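# Arazzo workflow: provision an organization-level GitHub Actions secret with
# "selected" visibility and pin it to an explicit repository allow list.
#
# Security notes for anyone running or embedding this flow:
#   - accessToken is a live credential. It is interpolated into the
#     Authorization header of every step, so the executor must redact request
#     headers in any logging/tracing it does.
#   - encryptedValue is expected to be already sealed with the org public key;
#     the plaintext never enters this workflow.
#   - The flow fails closed if the org public key has rotated since the value
#     was encrypted (see getOrgPublicKey.successCriteria) instead of sending an
#     undecryptable blob to GitHub.
arazzo: 1.0.1
info:
  title: GitHub Actions Share an Organization Secret with Selected Repositories
  summary: >-
    Fetch the org public key, create or update a selected-visibility org
    secret, scope it to repositories, and list them.
  description: >-
    Provisions an organization-level Actions secret and restricts it to a chosen
    set of repositories. The workflow retrieves the organization public key and
    verifies it matches the key used for encryption, creates or updates the
    secret with selected visibility, replaces the secret's repository allow
    list, and lists the selected repositories to confirm the scope. Every step
    spells out its request inline so the flow can be read and executed without
    opening the underlying OpenAPI description.
  version: 1.0.0
sourceDescriptions:
  - name: githubActionsApi
    url: ../openapi/github-actions-openapi.yml
    type: openapi
workflows:
  - workflowId: share-org-secret
    summary: Create a selected-visibility org secret and scope it to repositories.
    description: >-
      Gets the org public key and checks its key_id against the supplied keyId,
      writes the encrypted org secret with selected visibility, sets its
      selected repositories, and lists them to confirm.
    inputs:
      type: object
      required:
        - accessToken
        - org
        - secretName
        - encryptedValue
        - keyId
        - selectedRepositoryIds
      properties:
        accessToken:
          type: string
          # format: password marks the value as sensitive so schema-aware
          # tooling (UIs, log scrubbers) knows to mask it.
          format: password
          description: >-
            GitHub bearer token with organization secrets admin access. This is
            a credential: do not log, echo, or persist it.
        org:
          type: string
          description: The organization name.
        secretName:
          type: string
          description: The name of the organization secret to create or update.
        encryptedValue:
          type: string
          description: >-
            The secret value encrypted with LibSodium using the org public key.
            Only the ciphertext is supplied; the plaintext never enters this
            workflow.
        keyId:
          type: string
          description: >-
            The id of the public key used to encrypt the value. Must equal the
            key_id currently returned by the org public-key endpoint, which the
            first step enforces.
        selectedRepositoryIds:
          type: array
          description: >-
            The repository ids that may access the secret. This list is
            authoritative: any repository not listed loses access when the
            allow list is replaced.
          items:
            type: integer
    steps:
      - stepId: getOrgPublicKey
        description: >-
          Retrieve the organization public key and verify that its key_id
          matches the key used to encrypt the secret value. Failing here is
          deliberate: a mismatch means the key rotated after encryption and
          the ciphertext can no longer be decrypted by GitHub.
        operationId: getOrgPublicKey
        parameters:
          - name: Authorization
            in: header
            value: "Bearer $inputs.accessToken"
          - name: org
            in: path
            value: $inputs.org
        successCriteria:
          - condition: $statusCode == 200
          # Fail closed on key rotation: the ciphertext in $inputs.encryptedValue
          # is only valid for the key identified by $inputs.keyId.
          - condition: $response.body#/key_id == $inputs.keyId
        outputs:
          keyId: $response.body#/key_id
          publicKey: $response.body#/key
      - stepId: writeOrgSecret
        description: >-
          Create or update the organization secret with selected visibility.
          Returns 201 when newly created and 204 when updated.
        operationId: createOrUpdateOrgSecret
        parameters:
          - name: Authorization
            in: header
            value: "Bearer $inputs.accessToken"
          - name: org
            in: path
            value: $inputs.org
          - name: secret_name
            in: path
            value: $inputs.secretName
        requestBody:
          contentType: application/json
          payload:
            encrypted_value: $inputs.encryptedValue
            key_id: $inputs.keyId
            # "selected" keeps the secret off every repository not explicitly
            # listed; never widen this to "all" or "private" from this flow.
            visibility: selected
            selected_repository_ids: $inputs.selectedRepositoryIds
        successCriteria:
          - condition: $statusCode == 201 || $statusCode == 204
      - stepId: setSelectedRepos
        description: >-
          Replace the secret's repository allow list with the supplied
          repository ids. Returns 204 with no body. This re-applies the list
          already sent in writeOrgSecret so the supplied ids are authoritative
          on update as well as on create.
        operationId: setSelectedReposForOrgSecret
        parameters:
          - name: Authorization
            in: header
            value: "Bearer $inputs.accessToken"
          - name: org
            in: path
            value: $inputs.org
          - name: secret_name
            in: path
            value: $inputs.secretName
        requestBody:
          contentType: application/json
          payload:
            selected_repository_ids: $inputs.selectedRepositoryIds
        successCriteria:
          - condition: $statusCode == 204
      - stepId: listSelectedRepos
        description: >-
          List the repositories now scoped to the secret to confirm the allow
          list.
        # NOTE(review): this GitHub endpoint is paginated, so `repositories`
        # may be a partial page. Use `totalCount` (not the array length) to
        # confirm the scope, and compare it with the number of supplied ids.
        operationId: listSelectedReposForOrgSecret
        parameters:
          - name: Authorization
            in: header
            value: "Bearer $inputs.accessToken"
          - name: org
            in: path
            value: $inputs.org
          - name: secret_name
            in: path
            value: $inputs.secretName
        successCriteria:
          - condition: $statusCode == 200
        outputs:
          totalCount: $response.body#/total_count
          repositories: $response.body#/repositories
    outputs:
      secretName: $inputs.secretName
      # Compare against the length of selectedRepositoryIds to detect drift.
      scopedRepoCount: $steps.listSelectedRepos.outputs.totalCount
      # Exposed for audit so callers can verify exactly which repos were scoped.
      scopedRepositories: $steps.listSelectedRepos.outputs.repositories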