Although I am also an encryption-noob (who isn’t?), I just recently created a CLI that pushes secrets to GitHub using the API, so the information is fresh in my mind.

I didn’t see nor use any private key in the process.

The same documentation page you referenced has examples in several languages (not R unfortunately) further down the page.

In general, the process as described is this (pseudocode):

# API call to get the public key for the repo
base64_encoded_public_key, key_id = get_public_key_from_github(repo_name)
Base64 decode the key
public_key = base64_decode(base64_encoded_public_key)
Encrypt the secret with sodium and the public key
plain_secret = "secret"

encrypted_secret = sodium_encrypt(public_key, plain_secret)
Base64 encode the encrypted secret
base64_encoded_secret = base64_encode(encrypted_secret)
Send it to GitHub using the API, and including the key_id as received in step 1
push_secret_to_github(key_id, base64_encoded_secret)

And this is the example in Ruby:

key = Base64.decode64("+ZYvJDZMHUfBkJdyq5Zm9SKqeuBQ4sj+6sfjlH4CgG0=")
public_key = RbNaCl::PublicKey.new(key)
box = RbNaCl::Boxes::Sealed.from_public_key(public_key)

encrypted_secret = box.encrypt("my_secret")
Print the base64 encoded secret
puts Base64.strict_encode64(encrypted_secret)

In my development, I also tested that I can decrypt it back. For this you will need to use sodium to generate a public/private key pair (instead of the one you receive from GitHub), then follow the encryption steps as above, using the public key, and then decrypt it with the same sodium method, only this time using the private key - to verify the output is decrypting properly.

If it will help, or if you are in need of a way to do it and are not married to doing it in R, I can share a link to my CLI (in Ruby).

Is there a way to do this with only using the sodium package in R? Why do we have to decode the public key and encode the secret with base64 encoding? How do you know to use base64, are there other methods that can be used?