support for github org secrets

Signed-off-by: Marlon Pina Tojal <marlont@backbase.com>

pkg/cosign/git/github/github.go

@@ -70,19 +70,24 @@ func (g *Gh) PutSecret(ctx context.Context, ref string, pf cosign.PassFunc) erro
 		return fmt.Errorf("generating key pair: %w", err)
 	}
 
+	var owner, repo string
 	split := strings.Split(ref, "/")
-	if len(split) < 2 {
-		return errors.New("could not parse scheme, use github://<owner>/<repo> format")
+
+	if len(split) == 2 {
+		owner, repo = split[0], split[1]
+	} else if len(split) == 1 {
+		owner = split[0]
+	} else {
+		return errors.New("could not parse scheme, use github://<owner> or github://<owner>/<repo> format")
 	}
-	owner, repo := split[0], split[1]
 
-	key, getRepoPubKeyResp, err := client.Actions.GetRepoPublicKey(ctx, owner, repo)
+	key, getPubKeyResp, err := g.getPublicKey(client, ctx, owner, repo)
 	if err != nil {
 		return fmt.Errorf("could not get repository public key: %w", err)
 	}
 
-	if getRepoPubKeyResp.StatusCode < 200 && getRepoPubKeyResp.StatusCode >= 300 {
-		bodyBytes, _ := io.ReadAll(getRepoPubKeyResp.Body)
+	if getPubKeyResp.StatusCode < 200 && getPubKeyResp.StatusCode >= 300 {
+		bodyBytes, _ := io.ReadAll(getPubKeyResp.Body)
 		return fmt.Errorf("%s", bodyBytes)
 	}
 
@@ -91,7 +96,7 @@ func (g *Gh) PutSecret(ctx context.Context, ref string, pf cosign.PassFunc) erro
 		return fmt.Errorf("could not encrypt the secret: %w", err)
 	}
 
-	passwordSecretEnvResp, err := client.Actions.CreateOrUpdateRepoSecret(ctx, owner, repo, encryptedCosignPasswd)
+	passwordSecretEnvResp, err := g.createOrUpdateOrgSecret(client, ctx, owner, repo, encryptedCosignPasswd)
 	if err != nil {
 		return fmt.Errorf("could not create \"COSIGN_PASSWORD\" github actions secret: %w", err)
 	}
@@ -108,7 +113,7 @@ func (g *Gh) PutSecret(ctx context.Context, ref string, pf cosign.PassFunc) erro
 		return fmt.Errorf("could not encrypt the secret: %w", err)
 	}
 
-	privateKeySecretEnvResp, err := client.Actions.CreateOrUpdateRepoSecret(ctx, owner, repo, encryptedCosignPrivKey)
+	privateKeySecretEnvResp, err := g.createOrUpdateOrgSecret(client, ctx, owner, repo, encryptedCosignPrivKey)
 	if err != nil {
 		return fmt.Errorf("could not create \"COSIGN_PRIVATE_KEY\" github actions secret: %w", err)
 	}
@@ -125,7 +130,7 @@ func (g *Gh) PutSecret(ctx context.Context, ref string, pf cosign.PassFunc) erro
 		return fmt.Errorf("could not encrypt the secret: %w", err)
 	}
 
-	publicKeySecretEnvResp, err := client.Actions.CreateOrUpdateRepoSecret(ctx, owner, repo, encryptedCosignPubKey)
+	publicKeySecretEnvResp, err := g.createOrUpdateOrgSecret(client, ctx, owner, repo, encryptedCosignPubKey)
 	if err != nil {
 		return fmt.Errorf("could not create \"COSIGN_PUBLIC_KEY\" github actions secret: %w", err)
 	}
@@ -145,6 +150,20 @@ func (g *Gh) PutSecret(ctx context.Context, ref string, pf cosign.PassFunc) erro
 	return nil
 }
 
+func (g *Gh) getPublicKey(client *github.Client, ctx context.Context, owner string, repo string) (*github.PublicKey, *github.Response, error) {
+	if len(repo) > 0 {
+		return client.Actions.GetRepoPublicKey(ctx, owner, repo)
+	}
+	return client.Actions.GetOrgPublicKey(ctx, owner)
+}
+
+func (g *Gh) createOrUpdateOrgSecret(client *github.Client, ctx context.Context, owner string, repo string, encryptedCosignPasswd *github.EncryptedSecret) (*github.Response, error) {
+	if len(repo) > 0 {
+		return client.Actions.CreateOrUpdateRepoSecret(ctx, owner, repo, encryptedCosignPasswd)
+	}
+	return client.Actions.CreateOrUpdateOrgSecret(ctx, owner, encryptedCosignPasswd)
+}
+
 // NOTE: GetSecret is not implemented for GitHub
 func (g *Gh) GetSecret(ctx context.Context, ref string, key string) (string, error) { //nolint: revive
 	return "", nil