github_secrets: new module (#11514)

* add support for managing GitHub secrets Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * fix tab Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * update for sanity Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * more sanity fixes Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * update botmeta Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * formating Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * remove list function Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * remove docstring, format text strings and return codes Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * switch to deps Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * black and ruff doesnt get along Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * initial unit tests Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * update non-existing secret test Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * update description and details Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * handle when a secret cant be deleted Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * fail if not acceptable error codes Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * add test for non-acceptable status codes Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * remove local ruff config Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * allow empty strings Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * set required_ Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * extend tests Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * cleanup Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * cover all, got a git urlopen error Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * cover all, got a git urlopen error Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * ensure value cant be None Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * check_mode Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * bump to 12.5.0 Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * Update plugins/modules/github_secrets.py Co-authored-by: Felix Fontein <felix@fontein.de> * extend check_mode and related tests Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * split constants and return dict when checking secret Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * switch to HTTPStatus Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * replace DELETE and UPDATE with NO_CONTENT Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * Update plugins/modules/github_secrets.py Co-authored-by: Felix Fontein <felix@fontein.de> * Update plugins/modules/github_secrets.py Co-authored-by: Felix Fontein <felix@fontein.de> * update tests Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> * Update plugins/modules/github_secrets.py Co-authored-by: Felix Fontein <felix@fontein.de> * Update plugins/modules/github_secrets.py Co-authored-by: Felix Fontein <felix@fontein.de> * Update plugins/modules/github_secrets.py Co-authored-by: Felix Fontein <felix@fontein.de> * Update plugins/modules/github_secrets.py Co-authored-by: Felix Fontein <felix@fontein.de> * Update plugins/modules/github_secrets.py Co-authored-by: Felix Fontein <felix@fontein.de> --------- Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com> Co-authored-by: Felix Fontein <felix@fontein.de> (cherry picked from commit 46ffec6f0e)
2026-03-22 05:09:12 +00:00 · 2026-03-15 16:29:33 +01:00 · 2026-03-15 16:29:33 +01:00 · 739b5ac6ff
commit 739b5ac6ff
parent 86616b1559
4 changed files with 764 additions and 0 deletions
--- a/.github/BOTMETA.yml
+++ b/.github/BOTMETA.yml
@ -642,6 +642,8 @@ files:
    maintainers: adrianmoisey
  $modules/github_repo.py:
    maintainers: atorrescogollo
  $modules/github_secrets.py:
    maintainers: konstruktoid
  $modules/gitlab_:
    keywords: gitlab source_control
    maintainers: $team_gitlab
--- a/plugins/modules/github_secrets.py
+++ b/plugins/modules/github_secrets.py
@ -0,0 +1,401 @@
 #!/usr/bin/python
 # Copyright (c) Ansible project
 # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
 # SPDX-License-Identifier: GPL-3.0-or-later
 from __future__ import annotations
 DOCUMENTATION = r"""
 module: github_secrets
 short_description: Manage GitHub repository or organization secrets
 description:
  - Create, update, or delete secrets in a GitHub repository or organization.
 author:
  - Thomas Sjögren (@konstruktoid)
 version_added: '12.5.0'
 requirements:
  - pynacl
 extends_documentation_fragment:
  - community.general.attributes
 attributes:
  check_mode:
    support: full
  diff_mode:
    support: none
 options:
  organization:
    description:
      - The GitHub username or organization name.
    type: str
    required: true
    aliases: ["org", "username"]
  repository:
    description:
      - The name of the repository.
      - If not provided, the secret will be managed at the organization level.
    type: str
    aliases: ["repo"]
  key:
    description:
      - The name of the secret.
    type: str
  value:
    description:
      - The value of the secret. Required when O(state=present).
    type: str
  visibility:
    description:
      - The visibility of the secret when set at the organization level.
