Node.JS examples based on `tweetsodium` need to be replaced as it is deprecated

[thispsj]

Code of Conduct

• [X] I have read and agree to the GitHub Docs project's Code of Conduct

What article(s) on docs.github.com is/are affected?

Four articles :

1) * https://docs.github.com/rest/actions/secrets#create-or-update-an-organization-secret

• https://docs.github.com/rest/actions/secrets#create-or-update-a-repository-secret
• https://docs.github.com/rest/actions/secrets#create-or-update-an-environment-secret 1) * https://docs.github.com/rest/dependabot/secrets#create-or-update-an-organization-secret
• https://docs.github.com/rest/dependabot/secrets#create-or-update-a-repository-secret 1) https://docs.github.com/en/rest/codespaces/secrets#example-encrypting-a-secret-using-nodejs 1) https://docs.github.com/en/rest/codespaces/repository-secrets#example-of-encrypting-a-secret-using-nodejs

What part(s) of the article would you like to see updated?

Some points which I would like to highlight here :

• tweetsodium the JS lib based on sodium maintained by GitHub is now no more maintained and updated. It has been marked deprecated in the latest release (i.e. 0.0.6 ).
• Moreover they've removed the dists folder which contained the scripts that contained all the functions. Therefore any user calling require('tweetsodium') in their code would get an error that index.umd.js is missing (as it was present in the dists folder).
• So the current users of tweetsodium should migrate to some other sodium based library.
• In my opinion I recommend libsodium-wrappers which is also recommended by tweetsodium authors as it is easy to use, opensource and by the same author who authored the C library libsodium. (Source Code)
• So we should change the code snippets to use libsodium-wrappers (instead of tweetsodium) which are given for encrypting the secrets with public key before they're sent over the API because currently those snippets will give errors.

Additional information

I am also providing the replacement script below:

// Written with ❤️ by PSJ and free to use under The Unlicense.
const sodium=require('libsodium-wrappers')
const secret = 'plain-text-secret' // replace with secret before running the script.
const key = 'base64-encoded-public-key' // replace with the Base64 encoded public key.

//Check if libsodium is ready and then proceed.

sodium.ready.then( ()=>{

// Convert Secret & Base64 key to Uint8Array.
let binkey= sodium.from_base64(key, sodium.base64_variants.ORIGINAL) //Equivalent of Buffer.from(key, 'base64')
let binsec= sodium.from_string(secret) // Equivalent of Buffer.from(secret)

//Encrypt the secret using LibSodium
let encBytes= sodium.crypto_box_seal(binsec,binkey) // Similar to tweetsodium.seal(binsec,binkey)

// Convert encrypted Uint8Array to Base64
let output=sodium.to_base64(encBytes, sodium.base64_variants.ORIGINAL) //Equivalent of Buffer.from(encBytes).toString('base64')

console.log(output)
});

async/await can also be used instead.

---

UPDATE

REST API reference for codespaces secrets (both user and repository) is also affected and hence added.

[ramyaparimi]

@thispsj Thanks so much for opening an issue! I'll triage this for the team to review :eyes:

[thispsj]

Someone please add the codespaces label also.

[mchammer01]

Hi @thispsj 👋🏻 - thanks for creating this issue ✨ Just to let you know that I've asked the relevant team for a technical review on your observations and suggestions. Thanks for your patience 😃

[github-actions[bot]]

Thanks for opening an issue! We've triaged this issue for technical review by a subject matter expert :eyes:

[github-actions[bot]]

This is a gentle bump for the docs team that this issue is waiting for technical review.

[lgarron]

@thispsj Do you think you'll get around to this at some point? We'd love to see the docs updated to avoid recommending our deprecated library.

[thispsj]

@thispsj Do you think you'll get around to this at some point? We'd love to see the docs updated to avoid recommending our deprecated library.

@lgarron Ya sure I can implement this provided that I can edit REST docs. 😅

[skedwards88]

Thanks for opening this issue and for writing a replacement script @thispsj 💖 As you noted, this needs to be fixed internally in the OpenAPI schema, so I will add a label to start that process.

[docubot]

Thank you for opening this issue! Updates to the REST/GraphQL API description must be made internally. I have copied your issue to an internal issue, so I will close this issue.