feat: add support for syncing secrets to GitHub Actions & Dependabot

backend/api/tasks/syncing.py

@@ -8,6 +8,7 @@
 from api.utils.syncing.github.actions import (
     get_gh_actions_credentials,
     sync_github_secrets,
+    sync_github_org_secrets,
 )
 from api.utils.syncing.vault.main import sync_vault_secrets
 from api.utils.syncing.nomad.main import sync_nomad_secrets
@@ -255,19 +256,33 @@ def perform_cloudflare_pages_sync(environment_sync):
 def perform_github_actions_sync(environment_sync):
 
     access_token, api_host = get_gh_actions_credentials(environment_sync)
-    repo_name = environment_sync.options.get("repo_name")
-    repo_owner = environment_sync.options.get("owner")
-    environment_name = environment_sync.options.get("environment_name")
+    is_org_sync = environment_sync.options.get("org_sync", False)
 
-    handle_sync_event(
-        environment_sync,
-        sync_github_secrets,
-        access_token,
-        repo_name,
-        repo_owner,
-        api_host,
-        environment_name,
-    )
+    if is_org_sync:
+        org = environment_sync.options.get("org")
+        visibility = environment_sync.options.get("visibility", "all")
+        handle_sync_event(
+            environment_sync,
+            sync_github_org_secrets,
+            access_token,
+            org,
+            api_host,
+            visibility,
+        )
+    else:
+        repo_name = environment_sync.options.get("repo_name")
+        repo_owner = environment_sync.options.get("owner")
+        environment_name = environment_sync.options.get("environment_name")
+
+        handle_sync_event(
+            environment_sync,
+            sync_github_secrets,
+            access_token,
+            repo_name,
+            repo_owner,
+            api_host,
+            environment_name,
+        )
 
 
 @job("default", timeout=DEFAULT_TIMEOUT)

backend/api/utils/syncing/github/actions.py

@@ -18,6 +18,11 @@ class GitHubRepoType(ObjectType):
     type = graphene.String()
 
 
+class GitHubOrgType(ObjectType):
+    name = graphene.String()
+    role = graphene.String()
+
+
 def normalize_api_host(api_host):
     if not api_host or api_host.strip() == "":
         api_host = GITHUB_CLOUD_API_URL
@@ -87,6 +92,59 @@ def serialize_repos(repos):
     return all_repos
 
 
+def list_orgs(credential_id):
+    ProviderCredentials = apps.get_model("api", "ProviderCredentials")
+
+    pk, sk = get_server_keypair()
+    credential = ProviderCredentials.objects.get(id=credential_id)
+
+    access_token = decrypt_asymmetric(
+        credential.credentials["access_token"], sk.hex(), pk.hex()
+    )
+
+    api_host = GITHUB_CLOUD_API_URL
+    if "host" in credential.credentials:
+        api_host = decrypt_asymmetric(
+            credential.credentials["api_url"], sk.hex(), pk.hex()
+        )
+
+    api_host = normalize_api_host(api_host)
+
+    headers = {
+        "Authorization": f"Bearer {access_token}",
+        "Accept": "application/vnd.github+json",
+    }
+
+    all_orgs = []
+    page = 1
+
+    while True:
+        response = requests.get(
+            f"{api_host}/user/orgs?per_page=100&page={page}", headers=headers
+        )
+        if response.status_code != 200:
+            raise Exception(f"Error fetching organizations: {response.text}")
+
+        orgs_on_page = response.json()
+        if not orgs_on_page:
+            break
+
+        for org in orgs_on_page:
+            # Get org membership to determine role
+            membership_response = requests.get(
+                f"{api_host}/user/memberships/orgs/{org['login']}", headers=headers
+            )
+            role = "member"
+            if membership_response.status_code == 200:
+                role = membership_response.json().get("role", "member")
+
+            all_orgs.append({"name": org["login"], "role": role})
+
+        page += 1
+
+    return all_orgs
+
+
 def get_gh_actions_credentials(environment_sync):
     pk, sk = get_server_keypair()
 