      - Required when O(state=present) and O(repository) is not set.
    type: str
    choices: ["all", "private", "selected"]
  state:
    description:
      - The desired state of the secret.
    type: str
    choices: ["present", "absent"]
    default: "present"
  api_url:
    description:
      - The base URL for the GitHub API.
    type: str
    default: "https://api.github.com"
  token:
    description:
      - The GitHub token used for authentication.
    type: str
    required: true
 """
 EXAMPLES = r"""
 - name: Add Github secret
  community.general.github_secrets:
    token: "{{ lookup('ansible.builtin.env', 'GITHUB_TOKEN') }}"
    repository: "ansible"
    organization: "ansible"
    key: "TEST_SECRET"
    value: "bob"
    state: "present"
 - name: Delete Github secret
  community.general.github_secrets:
    token: "{{ lookup('ansible.builtin.env', 'GITHUB_TOKEN') }}"
    repository: "ansible"
    organization: "ansible"
    key: "TEST_SECRET"
    state: "absent"
 """
 RETURN = r"""
 result:
  description: The result of the module.
  type: dict
  returned: always
  sample: {
    "msg": "OK (2 bytes)",
    "response": "Secret created",
    "status": 201
  }
 """
 import json
 from http import HTTPStatus
 from typing import Any
 from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils.urls import fetch_url
 from ansible_collections.community.general.plugins.module_utils import deps
 with deps.declare(
    "pynacl",
    reason="pynacl is a required dependency",
    url="https://pypi.org/project/PyNaCl/",
 ):
    from nacl import encoding, public
 def get_public_key(
    module: AnsibleModule,
    api_url: str,
    headers: dict[str, str],
    organization: str,
    repository: str,
 ) -> tuple[str, str]:
    """Retrieve the GitHub Actions public key used to encrypt secrets."""
    if repository:
        url = f"{api_url}/repos/{organization}/{repository}/actions/secrets/public-key"
    else:
        url = f"{api_url}/orgs/{organization}/actions/secrets/public-key"
    resp, info = fetch_url(module, url, headers=headers)
    if info["status"] != HTTPStatus.OK:
        module.fail_json(msg=f"Failed to get public key: {info}")
    data = json.loads(resp.read())
    return data["key_id"], data["key"]
 def encrypt_secret(public_key: str, secret_value: str) -> str:
    """Encrypt a secret value using GitHub's public key."""
    key = public.PublicKey(
        public_key.encode("utf-8"),
        encoding.Base64Encoder(),  # type: ignore [arg-type]
    )
    sealed_box = public.SealedBox(key)
    encrypted = sealed_box.encrypt(secret_value.encode("utf-8"))
    return encoding.Base64Encoder.encode(encrypted).decode("utf-8")
 def check_secret(
    module: AnsibleModule,
    api_url: str,
    headers: dict[str, str],
    organization: str,
    repository: str,
    key: str,
 ) -> dict[str, int]:
    url = (
        f"{api_url}/repos/{organization}/{repository}/actions/secrets/{key}"
        if repository
        else f"{api_url}/orgs/{organization}/actions/secrets/{key}"
    )
    resp, info = fetch_url(module, url, headers=headers)
    if info["status"] in (HTTPStatus.OK, HTTPStatus.NOT_FOUND):
        return {"status": info["status"]}
    else:
        module.fail_json(msg=f"Failed to check secret: {info}")
 def upsert_secret(
    module: AnsibleModule,
    api_url: str,
    headers: dict[str, str],
    organization: str,
    repository: str,
    key: str,
    encrypted_value: str,
    key_id: str,
 ) -> dict[str, Any]:
    """Create or update a GitHub Actions secret."""
