fix: write reliability and error-handling fixes

.github/workflows/check.yml

@@ -0,0 +1,23 @@
+name: Check
+
+on:
+  pull_request:
+  push:
+    branches-ignore:
+      - master
+
+jobs:
+  lint-and-test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: astral-sh/setup-uv@v6
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.9"
+
+      - run: uv run --group dev ruff check .
+
+      - run: uv run --group dev pytest

.github/workflows/release-please.yml

@@ -14,5 +14,3 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: googleapis/release-please-action@v4
-        with:
-          release-type: python

.release-please-manifest.json

@@ -0,0 +1,3 @@
+{
+  ".": "0.4.0"
+}

README.md

@@ -1,6 +1,31 @@
 Populate Gitlab Project Variables from .env file
 =================================================
 
+## Overview
+
+A command-line tool for managing a Gitlab project's CI/CD variables, scoped to a
+Gitlab [environment](https://docs.gitlab.com/ee/ci/environments/) (e.g. `uat`,
+`production`). It talks to the Gitlab API using a personal access token and lets
+you move variables between a local `.env` file and Gitlab in both directions.
+
+It provides four commands:
+
+- `write` — read a local `.env` file and create or update the matching
+  project variables in the given environment scope. Supports `--include` /
+  `--exclude` filtering and `--mask` to mask values whose key contains the
+  substring `KEY`, `SECRET`, or `TOKEN` (e.g. `APP_KEY`, `PUBLIC_KEY`,
+  `AUTH_TOKEN` will all be masked). Masking is one-way: an already-masked
+  variable is never un-masked by this tool.
+- `list` — print the variables for an environment in a table. Masked values are
+  hidden unless you pass `--sensitive`.
+- `get` — print the variables for an environment, optionally appending them to a
+  `<scope>.env` file with `--export`.
+- `download` — write an environment's variables to a `<environment>.env` file,
+  prompting before overwriting an existing file.
+
+All commands target both the requested environment and globally-scoped (`*`)
+variables. Requires a `GITLAB_TOKEN` environment variable.
+
 ## Install
 
 Install as a global user tool (isolated environment, command on your PATH):
@@ -56,3 +81,9 @@ populate-secrets-gitlab write \
 ```shell
 populate-secrets-gitlab get --environment uat --gitlab-host gitlab.example.com --project my-group/my-project --export
 ```
+
+### Download variables to an .env file
+
+```shell
+populate-secrets-gitlab download --environment uat --gitlab-host gitlab.example.com --project my-group/my-project --output-dir .
+```

pyproject.toml

@@ -25,5 +25,8 @@ Issues = "https://github.com/deploymode/populate-secrets-gitlab/issues"
 [project.scripts]
 populate-secrets-gitlab = "populate_secrets_gitlab.__main__:main"
 
+[dependency-groups]
+dev = ["pytest>=8", "ruff>=0.8"]
+
 [tool.setuptools.packages.find]
 where = ["src"]

release-please-config.json

@@ -0,0 +1,17 @@
+{
+  "packages": {
+    ".": {
+      "release-type": "python",
+      "changelog-sections": [
+        {"type": "feat", "section": "Features"},
+        {"type": "fix", "section": "Bug Fixes"},
+        {"type": "perf", "section": "Performance"},
+        {"type": "docs", "section": "Documentation", "hidden": true},
+        {"type": "test", "section": "Tests", "hidden": true},
+        {"type": "ci", "section": "CI", "hidden": true},
+        {"type": "refactor", "section": "Refactoring", "hidden": true},
+        {"type": "chore", "section": "Miscellaneous", "hidden": true}
+      ]
+    }
+  }
+}

src/populate_secrets_gitlab/app.py

@@ -16,7 +16,7 @@
 logging.basicConfig(
         level=logging.INFO,
         format='%(asctime)s %(levelname)s\t%(message)s',
-        datefmt='%Y-%m-%d_%H:%M:%S.%s',
+        datefmt='%Y-%m-%d_%H:%M:%S',
         handlers=[
             logging.StreamHandler()
         ],
@@ -138,7 +138,7 @@ def write(env_file, environment, gitlab_host, project, include, exclude, mask, d
 
         # Write to Gitlab API
         try:
-            if key in gitlab_project_variable_keys_by_scope[environment]:
+            if key in gitlab_project_variable_keys_by_scope.get(environment, []):
                 is_update = True
                 # Update
                 project_var = [v for v in gl_project_vars if v.key == key][0]
@@ -164,8 +164,8 @@ def write(env_file, environment, gitlab_host, project, include, exclude, mask, d
             logger.info("Failed to write {} due to error from Gitlab API".format(key))
             print_exc()
             continue
-        except Exception:
-            logger.info("Failed to write {} due to unexpected error".format(key))
+        except gitlab.exceptions.GitlabError:
+            logger.info("Failed to write {} due to unexpected Gitlab error".format(key))
             print_exc()
             continue
 
@@ -209,7 +209,7 @@ def get(environment, gitlab_host, project, export, debug):
     try:
         gitlab_token = os.environ["GITLAB_TOKEN"]
     except KeyError:
-        raise Exception(
+        raise click.ClickException(
             f"GITLAB_TOKEN must be set. Get token from https://{gitlab_host}/-/profile/personal_access_tokens"
         )
 
@@ -232,15 +232,18 @@ def get(environment, gitlab_host, project, export, debug):
 
 
     gitlabProjectVariables = gitlabProject.variables.list(get_all=True)
+    export_opened = set()
     for variable in sorted(gitlabProjectVariables, key=lambda v: v.key):
         scope = 'global' if variable.environment_scope == '*' else variable.environment_scope
         if scope == environment or scope == 'global':
             click.secho(f"[{variable.environment_scope}] {variable.key}={variable.value}", fg='yellow')
 
             if export:
                 logger.debug(f"Writing {variable.key} to {scope}.env")
-                with open(f"{scope}.env", 'a+') as f:
+                mode = "a" if scope in export_opened else "w"
+                with open(f"{scope}.env", mode) as f:
                     f.write(f"{variable.key}={variable.value}\n")
+                export_opened.add(scope)
 
     logger.info("Done")
 

src/populate_secrets_gitlab/gitlab_server.py

@@ -3,5 +3,3 @@
 
 def gitlab_client(gitlab_host, gitlab_token):
     return gitlab.Gitlab(util.prepare_gitlab_host(gitlab_host), private_token=gitlab_token)
-
-