feat: sync secrets workflow for sibling repositories#825
feat: sync secrets workflow for sibling repositories#825frostebite wants to merge 1 commit intomainfrom
Conversation
Adds a manually-triggered workflow that copies secrets from unity-builder (repo + org level) to target repos like orchestrator and cli. Uses GIT_PRIVATE_TOKEN for cross-repo API access. Secrets synced: UNITY_EMAIL, UNITY_PASSWORD, UNITY_SERIAL, GIT_PRIVATE_TOKEN, LOCALSTACK_AUTH_TOKEN, GOOGLE_SERVICE_ACCOUNT_EMAIL, GOOGLE_SERVICE_ACCOUNT_KEY, CODECOV_TOKEN. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
📝 WalkthroughWalkthroughA new GitHub Actions workflow has been added that enables manual synchronization of secrets to target repositories. The workflow accepts configuration inputs for the target repository and a dry-run mode, then processes a predefined list of environment variables, syncing each as a GitHub secret or logging skipped entries. Changes
Estimated code review effort🎯 2 (Simple) | ⏱️ ~12 minutes Suggested reviewers
Poem
🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
|
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| name: Sync secrets to ${{ inputs.target_repo }} | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Sync secrets | ||
| env: | ||
| GH_TOKEN: ${{ secrets.GIT_PRIVATE_TOKEN }} | ||
| TARGET_REPO: ${{ inputs.target_repo }} | ||
| DRY_RUN: ${{ inputs.dry_run }} | ||
| # Secrets to sync — values come from repo + org secrets available here | ||
| SECRET_UNITY_EMAIL: ${{ secrets.UNITY_EMAIL }} | ||
| SECRET_UNITY_PASSWORD: ${{ secrets.UNITY_PASSWORD }} | ||
| SECRET_UNITY_SERIAL: ${{ secrets.UNITY_SERIAL }} | ||
| SECRET_GIT_PRIVATE_TOKEN: ${{ secrets.GIT_PRIVATE_TOKEN }} | ||
| SECRET_LOCALSTACK_AUTH_TOKEN: ${{ secrets.LOCALSTACK_AUTH_TOKEN }} | ||
| SECRET_GOOGLE_SERVICE_ACCOUNT_EMAIL: ${{ secrets.GOOGLE_SERVICE_ACCOUNT_EMAIL }} | ||
| SECRET_GOOGLE_SERVICE_ACCOUNT_KEY: ${{ secrets.GOOGLE_SERVICE_ACCOUNT_KEY }} | ||
| SECRET_CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} | ||
| run: | | ||
| SECRETS=( | ||
| "UNITY_EMAIL:SECRET_UNITY_EMAIL" | ||
| "UNITY_PASSWORD:SECRET_UNITY_PASSWORD" | ||
| "UNITY_SERIAL:SECRET_UNITY_SERIAL" | ||
| "GIT_PRIVATE_TOKEN:SECRET_GIT_PRIVATE_TOKEN" | ||
| "LOCALSTACK_AUTH_TOKEN:SECRET_LOCALSTACK_AUTH_TOKEN" | ||
| "GOOGLE_SERVICE_ACCOUNT_EMAIL:SECRET_GOOGLE_SERVICE_ACCOUNT_EMAIL" | ||
| "GOOGLE_SERVICE_ACCOUNT_KEY:SECRET_GOOGLE_SERVICE_ACCOUNT_KEY" | ||
| "CODECOV_TOKEN:SECRET_CODECOV_TOKEN" | ||
| ) | ||
|
|
||
| synced=0 | ||
| skipped=0 | ||
|
|
||
| for entry in "${SECRETS[@]}"; do | ||
| name="${entry%%:*}" | ||
| env_var="${entry##*:}" | ||
| value="${!env_var}" | ||
|
|
||
| if [ -z "$value" ]; then | ||
| echo "⏭ SKIP: $name (not available in this repo's context)" | ||
| skipped=$((skipped + 1)) | ||
| continue | ||
| fi | ||
|
|
||
| if [ "$DRY_RUN" = "true" ]; then | ||
| echo "🔍 DRY RUN: would sync $name → $TARGET_REPO" | ||
| else | ||
| echo "$value" | gh secret set "$name" -R "$TARGET_REPO" --body - | ||
| echo "✅ SYNCED: $name → $TARGET_REPO" | ||
| fi | ||
| synced=$((synced + 1)) | ||
| done | ||
|
|
||
| echo "" | ||
| echo "=== Summary ===" | ||
| echo "Synced: $synced" | ||
| echo "Skipped (not available): $skipped" | ||
| echo "Target: $TARGET_REPO" | ||
| if [ "$DRY_RUN" = "true" ]; then | ||
| echo "Mode: DRY RUN (no secrets were written)" | ||
| fi |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 5 days ago
In general, the fix is to add an explicit permissions block that limits the GITHUB_TOKEN to the least privileges required. This should be added either at the top level of the workflow (to apply to all jobs) or at the job level (for sync-secrets). Since this workflow only has a single job and uses a separate secret (GIT_PRIVATE_TOKEN) for writing secrets, GITHUB_TOKEN does not appear to need any write permissions. The safest minimal configuration is permissions: contents: read at the job or workflow level.