    url = (
        f"{api_url}/repos/{organization}/{repository}/actions/secrets/{key}"
        if repository
        else f"{api_url}/orgs/{organization}/actions/secrets/{key}"
    )
    payload = {
        "encrypted_value": encrypted_value,
        "key_id": key_id,
    }
    if not repository and module.params.get("visibility"):
        payload["visibility"] = module.params["visibility"]
    if module.check_mode:
        secret_present = check_secret(module, api_url, headers, organization, repository, key)
        if secret_present["status"] == HTTPStatus.NOT_FOUND:
            check_mode_msg = "OK (2 bytes)"
            check_mode_status = HTTPStatus.CREATED.value
            info = {
                "msg": check_mode_msg,
                "status": check_mode_status,
            }
        else:
            check_mode_msg = "OK (unknown bytes)"
            check_mode_status = HTTPStatus.NO_CONTENT
            info = {
                "msg": check_mode_msg,
                "status": check_mode_status,
            }
    else:
        resp, info = fetch_url(
            module,
            url,
            headers=headers,
            data=json.dumps(payload).encode("utf-8"),
            method="PUT",
        )
    if info["status"] not in (HTTPStatus.CREATED, HTTPStatus.NO_CONTENT):
        module.fail_json(msg=f"Failed to upsert secret: {info}")
    return info
 def delete_secret(
    module: AnsibleModule,
    api_url: str,
    headers: dict[str, str],
    organization: str,
    repository: str,
    key: str,
 ) -> dict[str, Any]:
    """Delete a GitHub Actions secret."""
    url = (
        f"{api_url}/repos/{organization}/{repository}/actions/secrets/{key}"
        if repository
        else f"{api_url}/orgs/{organization}/actions/secrets/{key}"
    )
    if module.check_mode:
        secret_present = check_secret(module, api_url, headers, organization, repository, key)
        info = {
            "msg": (
                "HTTP Error 404: Not Found"
                if secret_present["status"] == HTTPStatus.NOT_FOUND
                else "OK (unknown bytes)"
            ),
            "status": (
                HTTPStatus.NO_CONTENT if secret_present["status"] == HTTPStatus.OK else secret_present["status"]
            ),
        }
    else:
        resp, info = fetch_url(
            module,
            url,
            headers=headers,
            method="DELETE",
        )
    if info["status"] not in (HTTPStatus.NO_CONTENT, HTTPStatus.NOT_FOUND):
        module.fail_json(msg=f"Failed to delete secret: {info}")
    return info
 def main() -> None:
    """Ansible module entry point."""
    argument_spec = {
        "organization": {
            "type": "str",
            "aliases": ["org", "username"],
            "required": True,
        },
        "repository": {"type": "str", "aliases": ["repo"]},
        "key": {"type": "str", "no_log": False},
        "value": {"type": "str", "no_log": True},
        "visibility": {"type": "str", "choices": ["all", "private", "selected"]},
        "state": {
            "type": "str",
            "choices": ["present", "absent"],
            "default": "present",
        },
        "api_url": {"type": "str", "default": "https://api.github.com"},
        "token": {"type": "str", "required": True, "no_log": True},
    }
    module = AnsibleModule(
        argument_spec=argument_spec,
        required_if=[("state", "present", ["value"])],
        required_by={"value": "key"},
        supports_check_mode=True,
    )
    deps.validate(module)
    organization: str = module.params["organization"]
    repository: str = module.params["repository"]
    key: str = module.params["key"]
    value: str = module.params["value"]
    visibility: str = module.params.get("visibility")
    state: str = module.params["state"]
    api_url: str = module.params["api_url"]
    token: str = module.params["token"]
    if state == "present" and value is None:
        module.fail_json(
            msg="Invalid parameters",
            details="The 'value' parameter cannot be empty",
            params=module.params,
        )
    if state == "present" and not repository and not visibility:
        module.fail_json(
