use go-gh package

Author: mnkiefer

go.mod

@@ -34,6 +34,7 @@ require (
 	github.com/charmbracelet/x/exp/strings v0.0.0-20251106172358-54469c29c2bc // indirect
 	github.com/charmbracelet/x/term v0.2.2 // indirect
 	github.com/cli/safeexec v1.0.1 // indirect
+	github.com/cli/shurcooL-graphql v0.0.4 // indirect
 	github.com/clipperhouse/displaywidth v0.5.0 // indirect
 	github.com/clipperhouse/stringish v0.1.1 // indirect
 	github.com/clipperhouse/uax29/v2 v2.3.0 // indirect

go.sum

@@ -73,6 +73,8 @@ github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/jsonschema-go v0.3.0 h1:6AH2TxVNtk3IlvkkhjrtbUc4S8AvO0Xii0DxIygDg+Q=
 github.com/google/jsonschema-go v0.3.0/go.mod h1:r5quNTdLOYEz95Ru18zA0ydNbBuYoo9tgaYcxEYhJVE=
+github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542 h1:2VTzZjLZBgl62/EtslCrtky5vbi9dd7HrQPQIx6wqiw=
+github.com/h2non/parth v0.0.0-20190131123155-b4df798d6542/go.mod h1:Ow0tF8D4Kplbc8s8sSb3V2oUCygFHVp8gC3Dn6U4MNI=
 github.com/henvic/httpretty v0.1.4 h1:Jo7uwIRWVFxkqOnErcoYfH90o3ddQyVrSANeS4cxYmU=
 github.com/henvic/httpretty v0.1.4/go.mod h1:Dn60sQTZfbt2dYsdUSNsCljyF4AfdqnuJFDLJA1I4AM=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
@@ -159,5 +161,7 @@ golang.org/x/tools v0.39.0/go.mod h1:JnefbkDPyD8UU2kI5fuf8ZX4/yUeh9W877ZeBONxUqQ
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/h2non/gock.v1 v1.1.2 h1:jBbHXgGBK/AoPVfJh5x4r/WxIrElvbLel8TCZkkZJoY=
+gopkg.in/h2non/gock.v1 v1.1.2/go.mod h1:n7UGz/ckNChHiK05rDoiC4MYSunEC/lyaUm2WWaDva0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

internal/tools/ghsecret/main.go

@@ -10,11 +10,10 @@ import (
 	"fmt"
 	"io"
 	"log"
-	"net/http"
-	"net/url"
 	"os"
 	"strings"
 
+	"github.com/cli/go-gh/v2/pkg/api"
 	"golang.org/x/crypto/nacl/box"
 )
 
@@ -45,48 +44,28 @@ func main() {
 		os.Exit(1)
 	}
 
-	apiBase := resolveAPIBase(*flagAPIBase)
-	token, err := resolveToken()
+	// Create GitHub REST client using go-gh
+	opts := api.ClientOptions{}
+	if *flagAPIBase != "" {
+		opts.Host = strings.TrimPrefix(strings.TrimPrefix(*flagAPIBase, "https://"), "http://")
+	}
+	client, err := api.NewRESTClient(opts)
 	if err != nil {
-		log.Fatalf("cannot resolve GitHub token: %v", err)
+		log.Fatalf("cannot create GitHub client: %v", err)
 	}
 
 	secretValue, err := resolveSecretValue(*flagValueEnv, *flagValue)
 	if err != nil {
 		log.Fatalf("cannot resolve secret value: %v", err)
 	}
 
-	if err := setRepoSecret(apiBase, token, *flagOwner, *flagRepo, *flagSecretName, secretValue); err != nil {
+	if err := setRepoSecret(client, *flagOwner, *flagRepo, *flagSecretName, secretValue); err != nil {
 		log.Fatalf("failed to set secret: %v", err)
 	}
 
 	fmt.Printf("Secret %s updated for %s/%s\n", *flagSecretName, *flagOwner, *flagRepo)
 }
 
-func resolveAPIBase(flagValue string) string {
-	candidates := []string{
-		strings.TrimSpace(flagValue),
-		strings.TrimSpace(os.Getenv("GITHUB_API_URL")),
-	}
-
-	for _, c := range candidates {
-		if c != "" {
-			return strings.TrimRight(c, "/")
-		}
-	}
-
-	return "https://api.github.com"
-}
-
-func resolveToken() (string, error) {
-	for _, name := range []string{"GITHUB_TOKEN", "GH_TOKEN"} {
-		if v := strings.TrimSpace(os.Getenv(name)); v != "" {
-			return v, nil
-		}
-	}
-	return "", errors.New("no GitHub token found; set the GITHUB_TOKEN or GH_TOKEN environment variable with a personal access token (see https://github.com/settings/tokens)")
-}
-
 func resolveSecretValue(fromEnv, fromFlag string) (string, error) {
 	if fromEnv != "" {
 		v := os.Getenv(fromEnv)
@@ -130,8 +109,8 @@ func resolveSecretValue(fromEnv, fromFlag string) (string, error) {
 	return value, nil
 }
 