The single best way to fix this without affecting existing behavior is to add a permissions block under the sync-secrets job, right after runs-on: ubuntu-latest. Given the script only calls gh secret set using GH_TOKEN from a custom secret and does not interact with repository contents, issues, or pull requests via GITHUB_TOKEN, we can set permissions: contents: read. This keeps GITHUB_TOKEN usable for basic checkout or read-only operations if added later, while preventing unintended write access.
Concretely, in .github/workflows/sync-secrets.yml, modify the sync-secrets job so that:
sync-secrets:
name: Sync secrets to ${{ inputs.target_repo }}
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Sync secrets
...No new imports or libraries are needed, as this is purely a YAML configuration change.
| @@ -21,6 +21,8 @@ | ||
| sync-secrets: | ||
| name: Sync secrets to ${{ inputs.target_repo }} | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| steps: | ||
| - name: Sync secrets | ||
| env: |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #825 +/- ##
=======================================
Coverage 31.23% 31.23%
=======================================
Files 84 84
Lines 4565 4565
Branches 1054 1054
=======================================
Hits 1426 1426
Misses 3139 3139 🚀 New features to boost your workflow:
|
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (1)
.github/workflows/sync-secrets.yml (1)
27-29: Add auth preflight for clearer non-dry-run failures.Right now, auth/scope problems only surface during
gh secret setexecution. A small preflight makes failures immediate and clearer for operators.Suggested patch
- name: Sync secrets + shell: bash env: GH_TOKEN: ${{ secrets.GIT_PRIVATE_TOKEN }} TARGET_REPO: ${{ inputs.target_repo }} DRY_RUN: ${{ inputs.dry_run }} @@ run: | + if [ "$DRY_RUN" != "true" ]; then + if [ -z "${GH_TOKEN:-}" ]; then + echo "::error::GIT_PRIVATE_TOKEN is required for non-dry-run sync." + exit 1 + fi + gh auth status >/dev/null 2>&1 || { + echo "::error::gh authentication failed (missing/invalid token or scopes)." + exit 1 + } + fi + SECRETS=(Also applies to: 39-69
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/sync-secrets.yml around lines 27 - 29, Add an auth preflight step that runs only when DRY_RUN is false to fail early on token/scope problems: use the existing GH_TOKEN and conditionally execute a lightweight check (for example running `gh auth status` or `gh api /user`) in a step named like "auth-preflight" or with id "auth_preflight" before any `gh secret set` calls so operators get immediate, clear failures instead of errors surfacing later during secret operations.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/sync-secrets.yml:
- Around line 20-24: Add an explicit permissions block at the workflow root to
restrict the default GITHUB_TOKEN (follow least privilege). Insert a top-level
permissions section (above jobs) such as "permissions: contents: read" or
"permissions: none" depending on whether the workflow needs repo contents; this
will limit GITHUB_TOKEN access for the "sync-secrets" job while you continue to
use the explicit GH_TOKEN for gh secret set.