            msg="Invalid parameters",
            details="When 'state' is 'present' and 'repository' is not set, 'visibility' must be provided",
            params=module.params,
        )
    result: dict[str, Any] = {}
    headers = {
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    }
    if state == "present":
        key_id, public_key = get_public_key(
            module,
            api_url,
            headers,
            organization,
            repository,
        )
        encrypted_value = encrypt_secret(public_key, value)
        upsert = upsert_secret(
            module,
            api_url,
            headers,
            organization,
            repository,
            key,
            encrypted_value,
            key_id,
        )
        response_msg = "Secret created" if upsert["status"] == HTTPStatus.CREATED else "Secret updated"
        result["changed"] = True
        result.update(
            result={
                "status": upsert["status"],
                "msg": upsert.get("msg"),
                "response": response_msg,
            },
        )
    if state == "absent":
        delete = delete_secret(
            module,
            api_url,
            headers,
            organization,
            repository,
            key,
        )
        if delete["status"] == HTTPStatus.NO_CONTENT:
            result["changed"] = True
            result.update(
                result={
                    "status": delete["status"],
                    "msg": delete.get("msg"),
                    "response": "Secret deleted",
                },
            )
        if delete["status"] == HTTPStatus.NOT_FOUND:
            result["changed"] = False
            result.update(
                result={
                    "status": delete["status"],
                    "msg": delete.get("msg"),
                    "response": "Secret not found",
                },
            )
    module.exit_json(**result)
 if __name__ == "__main__":
    main()
--- a/tests/unit/plugins/modules/test_github_secrets.py
+++ b/tests/unit/plugins/modules/test_github_secrets.py
@ -0,0 +1,360 @@
 # Copyright (c) Ansible Project
 # GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
 # SPDX-License-Identifier: GPL-3.0-or-later
 from __future__ import annotations
 import json
 from unittest.mock import MagicMock, patch
 import pytest
 from ansible_collections.community.internal_test_tools.tests.unit.plugins.modules.utils import (
    AnsibleExitJson,
    AnsibleFailJson,
    exit_json,
    fail_json,
    set_module_args,
 )
 from ansible_collections.community.general.plugins.modules import github_secrets
 PUBLIC_KEY_PAYLOAD = {
    "key_id": "100",
    "key": "j6gSA9mu5bO8ig+YBNU6oXRhGwd3Z4EFiS9rVmU9gwo=",
 }
 def make_fetch_url_response(body, status=200):
    response = MagicMock()
    response.read.return_value = json.dumps(body).encode("utf-8")
    info = {"status": status, "msg": f"OK ({len(json.dumps(body))} bytes)"}
    return (response, info)
@pytest.fixture(autouse=True)
 def patch_module():
    with patch.multiple(
        "ansible.module_utils.basic.AnsibleModule",
        exit_json=exit_json,
        fail_json=fail_json,
    ):
        yield
@pytest.fixture
 def fetch_url_mock():
    with patch.object(github_secrets, "fetch_url") as mock:
        yield mock
 def test_encrypt_secret():
    result = github_secrets.encrypt_secret(PUBLIC_KEY_PAYLOAD["key"], "ansible")
    assert isinstance(result, str)
    assert result != "ansible"
    assert len(result) > 70
 def test_fail_without_parameters():
    with pytest.raises(AnsibleFailJson):
        with set_module_args({}):
            github_secrets.main()
 def test_fail_present_without_value():
    with pytest.raises(AnsibleFailJson) as exc:
        with set_module_args(
            {
                "organization": "myorg",
                "repository": "myrepo",
                "key": "MY_SECRET",
                "value": None,
                "state": "present",
                "token": "ghp_test_token",
            }
        ):
            github_secrets.main()
    assert "value' parameter cannot be empty" in exc.value.args[0]["details"]
