feat(secrets): add ability to fetch and view all secrets across projects and groups, include scopeName, and improve frontend merging/filtering

2026-02-24 21:09:17 +00:00
parent ee3f01993f
commit 179bb9223e
11 changed files with 156 additions and 23 deletions
--- a/changelog.md
+++ b/changelog.md
@@ -1,5 +1,14 @@
 # Changelog

+## 2026-02-24 - 2.7.0 - feat(secrets)
+add ability to fetch and view all secrets across projects and groups, include scopeName, and improve frontend merging/filtering
+
+- Add new typed request and handler getAllSecrets to opsserver to bulk-fetch secrets across projects or groups (batched and using Promise.allSettled for performance).
+- Extend ISecret with scopeName and update provider mappings (Gitea/GitLab) and secret return values to include scopeName.
+- Frontend: add fetchAllSecretsAction, add an "All" option in the Secrets view, filter table by selected entity or show all, and disable "Add Secret" when "All" is selected.
+- Create/update actions now merge only the affected entity's secrets into state instead of replacing the entire list; delete now filters by key+scope+scopeId to avoid removing unrelated secrets.
+- UI: table now shows a Scope column using scopeName (or fallback to scopeId), selection changes trigger reloading of entities and secrets.
+
 ## 2026-02-24 - 2.6.2 - fix(meta)
 update file metadata only (no source changes)

--- a/ts/00_commitinfo_data.ts
+++ b/ts/00_commitinfo_data.ts
@@ -3,6 +3,6 @@
 */
 export const commitinfo = {
  name: '@serve.zone/gitops',
-  version: '2.6.2',
+  version: '2.7.0',
  description: 'GitOps management app for Gitea and GitLab - manage secrets, browse projects, view CI pipelines, and stream build logs'
 }
--- a/ts/opsserver/handlers/secrets.handler.ts
+++ b/ts/opsserver/handlers/secrets.handler.ts
@@ -12,6 +12,58 @@ export class SecretsHandler {
  }

  private registerHandlers(): void {
+    // Get all secrets (bulk fetch across all entities)
+    this.typedrouter.addTypedHandler(
+      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetAllSecrets>(
+        'getAllSecrets',
+        async (dataArg) => {
+          await requireValidIdentity(this.opsServerRef.adminHandler, dataArg);
+          const provider = this.opsServerRef.gitopsAppRef.connectionManager.getProvider(
+            dataArg.connectionId,
+          );
+
+          const allSecrets: interfaces.data.ISecret[] = [];
+
+          if (dataArg.scope === 'project') {
+            const projects = await provider.getProjects();
+            // Fetch in batches of 5 for performance
+            for (let i = 0; i < projects.length; i += 5) {
+              const batch = projects.slice(i, i + 5);
+              const results = await Promise.allSettled(
+                batch.map(async (p) => {
+                  const secrets = await provider.getProjectSecrets(p.id);
+                  return secrets.map((s) => ({ ...s, scopeName: p.fullPath || p.name }));
+                }),
+              );
+              for (const result of results) {
+                if (result.status === 'fulfilled') {
+                  allSecrets.push(...result.value);
+                }
+              }
+            }
+          } else {
+            const groups = await provider.getGroups();
+            for (let i = 0; i < groups.length; i += 5) {
+              const batch = groups.slice(i, i + 5);
+              const results = await Promise.allSettled(
+                batch.map(async (g) => {
+                  const secrets = await provider.getGroupSecrets(g.id);
+                  return secrets.map((s) => ({ ...s, scopeName: g.fullPath || g.name }));
+                }),
+              );
+              for (const result of results) {
+                if (result.status === 'fulfilled') {
+                  allSecrets.push(...result.value);
+                }
+              }
+            }
+          }
+
+          return { secrets: allSecrets };
+        },
+      ),
+    );
+
    // Get secrets
    this.typedrouter.addTypedHandler(
      new plugins.typedrequest.TypedHandler<interfaces.requests.IReq_GetSecrets>(
--- a/ts/providers/classes.giteaprovider.ts
+++ b/ts/providers/classes.giteaprovider.ts
@@ -72,7 +72,7 @@ export class GiteaProvider extends BaseProvider {
    value: string,
  ): Promise<interfaces.data.ISecret> {
    await this.client.setRepoSecret(projectId, key, value);
-    return { key, value: '***', protected: false, masked: true, scope: 'project', scopeId: projectId, connectionId: this.connectionId, environment: '*' };
+    return { key, value: '***', protected: false, masked: true, scope: 'project', scopeId: projectId, scopeName: projectId, connectionId: this.connectionId, environment: '*' };
  }