-func setRepoSecret(apiBase, token, owner, repo, name, value string) error {
-	pubKey, err := getRepoPublicKey(apiBase, token, owner, repo)
+func setRepoSecret(client *api.RESTClient, owner, repo, name, value string) error {
+	pubKey, err := getRepoPublicKey(client, owner, repo)
 	if err != nil {
 		return fmt.Errorf("get repo public key: %w", err)
 	}
@@ -141,32 +120,14 @@ func setRepoSecret(apiBase, token, owner, repo, name, value string) error {
 		return fmt.Errorf("encrypt secret: %w", err)
 	}
 
-	return putRepoSecret(apiBase, token, owner, repo, name, pubKey.ID, encrypted)
+	return putRepoSecret(client, owner, repo, name, pubKey.ID, encrypted)
 }
 
-func getRepoPublicKey(apiBase, token, owner, repo string) (*repoPublicKey, error) {
-	endpoint := fmt.Sprintf("%s/repos/%s/%s/actions/secrets/public-key", apiBase, owner, repo)
-
-	req, err := http.NewRequest(http.MethodGet, endpoint, nil)
-	if err != nil {
-		return nil, err
-	}
-	addGitHubHeaders(req, token)
-
-	resp, err := http.DefaultClient.Do(req)
-	if err != nil {
-		return nil, err
-	}
-	defer resp.Body.Close()
-
-	if resp.StatusCode != http.StatusOK {
-		body, _ := io.ReadAll(resp.Body)
-		return nil, fmt.Errorf("GitHub API %s: %s", resp.Status, string(body))
-	}
-
+func getRepoPublicKey(client *api.RESTClient, owner, repo string) (*repoPublicKey, error) {
 	var key repoPublicKey
-	if err := json.NewDecoder(resp.Body).Decode(&key); err != nil {
-		return nil, err
+	path := fmt.Sprintf("repos/%s/%s/actions/secrets/public-key", owner, repo)
+	if err := client.Get(path, &key); err != nil {
+		return nil, fmt.Errorf("get public key: %w", err)
 	}
 	if key.ID == "" || key.Key == "" {
 		return nil, errors.New("public key response missing key_id or key")
@@ -194,43 +155,17 @@ func encryptWithPublicKey(publicKeyB64, plaintext string) (string, error) {
 	return base64.StdEncoding.EncodeToString(ciphertext), nil
 }
 
-func putRepoSecret(apiBase, token, owner, repo, name, keyID, encryptedValue string) error {
-	endpoint := fmt.Sprintf("%s/repos/%s/%s/actions/secrets/%s",
-		apiBase, owner, repo, url.PathEscape(name))
-
-	body, err := json.Marshal(secretPayload{
+func putRepoSecret(client *api.RESTClient, owner, repo, name, keyID, encryptedValue string) error {
+	path := fmt.Sprintf("repos/%s/%s/actions/secrets/%s", owner, repo, name)
+	payload := secretPayload{
 		EncryptedValue: encryptedValue,
 		KeyID:          keyID,
-	})
-	if err != nil {
-		return err
-	}
-
-	req, err := http.NewRequest(http.MethodPut, endpoint, strings.NewReader(string(body)))
-	if err != nil {
-		return err
 	}
-	addGitHubHeaders(req, token)
-	req.Header.Set("Content-Type", "application/json")
 
-	resp, err := http.DefaultClient.Do(req)
+	body, err := json.Marshal(payload)
 	if err != nil {
 		return err
 	}
-	defer resp.Body.Close()
-
-	if resp.StatusCode != http.StatusNoContent && resp.StatusCode != http.StatusCreated {
-		b, _ := io.ReadAll(resp.Body)
-		return fmt.Errorf("GitHub API %s: %s", resp.Status, string(b))
-	}
-
-	return nil
-}
 
-func addGitHubHeaders(req *http.Request, token string) {
-	req.Header.Set("Accept", "application/vnd.github+json")
-	req.Header.Set("Authorization", "Bearer "+token)
-	if req.Header.Get("X-GitHub-Api-Version") == "" {
-		req.Header.Set("X-GitHub-Api-Version", "2022-11-28")
-	}
+	return client.Put(path, strings.NewReader(string(body)), nil)
 }