
Add GitHub secrets provider#718

Merged
ralyodio merged 5 commits into
profullstack:masterfrom
phucnguyen1707:add-github-secrets-provider
Jun 11, 2026

Conversation

@phucnguyen1707

Contributor

Adds a GitHub Secrets provider under packages/secrets/github for the environment-updater work in #710. It supports listing secret metadata with gh secret list and pushing repository, environment, organization, or user scoped secrets with gh secret set without logging secret values.

Also registers the provider in the CLI adapter registry and adds tests for list parsing, repository environment pushes, and organization visibility args.

Checks run:
- pnpm --filter @profullstack/sh1pt-core build
- pnpm vitest run packages/secrets/github/src/index.test.ts
- pnpm --filter @profullstack/sh1pt-secrets-github typecheck
- pnpm --filter @profullstack/sh1pt typecheck

@greptile-apps

greptile-apps Bot commented Jun 10, 2026

Contributor

Greptile Summary

This PR introduces a new @profullstack/sh1pt-secrets-github package that wraps the GitHub CLI (gh) to list and push repository, environment, organization, and user-scoped secrets, then registers the adapter in the CLI registry.

  • Provider logic (packages/secrets/github/src/index.ts): Implements connect (runs gh auth status), pull (calls gh secret list --json with parseSecretList and proper try/catch), and push (calls gh secret set --body <value> with secret values redacted from logs). Scope-validation helpers (targetArgs, scopeVisibilityArgs, app) guard invalid combinations (user + non-Codespaces app, org + env, user + noReposSelected, etc.).
  • Tests (src/index.test.ts): Covers connect, pull with invalid JSON, environment push, org visibility args, user-scoped secrets, and mutual-exclusion guards across all major config combinations.

Confidence Score: 5/5

The new provider is safe to merge. All four issues raised in the prior review round have been addressed, and secret values are correctly redacted from logs and never passed through a shell.

The implementation correctly validates all mutually exclusive scope combinations, wraps JSON parsing in a try/catch with a helpful message, runs gh auth status at connect time, and defaults to codespaces for user-scoped secrets. The two remaining gaps would produce clear gh CLI errors rather than silent misbehaviour, so neither affects data integrity or security.

packages/secrets/github/src/index.ts — specifically the targetArgs function around the environment field and the scopeVisibilityArgs noReposSelected branch.

Important Files Changed

  • packages/secrets/github/src/index.ts: Core provider implementation; all four previously raised issues are now fixed. Two minor gaps remain: environment without repo builds an invalid gh command, and repos is silently dropped when noReposSelected: true for org secrets.
  • packages/secrets/github/src/index.test.ts: Comprehensive test suite covering connect, pull (including invalid JSON), repo+environment push, org visibility args, conflicting options, user-scoped secrets, and mutual-exclusion guards. No issues found.
  • packages/cli/src/adapter-registry.ts: Registers the new github adapter in the secrets category with an updated description. Alphabetical ordering is maintained.
  • packages/secrets/github/package.json: Standard package config with correct workspace dependency on @profullstack/sh1pt-core, proper publishConfig for the dist output, and "type": "module".
  • packages/secrets/github/tsconfig.json: Extends the workspace base tsconfig; outDir and rootDir correctly set for the build pipeline.
  • packages/secrets/github/README.md: Clear documentation of features, usage, and development commands. No issues.
  • pnpm-lock.yaml: Lock file updated to add the new packages/secrets/github importer with the correct workspace:* link to core.

Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[caller] -->|connect| B[gh auth status]
    B --> C{exitCode == 0?}
    C -->|yes| D[return accountId]
    C -->|no| E[throw]

    A -->|pull| F[app config]
    F --> G{user?}
    G -->|yes, app!=codespaces| E
    G -->|else| H[targetArgs]
    H --> I{invalid scope combo?}
    I -->|yes| E
    I -->|no| J[gh secret list --json]
    J --> K[parseSecretList]
    K --> L{valid JSON array?}
    L -->|no| E
    L -->|yes| M[return SecretRef array]

    A -->|push| N[app + targetArgs + scopeVisibilityArgs]
    N --> O{invalid visibility combo?}
    O -->|yes| E
    O -->|no| P[for each secret]
    P --> Q[assertSecretKey]
    Q --> R{value from arg or vault?}
    R -->|undefined| E
    R -->|present| S[log redacted - gh secret set --body value]
    S --> T{exitCode == 0?}
    T -->|yes| P
    T -->|no| E
    P -->|done| U[return count]
```

Reviews (5): Last reviewed commit: "Validate GitHub secret target scopes"
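The scope validation, list parsing and redacted argv construction that the review summary above describes, written out as an added TypeScript example. This is not the PR's code: the config shape (GitHubSecretScope), the function names and the injected Runner are assumptions made for illustration, while the gh flags used (--app, --repo, --env, --org, --user, --visibility, --repos, --body and secret list --json) are real gh secret flags. It also rejects up front the two combinations the summary says still reach gh (an environment with no repo, and a repos list that would otherwise be dropped), and it runs gh through an argv array rather than a shell so the secret value is never interpolated into a command string.

```typescript
import { execFile } from "node:child_process";

// Shapes assumed for this example; the PR's own config type is not shown on the page.
export type GitHubSecretScope = {
  repo?: string;          // "owner/name"
  environment?: string;   // deployment environment; only valid together with repo
  org?: string;
  user?: boolean;         // user-level secret (Codespaces only)
  app?: "actions" | "codespaces" | "dependabot";
  visibility?: "all" | "private" | "selected"; // organization secrets only
  repos?: string[];       // repos granted access when visibility is "selected"
};
export type SecretRef = { key: string; updatedAt?: string };
export type Runner = (args: string[]) => Promise<{ exitCode: number; stdout: string }>;

// User-scoped secrets default to (and are only valid for) the codespaces app.
export function appFor(scope: GitHubSecretScope): string {
  const app = scope.app ?? (scope.user ? "codespaces" : "actions");
  if (scope.user && app !== "codespaces") throw new Error("user secrets require the codespaces app");
  return app;
}

// Target flags shared by `gh secret list` and `gh secret set`. Mutually exclusive targets
// and environment-without-repo are rejected here instead of becoming a bad gh invocation.
export function targetArgs(scope: GitHubSecretScope): string[] {
  const targets = [scope.repo, scope.org, scope.user ? "user" : undefined].filter(Boolean);
  if (targets.length > 1) throw new Error("repo, org and user scopes are mutually exclusive");
  if (scope.environment !== undefined && !scope.repo) throw new Error("environment secrets require repo");
  const args = ["--app", appFor(scope)];
  if (scope.user) args.push("--user");
  if (scope.org) args.push("--org", scope.org);
  if (scope.repo) args.push("--repo", scope.repo);
  if (scope.environment) args.push("--env", scope.environment);
  return args;
}

// Visibility flags apply to organization secrets only; "selected" needs a repo list and
// a repo list is refused (not dropped) when the visibility would ignore it.
export function scopeVisibilityArgs(scope: GitHubSecretScope): string[] {
  const repos = scope.repos ?? [];
  if (!scope.visibility && repos.length === 0) return [];
  if (!scope.org) throw new Error("visibility and repos apply only to organization secrets");
  const visibility = scope.visibility ?? "selected";
  if (visibility === "selected" && repos.length === 0) throw new Error('"selected" needs repos');
  if (visibility !== "selected" && repos.length > 0) throw new Error(`repos ignored for "${visibility}"`);
  const args = ["--visibility", visibility];
  if (visibility === "selected") args.push("--repos", repos.join(","));
  return args;
}

// Secret names: letters, digits, underscores; not starting with a digit or the GITHUB_ prefix.
export function assertSecretKey(key: string): void {
  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(key) || /^GITHUB_/i.test(key)) {
    throw new Error(`invalid secret name: ${JSON.stringify(key)}`);
  }
}

// Parse `gh secret list --json name,updatedAt`; malformed output yields a clear error.
export function parseSecretList(stdout: string): SecretRef[] {
  let parsed: unknown;
  try {
    parsed = JSON.parse(stdout);
  } catch (err) {
    throw new Error(`gh secret list returned invalid JSON: ${(err as Error).message}`);
  }
  if (!Array.isArray(parsed)) throw new Error("gh secret list output is not a JSON array");
  return parsed.map((entry) => {
    const { name, updatedAt } = entry as { name?: unknown; updatedAt?: unknown };
    if (typeof name !== "string") throw new Error("secret entry without a name");
    return typeof updatedAt === "string" ? { key: name, updatedAt } : { key: name };
  });
}

// argv for one `gh secret set`, plus a copy with the value masked for logging.
export function secretSetArgs(key: string, value: string, scope: GitHubSecretScope) {
  assertSecretKey(key);
  const args = ["secret", "set", key, "--body", value, ...targetArgs(scope), ...scopeVisibilityArgs(scope)];
  const redacted = args.map((a, i) => (i > 0 && args[i - 1] === "--body" ? "<redacted>" : a));
  return { args, redacted };
}

// Push every secret through the runner; only the redacted argv is ever logged.
export async function pushSecrets(
  secrets: Record<string, string>, scope: GitHubSecretScope,
  run: Runner = ghRunner, log: (line: string) => void = console.log,
): Promise<number> {
  let count = 0;
  for (const [key, value] of Object.entries(secrets)) {
    const { args, redacted } = secretSetArgs(key, value, scope);
    log(`gh ${redacted.join(" ")}`);
    const { exitCode } = await run(args);
    if (exitCode !== 0) throw new Error(`gh secret set ${key} failed with exit code ${exitCode}`);
    count += 1;
  }
  return count;
}

// Default runner: execFile passes argv directly to gh, with no shell in between.
export function ghRunner(args: string[]): Promise<{ exitCode: number; stdout: string }> {
  return new Promise((resolve) => {
    execFile("gh", args, (err, stdout) => {
      const code = err ? (typeof err.code === "number" ? err.code : 1) : 0;
      resolve({ exitCode: code, stdout: String(stdout) });
    });
  });
}
```

In tests, pass a stub Runner to pushSecrets and assert on the argv it receives and on what the log callback saw; the real ghRunner is only exercised against an authenticated gh.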

Comment thread packages/secrets/github/src/index.ts
Comment thread packages/secrets/github/src/index.ts Outdated
Comment thread packages/secrets/github/src/index.ts
Comment thread packages/secrets/github/src/index.ts
@ralyodio ralyodio merged commit f822815 into profullstack:master Jun 11, 2026
5 checks passed