  async updateProjectSecret(
@@ -100,7 +100,7 @@ export class GiteaProvider extends BaseProvider {
    value: string,
  ): Promise<interfaces.data.ISecret> {
    await this.client.setOrgSecret(groupId, key, value);
-    return { key, value: '***', protected: false, masked: true, scope: 'group', scopeId: groupId, connectionId: this.connectionId, environment: '*' };
+    return { key, value: '***', protected: false, masked: true, scope: 'group', scopeId: groupId, scopeName: groupId, connectionId: this.connectionId, environment: '*' };
  }

  async updateGroupSecret(
@@ -175,7 +175,7 @@ export class GiteaProvider extends BaseProvider {
    };
  }

-  private mapSecret(s: plugins.giteaClient.IGiteaSecret, scope: 'project' | 'group', scopeId: string): interfaces.data.ISecret {
+  private mapSecret(s: plugins.giteaClient.IGiteaSecret, scope: 'project' | 'group', scopeId: string, scopeName?: string): interfaces.data.ISecret {
    return {
      key: s.name || '',
      value: '***',
@@ -183,6 +183,7 @@ export class GiteaProvider extends BaseProvider {
      masked: true,
      scope,
      scopeId,
+      scopeName: scopeName || scopeId,
      connectionId: this.connectionId,
      environment: '*',
    };
--- a/ts/providers/classes.gitlabprovider.ts
+++ b/ts/providers/classes.gitlabprovider.ts
@@ -149,6 +149,7 @@ export class GitLabProvider extends BaseProvider {
    v: plugins.gitlabClient.IGitLabVariable,
    scope: 'project' | 'group',
    scopeId: string,
+    scopeName?: string,
  ): interfaces.data.ISecret {
    return {
      key: v.key || '',
@@ -157,6 +158,7 @@ export class GitLabProvider extends BaseProvider {
      masked: v.masked || false,
      scope,
      scopeId,
+      scopeName: scopeName || scopeId,
      connectionId: this.connectionId,
      environment: v.environment_scope || '*',
    };
--- a/ts_bundled/bundle.ts
+++ b/ts_bundled/bundle.ts
--- a/ts_interfaces/data/secret.ts
+++ b/ts_interfaces/data/secret.ts
@@ -5,6 +5,7 @@ export interface ISecret {
  masked: boolean;
  scope: 'project' | 'group';
  scopeId: string;
+  scopeName: string;
  connectionId: string;
  environment: string;
 }
--- a/ts_interfaces/requests/secrets.ts
+++ b/ts_interfaces/requests/secrets.ts
@@ -1,6 +1,21 @@
 import * as plugins from '../plugins.ts';
 import * as data from '../data/index.ts';

+export interface IReq_GetAllSecrets extends plugins.typedrequestInterfaces.implementsTR<
+  plugins.typedrequestInterfaces.ITypedRequest,
+  IReq_GetAllSecrets
+> {
+  method: 'getAllSecrets';
+  request: {
+    identity: data.IIdentity;
+    connectionId: string;
+    scope: 'project' | 'group';
+  };
+  response: {
+    secrets: data.ISecret[];
+  };
+}
+
 export interface IReq_GetSecrets extends plugins.typedrequestInterfaces.implementsTR<
  plugins.typedrequestInterfaces.ITypedRequest,
  IReq_GetSecrets
--- a/ts_web/00_commitinfo_data.ts
+++ b/ts_web/00_commitinfo_data.ts
@@ -3,6 +3,6 @@
 */
 export const commitinfo = {
  name: '@serve.zone/gitops',
-  version: '2.6.2',
+  version: '2.7.0',
  description: 'GitOps management app for Gitea and GitLab - manage secrets, browse projects, view CI pipelines, and stream build logs'
 }
--- a/ts_web/appstate.ts
+++ b/ts_web/appstate.ts
@@ -304,6 +304,27 @@ export const fetchSecretsAction = dataStatePart.createAction<{
  }
 });