@@ -301,3 +359,101 @@ def sync_github_secrets(
 
         traceback.print_exc()
         return False, {"message": f"An unexpected error occurred: {str(e)}"}
+
+
+def get_all_org_secrets(org, headers, api_host=GITHUB_CLOUD_API_URL):
+    api_host = normalize_api_host(api_host)
+    all_secrets = []
+    page = 1
+    while True:
+        response = requests.get(
+            f"{api_host}/orgs/{org}/actions/secrets?page={page}",
+            headers=headers,
+        )
+        if response.status_code != 200 or not response.json().get("secrets"):
+            break
+        all_secrets.extend(response.json()["secrets"])
+        page += 1
+    return all_secrets
+
+
+def sync_github_org_secrets(
+    secrets,
+    access_token,
+    org,
+    api_host=GITHUB_CLOUD_API_URL,
+    visibility="all",
+):
+    api_host = normalize_api_host(api_host)
+
+    try:
+        if not check_rate_limit(access_token, api_host):
+            return False, {"message": "Rate limit exceeded"}
+
+        headers = {
+            "Authorization": f"Bearer {access_token}",
+            "Accept": "application/vnd.github+json",
+        }
+
+        public_key_url = f"{api_host}/orgs/{org}/actions/secrets/public-key"
+
+        public_key_response = requests.get(public_key_url, headers=headers)
+        if public_key_response.status_code != 200:
+            if public_key_response.status_code == 404:
+                return False, {
+                    "response_code": public_key_response.status_code,
+                    "message": "Unable to access organization. Please verify the organization exists and your access token has the required permissions (admin:org scope).",
+                }
+            return False, {
+                "response_code": public_key_response.status_code,
+                "message": f"Failed to fetch organization public key: {public_key_response.text}",
+            }
+
+        public_key = public_key_response.json()
+        key_id = public_key["key_id"]
+        public_key_value = public_key["key"]
+
+        local_secrets = {k: v for k, v, _ in secrets}
+        existing_secrets = get_all_org_secrets(org, headers, api_host)
+        existing_secret_names = {secret["name"] for secret in existing_secrets}
+
+        for key, value in local_secrets.items():
+            encrypted_value = encrypt_secret(public_key_value, value)
+            if len(encrypted_value) > 64 * 1024:
+                continue  # Skip oversized secret
+
+            secret_data = {
+                "encrypted_value": encrypted_value,
+                "key_id": key_id,
+                "visibility": visibility,
+            }
+            secret_url = f"{api_host}/orgs/{org}/actions/secrets/{key}"
+            response = requests.put(secret_url, headers=headers, json=secret_data)
+
+            if response.status_code not in [201, 204]:
+                return False, {
+                    "response_code": response.status_code,
+                    "message": f"Error syncing secret '{key}': {response.text}",
+                }
+
+        for secret_name in existing_secret_names:
+            if secret_name not in local_secrets:
+                delete_url = f"{api_host}/orgs/{org}/actions/secrets/{secret_name}"
+                delete_response = requests.delete(delete_url, headers=headers)
+                if delete_response.status_code != 204:
+                    return False, {
+                        "response_code": delete_response.status_code,
+                        "message": f"Error deleting secret '{secret_name}': {delete_response.text}",
+                    }
+
+        return True, {"message": "Organization secrets synced successfully"}
+
+    except requests.RequestException as e:
+        return False, {"message": f"HTTP request error: {str(e)}"}
+    except json.JSONDecodeError:
+        return False, {"message": "Error decoding JSON response"}
+    except Exception as e:
+        import traceback
+
+        traceback.print_exc()
+        return False, {"message": f"An unexpected error occurred: {str(e)}"}

backend/backend/graphene/mutations/syncing.py

@@ -264,15 +264,27 @@ class Arguments:
         env_id = graphene.ID()
         path = graphene.String()
         credential_id = graphene.ID()
-        repo_name = graphene.String()
+        repo_name = graphene.String(required=False)
         owner = graphene.String()
         environment_name = graphene.String(required=False)
+        org_sync = graphene.Boolean(required=False)
+        repo_visibility = graphene.String(required=False)
 
     sync = graphene.Field(EnvironmentSyncType)
 