- Around line 31-38: The sync secrets allowlist is missing UNITY_LICENSE which
is used by downstream workflows (e.g., build-tests-windows.yml); update the
secret mappings in .github/workflows/sync-secrets.yml by adding a mapping for
UNITY_LICENSE (e.g., SECRET_UNITY_LICENSE -> ${{ secrets.UNITY_LICENSE }})
alongside the existing SECRET_UNITY_* entries so the workflow can sync that
secret for downstream use.
---
Nitpick comments:
In @.github/workflows/sync-secrets.yml:
- Around line 27-29: Add an auth preflight step that runs only when DRY_RUN is
false to fail early on token/scope problems: use the existing GH_TOKEN and
conditionally execute a lightweight check (for example running `gh auth status`
or `gh api /user`) in a step named like "auth-preflight" or with id
"auth_preflight" before any `gh secret set` calls so operators get immediate,
clear failures instead of errors surfacing later during secret operations.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro
Run ID: c1a893b8-5835-481a-b1bd-bf59fd200cdd
📒 Files selected for processing (1)
.github/workflows/sync-secrets.yml
| jobs: | ||
| sync-secrets: | ||
| name: Sync secrets to ${{ inputs.target_repo }} | ||
| runs-on: ubuntu-latest | ||
| steps: |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
cat -n .github/workflows/sync-secrets.ymlRepository: game-ci/unity-builder
Length of output: 3535
🏁 Script executed:
find .github/workflows -name "*.yml" -o -name "*.yaml" | head -5 | xargs grep -l "permissions:" 2>/dev/nullRepository: game-ci/unity-builder
Length of output: 49
🏁 Script executed:
find .github/workflows -name "*.yml" -o -name "*.yaml" | xargs head -30 | grep -A 5 "^jobs:" | head -20Repository: game-ci/unity-builder
Length of output: 547
🏁 Script executed:
find .github/workflows -type f \( -name "*.yml" -o -name "*.yaml" \) | wc -lRepository: game-ci/unity-builder
Length of output: 67
🏁 Script executed:
find .github/workflows -type f \( -name "*.yml" -o -name "*.yaml" \) -exec grep -l "^permissions:" {} \;Repository: game-ci/unity-builder
Length of output: 195
🏁 Script executed:
grep -A 2 "^permissions:" .github/workflows/integrity-check.yml .github/workflows/orchestrator-async-checks.yml .github/workflows/orchestrator-integrity.ymlRepository: game-ci/unity-builder
Length of output: 585
🏁 Script executed:
# Verify the syntax of permissions: {} in GitHub Actions documentation context
# Check if there are any other cross-repo secret workflows to compare
grep -r "gh secret set" .github/workflows/Repository: game-ci/unity-builder
Length of output: 178
Add explicit workflow permissions (least privilege).
The workflow lacks an explicit permissions block, leaving default GITHUB_TOKEN permissions implicit. While this workflow uses an explicit GH_TOKEN for gh secret set, the default token should still be restricted to follow least-privilege principle and align with the repository's existing security pattern (other workflows declare explicit permissions).
Suggested patch
name: Sync Secrets to Repositories
on:
workflow_dispatch:
+ inputs: type: boolean
+
+permissions: {}
jobs:
sync-secrets:🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/sync-secrets.yml around lines 20 - 24, Add an explicit
permissions block at the workflow root to restrict the default GITHUB_TOKEN
(follow least privilege). Insert a top-level permissions section (above jobs)
such as "permissions: contents: read" or "permissions: none" depending on
whether the workflow needs repo contents; this will limit GITHUB_TOKEN access
for the "sync-secrets" job while you continue to use the explicit GH_TOKEN for
gh secret set.
| SECRET_UNITY_EMAIL: ${{ secrets.UNITY_EMAIL }} | ||
| SECRET_UNITY_PASSWORD: ${{ secrets.UNITY_PASSWORD }} | ||
| SECRET_UNITY_SERIAL: ${{ secrets.UNITY_SERIAL }} | ||
| SECRET_GIT_PRIVATE_TOKEN: ${{ secrets.GIT_PRIVATE_TOKEN }} | ||
| SECRET_LOCALSTACK_AUTH_TOKEN: ${{ secrets.LOCALSTACK_AUTH_TOKEN }} | ||
| SECRET_GOOGLE_SERVICE_ACCOUNT_EMAIL: ${{ secrets.GOOGLE_SERVICE_ACCOUNT_EMAIL }} | ||
| SECRET_GOOGLE_SERVICE_ACCOUNT_KEY: ${{ secrets.GOOGLE_SERVICE_ACCOUNT_KEY }} | ||
| SECRET_CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} |
There was a problem hiding this comment.
