Merge pull request #118 from KittyCAD/add-dependabot-key-rotation

Add option for updating dependabot secrets
KittyCAD · Oct 12, 2022 · cb4aad5 · cb4aad5
2 parents 856dfb3 + a1df759
commit cb4aad5
Show file tree

Hide file tree

Showing 18 changed files with 5,687 additions and 328 deletions.
diff --git a/dist/add-issues-to-project/index.js b/dist/add-issues-to-project/index.js
diff --git a/dist/add-issues-to-project/index.js.map b/dist/add-issues-to-project/index.js.map
diff --git a/dist/autogen-readme-list/index.js b/dist/autogen-readme-list/index.js
diff --git a/dist/autogen-readme-list/index.js.map b/dist/autogen-readme-list/index.js.map
diff --git a/dist/create-openapi-types/index.js b/dist/create-openapi-types/index.js
diff --git a/dist/create-openapi-types/index.js.map b/dist/create-openapi-types/index.js.map
diff --git a/dist/get-deployment-target-url/index.js b/dist/get-deployment-target-url/index.js
diff --git a/dist/get-deployment-target-url/index.js.map b/dist/get-deployment-target-url/index.js.map
diff --git a/dist/show-visual-diffs-in-comment/index.js b/dist/show-visual-diffs-in-comment/index.js
diff --git a/dist/show-visual-diffs-in-comment/index.js.map b/dist/show-visual-diffs-in-comment/index.js.map
diff --git a/dist/update-ts-machine-key/index.js b/dist/update-ts-machine-key/index.js
diff --git a/dist/update-ts-machine-key/index.js.map b/dist/update-ts-machine-key/index.js.map
diff --git a/dist/weekly-contributions/index.js b/dist/weekly-contributions/index.js
diff --git a/dist/weekly-contributions/index.js.map b/dist/weekly-contributions/index.js.map
diff --git a/package-lock.json b/package-lock.json
diff --git a/src/update-ts-machine-key.ts b/src/update-ts-machine-key.ts
@@ -9,11 +9,13 @@ const re = /tskey-(?:auth-)?(?<keyID>.+)-.*/
 async function run(): Promise<void> {
   const org = github.context.repo.owner
   const token = core.getInput('token')
-  const currentTSMachineKey = core.getInput('current-ts-machine-key')
   const tsAPIKey = core.getInput('ts-api-key')
+  const currentTSMachineKey = core.getInput('current-ts-machine-key')
   const tailnet = core.getInput('tailnet')
   const secretName = core.getInput('org-secret-name')
   const rotationLeadTimeInDays = core.getInput('rotation-lead-time')
+  const secretType = core.getInput('secret-type')
+
   const rotationLeadTimeInMillis = parseInt(rotationLeadTimeInDays) * 24 * 3600 * 1000
   const matches = currentTSMachineKey.match(re)
   if (matches === null) {
@@ -28,6 +30,8 @@ async function run(): Promise<void> {
 
   try {
     const octokit = github.getOctokit(token || '')
+    const secretsClient = (secretType == 'actions') ? octokit.rest.actions : octokit.rest.dependabot
+
     const headers = new Headers({
       'Authorization': 'Basic ' + Buffer.from(tsAPIKey + ":").toString('base64'),
     })
@@ -43,11 +47,11 @@ async function run(): Promise<void> {
     const dateDiff = keyExpiry - Date.now()
     // If we're not about to expire, log and continue
     if (dateDiff > rotationLeadTimeInMillis) {
-      core.info(`Key is not about to expire, expiry: ${data.expires}`)
+      core.info(`Key is not about to expire (${data.expires})`)
       return
     }
 
-    core.info(`Key is about to expire (${keyExpiry}), creating and uploading a new key.`)
+    core.info(`Key is about to expire (${data.expires}), creating and uploading a new key.`)
 
     // Reuse capabilities of the existing key
     const newKeyCapabilities = { capabilities: data.capabilities }
@@ -61,7 +65,7 @@ async function run(): Promise<void> {
     const machineKeyBytes = Buffer.from(data.key)
     core.info(`Generated a new key, ID: ${data.id}`)
 
-    const pubKeyResponse = await octokit.rest.actions.getOrgPublicKey({ org, })
+    const pubKeyResponse = await secretsClient.getOrgPublicKey({ org, })
     const pubKeyID = pubKeyResponse.data.key_id
     const pubKey = Buffer.from(pubKeyResponse.data.key, 'base64')
 
@@ -74,7 +78,7 @@ async function run(): Promise<void> {
     const encrypted = Buffer.from(encryptedBytes).toString('base64')
 
     core.info(`Updating ${org} secret ${secretName} to new key`)
-    octokit.rest.actions.createOrUpdateOrgSecret({
+    secretsClient.createOrUpdateOrgSecret({
       org: org,
       secret_name: secretName,
       key_id: pubKeyID,

diff --git a/update-ts-machine-key/action.yml b/update-ts-machine-key/action.yml
@@ -21,6 +21,10 @@ inputs:
     required: false
     default: 7
     description: 'Number of days in advance to rotate a given key'
+  secret-type:
+    required: false
+    default: "actions"
+    description: "Update the machine key for either 'actions' or 'dependabot'"
 runs:
   using: 'node16'
   main: '../dist/update-ts-machine-key/index.js'