+export const fetchAllSecretsAction = dataStatePart.createAction<{
+  connectionId: string;
+  scope: 'project' | 'group';
+}>(async (statePartArg, dataArg) => {
+  const context = getActionContext();
+  try {
+    const typedRequest = new plugins.domtools.plugins.typedrequest.TypedRequest<
+      interfaces.requests.IReq_GetAllSecrets
+    >('/typedrequest', 'getAllSecrets');
+    const response = await typedRequest.fire({
+      identity: context.identity!,
+      connectionId: dataArg.connectionId,
+      scope: dataArg.scope,
+    });
+    return { ...statePartArg.getState(), secrets: response.secrets };
+  } catch (err) {
+    console.error('Failed to fetch all secrets:', err);
+    return statePartArg.getState();
+  }
+});
+
 export const createSecretAction = dataStatePart.createAction<{
  connectionId: string;
  scope: 'project' | 'group';
@@ -320,7 +341,7 @@ export const createSecretAction = dataStatePart.createAction<{
      identity: context.identity!,
      ...dataArg,
    });
-    // Re-fetch secrets
+    // Re-fetch only the affected entity's secrets and merge
    const listReq = new plugins.domtools.plugins.typedrequest.TypedRequest<
      interfaces.requests.IReq_GetSecrets
    >('/typedrequest', 'getSecrets');
@@ -330,7 +351,11 @@ export const createSecretAction = dataStatePart.createAction<{
      scope: dataArg.scope,
      scopeId: dataArg.scopeId,
    });
-    return { ...statePartArg.getState(), secrets: listResp.secrets };
+    const state = statePartArg.getState();
+    const otherSecrets = state.secrets.filter(
+      (s) => !(s.scopeId === dataArg.scopeId && s.scope === dataArg.scope),
+    );
+    return { ...state, secrets: [...otherSecrets, ...listResp.secrets] };
  } catch (err) {
    console.error('Failed to create secret:', err);
    return statePartArg.getState();
@@ -353,7 +378,7 @@ export const updateSecretAction = dataStatePart.createAction<{
      identity: context.identity!,
      ...dataArg,
    });
-    // Re-fetch
+    // Re-fetch only the affected entity's secrets and merge
    const listReq = new plugins.domtools.plugins.typedrequest.TypedRequest<
      interfaces.requests.IReq_GetSecrets
    >('/typedrequest', 'getSecrets');
@@ -363,7 +388,11 @@ export const updateSecretAction = dataStatePart.createAction<{
      scope: dataArg.scope,
      scopeId: dataArg.scopeId,
    });
-    return { ...statePartArg.getState(), secrets: listResp.secrets };
+    const state = statePartArg.getState();
+    const otherSecrets = state.secrets.filter(
+      (s) => !(s.scopeId === dataArg.scopeId && s.scope === dataArg.scope),
+    );
+    return { ...state, secrets: [...otherSecrets, ...listResp.secrets] };
  } catch (err) {
    console.error('Failed to update secret:', err);
    return statePartArg.getState();
@@ -388,7 +417,9 @@ export const deleteSecretAction = dataStatePart.createAction<{
    const state = statePartArg.getState();
    return {
      ...state,
-      secrets: state.secrets.filter((s) => s.key !== dataArg.key),
+      secrets: state.secrets.filter(
+        (s) => !(s.key === dataArg.key && s.scopeId === dataArg.scopeId && s.scope === dataArg.scope),
+      ),
    };
  } catch (err) {
    console.error('Failed to delete secret:', err);
--- a/ts_web/elements/views/secrets/index.ts
+++ b/ts_web/elements/views/secrets/index.ts
@@ -36,7 +36,7 @@ export class GitopsViewSecrets extends DeesElement {
  accessor selectedScope: 'project' | 'group' = 'project';

  @state()
-  accessor selectedScopeId: string = '';
+  accessor selectedScopeId: string = '__all__';

  private _autoRefreshHandler: () => void;

@@ -70,6 +70,13 @@ export class GitopsViewSecrets extends DeesElement {
    viewHostCss,
  ];

+  private get filteredSecrets() {
+    if (this.selectedScopeId === '__all__') {
+      return this.dataState.secrets;
+    }
+    return this.dataState.secrets.filter((s) => s.scopeId === this.selectedScopeId);
+  }
+
  public render(): TemplateResult {
    const connectionOptions = this.connectionsState.connections.map((c) => ({
      option: `${c.name} (${c.providerType})`,
@@ -81,10 +88,17 @@ export class GitopsViewSecrets extends DeesElement {
      { option: 'Group', key: 'group' },
    ];

-    const entityOptions = this.selectedScope === 'project'
+    const entities = this.selectedScope === 'project'
      ? this.dataState.projects.map((p) => ({ option: p.fullPath || p.name, key: p.id }))
      : this.dataState.groups.map((g) => ({ option: g.fullPath || g.name, key: g.id }));