     @classmethod
     def mutate(
-        cls, root, info, env_id, path, credential_id, repo_name, owner, environment_name=None
+        cls,
+        root,
+        info,
+        env_id,
+        path,
+        credential_id,
+        owner,
+        repo_name=None,
+        environment_name=None,
+        org_sync=False,
+        repo_visibility="all",
     ):
         service_id = "github_actions"
         service_config = ServiceConfig.get_service_config(service_id)
@@ -285,16 +297,29 @@ def mutate(
         if not user_can_access_app(info.context.user.userId, env.app.id):
             raise GraphQLError("You don't have access to this app")
 
-        sync_options = {"repo_name": repo_name, "owner": owner}
-        if environment_name:
-            sync_options["environment_name"] = environment_name
+        if org_sync:
+            sync_options = {
+                "org": owner,
+                "org_sync": True,
+                "visibility": repo_visibility or "all",
+            }
+        else:
+            if not repo_name:
+                raise GraphQLError("Repository name is required for repository syncs")
+            sync_options = {"repo_name": repo_name, "owner": owner}
+            if environment_name:
+                sync_options["environment_name"] = environment_name
 
         existing_syncs = EnvironmentSync.objects.filter(
             environment__app_id=env.app.id, service=service_id, deleted_at=None
         )
 
         for es in existing_syncs:
             if es.options == sync_options:
+                if org_sync:
+                    raise GraphQLError(
+                        "A sync already exists for this GitHub organization!"
+                    )
                 raise GraphQLError("A sync already exists for this GitHub repo!")
 
         sync = EnvironmentSync.objects.create(

backend/backend/graphene/queries/syncing.py

@@ -20,7 +20,7 @@
 )
 from api.services import Providers, ServiceConfig
 from api.utils.syncing.aws.secrets_manager import list_aws_secrets
-from api.utils.syncing.github.actions import list_repos, list_environments
+from api.utils.syncing.github.actions import list_repos, list_environments, list_orgs
 from api.utils.syncing.vault.main import test_vault_creds
 from api.utils.syncing.nomad.main import test_nomad_creds
 from api.utils.syncing.gitlab.main import list_gitlab_groups, list_gitlab_projects
@@ -199,6 +199,14 @@ def resolve_github_environments(root, info, credential_id, owner, repo_name):
         raise GraphQLError(ex)
 
 
+def resolve_gh_orgs(root, info, credential_id):
+    try:
+        orgs = list_orgs(credential_id)
+        return orgs
+    except Exception as ex:
+        raise GraphQLError(ex)
+
+
 def resolve_test_vault_creds(root, info, credential_id):
     try:
         valid = test_vault_creds(credential_id)

backend/backend/schema.py

@@ -1,7 +1,7 @@
 from api.utils.syncing.cloudflare.pages import CloudFlarePagesType
 from api.utils.syncing.cloudflare.workers import CloudflareWorkerType
 from api.utils.syncing.aws.secrets_manager import AWSSecretType
-from api.utils.syncing.github.actions import GitHubRepoType
+from api.utils.syncing.github.actions import GitHubRepoType, GitHubOrgType
 from api.utils.syncing.gitlab.main import GitLabGroupType, GitLabProjectType
 from api.utils.syncing.railway.main import RailwayProjectType
 from api.utils.syncing.render.main import RenderEnvGroupType, RenderServiceType
@@ -71,6 +71,7 @@
 from .graphene.queries.syncing import (
     resolve_aws_secret_manager_secrets,
     resolve_gh_repos,
+    resolve_gh_orgs,
     resolve_github_environments,
     resolve_gitlab_projects,
     resolve_gitlab_groups,
@@ -395,6 +396,10 @@ class Query(graphene.ObjectType):
         GitHubRepoType,
         credential_id=graphene.ID(),
     )
+    github_orgs = graphene.List(
+        GitHubOrgType,
+        credential_id=graphene.ID(),
+    )
     github_environments = graphene.List(
         graphene.String,
         credential_id=graphene.ID(),
@@ -475,6 +480,7 @@ class Query(graphene.ObjectType):
     resolve_aws_secrets = resolve_aws_secret_manager_secrets
 
     resolve_github_repos = resolve_gh_repos
+    resolve_github_orgs = resolve_gh_orgs
     resolve_github_environments = resolve_github_environments
 
     resolve_gitlab_projects = resolve_gitlab_projects