refactor: migrate ghsecret to 'gh aw secret set' subcommand

mnkiefer · mnkiefer · commit 64f0bf0dafa9 · 2025-12-12T12:41:25.000+01:00
diff --git a/cmd/gh-aw/main.go b/cmd/gh-aw/main.go
@@ -495,6 +495,7 @@ Use "` + constants.CLIExtensionPrefix + ` help all" to show help for all command
 	prCmd := cli.NewPRCommand()
 	campaignCmd := campaign.NewCommand()
 	tokensCmd := cli.NewTokensCommand()
+	secretCmd := cli.NewSecretCommand()
 
 	// Assign commands to groups
 	// Setup Commands
@@ -504,6 +505,7 @@ Use "` + constants.CLIExtensionPrefix + ` help all" to show help for all command
 	removeCmd.GroupID = "setup"
 	updateCmd.GroupID = "setup"
 	tokensCmd.GroupID = "setup"
+	secretCmd.GroupID = "setup"
 
 	// Development Commands
 	compileCmd.GroupID = "development"
@@ -549,6 +551,7 @@ Use "` + constants.CLIExtensionPrefix + ` help all" to show help for all command
 	rootCmd.AddCommand(versionCmd)
 	rootCmd.AddCommand(campaignCmd)
 	rootCmd.AddCommand(tokensCmd)
+	rootCmd.AddCommand(secretCmd)
 }
 
 func main() {
diff --git a/pkg/cli/secret_set_command.go b/pkg/cli/secret_set_command.go
@@ -1,19 +1,19 @@
-package main
+package cli
 
 import (
 	"bufio"
 	"crypto/rand"
 	"encoding/base64"
 	"encoding/json"
 	"errors"
-	"flag"
 	"fmt"
 	"io"
-	"log"
 	"os"
 	"strings"
 
 	"github.com/cli/go-gh/v2/pkg/api"
+	"github.com/githubnext/gh-aw/pkg/console"
+	"github.com/spf13/cobra"
 	"golang.org/x/crypto/nacl/box"
 )
 
@@ -27,46 +27,95 @@ type secretPayload struct {
 	KeyID          string `json:"key_id"`
 }
 
-func main() {
+// NewSecretCommand creates the secret command group
+func NewSecretCommand() *cobra.Command {
+	secretCmd := &cobra.Command{
+		Use:   "secret",
+		Short: "Manage repository secrets",
+		Long:  `Manage GitHub Actions secrets for repositories`,
+	}
+
+	// Add subcommands
+	secretCmd.AddCommand(newSecretSetCommand())
+
+	return secretCmd
+}
+
+func newSecretSetCommand() *cobra.Command {
 	var (
-		flagOwner      = flag.String("owner", "", "GitHub repository owner or organization")
-		flagRepo       = flag.String("repo", "", "GitHub repository name")
-		flagSecretName = flag.String("secret", "", "Secret name to create or update")
-		flagValue      = flag.String("value", "", "Secret value (if empty, read from stdin)")
-		flagValueEnv   = flag.String("value-from-env", "", "Environment variable to read secret value from")
-		flagAPIBase    = flag.String("api-url", "", "GitHub API base URL (default: https://api.github.com or $GITHUB_API_URL)")
+		flagOwner    string
+		flagRepo     string
+		flagValue    string
+		flagValueEnv string
+		flagAPIBase  string
 	)
 
-	flag.Parse()
+	cmd := &cobra.Command{
+		Use:   "set <secret-name>",
+		Short: "Create or update a repository secret",
+		Long: `Create or update a GitHub Actions secret for a repository.
+
+The secret value can be provided in three ways:
+  1. Via the --value flag
+  2. Via the --value-from-env flag (reads from environment variable)
+  3. From stdin (if neither flag is provided)
+
+Examples:
+  # From stdin
+  gh aw secret set MY_SECRET --owner myorg --repo myrepo
+
+  # From flag
+  gh aw secret set MY_SECRET --value "secret123" --owner myorg --repo myrepo
+
+  # From environment variable
+  export MY_TOKEN="secret123"
+  gh aw secret set MY_SECRET --value-from-env MY_TOKEN --owner myorg --repo myrepo`,
+		Args: cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			secretName := args[0]
+
+			// Validate required flags
+			if flagOwner == "" || flagRepo == "" {
+				return fmt.Errorf("--owner and --repo flags are required")
+			}
 
