actions secret

enc.py

from base64 import encodebytes
from nacl import encoding, public
import os
import sys
import json
import requests
from requests.auth import HTTPBasicAuth
import pdb
from pprint import pprint


def encrypt(key, value):
    public_key = public.PublicKey(key, encoding.Base64Encoder())
    sealed_box = public.SealedBox(public_key)
    encrypted = sealed_box.encrypt(bytes(value, "utf-8"))
    return encodebytes(encrypted).decode("utf-8")


resp = requests.get(f"https://api.github.com/repos/{os.environ.get('GH_USER')}/{os.environ.get('GH_REPO')}/actions/secrets/public-key",
    auth=HTTPBasicAuth(os.environ.get('GH_USER'),
    os.environ.get('GH_TOKEN'))
)

pub_key = resp.json().get('key')
pub_key_id = resp.json().get('key_id')

enc_blob = encrypt(pub_key, 'foo').rstrip()
payload = {
    'encrypted_value': enc_blob,
    'key_id': pub_key_id,
}
pprint(payload)
try:
    resp = requests.put(
        f"https://api.github.com/repos/{os.environ.get('GH_USER')}/{os.environ.get('GH_REPO')}/actions/secrets/foo",
        auth=HTTPBasicAuth(os.environ.get('GH_USER'), os.environ.get('GH_TOKEN')),
        headers = {
            'Accept': 'application/vnd.github.v3+json',
            'Content-Type': 'application/json',
        },
        data = json.dumps(payload),
    )
    pprint(resp)
    resp.raise_for_status()
except requests.exceptions.HTTPError as err:
    print(err)
    sys.exit(1)