Skip to content

Allow agents as application for secrets#13421

Open
tenjaa wants to merge 3 commits into
cli:trunkfrom
tenjaa:trunk
Open

Allow agents as application for secrets#13421
tenjaa wants to merge 3 commits into
cli:trunkfrom
tenjaa:trunk

Conversation

@tenjaa
Copy link
Copy Markdown

@tenjaa tenjaa commented May 13, 2026

Fixes #13419

I built it locally and ran bin/gh secret set TEST_SECRET -a agents -b 123 -o <my-org> and it worked exactly as expected.

What might be missing is another test? I looked through it and added a little bit but maybe a maintainer has a little more input regarding that.

@tenjaa tenjaa requested a review from a team as a code owner May 13, 2026 16:29
@tenjaa tenjaa requested review from BagToad and Copilot May 13, 2026 16:29
@github-actions github-actions Bot added external pull request originating outside of the CLI core team needs-triage needs to be reviewed labels May 13, 2026
@github-actions github-actions Bot added unmet-requirements and removed needs-triage needs to be reviewed labels May 13, 2026
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 13, 2026

Thanks for your pull request! Unfortunately, it doesn't meet the requirements for review:

  • None of the referenced issues have the help wanted label

Please update your PR to address the above. This PR will be automatically closed in 4 days if these requirements are not met.

Full contribution requirements
  1. Include a detailed description of what this PR does
  2. Link to an issue with the help wanted label (use Fixes #123 or Closes #123)

Copilot AI reviewed May 13, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds support for the new agents application when setting GitHub secrets via gh secret set --app.

Changes:

  • Introduces Agents as a supported secret application in shared secret app parsing/validation.
  • Extends gh secret set --app flag enum to accept agents.
  • Adds/updates unit tests to cover the new application in parsing and set flows.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

File Description
pkg/cmd/secret/shared/shared.go Adds Agents app constant and enables it in app parsing + entity support checks.
pkg/cmd/secret/shared/shared_test.go Adds a GetSecretApp test case for the new agents app.
pkg/cmd/secret/set/set.go Allows --app agents via the enum flag options for secret set.
pkg/cmd/secret/set/set_test.go Adds a setRun repo test case verifying API paths/payload for agents.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread pkg/cmd/secret/shared/shared.go
Comment on lines 88 to 92
case Actions:
return entity == Repository || entity == Organization || entity == Environment
case Agents:
return entity == Repository || entity == Organization
case Codespaces:
Comment thread pkg/cmd/secret/set/set.go
cmd.Flags().BoolVar(&opts.DoNotStore, "no-store", false, "Print the encrypted, base64-encoded value instead of storing it on GitHub")
cmd.Flags().StringVarP(&opts.EnvFile, "env-file", "f", "", "Load secret names and values from a dotenv-formatted `file`")
cmdutil.StringEnumFlag(cmd, &opts.Application, "app", "a", "", []string{shared.Actions, shared.Codespaces, shared.Dependabot}, "Set the application for a secret")
cmdutil.StringEnumFlag(cmd, &opts.Application, "app", "a", "", []string{shared.Actions, shared.Agents, shared.Codespaces, shared.Dependabot}, "Set the application for a secret")
Comment thread pkg/cmd/secret/set/set.go
Comment thread pkg/cmd/secret/set/set_test.go
Comment on lines +410 to +414
{
name: "Agents",
opts: &SetOptions{
Application: "agents",
},
@BagToad
Copy link
Copy Markdown
Member

BagToad commented May 13, 2026

Hey @tenjaa - thanks for the PR.

I'll echo the copilot review comment, and say we should expand this to the other commands under gh secret. The other comments copilot made are also worth looking at.

The big thing that came to mind for me on this is what to do about GHES support, since it won't have this secret type. Maybe it's fine since the user needs to provide this command and the API will return an error when they do - but for commands like list we want to be sure that the command doesn't do anything like fetch that secret type without it being explicitly asked for.

@tenjaa
Copy link
Copy Markdown
Author

tenjaa commented May 13, 2026
edited
Loading

@BagToad Thanks for the instant reaction!

I adapted the copilot findings except the third one (there is a comment why this doesn't make sense in my opinion).

what to do about GHES support

Do you have an idea how? I guess through opts.config.authentication you could get the host but there is no flag like isGhes. I could check if the host is something else than github.com or *.ghe.com?
Easier would be of course to just let the api throw an error 👼

@tenjaa tenjaa requested a review from Copilot May 13, 2026 16:51
Copilot AI reviewed May 13, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 3 comments.

Comment thread pkg/cmd/secret/list/list_test.go
Comment on lines +77 to +83
{
name: "Agents repo",
cli: "--app Agents",
wants: ListOptions{
Application: "Agents",
},
},
Comment thread pkg/cmd/secret/delete/delete_test.go
Comment on lines +92 to +99
{
name: "Agents org",
cli: "cool --app agents --org UmbrellaCorporation",
wants: DeleteOptions{
SecretName: "cool",
OrgName: "UmbrellaCorporation",
Application: "Agents",
},
Comment thread pkg/cmd/secret/set/set_test.go
Comment on lines +217 to +227
name: "Agents org",
args: `random_secret --org coolOrg --body "random value" --visibility selected --repos "coolRepo,cli/cli" --app Agents`,
wants: SetOptions{
SecretName: "random_secret",
Visibility: shared.Selected,
RepositoryNames: []string{"coolRepo", "cli/cli"},
Body: "random value",
OrgName: "coolOrg",
Application: "Agents",
},
},
@BagToad
Copy link
Copy Markdown
Member

BagToad commented May 13, 2026
edited
Loading

@tenjaa honestly, I'm leaning towards not doing anything at all for GHES in this specific case. Since these fields are optional, the API will return an error, like you mentioned, and that's probably good enough. I'm still thinking about it, and I will check with the other maintainers to make sure they agree.

But for your knowledge and context, here's how GHES in gh works: we typically do this host checking in this feature detection package which calls out to our cli/go-gh packages for host categorization. Example:

cli/internal/featuredetection/feature_detection.go

Lines 158 to 160 in 2b7e776

if !ghauth.IsEnterprise(d.host) {
return allIssueFeatures, nil
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@BagToad BagToad Awaiting requested review from BagToad BagToad is a code owner automatically assigned from cli/code-reviewers

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

external pull request originating outside of the CLI core team unmet-requirements

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Support gh secret set --app agents

3 participants

@tenjaa @BagToad