        public_key_value = public_key["key"]
+
+        local_secrets = {k: v for k, v, _ in secrets}
+        existing_secrets = get_all_org_secrets(org, headers, api_host)
+        existing_secret_names = {secret["name"] for secret in existing_secrets}
+
+        for key, value in local_secrets.items():
+            encrypted_value = encrypt_secret(public_key_value, value)
+            if len(encrypted_value) > 64 * 1024:
+                message = (
+                    f"Secret '{key}' is too large to sync. GitHub Actions has a limit of 64KB for secrets."
+                )
+                return False, {"message": message}
+
+            secret_data = {
+                "encrypted_value": encrypted_value,
+                "key_id": key_id,
+                "visibility": visibility,
+            }
+            secret_url = f"{api_host}/orgs/{org}/actions/secrets/{key}"
+            response = requests.put(secret_url, headers=headers, json=secret_data)
+
+            if response.status_code not in [201, 204]:
+                return False, {
+                    "response_code": response.status_code,
+                    "message": f"Error syncing secret '{key}': {response.text}",
+                }
+
+        for secret_name in existing_secret_names:
+            if secret_name not in local_secrets:
+                delete_url = f"{api_host}/orgs/{org}/actions/secrets/{secret_name}"
+                delete_response = requests.delete(delete_url, headers=headers)
+                if delete_response.status_code != 204:
+                    return False, {
+                        "response_code": delete_response.status_code,
+                        "message": f"Error deleting secret '{secret_name}': {delete_response.text}",
+                    }
+
+        return True, {"message": "Organization secrets synced successfully"}
+
+    except requests.RequestException as e:
+        return False, {"message": f"HTTP request error: {str(e)}"}
+    except json.JSONDecodeError:
+        return False, {"message": "Error decoding JSON response"}
+    except Exception as e:
+        import traceback
+
+        traceback.print_exc()
+        return False, {"message": f"An unexpected error occurred: {str(e)}"}