-	if *flagOwner == "" || *flagRepo == "" || *flagSecretName == "" {
-		flag.Usage()
-		os.Exit(1)
-	}
+			// Create GitHub REST client using go-gh
+			opts := api.ClientOptions{}
+			if flagAPIBase != "" {
+				opts.Host = strings.TrimPrefix(strings.TrimPrefix(flagAPIBase, "https://"), "http://")
+			}
+			client, err := api.NewRESTClient(opts)
+			if err != nil {
+				return fmt.Errorf("cannot create GitHub client: %w", err)
+			}
 
-	// Create GitHub REST client using go-gh
-	opts := api.ClientOptions{}
-	if *flagAPIBase != "" {
-		opts.Host = strings.TrimPrefix(strings.TrimPrefix(*flagAPIBase, "https://"), "http://")
-	}
-	client, err := api.NewRESTClient(opts)
-	if err != nil {
-		log.Fatalf("cannot create GitHub client: %v", err)
-	}
+			secretValue, err := resolveSecretValueForSet(flagValueEnv, flagValue)
+			if err != nil {
+				return fmt.Errorf("cannot resolve secret value: %w", err)
+			}
 
-	secretValue, err := resolveSecretValue(*flagValueEnv, *flagValue)
-	if err != nil {
-		log.Fatalf("cannot resolve secret value: %v", err)
-	}
+			if err := setRepoSecret(client, flagOwner, flagRepo, secretName, secretValue); err != nil {
+				return fmt.Errorf("failed to set secret: %w", err)
+			}
 
-	if err := setRepoSecret(client, *flagOwner, *flagRepo, *flagSecretName, secretValue); err != nil {
-		log.Fatalf("failed to set secret: %v", err)
+			fmt.Fprintln(os.Stderr, console.FormatSuccessMessage(fmt.Sprintf("Secret %s updated for %s/%s", secretName, flagOwner, flagRepo)))
+			return nil
+		},
 	}
 
-	fmt.Printf("Secret %s updated for %s/%s\n", *flagSecretName, *flagOwner, *flagRepo)
+	cmd.Flags().StringVar(&flagOwner, "owner", "", "GitHub repository owner or organization (required)")
+	cmd.Flags().StringVar(&flagRepo, "repo", "", "GitHub repository name (required)")
+	cmd.Flags().StringVar(&flagValue, "value", "", "Secret value (if empty, read from stdin)")
+	cmd.Flags().StringVar(&flagValueEnv, "value-from-env", "", "Environment variable to read secret value from")
+	cmd.Flags().StringVar(&flagAPIBase, "api-url", "", "GitHub API base URL (default: https://api.github.com or $GITHUB_API_URL)")
+
+	cmd.MarkFlagRequired("owner")
+	cmd.MarkFlagRequired("repo")
+
+	return cmd
 }
 
