func()

in pkg/tasks/to/gha.go [45:128]

• 55 lines of code
• 14 McCabe index (conditional complexity)

func (t *GithubActionTask) Run(ctx context.Context) error {
	// Create the reader
	reader, err := t.ContainerReader(ctx)
	if err != nil {
		return fmt.Errorf("unable to open input bundle reader: %w", err)
	}

	// Extract bundle from container
	b, err := bundle.FromContainerReader(reader)
	if err != nil {
		return fmt.Errorf("unable to load bundle: %w", err)
	}

	// Prepae github API client
	client, err := t.prepareClient(ctx)
	if err != nil {
		return fmt.Errorf("unable to prepare github api client: %w", err)
	}

	// Retrieve repository public key
	keyID, boxKey, err := t.getRepositoryKey(ctx, client)
	if err != nil {
		return fmt.Errorf("unable to retieve repository public key: %w", err)
	}

	// Requests to send to github
	githubSecrets := []*github.EncryptedSecret{}

	// Iterate over packages
	for _, p := range b.Packages {
		// Ignore nil secret chain
		if p.Secrets == nil {
			continue
		}

		// Get secrets
		secretMap, err := bundle.AsSecretMap(p)
		if err != nil {
			return fmt.Errorf("unable to retrieve secrets from '%s' package: %w", p.Name, err)
		}

		// Filter secrets map using given filter glob.
		filteredSecrets := secretMap.Glob(t.SecretFilter)

		// Iterate over secrets
		for secretKey, value := range filteredSecrets {
			var secretBytes []byte

			// Pack the secret value
			switch v := value.(type) {
			case string:
				secretBytes = []byte(v)
			case []byte:
				secretBytes = v
			default:
				return fmt.Errorf("can't process secret type %T", value)
			}

			// The secret is encrypted with box.SealAnonymous using the repo's decoded public key.
			encryptedBytes, err := box.SealAnonymous([]byte{}, secretBytes, boxKey, rand.Reader)
			if err != nil {
				return fmt.Errorf("unable to encrypt the secret payload: %w", err)
			}

			// Prepare the request
			githubSecrets = append(githubSecrets, &github.EncryptedSecret{
				Name:           secretKey,
				KeyID:          keyID,
				EncryptedValue: base64.StdEncoding.EncodeToString(encryptedBytes),
			})
		}
	}

	// Publish all secrets
	for _, gs := range githubSecrets {
		// Create or update the secret value.
		if _, err := client.Actions.CreateOrUpdateRepoSecret(ctx, t.Owner, t.Repository, gs); err != nil {
			return fmt.Errorf("unable to publish secret to github: %w", err)
		}
	}

	// No error
	return nil
}