github_secrets_info: new module

Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
2026-03-22 05:09:12 +00:00 · 2026-03-13 15:08:27 +00:00 · 2026-03-13 15:08:27 +00:00 · 387cc59ea0
commit 387cc59ea0
parent f0e3edc892
3 changed files with 277 additions and 0 deletions
--- a/plugins/modules/github_secrets_info.py
+++ b/plugins/modules/github_secrets_info.py
@ -0,0 +1,174 @@
+#!/usr/bin/python
+
+# Copyright (c) Ansible project
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import annotations
+
+DOCUMENTATION = r"""
+module: github_secrets_info
+short_description: List GitHub repository or organization secrets
+description:
+  - List secrets in a GitHub repository or organization.
+author:
+  - Thomas Sjögren (@konstruktoid)
+version_added: '12.5.0'
+requirements:
+  - pynacl
+extends_documentation_fragment:
+  - community.general.attributes
+attributes:
+  check_mode:
+    support: full
+  diff_mode:
+    support: none
+options:
+  organization:
+    description:
+      - The GitHub username or organization name.
+    type: str
+    required: true
+    aliases: ["org", "username"]
+  repository:
+    description:
+      - The name of the repository.
+      - If not provided, the listing will be at organization level.
+    type: str
+    aliases: ["repo"]
+  api_url:
+    description:
+      - The base URL for the GitHub API.
+    type: str
+    default: "https://api.github.com"
+  token:
+    description:
+      - The GitHub token used for authentication.
+    type: str
+    required: true
+"""
+
+EXAMPLES = r"""
+- name: List Github secret
+  github_secrets_info:
+    token: "{{ lookup('env', 'GITHUB_TOKEN') }}"
+    repository: "ansible"
+    organization: "ansible"
+"""
+
+RETURN = r"""
+result:
+  description: The result of the module.
+  type: dict
+  returned: always
+  sample: {
+    "changed": false,
+    "failed": false,
+    "result": {
+      "info": 200,
+      "response": "Secrets listed",
+      "secrets": [
+        {
+          "created_at": "2026-01-11T23:19:00Z",
+          "name": "ANSIBLE",
+          "updated_at": "2026-02-15T22:18:16Z"
+        },
+      ]
+    },
+  }
+"""
+
+import json
+from http import HTTPStatus
+from typing import Any
+
+from ansible.module_utils.basic import AnsibleModule
+from ansible.module_utils.urls import fetch_url
+
+from ansible_collections.community.general.plugins.module_utils import deps
+
+with deps.declare(
+    "pynacl",
+    reason="pynacl is a required dependency",
+    url="https://pypi.org/project/PyNaCl/",
+):
+    pass
+
+
+def list_secrets(
+    module: AnsibleModule,
+    api_url: str,
+    headers: dict[str, str],
+    organization: str,
+    repository: str,
+) -> dict[str, int]:
+    url = (
+        f"{api_url}/repos/{organization}/{repository}/actions/secrets"
+        if repository
+        else f"{api_url}/orgs/{organization}/actions/secrets"
+    )
+
+    resp, info = fetch_url(module, url, headers=headers, method="GET")
+
+    if info["status"] == HTTPStatus.OK:
+        body = resp.read()
+        return {
+            "secrets": json.loads(body).get("secrets", []),
+            "info": info["status"],
+            "response": "Secrets listed",
+        }
+    elif info["status"] == HTTPStatus.NOT_FOUND:
+        return {
+            "secrets": [],
+            "info": info["status"],
+            "response": "No secrets found",
+        }
+    else:
+        module.fail_json(msg=f"Failed to list secrets: {info}")
+
+
+def main() -> None:
+    """Ansible module entry point."""
+    argument_spec = {
+        "organization": {
+            "type": "str",
+            "aliases": ["org", "username"],
+            "required": True,
+        },
+        "repository": {"type": "str", "aliases": ["repo"]},
+        "api_url": {"type": "str", "default": "https://api.github.com"},
+        "token": {"type": "str", "required": True, "no_log": True},
+    }
+
+    module = AnsibleModule(
+        argument_spec=argument_spec,
+        supports_check_mode=True,
+    )
+
+    deps.validate(module)
+
+    organization: str = module.params["organization"]
+    repository: str = module.params["repository"]
+    api_url: str = module.params["api_url"]
+    token: str = module.params["token"]
+
+    result: dict[str, Any] = {}
+
+    headers = {
+        "Accept": "application/vnd.github+json",
+        "Authorization": f"Bearer {token}",
+        "Content-Type": "application/json",
+    }
+
+    secrets = list_secrets(module, api_url, headers, organization, repository)
+
+    result["changed"] = False
+    result.update(
+        result=secrets,
+    )
+
+    module.exit_json(**result)
+
+
+if __name__ == "__main__":
+    main()