RakeGithub

Rake tasks for managing Github repositories.

Installation

Add this line to your application's Gemfile:

gem 'rake_github'

And then execute:

$ bundle

Or install it yourself as:

$ gem install rake_github

System dependencies

The secrets task group encrypts secrets client-side using rbnacl, which requires the native libsodium library to be present on the host. Install it before running any secrets task:

# macOS
$ brew install libsodium

# Debian/Ubuntu
$ apt-get install libsodium23

libsodium is only required when using the secrets tasks; the other task groups have no additional system dependencies.

Usage

define_deploy_keys_tasks

define_repository_tasks

Sets up rake tasks for managing deploy keys and merging pull requests.

require 'rake_github'

RakeGithub.define_repository_tasks(
  namespace: :github,
  repository: 'org/repo', # required
) do |t|
  t.access_token = "your_github_access_token" # required
  t.deploy_keys = [
    {
      title: 'CircleCI',
      public_key: File.read('path/to/your_deploy_key.public')
    }
  ]
end
Parameter Type Required Description Example Default
repository string Y Repository to perform tasks upon 'organisation/repository_name' N/A
access_token string Y Github token for authorisation 'ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' N/A
deploy_keys array N Keys to deploy to repository { title: string, public_key: string, read_only: bool } [ ]
deploy_keys_namespace symbol N Namespace to contain deploy keys tasks :deploy_tasks :deploy_keys
deploy_keys_destroy_task_name symbol N Option to change the destroy task name :obliterate :destroy
deploy_keys_provision_task_name symbol N Option to change the provision task name :add :provision
deploy_keys_ensure_task_name symbol N Option to change the ensure task name :destroy_and_provision :ensure
secrets array N Secrets to provision on the repository { name: string, value: string, dependabot: bool } [ ]
secrets_namespace symbol N Namespace to contain secrets tasks :repository_secrets :secrets
secrets_destroy_task_name symbol N Option to change the secrets destroy task name :obliterate :destroy
secrets_provision_task_name symbol N Option to change the secrets provision task name :add :provision
secrets_ensure_task_name symbol N Option to change the secrets ensure task name :destroy_and_provision :ensure
environments array N Environments to provision on the repository { name: string, reviewers: array } [ ]
environments_namespace symbol N Namespace to contain environments tasks :repository_environments :environments
environments_destroy_task_name symbol N Option to change the environments destroy task name :obliterate :destroy
environments_provision_task_name symbol N Option to change the environments provision task name :add :provision
environments_ensure_task_name symbol N Option to change the environments ensure task name :destroy_and_provision :ensure
namespace symbol N Namespace for tasks to live in, defaults to root namespace :rake_github N/A

Exposes tasks:

$ rake -T

rake github:deploy_keys:destroy
rake github:deploy_keys:ensure
rake github:deploy_keys:provision
rake github:secrets:destroy
rake github:secrets:ensure
rake github:secrets:provision
rake github:environments:destroy
rake github:environments:ensure
rake github:environments:provision
rake github:pull_requests:merge[branch_name,commit_message]

deploy_keys:provision

Provisions deploy keys to the specified repository.

deploy_keys:destroy

Destroys deploy keys from the specified repository.

deploy_keys:ensure

Destroys and then provisions deploy keys on the specified repository.

pull_requests:merge

Merges the PR associated with the branch_name. Branch name is required.

commit_message is optional, and can contain the original commit message with the %s placeholder, e.g. pull_requests:merge[new_feature,"%s [skip ci]"].

define_secrets_tasks

Sets up rake tasks for managing repository secrets. Each secret is written to the Actions secret store by default. A secret can additionally be written to the Dependabot secret store by setting dependabot: true, so that Dependabot-triggered workflow runs can read the secrets they need. Secrets are encrypted client-side before being sent to GitHub.

