Merge pull request #1294 from GSA/notify-api-144

make generate-salt command

.github/workflows/deploy.yml

@@ -8,33 +8,9 @@ on:
     branches: [ main ] # Redundant, workflow_run events are only triggered on default branch (`main`)
 
 permissions:
-  contents: write
-  actions: write
+  contents: read
 
 jobs:
-  rotate-secret:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
-
-      - name: Generate new secret value
-        id: generate-secret
-        run: |
-          # Generate a new random secret value
-          NEW_SECRET=$(openssl rand -base64 32)
-          echo "new-secret=$NEW_SECRET" >> $GITHUB_ENV
-      - name: Update GitHub secret
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NEW_SECRET: ${{ env.new-secret }}
-        run: |
-          # Update the secret in the repository
-          curl -X PUT \
-            -H "Authorization: Bearer $GITHUB_TOKEN" \
-            -H "Accept: application/vnd.github.v3+json" \
-            https://api.github.com/repos/${{ github.repository }}/actions/secrets/DANGEROUS_SALT \
-            -d "{\"encrypted_value\":\"$(echo -n $NEW_SECRET | base64)\",\"key_id\":\"$(curl -H 'Authorization: Bearer $GITHUB_TOKEN' https://api.github.com/repos/${{ github.repository }}/actions/secrets/public-key | jq -r '.key_id')\"}"
 
   deploy:
     runs-on: ubuntu-latest

app/commands.py

@@ -1053,3 +1053,13 @@ def add_test_users_to_db(generate, state, admin):
             platform_admin=admin,
         )
         print(f"{num} {user.email_address} created")
+
+
+# generate a new salt value
+@notify_command(name="generate-salt")
+def generate_salt():
+    if getenv("NOTIFY_ENVIRONMENT", "") not in ["development", "test"]:
+        current_app.logger.error("Can only be run in development")
+        return
+    salt = secrets.token_hex(16)
+    print(salt)