Fixes for Github Actions sink

go.mod

@@ -10,20 +10,17 @@ require (
 	github.com/google/go-github/v29 v29.0.3
 	github.com/google/uuid v1.1.1
 	github.com/hashicorp/go-multierror v1.0.0
+	github.com/haya14busa/goverage v0.0.0-20180129164344-eec3514a20b5 // indirect
 	github.com/howeyc/gopass v0.0.0-20190910152052-7cb4b85ec19c // indirect
 	github.com/jszwedko/go-circleci v0.3.0
-	github.com/konsorten/go-windows-terminal-sequences v1.0.2 // indirect
-	github.com/mattn/go-colorable v0.1.6 // indirect
 	github.com/pkg/errors v0.9.1
 	github.com/segmentio/go-prompt v1.2.1-0.20161017233205-f0d19b6901ad // build fails otherwise
 	github.com/shuheiktgw/go-travis v0.2.4
 	github.com/sirupsen/logrus v1.4.2
 	github.com/spf13/cobra v0.0.6
-	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/stretchr/objx v0.2.0 // indirect
 	github.com/stretchr/testify v1.5.1
 	golang.org/x/crypto v0.0.0-20200302210943-78000ba7a073
-	golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be
-	golang.org/x/sys v0.0.0-20200302150141-5c8b2ff67527 // indirect
+	golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d
+	golang.org/x/tools v0.0.0-20200304143113-d6a4d55695f2 // indirect
 	gopkg.in/yaml.v2 v2.2.8
 )

pkg/sink/github_actions_env.go

@@ -2,8 +2,8 @@ package sink
 
 import (
 	"context"
-	"crypto/rand"
 	"encoding/base64"
+	"fmt"
 
 	"github.com/google/go-github/v29/github"
 	"github.com/pkg/errors"
@@ -15,15 +15,17 @@ const (
 	gitHubPubKeyLen = 32
 )
 
+// GitHubActionsSecretSink holds the configuration for a Github actions secret
 type GitHubActionsSecretSink struct {
 	BaseSink `yaml:",inline"`
 
-	owner string // github organization owner
-	repo  string // github repo
+	owner string `yaml:"owner"` // github organization owner
+	repo  string `yaml:"repo"`  // github repo
 
-	client *github.Client
+	client *github.Client `yaml:"client"`
 }
 
+// WithStaticTokenAuthClient configures a github client for this sink using an oauth token
 func (s *GitHubActionsSecretSink) WithStaticTokenAuthClient(token string, owner string, repo string) *GitHubActionsSecretSink {
 	ts := oauth2.StaticTokenSource(
 		&oauth2.Token{AccessToken: token},
@@ -33,6 +35,7 @@ func (s *GitHubActionsSecretSink) WithStaticTokenAuthClient(token string, owner
 	return s.WithClient(client, owner, repo)
 }
 
+// WithClient configures a github client for this sink
 func (s *GitHubActionsSecretSink) WithClient(client *github.Client, owner string, repo string) *GitHubActionsSecretSink {
 	s.client = client
 	s.owner = owner
@@ -41,13 +44,18 @@ func (s *GitHubActionsSecretSink) WithClient(client *github.Client, owner string
 	return s
 }
 
+// Write updates the value of the env var with the specified name
+// for the given repo.
 func (s *GitHubActionsSecretSink) Write(ctx context.Context, name string, value string) error {
 	f := func(ctx context.Context) error {
 
-		receiverPublicKey, _, err := s.client.Actions.GetPublicKey(ctx, s.owner, s.repo)
+		receiverPublicKey, resp, err := s.client.Actions.GetPublicKey(ctx, s.owner, s.repo)
 		if err != nil {
 			return errors.Wrapf(err, "could not fetch %s/%s public key", s.owner, s.repo)
 		}
+		if resp.StatusCode < 200 || 300 <= resp.StatusCode {
+			return errors.New(fmt.Sprintf("unable to get public key in Github for repo %s/%s: invalid http status: %s", s.owner, s.repo, resp.Status))
+		}
 
 		if receiverPublicKey.Key == nil || receiverPublicKey.KeyID == nil {
 			return errors.Wrap(err, "invalid GitHub response; receiver key id or public key nil")
@@ -70,7 +78,7 @@ func (s *GitHubActionsSecretSink) Write(ctx context.Context, name string, value
 			out,
 			[]byte(value),
 			&pubKeyBytes,
-			rand.Reader,
+			nil,
 		)
 		if err != nil {
 			return errors.Wrap(err, "error encrypted github secret")
@@ -82,18 +90,26 @@ func (s *GitHubActionsSecretSink) Write(ctx context.Context, name string, value
 			EncryptedValue: base64.StdEncoding.EncodeToString(out),
 		}
 
-		_, err = s.client.Actions.CreateOrUpdateSecret(
+		resp, err = s.client.Actions.CreateOrUpdateSecret(
 			ctx,
 			s.owner,
 			s.repo,
 			encryptedSecret,
 		)
-		return errors.Wrap(err, "could not write encrypted secret to GitHub")
+		if err != nil {
+			return errors.Wrap(err, "could not write encrypted secret to GitHub")
+		}
+		if resp.StatusCode < 200 || 300 <= resp.StatusCode {
+			return errors.New(fmt.Sprintf("unable to create or update env var %s in Github for repo %s/%s: invalid http status: %s", encryptedSecret.Name, s.owner, s.repo, resp.Status))
+		}
+
+		return nil
 	}
 
 	return retry(ctx, defaultRetryAttempts, defaultRetrySleep, f)
 }
 
+// Kind returns the kind of this sink
 func (s *GitHubActionsSecretSink) Kind() Kind {
 	return KindGithubActionsSecret
 }

pkg/sink/sink.go

@@ -88,6 +88,15 @@ func (sinks Sinks) MarshalYAML() (interface{}, error) {
 					"account":     sink.Account,
 					"repo":        sink.Repo,
 				})
+		case KindGithubActionsSecret:
+			sink := s.(*GitHubActionsSecretSink)
+			yamlSinks = append(yamlSinks,
+				map[string]interface{}{
+					"kind":        string(KindGithubActionsSecret),
+					"key_to_name": sink.KeyToName,
+					"repo":        sink.repo,
+					"owner":       sink.owner,
+				})
 		default:
 			return nil, ErrUnknownKind
 		}