These tasks require the native libsodium library to be installed on the host — see System dependencies above.

require 'rake_github'

RakeGithub.define_secrets_tasks(
  namespace: :secrets,
  repository: 'org/repo', # required
) do |t|
  t.access_token = "your_github_access_token" # required
  t.secrets = [
    {
      name: 'SOME_SECRET',
      value: 'some-plaintext-value'
    },
    {
      name: 'SHARED_SECRET',
      value: 'another-plaintext-value',
      dependabot: true # also write to the Dependabot store
    }
  ]
end
Parameter Type Required Description Example Default
repository string Y Repository to perform tasks upon 'organisation/repository_name' N/A
access_token string Y Github token for authorisation 'ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' N/A
secrets array N Secrets to provision on the repository { name: string, value: string, dependabot: bool } [ ]
destroy_task_name symbol N Option to change the destroy task name :obliterate :destroy
provision_task_name symbol N Option to change the provision task name :add :provision
ensure_task_name symbol N Option to change the ensure task name :destroy_and_provision :ensure
namespace symbol N Namespace for tasks to live in, defaults to root namespace :secrets N/A

Exposes tasks:

$ rake -T

rake secrets:destroy
rake secrets:ensure
rake secrets:provision

secrets:provision

Provisions the specified secrets to the repository, writing each one to the Actions secret store and, for secrets marked dependabot: true, also to the Dependabot secret store.

secrets:destroy

Destroys the specified secrets from the repository, removing each one from both the Actions and Dependabot secret stores.

secrets:ensure

Destroys and then provisions the specified secrets on the repository.

define_environments_tasks

Sets up rake tasks for managing GitHub deployment environments, including protection rules such as required reviewers. Team and user reviewers are resolved to their numeric ids before being sent to GitHub.

require 'rake_github'

RakeGithub.define_environments_tasks(
  namespace: :environments,
  repository: 'org/repo', # required
) do |t|
  t.access_token = "your_github_access_token" # required
  t.environments = [
    {
      name: 'release',
      wait_timer: 0,
      prevent_self_review: false,
      reviewers: [
        { team: 'maintainers' },
        { user: 'someone' }
      ],
      deployment_branch_policy: {
        protected_branches: true,
        custom_branch_policies: false
      }
    }
  ]
end

Only name is required for each environment; every other key is optional and is omitted from the GitHub API payload when absent.

Parameter Type Required Description Example Default
repository string Y Repository to perform tasks upon 'organisation/repository_name' N/A
access_token string Y Github token for authorisation 'ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' N/A
environments array N Environments to provision on the repository { name: string, reviewers: array } [ ]
destroy_task_name symbol N Option to change the destroy task name :obliterate :destroy
provision_task_name symbol N Option to change the provision task name :add :provision
ensure_task_name symbol N Option to change the ensure task name :destroy_and_provision :ensure
namespace symbol N Namespace for tasks to live in, defaults to root namespace :environments N/A

Exposes tasks:

$ rake -T

rake environments:destroy
rake environments:ensure
rake environments:provision

environments:provision

Provisions the specified environments on the repository, resolving any team and user reviewers to their numeric ids.

environments:destroy

Destroys the specified environments from the repository. This is irreversible and also discards each environment's protection rules, environment secrets and deployment history. environments:ensure therefore fully recreates each environment rather than patching it in place.

environments:ensure

Destroys and then provisions the specified environments on the repository.

define_release_task

Development

After checking out the repo, run bin/setup to install dependencies. Then, run rake spec to run the tests. You can also run bin/console for an interactive prompt that will allow you to experiment.

To install this gem onto your local machine, run bundle exec rake install. To release a new version, update the version number in version.rb, and then run bundle exec rake release, which will create a git tag for the version, push git commits and tags, and push the .gem file to rubygems.org.

Managing CircleCI keys

To encrypt a GPG key for use by CircleCI:

openssl aes-256-cbc \
  -e \
  -md sha1 \
  -in ./config/secrets/ci/gpg.private \
  -out ./.circleci/gpg.private.enc \
  -k "<passphrase>"

To check decryption is working correctly:

openssl aes-256-cbc \
  -d \
  -md sha1 \
  -in ./.circleci/gpg.private.enc \
  -k "<passphrase>"

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/infrablocks/rake_github. This project is intended to be a safe, welcoming space for collaboration, and contributors are expected to adhere to the Contributor Covenant code of conduct.

License

The gem is available as open source under the terms of the MIT License.