I got a problem I hope some kind soul in this channel will shed some light on. I am trying to create Github environment secrets and failing miserably at it. As always the documentation is almost non-existent and the Pulumi Artificial Idiot is useless. Going by these Github issues: https://github.com/pulumi/pulumi/discussions/9377 https://github.com/pulumi/pulumi-github/issues/248#issue-1393340785 I have to encrypt the plaintext values of the secrets using the Github repo public key before uploading them to the environment. The problem I am encountering is that no matter what I do I am getting the following error:

error: 1 error occurred:
        * PUT <https://api.github.com/repositories/REPO_ID/environments/ENVIRONMENT_NAME/secrets/CLIENT_ID>: 422 Bad request - validation failed due to an improperly encrypted secret []

I have tried the procedure outlined here: https://docs.github.com/en/rest/guides/encrypting-secrets-for-the-rest-api?apiVersion=2022-11-28#example-encrypting-a-secret-using-python as well as the one in those two Github issues but I had no luck. When I try to get the repository key I am getting two different values, depending on what I use. If I try to get the public key through Pulumi, using the get_actions_public_key function I get one value. If I try to get using the Github CLI and the API I get another value. Halp pls.

Can you show the relevant part of your code? Can you create a secret by providing the plaintext value, or does that fail as well?

here's the code:

#Github repository public key
public_key=github.get_actions_public_key(
    repository="DevOps",
)

#repository
existing_repo=github.get_repository(
    full_name="organization/DevOps",
)
#repository environment
test_env=github.RepositoryEnvironment(
    "test-env",
    repository=existing_repo.name,
    environment="test",
    can_admins_bypass=True
)

# function to encrypt the secret's value
# this is based off pynacl
def encrypt_github_action_secret(public_encryption_key: str, secret_value: str) -> str:
    public_key = public.PublicKey(public_encryption_key.encode("utf-8"), encoding.Base64Encoder())
    sealed_box = public.SealedBox(public_key)
    encrypted = sealed_box.encrypt(secret_value.encode("utf-8"))
    return b64encode(encrypted).decode("utf-8")


encrypted_secret = encrypt_github_action_secret(public_encryption_key=public_key.key, secret_value="whatever")

# creating the actual environment secret
github.ActionsEnvironmentSecret(
    "test-client-id",
    environment=test_env.environment,
    repository="DevOps",
    secret_name="CLIENT_ID",
    encrypted_value=encrypted_secret,
)

Have you tried to confirm that your encryption function generates the correct output?

No I have not

yeah i'm inclined to believe this is an encoding issue, lookin now

I think if you take the example at https://pynacl.readthedocs.io/en/latest/public/#nacl-public-box and plug in your encryption function in-between this should help figure out where things go wrong

there's also the fact that I am getting different public keys depending on what I use using curl: curl -H "Accept: application/vnd.github+json" -H "Authorization: Bearer <token>" https://api.github.com/repositories/834197836/environments/sikrit/secrets/public-key { "key_id": "3380204578043523366", "key": "blahblah" } using the get_actions_public_key I get a completely different value

Per the docs, you should use the organization's public key, no? https://www.pulumi.com/registry/packages/github/api-docs/getactionsorganizationpublickey/

I was actually using this https://www.pulumi.com/registry/packages/github/api-docs/getactionspublickey/

Yes, I might also be wrong here.

I can try the org pulbic key

You're updating an environment secret, right?

I am creating it from scratch

So you'll need the environment public key, per https://docs.github.com/en/rest/actions/secrets?apiVersion=2022-11-28#get-an-environment-public-key

and that's what I was using

Yes, this is also reported upstream as https://github.com/integrations/terraform-provider-github/issues/2315

I'll get a better lock at that sealed box

It looks like it's not possible to retrieve the environment public key via Pulumi or Terraform

yeah, hm

even if I plug the key I got using the curl it's still not working

The relevant API endpoint is not exposed it seems

wonder what

gh

does

that's github CLI

i meant https://github.com/cli/cli/blob/trunk/pkg/cmd/secret/set/set.go

I was able to PUT the environment secret slobodan@slobodan:~$ gh api \ --method PUT \ -H "Accept: application/vnd.github+json" \ -H "X-GitHub-Api-Version: 2022-11-28" \ /repos/OWNER/REPO/environments/ENVIRONMENT/secrets/SECRETNAME \ -f "encrypted_value=<the usual alphanumeric mess>" -f "key_id=1234567890" {}

so it worked fine if you manually got the environment's public key, encrypted the secret with that, and manually PUT the encrypted secret?