@@ -31,15 +31,35 @@ jobs:
3131
3232 # Save the long-lived token as a GitHub secret
3333 echo "THREADS_ACCESS_TOKEN=$LONG_LIVED_TOKEN" >> $GITHUB_ENV
34-
34+ uses : actions/setup-node@v3
35+ with :
36+ node-version : 20
37+ - name : Install LibSodium
38+ run : |
39+ npm install --global [email protected] 40+ echo "NODE_PATH=$(npm root -g)" >> $GITHUB_ENV
3541name : Update GitHub Secret with new token
3642 uses : actions/github-script@v7
3743 with :
38- github-token : ${{ secrets.GITHUB_TOKEN }}
44+ result-encoding : string
45+ github-token : ${{ secrets.UPDATE_THREADS_TOKEN_PAT }} # Use the PAT here for updating secrets
3946 script : |
40- github.rest.actions.createOrUpdateRepoSecret({
41- owner: context.repo.owner,
42- repo: context.repo.repo,
43- secret_name: "THREADS_ACCESS_TOKEN",
44- encrypted_value: process.env.THREADS_ACCESS_TOKEN
45- })
47+ const sodium = require('sodium-native');
48+ const { data: {key: publicKey, key_id: keyId} } = await github.rest.actions.getRepoPublicKey({...context.repo});
49+ if (publicKey) {
50+ const key = Buffer.from(publicKey, 'base64');
51+ const message = Buffer.from(process.env.THREADS_ACCESS_TOKEN);
52+ const ciphertext = Buffer.alloc(message.length + sodium.crypto_box_SEALBYTES);
53+
54+ sodium.crypto_box_seal(ciphertext, message, key);
55+ const encryptedToken = ciphertext.toString('base64');
56+
57+ await github.rest.actions.createOrUpdateRepoSecret({
58+ ...context.repo,
59+ secret_name: 'THREADS_ACCESS_TOKEN',
60+ encrypted_value: encryptedToken,
61+ key_id: keyId,
62+ });
63+ } else {
64+ core.error('Failed to fetch the public key. Unable to update secret');
65+ }
0 commit comments