-func resolveSecretValue(fromEnv, fromFlag string) (string, error) {
+func resolveSecretValueForSet(fromEnv, fromFlag string) (string, error) {
 	if fromEnv != "" {
 		v := os.Getenv(fromEnv)
 		if v == "" {
diff --git a/pkg/cli/secret_set_command_test.go b/pkg/cli/secret_set_command_test.go
@@ -0,0 +1,114 @@
+package cli
+
+import (
+	"strings"
+	"testing"
+)
+
+func TestResolveSecretValueForSet(t *testing.T) {
+	tests := []struct {
+		name       string
+		fromEnv    string
+		fromFlag   string
+		envValue   string
+		wantErr    bool
+		wantValue  string
+		errContains string
+	}{
+		{
+			name:      "from flag",
+			fromFlag:  "secret123",
+			wantValue: "secret123",
+		},
+		{
+			name:      "from env var - set",
+			fromEnv:   "TEST_SECRET",
+			envValue:  "envvalue123",
+			wantValue: "envvalue123",
+		},
+		{
+			name:        "from env var - empty",
+			fromEnv:     "TEST_SECRET_MISSING",
+			wantErr:     true,
+			errContains: "not set or empty",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Set up environment
+			if tt.envValue != "" {
+				t.Setenv(tt.fromEnv, tt.envValue)
+			}
+
+			got, err := resolveSecretValueForSet(tt.fromEnv, tt.fromFlag)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("resolveSecretValueForSet() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if tt.wantErr && tt.errContains != "" {
+				if err == nil || !strings.Contains(err.Error(), tt.errContains) {
+					t.Errorf("expected error containing %q, got %v", tt.errContains, err)
+				}
+			}
+			if !tt.wantErr && got != tt.wantValue {
+				t.Errorf("resolveSecretValueForSet() = %v, want %v", got, tt.wantValue)
+			}
+		})
+	}
+}
+
+func TestEncryptWithPublicKey(t *testing.T) {
+	// Valid 32-byte public key in base64
+	validKey := "YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXpBQkNERUY="
+	plaintext := "my-secret-value"
+
+	encrypted, err := encryptWithPublicKey(validKey, plaintext)
+	if err != nil {
+		t.Fatalf("encryptWithPublicKey() error = %v", err)
+	}
+
+	if encrypted == "" {
+		t.Error("encryptWithPublicKey() returned empty string")
+	}
+
+	// The encrypted value should be different from the plaintext
+	if encrypted == plaintext {
+		t.Error("encrypted value should differ from plaintext")
+	}
+}
+
+func TestEncryptWithPublicKeyInvalidKey(t *testing.T) {
+	tests := []struct {
+		name        string
+		key         string
+		plaintext   string
+		errContains string
+	}{
+		{
+			name:        "invalid base64",
+			key:         "not-valid-base64!@#$",
+			plaintext:   "secret",
+			errContains: "decode public key",
+		},
+		{
+			name:        "wrong key length",
+			key:         "YWJjZA==", // "abcd" in base64 = 4 bytes, not 32
+			plaintext:   "secret",
+			errContains: "unexpected public key length",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			_, err := encryptWithPublicKey(tt.key, tt.plaintext)
+			if err == nil {
+				t.Fatal("encryptWithPublicKey() expected error, got nil")
+			}
+			if !strings.Contains(err.Error(), tt.errContains) {
+				t.Errorf("expected error containing %q, got %v", tt.errContains, err)
+			}
+		})
+	}
+}
+
diff --git a/pkg/cli/templates/github-agentic-workflows.md b/pkg/cli/templates/github-agentic-workflows.md
@@ -79,6 +79,7 @@ The YAML frontmatter supports these fields:
   - Object: Complex trigger configuration
   - Special: `command:` for /mention triggers
   - **`forks:`** - Fork allowlist for `pull_request` triggers (array or string). By default, workflows block all forks and only allow same-repo PRs. Use `["*"]` to allow all forks, or specify patterns like `["org/*", "user/repo"]`
+  - **`lock-for-agent:`** - Lock issue when agent works on it (boolean, issues trigger only). Prevents concurrent modifications during workflow execution
   - **`stop-after:`** - Can be included in the `on:` object to set a deadline for workflow execution. Supports absolute timestamps ("YYYY-MM-DD HH:MM:SS") or relative time deltas (+25h, +3d, +1d12h). The minimum unit for relative deltas is hours (h). Uses precise date calculations that account for varying month lengths.
   - **`reaction:`** - Add emoji reactions to triggering items
   - **`manual-approval:`** - Require manual approval using environment protection rules