🧩 Analysis chain
🏁 Script executed:
cd /tmp && git ls-files | grep -E "\.github/workflows/" | head -20Repository: game-ci/unity-builder
Length of output: 133
🏁 Script executed:
cat -n .github/workflows/sync-secrets.yml | head -60Repository: game-ci/unity-builder
Length of output: 2698
🏁 Script executed:
cat -n .github/workflows/build-tests-windows.yml | grep -i "unity_license" -A 2 -B 2Repository: game-ci/unity-builder
Length of output: 826
🏁 Script executed:
cat .github/workflows/orchestrator-integrity.yml | grep -E "AWS_ACCESS_KEY_ID|AWS_SECRET_ACCESS_KEY" -A 2 -B 2Repository: game-ci/unity-builder
Length of output: 4497
🏁 Script executed:
cat .github/workflows/orchestrator-integrity.yml | grep -E "secrets\." -i | head -20Repository: game-ci/unity-builder
Length of output: 1172
🏁 Script executed:
rg "secrets\.AWS_" .github/workflows/ -A 1 -B 1Repository: game-ci/unity-builder
Length of output: 436
🏁 Script executed:
cat .github/workflows/orchestrator-async-checks.yml | grep -A 10 -B 10 "AWS_ACCESS_KEY_ID.*secrets"Repository: game-ci/unity-builder
Length of output: 830
🏁 Script executed:
cat -n .github/workflows/sync-secrets.yml | tail -30Repository: game-ci/unity-builder
Length of output: 1239
Add UNITY_LICENSE to the secrets allowlist for sync.
The mapping omits UNITY_LICENSE, which is actively referenced in .github/workflows/build-tests-windows.yml (lines 109, 136, 161). This secret is necessary for downstream workflows and should be included in the sync.
Note: AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY are not referenced as actual secrets in the workflows—they are hardcoded test values (in orchestrator-integrity.yml) or commented out (in orchestrator-async-checks.yml), so they should not be added to the sync allowlist.
Suggested patch
SECRET_UNITY_SERIAL: ${{ secrets.UNITY_SERIAL }}
+ SECRET_UNITY_LICENSE: ${{ secrets.UNITY_LICENSE }}
SECRET_GIT_PRIVATE_TOKEN: ${{ secrets.GIT_PRIVATE_TOKEN }} "UNITY_SERIAL:SECRET_UNITY_SERIAL"
+ "UNITY_LICENSE:SECRET_UNITY_LICENSE"
"GIT_PRIVATE_TOKEN:SECRET_GIT_PRIVATE_TOKEN"🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/sync-secrets.yml around lines 31 - 38, The sync secrets
allowlist is missing UNITY_LICENSE which is used by downstream workflows (e.g.,
build-tests-windows.yml); update the secret mappings in
.github/workflows/sync-secrets.yml by adding a mapping for UNITY_LICENSE (e.g.,
SECRET_UNITY_LICENSE -> ${{ secrets.UNITY_LICENSE }}) alongside the existing
SECRET_UNITY_* entries so the workflow can sync that secret for downstream use.
2 participants
Summary
sync-secrets.yml) that copies secrets from unity-builder to sibling repos (orchestrator, cli)GIT_PRIVATE_TOKENfor cross-repo GitHub API access viagh secret setSecrets synced
UNITY_EMAILUNITY_PASSWORDUNITY_SERIALGIT_PRIVATE_TOKENLOCALSTACK_AUTH_TOKENGOOGLE_SERVICE_ACCOUNT_EMAILGOOGLE_SERVICE_ACCOUNT_KEYCODECOV_TOKENUsage
Context
The orchestrator repo has zero secrets configured, causing all LocalStack-based integration tests to fail. This workflow provides a convenient way to keep secrets in sync across game-ci repos without manual copying.
🤖 Generated with Claude Code
Summary by CodeRabbit