+    const entityOptions = [
+      { option: 'All', key: '__all__' },
+      ...entities,
+    ];
+
+    const isAllSelected = this.selectedScopeId === '__all__';
+
    return html`
      <div class="view-title">Secrets</div>
      <div class="view-description">Manage CI/CD secrets and variables</div>
@@ -95,7 +109,9 @@ export class GitopsViewSecrets extends DeesElement {
          .selectedOption=${connectionOptions.find((o) => o.key === this.selectedConnectionId) || connectionOptions[0]}
          @selectedOption=${(e: CustomEvent) => {
            this.selectedConnectionId = e.detail.key;
+            this.selectedScopeId = '__all__';
            this.loadEntities();
+            this.loadSecrets();
          }}
        ></dees-input-dropdown>
        <dees-input-dropdown
@@ -104,7 +120,9 @@ export class GitopsViewSecrets extends DeesElement {
          .selectedOption=${scopeOptions.find((o) => o.key === this.selectedScope)}
          @selectedOption=${(e: CustomEvent) => {
            this.selectedScope = e.detail.key as 'project' | 'group';
+            this.selectedScopeId = '__all__';
            this.loadEntities();
+            this.loadSecrets();
          }}
        ></dees-input-dropdown>
        <dees-input-dropdown
@@ -113,18 +131,21 @@ export class GitopsViewSecrets extends DeesElement {
          .selectedOption=${entityOptions.find((o) => o.key === this.selectedScopeId) || entityOptions[0]}
          @selectedOption=${(e: CustomEvent) => {
            this.selectedScopeId = e.detail.key;
-            this.loadSecrets();
          }}
        ></dees-input-dropdown>
-        <dees-button @click=${() => this.addSecret()}>Add Secret</dees-button>
+        <dees-button
+          .disabled=${isAllSelected}
+          @click=${() => this.addSecret()}
+        >Add Secret</dees-button>
        <dees-button @click=${() => this.loadSecrets()}>Refresh</dees-button>
      </div>
      <dees-table
        .heading1=${'Secrets'}
        .heading2=${'CI/CD variables for the selected entity'}
-        .data=${this.dataState.secrets}
+        .data=${this.filteredSecrets}
        .displayFunction=${(item: any) => ({
          Key: item.key,
+          Scope: item.scopeName || item.scopeId,
          Value: item.masked ? '******' : item.value,
          Protected: item.protected ? 'Yes' : 'No',
          Environment: item.environment || '*',
@@ -141,8 +162,8 @@ export class GitopsViewSecrets extends DeesElement {
            action: async (item: any) => {
              await appstate.dataStatePart.dispatchAction(appstate.deleteSecretAction, {
                connectionId: this.selectedConnectionId,
-                scope: this.selectedScope,
-                scopeId: this.selectedScopeId,
+                scope: item.scope,
+                scopeId: item.scopeId,
                key: item.key,
              });
            },
@@ -158,6 +179,7 @@ export class GitopsViewSecrets extends DeesElement {
    if (conns.length > 0 && !this.selectedConnectionId) {
      this.selectedConnectionId = conns[0].id;
      await this.loadEntities();
+      await this.loadSecrets();
    }
  }

@@ -175,15 +197,15 @@ export class GitopsViewSecrets extends DeesElement {
  }

  private async loadSecrets() {
-    if (!this.selectedConnectionId || !this.selectedScopeId) return;
-    await appstate.dataStatePart.dispatchAction(appstate.fetchSecretsAction, {
+    if (!this.selectedConnectionId) return;
+    await appstate.dataStatePart.dispatchAction(appstate.fetchAllSecretsAction, {
      connectionId: this.selectedConnectionId,
      scope: this.selectedScope,
-      scopeId: this.selectedScopeId,
    });
  }

  private async addSecret() {
+    if (this.selectedScopeId === '__all__') return;
    await plugins.deesCatalog.DeesModal.createAndShow({
      heading: 'Add Secret',
      content: html`
@@ -234,8 +256,8 @@ export class GitopsViewSecrets extends DeesElement {
            const input = modal.shadowRoot.querySelector('dees-input-text');
            await appstate.dataStatePart.dispatchAction(appstate.updateSecretAction, {
              connectionId: this.selectedConnectionId,
-              scope: this.selectedScope,
-              scopeId: this.selectedScopeId,
+              scope: item.scope,
+              scopeId: item.scopeId,
              key: item.key,
              value: input?.value || '',
            });