Put secrets on github organizations (#3567)

* support for github org secrets

Signed-off-by: Marlon Pina Tojal <marlont@backbase.com>

---------

Signed-off-by: Marlon Pina Tojal <marlont@backbase.com>
Co-authored-by: Marlon Pina Tojal <marlont@backbase.com>

pkg/cosign/git/github/github.go

@@ -70,19 +70,25 @@ func (g *Gh) PutSecret(ctx context.Context, ref string, pf cosign.PassFunc) erro
 		return fmt.Errorf("generating key pair: %w", err)
 	}
 
+	var owner, repo string
 	split := strings.Split(ref, "/")
-	if len(split) < 2 {
-		return errors.New("could not parse scheme, use github://<owner>/<repo> format")
+
+	switch len(split) {
+	case 2:
+		owner, repo = split[0], split[1]
+	case 1:
+		owner = split[0]
+	default:
+		return errors.New("could not parse scheme, use github://<owner> or github://<owner>/<repo> format")
 	}
-	owner, repo := split[0], split[1]
 
-	key, getRepoPubKeyResp, err := client.Actions.GetRepoPublicKey(ctx, owner, repo)
+	key, getPubKeyResp, err := getPublicKey(ctx, client, owner, repo)
 	if err != nil {
 		return fmt.Errorf("could not get repository public key: %w", err)
 	}
 
-	if getRepoPubKeyResp.StatusCode < 200 && getRepoPubKeyResp.StatusCode >= 300 {
-		bodyBytes, _ := io.ReadAll(getRepoPubKeyResp.Body)
+	if getPubKeyResp.StatusCode < 200 && getPubKeyResp.StatusCode >= 300 {
+		bodyBytes, _ := io.ReadAll(getPubKeyResp.Body)
 		return fmt.Errorf("%s", bodyBytes)
 	}
 
@@ -91,7 +97,7 @@ func (g *Gh) PutSecret(ctx context.Context, ref string, pf cosign.PassFunc) erro
 		return fmt.Errorf("could not encrypt the secret: %w", err)
 	}
 
-	passwordSecretEnvResp, err := client.Actions.CreateOrUpdateRepoSecret(ctx, owner, repo, encryptedCosignPasswd)
+	passwordSecretEnvResp, err := createOrUpdateOrgSecret(ctx, client, owner, repo, encryptedCosignPasswd)
 	if err != nil {
 		return fmt.Errorf("could not create \"COSIGN_PASSWORD\" github actions secret: %w", err)
 	}
@@ -108,7 +114,7 @@ func (g *Gh) PutSecret(ctx context.Context, ref string, pf cosign.PassFunc) erro
 		return fmt.Errorf("could not encrypt the secret: %w", err)
 	}
 
-	privateKeySecretEnvResp, err := client.Actions.CreateOrUpdateRepoSecret(ctx, owner, repo, encryptedCosignPrivKey)
+	privateKeySecretEnvResp, err := createOrUpdateOrgSecret(ctx, client, owner, repo, encryptedCosignPrivKey)
 	if err != nil {
 		return fmt.Errorf("could not create \"COSIGN_PRIVATE_KEY\" github actions secret: %w", err)
 	}
@@ -125,7 +131,7 @@ func (g *Gh) PutSecret(ctx context.Context, ref string, pf cosign.PassFunc) erro
 		return fmt.Errorf("could not encrypt the secret: %w", err)
 	}
 
-	publicKeySecretEnvResp, err := client.Actions.CreateOrUpdateRepoSecret(ctx, owner, repo, encryptedCosignPubKey)
+	publicKeySecretEnvResp, err := createOrUpdateOrgSecret(ctx, client, owner, repo, encryptedCosignPubKey)
 	if err != nil {
 		return fmt.Errorf("could not create \"COSIGN_PUBLIC_KEY\" github actions secret: %w", err)
 	}
@@ -150,6 +156,20 @@ func (g *Gh) GetSecret(ctx context.Context, ref string, key string) (string, err
 	return "", nil
 }
 
+func createOrUpdateOrgSecret(ctx context.Context, client *github.Client, owner string, repo string, encryptedCosignPasswd *github.EncryptedSecret) (*github.Response, error) {
+	if len(repo) > 0 {
+		return client.Actions.CreateOrUpdateRepoSecret(ctx, owner, repo, encryptedCosignPasswd)
+	}
+	return client.Actions.CreateOrUpdateOrgSecret(ctx, owner, encryptedCosignPasswd)
+}
+
+func getPublicKey(ctx context.Context, client *github.Client, owner string, repo string) (*github.PublicKey, *github.Response, error) {
+	if len(repo) > 0 {
+		return client.Actions.GetRepoPublicKey(ctx, owner, repo)
+	}
+	return client.Actions.GetOrgPublicKey(ctx, owner)
+}
+
 func encryptSecretWithPublicKey(publicKey *github.PublicKey, secretName string, secretValue []byte) (*github.EncryptedSecret, error) {
 	decodedPubKey, err := base64.StdEncoding.DecodeString(publicKey.GetKey())
 	if err != nil {