 def test_fail_org_secret_present_without_visibility():
    with pytest.raises(AnsibleFailJson) as exc:
        with set_module_args(
            {
                "organization": "myorg",
                "key": "ORG_SECRET",
                "value": "org_value",
                "state": "present",
                "token": "ghp_test_token",
            }
        ):
            github_secrets.main()
    assert "'visibility' must be provided" in exc.value.args[0]["details"]
 def test_create_repo_secret(fetch_url_mock):
    fetch_url_mock.side_effect = [
        make_fetch_url_response(PUBLIC_KEY_PAYLOAD),
        make_fetch_url_response({}, status=201),
    ]
    with set_module_args(
        {
            "organization": "myorg",
            "repository": "myrepo",
            "key": "MY_SECRET",
            "value": "secret_value",
            "state": "present",
            "token": "ghp_test_token",
        }
    ):
        with pytest.raises(AnsibleExitJson) as exc:
            github_secrets.main()
    result = exc.value.args[0]
    assert result["changed"] is True
    assert result["result"]["status"] == 201
    assert result["result"]["response"] == "Secret created"
 def test_update_repo_secret(fetch_url_mock):
    fetch_url_mock.side_effect = [
        make_fetch_url_response(PUBLIC_KEY_PAYLOAD),
        make_fetch_url_response({}, status=204),
    ]
    with set_module_args(
        {
            "organization": "myorg",
            "repository": "myrepo",
            "key": "MY_SECRET",
            "value": "new_value",
            "state": "present",
            "token": "ghp_test_token",
        }
    ):
        with pytest.raises(AnsibleExitJson) as exc:
            github_secrets.main()
    result = exc.value.args[0]
    assert result["changed"] is True
    assert result["result"]["response"] == "Secret updated"
 def test_create_repo_secret_check_mode(fetch_url_mock):
    fetch_url_mock.side_effect = [
        make_fetch_url_response(PUBLIC_KEY_PAYLOAD),
        make_fetch_url_response({}, status=404),
    ]
    with set_module_args(
        {
            "organization": "myorg",
            "repository": "myrepo",
            "key": "MY_SECRET",
            "value": "new_value",
            "state": "present",
            "token": "ghp_test_token",
            "_ansible_check_mode": True,
        }
    ):
        with pytest.raises(AnsibleExitJson) as exc:
            github_secrets.main()
    result = exc.value.args[0]
    assert result["changed"] is True
    assert result["result"]["status"] == 201
    assert result["result"]["response"] == "Secret created"
 def test_update_repo_secret_check_mode(fetch_url_mock):
    fetch_url_mock.side_effect = [
        make_fetch_url_response(PUBLIC_KEY_PAYLOAD),
        make_fetch_url_response({}, status=200),
    ]
    with set_module_args(
        {
            "organization": "myorg",
            "repository": "myrepo",
            "key": "MY_SECRET",
            "value": "new_value",
            "state": "present",
            "token": "ghp_test_token",
            "_ansible_check_mode": True,
        }
    ):
        with pytest.raises(AnsibleExitJson) as exc:
            github_secrets.main()
    result = exc.value.args[0]
    assert result["changed"] is True
    assert result["result"]["status"] == 204
    assert result["result"]["response"] == "Secret updated"
 def test_delete_repo_secret_check_mode(fetch_url_mock):
    fetch_url_mock.side_effect = [
        make_fetch_url_response(PUBLIC_KEY_PAYLOAD),
        make_fetch_url_response({}, status=200),
    ]
    with set_module_args(
        {
            "organization": "myorg",
            "repository": "myrepo",
            "key": "MY_SECRET",
            "state": "absent",
            "token": "ghp_test_token",
            "_ansible_check_mode": True,
        }
    ):
        with pytest.raises(AnsibleExitJson) as exc:
            github_secrets.main()
    result = exc.value.args[0]
    assert result["changed"] is True
    assert result["result"]["status"] == 204
    assert result["result"]["response"] == "Secret deleted"
 def test_update_empty_repo_secret(fetch_url_mock):
    fetch_url_mock.side_effect = [
