
[Python] Github API to encrypt new token and update a secret with encrypted token in Github...

Discussion in 'Python' started by Stack, October 1, 2024 at 10:02.

  1. Stack

    Stack Participating Member

    I am trying to replace the access token stored as a secret in GitHub Secrets & Variables via GitHub Actions, but couldn't find a way to encrypt the new access token using libsodium (https://docs.github.com/en/rest/act...11-28#create-or-update-an-organization-secret). Below is the workflow script which I have created; I am currently stuck at the step with id encrypt_access_token. I created a script to process the encryption but found no way to develop the script in Python. A reference using JavaScript can be found in "GitHub API secret encryption with libsodium in Node.js: UnhandledPromiseRejectionWarning: Error: bad public key size". Does anyone have experience with this?

    on:
      workflow_dispatch:
      schedule:
        - cron: '0 0 * * *'

    jobs:
      refresh-token:
        runs-on: [self-hosted, 2-core]

        steps:
          - name: Checkout Code
            uses: actions/checkout@v4

          - name: Set Up Python
            uses: actions/setup-python@v4
            with:
              python-version: '3.10'

          - name: Refresh OAuth Token
            run: |
              curl --request POST \
                --url https://xxxx/oauth/token \
                --header "Content-Type: application/x-www-form-urlencoded" \
                --data "client_id=${{ secrets.CLIENT_ID }}" \
                --data "client_secret=${{ secrets.CLIENT_SECRET }}" \
                --data "refresh_token=${{ secrets.REFRESH_TOKEN }}" \
                --data "grant_type=client_credentials" \
                --output response.json

              echo "NEW_ACCESS_TOKEN=$(cat response.json | jq -r '.access_token')" >> $GITHUB_ENV

          - name: Get GitHub Repository Public Key (for secret encryption)
            id: get_public_key
            run: |
              curl -s -H "Authorization: token ${{ secrets.GH_PAT }}" \
                -H "Accept: application/vnd.github+json" \
                -H "X-GitHub-Api-Version: 2022-11-28" \
                https://api.github.com/repos/${{ github.repository }}/actions/secrets/public-key \
                > public_key.json
              echo "KEY_ID=$(cat public_key.json | jq -r '.key_id')" >> $GITHUB_ENV
              echo "PUBLIC_KEY=$(cat public_key.json | jq -r '.key')" >> $GITHUB_ENV

          - name: Install dependencies
            run: |
              python -m pip install --upgrade pip
              pip install pynacl

          - name: Encrypt the New Access Token
            id: encrypt_access_token
            run: |
              echo "ENCRYPTED_ACCESS_TOKEN=$(python secret_encryptor.py)" >> $GITHUB_ENV

          - name: Update the Access Token Secret Using GitHub API
            run: |
              curl -X PUT -H "Authorization: token ${{ secrets.GH_PAT }}" \
                -H "Content-Type: application/json" \
                -d '{"encrypted_value":"'"${{ env.ENCRYPTED_ACCESS_TOKEN }}"'","key_id":"'"${{ env.KEY_ID }}"'"}' \
                https://api.github.com/repos/${{ github.repository }}/actions/secrets/ACCESS_TOKEN


    A Python script using libsodium to encrypt the new token and update the secret stored in GitHub

