feat: add workflow to sync secrets to sibling repositories

Adds a manually-triggered workflow that copies secrets from unity-builder (repo + org level) to target repos like orchestrator and cli. Uses GIT_PRIVATE_TOKEN for cross-repo API access. Secrets synced: UNITY_EMAIL, UNITY_PASSWORD, UNITY_SERIAL, GIT_PRIVATE_TOKEN, LOCALSTACK_AUTH_TOKEN, GOOGLE_SERVICE_ACCOUNT_EMAIL, GOOGLE_SERVICE_ACCOUNT_KEY, CODECOV_TOKEN. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-31 13:56:13 -07:00 · 2026-03-29 02:45:44 +01:00
parent 4a7fc08e63
commit f0b74c7214
1 changed files with 81 additions and 0 deletions
--- a/.github/workflows/sync-secrets.yml
+++ b/.github/workflows/sync-secrets.yml
@@ -0,0 +1,81 @@
 name: Sync Secrets to Repositories
 on:
  workflow_dispatch:
    inputs:
      target_repo:
        description: 'Target repository (org/repo format)'
        required: true
        default: 'game-ci/orchestrator'
        type: choice
        options:
          - game-ci/orchestrator
          - game-ci/cli
      dry_run:
        description: 'Dry run (list secrets to sync without writing)'
        required: false
        default: false
        type: boolean
 jobs:
  sync-secrets:
    name: Sync secrets to ${{ inputs.target_repo }}
    runs-on: ubuntu-latest
    steps:
      - name: Sync secrets
        env:
          GH_TOKEN: ${{ secrets.GIT_PRIVATE_TOKEN }}
          TARGET_REPO: ${{ inputs.target_repo }}
          DRY_RUN: ${{ inputs.dry_run }}
          # Secrets to sync — values come from repo + org secrets available here
          SECRET_UNITY_EMAIL: ${{ secrets.UNITY_EMAIL }}
          SECRET_UNITY_PASSWORD: ${{ secrets.UNITY_PASSWORD }}
          SECRET_UNITY_SERIAL: ${{ secrets.UNITY_SERIAL }}
          SECRET_GIT_PRIVATE_TOKEN: ${{ secrets.GIT_PRIVATE_TOKEN }}
          SECRET_LOCALSTACK_AUTH_TOKEN: ${{ secrets.LOCALSTACK_AUTH_TOKEN }}
          SECRET_GOOGLE_SERVICE_ACCOUNT_EMAIL: ${{ secrets.GOOGLE_SERVICE_ACCOUNT_EMAIL }}
          SECRET_GOOGLE_SERVICE_ACCOUNT_KEY: ${{ secrets.GOOGLE_SERVICE_ACCOUNT_KEY }}
          SECRET_CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
        run: |
          SECRETS=(
            "UNITY_EMAIL:SECRET_UNITY_EMAIL"
            "UNITY_PASSWORD:SECRET_UNITY_PASSWORD"
            "UNITY_SERIAL:SECRET_UNITY_SERIAL"
            "GIT_PRIVATE_TOKEN:SECRET_GIT_PRIVATE_TOKEN"
            "LOCALSTACK_AUTH_TOKEN:SECRET_LOCALSTACK_AUTH_TOKEN"
            "GOOGLE_SERVICE_ACCOUNT_EMAIL:SECRET_GOOGLE_SERVICE_ACCOUNT_EMAIL"
            "GOOGLE_SERVICE_ACCOUNT_KEY:SECRET_GOOGLE_SERVICE_ACCOUNT_KEY"
            "CODECOV_TOKEN:SECRET_CODECOV_TOKEN"
          )
          synced=0
          skipped=0
          for entry in "${SECRETS[@]}"; do
            name="${entry%%:*}"
            env_var="${entry##*:}"
            value="${!env_var}"
            if [ -z "$value" ]; then
              echo "⏭ SKIP: $name (not available in this repo's context)"
              skipped=$((skipped + 1))
              continue
            fi
            if [ "$DRY_RUN" = "true" ]; then
              echo "🔍 DRY RUN: would sync $name → $TARGET_REPO"
            else
              echo "$value" | gh secret set "$name" -R "$TARGET_REPO" --body -
              echo "✅ SYNCED: $name → $TARGET_REPO"
            fi
            synced=$((synced + 1))
          done
          echo ""
          echo "=== Summary ==="
          echo "Synced: $synced"
          echo "Skipped (not available): $skipped"
          echo "Target: $TARGET_REPO"
          if [ "$DRY_RUN" = "true" ]; then
            echo "Mode: DRY RUN (no secrets were written)"
          fi