        make_fetch_url_response(PUBLIC_KEY_PAYLOAD),
        make_fetch_url_response({}, status=204),
    ]
    with set_module_args(
        {
            "organization": "myorg",
            "repository": "myrepo",
            "key": "MY_SECRET",
            "value": "",
            "state": "present",
            "token": "ghp_test_token",
        }
    ):
        with pytest.raises(AnsibleExitJson) as exc:
            github_secrets.main()
    result = exc.value.args[0]
    assert result["changed"] is True
    assert result["result"]["response"] == "Secret updated"
 def test_update_missing_value_repo_secret(fetch_url_mock):
    fetch_url_mock.side_effect = [
        make_fetch_url_response(PUBLIC_KEY_PAYLOAD),
        make_fetch_url_response({}, status=204),
    ]
    with set_module_args(
        {
            "organization": "myorg",
            "repository": "myrepo",
            "key": "MY_SECRET",
            "state": "present",
            "token": "ghp_test_token",
        }
    ):
        with pytest.raises(AnsibleFailJson) as exc:
            github_secrets.main()
    assert "the following are missing: value" in exc.value.args[0]["msg"]
 def test_delete_repo_secret(fetch_url_mock):
    fetch_url_mock.return_value = make_fetch_url_response({}, status=204)
    with set_module_args(
        {
            "organization": "myorg",
            "repository": "myrepo",
            "key": "MY_SECRET",
            "state": "absent",
            "token": "ghp_test_token",
        }
    ):
        with pytest.raises(AnsibleExitJson) as exc:
            github_secrets.main()
    result = exc.value.args[0]
    assert result["changed"] is True
    assert result["result"]["status"] == 204
    assert result["result"]["response"] == "Secret deleted"
 def test_delete_dne_repo_secret(fetch_url_mock):
    fetch_url_mock.return_value = make_fetch_url_response({}, status=404)
    with set_module_args(
        {
            "organization": "myorg",
            "repository": "myrepo",
            "key": "DOES_NOT_EXIST",
            "state": "absent",
            "token": "ghp_test_token",
        }
    ):
        with pytest.raises(AnsibleExitJson) as exc:
            github_secrets.main()
    result = exc.value.args[0]
    assert result["changed"] is False
    assert result["result"]["status"] == 404
    assert result["result"]["response"] == "Secret not found"
 def test_fail_get_public_key(fetch_url_mock):
    fetch_url_mock.return_value = make_fetch_url_response({}, status=403)
    with set_module_args(
        {
            "organization": "myorg",
            "repository": "myrepo",
            "key": "MY_SECRET",
            "value": "secret_value",
            "state": "present",
            "token": "ghp_test_token",
        }
    ):
        with pytest.raises(AnsibleFailJson) as exc:
            github_secrets.main()
    assert "Failed to get public key" in exc.value.args[0]["msg"]
 def test_fail_upsert_secret(fetch_url_mock):
    fetch_url_mock.side_effect = [
        make_fetch_url_response(PUBLIC_KEY_PAYLOAD),
        make_fetch_url_response({}, status=422),
    ]
    with set_module_args(
        {
            "organization": "myorg",
            "repository": "myrepo",
            "key": "MY_SECRET",
            "value": "secret_value",
            "state": "present",
            "token": "ghp_test_token",
        }
    ):
        with pytest.raises(AnsibleFailJson) as exc:
            github_secrets.main()
    assert "Failed to upsert secret" in exc.value.args[0]["msg"]
 def test_fail_delete_secret(fetch_url_mock):
    fetch_url_mock.return_value = make_fetch_url_response({}, status=503)
    with set_module_args(
        {
            "organization": "myorg",
            "repository": "myrepo",
            "key": "MY_SECRET",
            "state": "absent",
            "token": "ghp_test_token",
        }
    ):
        with pytest.raises(AnsibleFailJson) as exc:
            github_secrets.main()
    assert "Failed to delete secret" in exc.value.args[0]["msg"]
--- a/tests/unit/requirements.txt
+++ b/tests/unit/requirements.txt
@ -19,6 +19,7 @@ linode_api4  # APIv4
 python-gitlab
 PyGithub
 httmock
 pynacl
 # requirement for maven_artifact module
 lxml