encryptSecret encrypts a plain-text secret using libsodium's sealed box (crypto_box_seal), which is what GitHub's API expects for encrypted credentials.
(publicKeyB64, secret string)
| 44 | // encryptSecret encrypts a plain-text secret using libsodium's sealed box |
| 45 | // (crypto_box_seal), which is what GitHub's API expects for encrypted credentials. |
| 46 | func encryptSecret(publicKeyB64, secret string) (string, error) { |
| 47 | publicKeyBytes, err := base64.StdEncoding.DecodeString(publicKeyB64) |
| 48 | if err != nil { |
| 49 | return "", fmt.Errorf("decoding public key: %w", err) |
| 50 | } |
| 51 | if len(publicKeyBytes) != 32 { |
| 52 | return "", fmt.Errorf("public key must be 32 bytes, got %v", len(publicKeyBytes)) |
| 53 | } |
| 54 | publicKey := [32]byte(publicKeyBytes) |
| 55 | |
| 56 | encrypted, err := box.SealAnonymous(nil, []byte(secret), &publicKey, rand.Reader) |
| 57 | if err != nil { |
| 58 | return "", fmt.Errorf("encrypting secret: %w", err) |
| 59 | } |
| 60 | |
| 61 | return base64.StdEncoding.EncodeToString(encrypted), nil |
| 62 | } |
| 63 | |
| 64 | func main() { |
| 65 | if len(os.Args) < 2 { |
no outgoing calls
no test coverage detected
searching dependent graphs…