Add environment variables/secrets, repository and org dependabot secrets

docs/reference/organization/codespaces_secret.md

@@ -0,0 +1,63 @@
+Definition of a `Codespaces Secret` on organization level, the following properties are supported:
+
+| Key                     | Value          | Description                                    | Note                                                 |
+|-------------------------|----------------|------------------------------------------------|------------------------------------------------------|
+| _name_                  | string         | The name of the secret                         |                                                      |
+| _selected_repositories_ | list[string]   | List of repositories that can use the codespaces secret   | only applicable if `visibility` is set to `selected` |
+| _value_                 | string         | The codespaces secret value                               |                                                      |
+| _visibility_            | string         | Controls which repositories can use the codespaces secret | `public`, `private` or `selected`                    |
+
+The codespaces secret value can be resolved via a credential provider. The supported format is `<credential_provider>:<provider specific data>`.
+
+- Bitwarden: `bitwarden:<bitwarden item id>@<custom_field_key>`
+
+    ``` json
+    "secret": "bitwarden:118276ad-158c-4720-b68d-af8c00fe3481@secret"
+    ```
+
+- Pass: `pass:<path/to/secret>`
+
+    ``` json
+    "secret": "pass:path/to/org/secret"
+    ```
+
+!!! note
+
+    After executing an `import` operation, the codespaces secret will be set to `********` as GitHub will not disclose the
+    secret value anymore via its API. You will need to update the configuration with the real secret value, either
+    by entering the secret value (not advised), or referencing it via a credential provider.
+
+    Secrets which have a redacted value defined will be skipped during processing.
+
+## Jsonnet Function
+
+``` jsonnet
+orgs.newOrgCodespacesSecret('<name>') {
+  <key>: <value>
+}
+```
+
+## Validation rules
+
+- redacted codespaces secret values (`********`) trigger a validation info and will skip the secret during processing
+- `visibility` of `private` is not supported by GitHub with a billing plan of type `free`
+- specifying a non-empty list of `selected_repositories` while `visibility` is not set to `selected` triggers a warning
+
+## Example usage
+
+=== "jsonnet"
+    ``` jsonnet
+    orgs.newOrg('OtterdogTest') {
+      ...
+      secrets+: [
+        orgs.newOrgCodespacesSecret('TEST_CODESPACES_SECRET') {
+          selected_repositories+: [
+            "test-repo"
+          ],
+          value: "pass:path/to/my/secret/value",
+          visibility: "selected",
+        },
+      ],
+      ...
+    }
+    ```

docs/reference/organization/dependabot_secret.md

@@ -0,0 +1,63 @@
+Definition of a `Dependabot Secret` on organization level, the following properties are supported:
+
+| Key                     | Value          | Description                                    | Note                                                 |
+|-------------------------|----------------|------------------------------------------------|------------------------------------------------------|
+| _name_                  | string         | The name of the secret                         |                                                      |
+| _selected_repositories_ | list[string]   | List of repositories that can use the dependabot secret   | only applicable if `visibility` is set to `selected` |
+| _value_                 | string         | The dependabot secret value                               |                                                      |
+| _visibility_            | string         | Controls which repositories can use the dependabot secret | `public`, `private` or `selected`                    |
+
+The dependabot secret value can be resolved via a credential provider. The supported format is `<credential_provider>:<provider specific data>`.
+
+- Bitwarden: `bitwarden:<bitwarden item id>@<custom_field_key>`
+
+    ``` json
+    "secret": "bitwarden:118276ad-158c-4720-b68d-af8c00fe3481@secret"
+    ```
+
+- Pass: `pass:<path/to/secret>`
+
+    ``` json
+    "secret": "pass:path/to/org/secret"
+    ```
+
+!!! note
+
+    After executing an `import` operation, the dependabot secret will be set to `********` as GitHub will not disclose the
+    secret value anymore via its API. You will need to update the configuration with the real secret value, either
+    by entering the secret value (not advised), or referencing it via a credential provider.
+
+    Secrets which have a redacted value defined will be skipped during processing.
+
+## Jsonnet Function
+
+``` jsonnet
+orgs.newOrgDependabotSecret('<name>') {
+  <key>: <value>
+}
+```
+
+## Validation rules
+
+- redacted dependabot secret values (`********`) trigger a validation info and will skip the secret during processing
+- `visibility` of `private` is not supported by GitHub with a billing plan of type `free`
+- specifying a non-empty list of `selected_repositories` while `visibility` is not set to `selected` triggers a warning
+
+## Example usage
+
+=== "jsonnet"
+    ``` jsonnet
+    orgs.newOrg('OtterdogTest') {
+      ...
+      secrets+: [
+        orgs.newOrgDependabotSecret('TEST_DEPENDABOT_SECRET') {
+          selected_repositories+: [
+            "test-repo"
+          ],
+          value: "pass:path/to/my/secret/value",
+          visibility: "selected",
+        },
+      ],
+      ...
+    }
+    ```

docs/reference/organization/index.md

@@ -8,18 +8,22 @@ This resource represents a GitHub organization with all supported settings and n
         settings+: { ... }, // (1)!
         webhooks+: [ ... ], // (2)!
         secrets+: [ ... ], // (3)!
-        variables+: [ ... ], // (4)!
-        rulesets+: [ ... ], // (5)!
-        _repositories+:: [ ... ], // (6)!
+        dependabot_secrets+: [ ... ], // (4)!
+        codespaces_secrets+: [ ... ], // (5)!
+        variables+: [ ... ], // (6)!
+        rulesets+: [ ... ], // (7)!
+        _repositories+:: [ ... ], // (8)!
     }
     ```
 
