
Conversation

@Pay201 (Owner) commented Jan 14, 2026

Summary by Sourcery

CI:

  • Introduce a main GitHub Actions workflow with separate jobs for secret generation and consumption across Ubuntu and macOS runners.

@sourcery-ai bot commented Jan 14, 2026

Reviewer's Guide

Adds a new GitHub Actions workflow that generates a secret in one job and consumes it in a dependent job using a secret-store action, wiring outputs between jobs and masking secrets in logs.

Sequence diagram for secret generation and consumption workflow

```mermaid
sequenceDiagram
    actor Developer
    participant GitHubActions
    participant SecretGeneratorJob
    participant SecretStoreAction
    participant SecretConsumerJob

    Developer->>GitHubActions: Push to repository
    GitHubActions->>SecretGeneratorJob: Start job on ubuntu-latest
    SecretGeneratorJob->>SecretStoreAction: Configure with credentials and instance
    SecretGeneratorJob->>SecretGeneratorJob: Generate random secret
    SecretGeneratorJob->>SecretStoreAction: Store secret
    SecretStoreAction-->>SecretGeneratorJob: Return secret handle
    SecretGeneratorJob->>GitHubActions: Set job output handle

    GitHubActions->>SecretConsumerJob: Start job on macos-latest (needs secret-generator)
    SecretConsumerJob->>SecretStoreAction: Configure with credentials and instance
    SecretConsumerJob->>SecretStoreAction: Retrieve secret using handle
    SecretStoreAction-->>SecretConsumerJob: Return secret value
    SecretConsumerJob->>SecretConsumerJob: Mask retrieved secret in logs
    SecretConsumerJob->>Developer: Log masked confirmation message
```

File-Level Changes

Change: Introduce a two-job GitHub Actions workflow that generates a secret, stores it via a secret-store action, and consumes it in a downstream job using the stored handle.

Details:
  • Configure workflow to run on every push event.
  • Define a secret-generator job on ubuntu-latest that calls a secret-store action with repository secrets for credentials and instance configuration.
  • Implement a bash step to generate a random secret, mask it in logs, store it via the secret-store CLI, and expose the resulting handle as a job output.
  • Define a secret-consumer job on macos-latest that depends on secret-generator and reuses the secret-store action credentials and instance.
  • Implement a bash step that retrieves the secret using the propagated handle, masks the retrieved value, and prints a confirmation message.

Files: .github/workflows/main.yml


@Pay201 Pay201 merged commit f953fd6 into main Jan 14, 2026
1 check was pending

@sourcery-ai sourcery-ai bot left a comment

Hey - I've found 3 issues, and left some high level feedback:

  • The concurrency: key at the end of the file is incomplete and will cause a YAML/Actions parsing error; either remove it or provide a full configuration block (e.g., concurrency: { group: ..., cancel-in-progress: ... }).
  • If the secret handle itself is sensitive, consider masking it or avoiding printing it in logs by treating it similarly to the secret value (e.g., using ::add-mask:: or not echoing it at all).

## Individual Comments

### Comment 1
<location> `.github/workflows/main.yml:17` </location>
<code_context>
+      id: generate-secret
+      shell: bash
+      run: |
+        GENERATED_SECRET=$((RANDOM))
+        echo "::add-mask::$GENERATED_SECRET"
+        SECRET_HANDLE=$(secret-store store-secret "$GENERATED_SECRET")
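Review bot: `GENERATED_SECRET=$((RANDOM))` on the first script line yields a 15-bit value (0 to 32767), so anything stored under that name can be recovered by enumeration; generate it from the CSPRNG instead, e.g. `GENERATED_SECRET="$(openssl rand -hex 32)"`. One caveat on the overall suggestion to mask the handle as well: `SECRET_HANDLE` is what this step exports as the job output, and the Actions runner skips any output whose value contains a masked string (it logs a "Skip output ... since it may contain secret" warning), so adding `::add-mask::$SECRET_HANDLE` here would hand the consumer job an empty handle. If the handle really is sensitive, rely on the secret store's own access control or pass it over a channel other than a job output, but do not mask it and then export it.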
</code_context>

<issue_to_address>
**🚨 suggestion (security):** Use a stronger source of randomness for generated secrets

`$RANDOM` has only 0–32767 possible values and is not cryptographically secure. If this is used as a secret/token, please switch to a higher‑entropy, crypto‑secure source (e.g., `head -c 32 /dev/urandom | base64` or `openssl rand -hex 32`) to avoid predictability.

```suggestion
        GENERATED_SECRET="$(openssl rand -hex 32)"
```
</issue_to_address>

### Comment 2
<location> `.github/workflows/main.yml:32-35` </location>
<code_context>
+        SECRET_HANDLE="${{ needs.secret-generator.outputs.handle }}"
+        RETRIEVED_SECRET=$(secret-store retrieve-secret "$SECRET_HANDLE")
+        echo "::add-mask::$RETRIEVED_SECRET"
+        echo "We retrieved our masked secret: $RETRIEVED_SECRET"
+concurrency: 
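Review bot: `SECRET_HANDLE="${{ needs.secret-generator.outputs.handle }}"` splices the expression into the script body before bash parses it, so whatever `secret-store store-secret` printed in the previous job becomes script text; a quote or `$(` in that output changes the command. Move the expression under `env:` (`SECRET_HANDLE: ${{ needs.secret-generator.outputs.handle }}`) and read `"$SECRET_HANDLE"` from the environment, which is data rather than code. The last `echo` should not print `$RETRIEVED_SECRET` at all, masked or not; log a fixed confirmation string. And the trailing `concurrency:` with nothing after it is a top-level key with a null value: give it a `group` (and optionally `cancel-in-progress`) or delete the line.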
</code_context>

<issue_to_address>
**🚨 suggestion (security):** Avoid echoing secrets even when masked in logs

Even with masking, it’s safer not to print secrets at all, as masking can fail in edge cases (e.g., partial matches, formatting). If this is only for debugging, consider removing the echo or guarding it behind a debug flag.

```suggestion
        SECRET_HANDLE="${{ needs.secret-generator.outputs.handle }}"
        RETRIEVED_SECRET=$(secret-store retrieve-secret "$SECRET_HANDLE")
        echo "::add-mask::$RETRIEVED_SECRET"
```
</issue_to_address>

### Comment 3
<location> `.github/workflows/main.yml:36` </location>
<code_context>
+        RETRIEVED_SECRET=$(secret-store retrieve-secret "$SECRET_HANDLE")
+        echo "::add-mask::$RETRIEVED_SECRET"
+        echo "We retrieved our masked secret: $RETRIEVED_SECRET"
+concurrency: 
</code_context>

<issue_to_address>
**issue (bug_risk):** Fix the empty `concurrency` configuration to avoid workflow parse/runtime issues

`concurrency:` is currently empty, which produces invalid or unintended workflow YAML. If you want concurrency controls, specify a group (and optionally `cancel-in-progress`), for example:

```yaml
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
```

If not using concurrency, remove the `concurrency:` key to avoid misconfiguration.
</issue_to_address>

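The workflow that the three review comments add up to, written out as an added example; it is not the PR's `.github/workflows/main.yml` and not text from Sourcery's review. The action reference `example-org/secret-store-action@v1`, its `credentials` and `instance` inputs, the repository secret names, and the assumption that `secret-store store-secret` prints the handle on stdout are all placeholders, because the page does not show them:

```yaml
name: secret-handoff

on:
  push:

# Assumption: neither job needs GITHUB_TOKEN, so grant it nothing.
permissions: {}

# Completes the empty `concurrency:` key flagged in review: one run per ref,
# and a newer push cancels an older in-flight run.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  secret-generator:
    runs-on: ubuntu-latest
    outputs:
      handle: ${{ steps.generate-secret.outputs.handle }}
    steps:
      # Placeholder action and input names; pin to a full commit SHA in real use.
      - uses: example-org/secret-store-action@v1
        with:
          credentials: ${{ secrets.SECRET_STORE_CREDENTIALS }}
          instance: ${{ secrets.SECRET_STORE_INSTANCE }}
      - id: generate-secret
        shell: bash
        run: |
          set -euo pipefail
          # 256 bits from the CSPRNG instead of the 15-bit $RANDOM value.
          GENERATED_SECRET="$(openssl rand -hex 32)"
          echo "::add-mask::$GENERATED_SECRET"
          SECRET_HANDLE="$(secret-store store-secret "$GENERATED_SECRET")"
          # The handle is deliberately NOT masked: the runner drops any output
          # that contains a masked value, and the consumer would get "".
          echo "handle=$SECRET_HANDLE" >> "$GITHUB_OUTPUT"

  secret-consumer:
    needs: secret-generator
    runs-on: macos-latest
    steps:
      - uses: example-org/secret-store-action@v1
        with:
          credentials: ${{ secrets.SECRET_STORE_CREDENTIALS }}
          instance: ${{ secrets.SECRET_STORE_INSTANCE }}
      - shell: bash
        # The handle reaches the script as an environment variable, so its
        # contents are data to bash rather than part of the script text.
        env:
          SECRET_HANDLE: ${{ needs.secret-generator.outputs.handle }}
        run: |
          set -euo pipefail
          RETRIEVED_SECRET="$(secret-store retrieve-secret "$SECRET_HANDLE")"
          echo "::add-mask::$RETRIEVED_SECRET"
          # Prove the round trip without printing the value: 32 random bytes
          # hex-encoded are exactly 64 characters.
          [ "${#RETRIEVED_SECRET}" -eq 64 ] || { echo "unexpected secret length" >&2; exit 1; }
          echo "secret retrieved from store (value not logged)"
```

Two points the review leaves implicit. Job outputs are visible in the run log and through the API to anyone with read access to the repository, so masking the handle, as the overall comment suggests, is not the fix: the runner refuses to set an output that contains a masked value, and the consumer job would receive an empty string. If the handle must stay private, the secret store's access control has to enforce that, or the handle has to travel by some channel other than a job output. The length check at the end is the kind of confirmation the consumer can print safely; it demonstrates that retrieval worked without ever putting the secret into a log line where masking could fail on a partial match.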