     1. see [Organization Settings](settings.md)
     2. see [Organization Webhook](webhook.md)
     3. see [Organization Secret](secret.md)
-    4. see [Organization Variable](variable.md)
-    5. see [Organization Ruleset](ruleset.md)
-    6. see [Repository](repository/index.md)
+    4. see [Organization Dependabot Secret](dependabot_secret.md)
+    5. see [Organization Codespaces Secret](codespaces_secret.md)
+    6. see [Organization Variable](variable.md)
+    7. see [Organization Ruleset](ruleset.md)
+    8. see [Repository](repository/index.md)
 
 !!! note
 
@@ -70,6 +74,16 @@ The configuration of a GitHub Organization is considered to be valid if all nest
           value: "pass:bots/adoptium.aqavit/github.com/project-token",
         },
       ],
+      dependabot_secrets+: [
+        orgs.newOrgDependabotSecret('DEPENDABOT_ADOPTIUM_AQAVIT_BOT_TOKEN') {
+          value: "pass:bots/adoptium.aqavit/github.com/dependabot-token",
+        },
+      ],
+      codespaces_secrets+: [
+        orgs.newOrgCodespacesSecret('CODESPACES_ADOPTIUM_AQAVIT_BOT_TOKEN') {
+          value: "pass:bots/adoptium.aqavit/github.com/codespaces-token",
+        },
+      ],
       variables+: [
         orgs.newOrgVariable('SONAR_USERNAME') {
           value: "xxxxx",

docs/reference/organization/repository/branch-or-tag.md

@@ -1,4 +1,4 @@
-A BranchOrTag represents either a branch or tag pattern to use within an [Environment](environment.md).
+A BranchOrTag represents either a branch or tag pattern to use within an [Environment](environment/index.md).
 The following format is used to distinguish between tags and branches:
 
 | Type   | Format          | Example                                 |

docs/reference/organization/repository/codespaces_secret.md

@@ -0,0 +1,60 @@
+Definition of a `Codespaces Secret` on repository level, the following properties are supported:
+
+| Key                     | Value          | Description                                    | Note |
+|-------------------------|----------------|------------------------------------------------|------|
+| _name_                  | string         | The name of the secret                         |      |
+| _value_                 | string         | The secret value                               |      |
+
+The codespaces secret value can be resolved via a credential provider. The supported format is `<credential_provider>:<provider specific data>`.
+
+- Bitwarden: `bitwarden:<bitwarden item id>@<custom_field_key>`
+
+    ``` json
+    "secret": "bitwarden:118276ad-158c-4720-b68d-af8c00fe3481@secret"
+    ```
+
+- Pass: `pass:<path/to/secret>`
+
+    ``` json
+    "secret": "pass:path/to/repo/secret"
+    ```
+
+!!! note
+
+    After executing an `import` operation, the codespaces secret will be set to `********` as GitHub will not disclose the
+    secret value anymore via its API. You will need to update the configuration with the real secret value, either
+    by entering the secret value (not advised), or referencing it via a credential provider.
+
+    Secrets which have a redacted value defined will be skipped during processing.
+
+## Jsonnet Function
+
+``` jsonnet
+orgs.newRepoCodespacesSecret('<name>') {
+  <key>: <value>
+}
+```
+
+## Validation rules
+
+- redacted dependabot secret values (`********`) trigger a validation info and will skip the secret during processing
+
+## Example usage
+
+=== "jsonnet"
+    ``` jsonnet
+    orgs.newOrg('OtterdogTest') {
+      ...
+      _repositories+:: [
+        ...
+        orgs.newRepo('test-repo') {
+          ...
+          codespaces_secrets+: [
+            orgs.newRepoCodespacesSecret('TEST_CODESPACES_SECRET') {
+              value: "pass:path/to/secret",
+            },
+          ],
+        }
+      ]
+    }
+    ```

docs/reference/organization/repository/dependabot_secret.md

@@ -0,0 +1,60 @@
+Definition of a `Dependabot Secret` on repository level, the following properties are supported:
+
+| Key                     | Value          | Description                                    | Note |
+|-------------------------|----------------|------------------------------------------------|------|
+| _name_                  | string         | The name of the secret                         |      |
+| _value_                 | string         | The secret value                               |      |
+
+The dependabot secret value can be resolved via a credential provider. The supported format is `<credential_provider>:<provider specific data>`.
+
+- Bitwarden: `bitwarden:<bitwarden item id>@<custom_field_key>`
+
+    ``` json
+    "secret": "bitwarden:118276ad-158c-4720-b68d-af8c00fe3481@secret"
+    ```
+
+- Pass: `pass:<path/to/secret>`
+
+    ``` json
+    "secret": "pass:path/to/repo/secret"
+    ```
+
+!!! note
+
+    After executing an `import` operation, the dependabot secret will be set to `********` as GitHub will not disclose the
+    secret value anymore via its API. You will need to update the configuration with the real secret value, either
+    by entering the secret value (not advised), or referencing it via a credential provider.
+
+    Secrets which have a redacted value defined will be skipped during processing.
+
+## Jsonnet Function
+
+``` jsonnet
+orgs.newRepoDependabotSecret('<name>') {
+  <key>: <value>
+}
+```
+
+## Validation rules
+
+- redacted codespaces secret values (`********`) trigger a validation info and will skip the secret during processing
+
+## Example usage
+
+=== "jsonnet"
+    ``` jsonnet
+    orgs.newOrg('OtterdogTest') {
+      ...
+      _repositories+:: [
+        ...
+        orgs.newRepo('test-repo') {
+          ...
+          dependabot_secrets+: [
+            orgs.newRepoDependabotSecret('TEST_DEPENDABOT_SECRET') {
+              value: "pass:path/to/secret",
+            },
+          ],
+        }
+      ]
+    }
+    ```