I know I can use curl to list the secrets of a repo via curl like so:
curl -H "Accept: application/vnd.github.v3+json" \
-H "Authorization: token [personal access token]" \
https://api.github.com/repos/[user]/[repo]/actions/secrets
This returns something like this:
{
"total_count": 1,
"secrets": [
{
"name": "A_TEST_SECRET",
"created_at": "2022-04-14T13:12:22Z",
"updated_at": "2022-04-14T13:12:22Z"
}
]
}
But is it somehow possible to also retrieve the secret's value?
My use case is this:
I have a step in a Github Actions workflow that uses a secret and needs to be executed before I can run my build step, which just contains a script to run.
Now sometimes I want to also run my buildscript on my local machine, but to do that I also need to run the step before it, which needs the secret. Is there any way I can retrieve the secret's value to a local machine from Github to do that?
As stated by Github Partner brightran on this Github Community Thread:
We have no safe way to fetch the values of secrets, and actually it is not recommended to try fetching and sharing the secrets.
He also shared in that post two ways to use the repository secrets in the source code files of your project when you build the project in the workflow runs, maybe you can try them with your buildscript in a Github Actions workflow that could be triggered manually (using a workflow_dispatch event, for example).
Related
Within a GitHub Actions workflow in repository A we are trying to download release assets from another private repository B. Therefore the runner (running in a workflow in repo A) needs to authenticate against repository B.
There seem to be 2 possible solutions for that:
Create a private access token (PAT)
Create a GitHub application and use that for authenticating
Since we do not want this setup to be dependent on individual users, option 1) seems like the wrong approach. But we somehow got stuck with option 2). What we did so far:
Create a GitHub application (not oauth, since it should be independent of the user)
Grant all permissions for repositories to this app
Install the app in our organisation
Generate an app private key and create a JWT token following the documentation here
Sending a curl request with this generated JWT token, like
curl -i -X POST \
-H "Authorization: Bearer YOUR_JWT" \
-H "Accept: application/vnd.github+json" \
https://api.github.com/app/installations/:installation_id/access_tokens
But this request always gives us a 401.
So first question is: are we on the right track here? Second question would be: how can we make this work?
It also puzzles us that we would have to re-create the JWT token with every workflow run (since we cannot use a long enough expiration time), and would rather like to have something that can be put into the secrets store of the workflow.
I'm attempting to create a Terraform-integrated script that will create and configure a Google Cloud VM that will install Github Runner as self-hosted. The repository is under my workplace's 'organization' and it is closed to the public. Everything goes smoothly until I need to configure the runner. In repository instructions for creating self-hosted runner written as this:
# Create the runner and start the configuration experience
$ ./config.cmd --url https://github.com/my_work_place_organizaiton_name/repository_name --token ASZER2QS4UVEAL3YLMZ3DIMUIC
The issue is that, because it is an unattended script, it will run entirely on its own with no strings attached, and everything should be generated as automatically as possible. So I need a way to generate/retrieve this token ASZER2QS4UVEAL3YLMZ3DIMUIC automatically.
I think I found a way (correct me if I wrong) here: Create a registration token for an organization. So far so good. I managed to create a powershell script to execute all steps in new Github self-hosted runner until the step where I need to generate token. Once I run the command (even in Github CLI) I get an error back like this:
gh api --method POST -H "Accept: application/vnd.github+json" /orgs/my_work_place_organizaiton_name/actions/runners/registration-token
{
"message": "Must have admin rights to Repository.",
"documentation_url": "https://docs.github.com/rest/reference/actions#create-a-registration-token-for-an-organization"
}
gh: Must have admin rights to Repository. (HTTP 403)
gh: This API operation needs the "admin:org" scope. To request it, run: gh auth refresh -h github.com -s admin:org
I am an admin in this repository but not in the organization, and I am afraid that no one will grant me admin access to the organization, and even more, I cannot simply put admin:org credentials in some script - this is a "no go."
So, my question is, how can I fully automate the generation of this Github token (which is generated for everyone in the instructions page without any admin privileges)?
After a lot of try and catches it seems I found an answer. What is work for me is generating token for repository and not generating token for repository in organization.
According to Github documentation: Create a registration token for a repository this is a POST request you must send from Github CLI for example:
gh api \
--method POST \
-H "Accept: application/vnd.github+json" \
/repos/OWNER/REPO/actions/runners/registration-token
and according to documentation:
OWNER
string
Required
The account owner of the repository. The name is not case sensitive.
REPO
string
Required
The name of the repository. The name is not case sensitive.
So I put my organization name as an OWNER and not my username and voila ! it is worked !
so - instead sending request as:
/repos/my_user_name/REPO/actions/runners/registration-token
I send it as:
/repos/my_organization_name/REPO/actions/runners/registration-token
and immediately get a valid token back.
Prequisite: I have read: https://docs.aws.amazon.com/codebuild/latest/userguide/sample-github-pull-request.html
I also read this: https://docs.aws.amazon.com/codebuild/latest/userguide/build-env-ref-env-vars.html
and this: Accessing GitHub pull request details within AWS CodeBuild
We have several codebuild jobs that trigger on Github pull requests/pull request updates.
As that other question states, far I have seen $CODEBUILD_WEBHOOK_EVENT which shows something like PULL_REQUEST_UPDATED and CODEBUILD_WEBHOOK_TRIGGER which shows something like pr/123
However I am trying to get the actual payload of the webhook event - specifically the title and description of the PR. How can I obtain these?
My fear is that the answer is this information is lost, and that somehow I need to connect to the github API from within the codebuild job in a back and forth. But then they question will be how to authenticate since this is a private repo..
Not sure if you ever found an answer to this, but I ran into something similar. To get other info from GitHub, I used its API. For authentication, you can add the GitHub token as an environment variable in the buildspec file. I'd recommend storing it in Parameter Store as a secure string. Here's a working example file that retrieves the name of the first label on the PR:
version: 0.2
env:
shell: bash
parameter-store:
GITHUB_AUTH_TOKEN: GITHUB_AUTH_TOKEN
phases:
install:
runtime-versions:
nodejs: 16
build:
commands:
- |
PR_NUMBER=$(cut -d "/" -f2 <<< "$CODEBUILD_SOURCE_VERSION")
echo $PR_NUMBER;
PR_LABEL_NAME=$(curl --request GET --url "https://api.github.com/repos/<put repo name here>/pulls/$PR_NUMBER" --header "Authorization:Bearer $GITHUB_AUTH_TOKEN" | jq -r '.labels[0].name');
If the build is triggered by a PR being created or updated, the CODEBUILD_SOURCE_VERSION var will have a value of "pr/1234" where "1234" is the pull request number. I'm using cut to get the number and drop "pr/".
I am looking for some ways to create a github issue from travis.
I am calling some scripts in travis.yaml file and I need to create a github issue when travis is executed. I came across documents on calling github APIS using curl command.
Eg: curl -u $username -i -H "Content-Type: application/json" -X POST --data '{"title":"'$title'", "body":"'$body'"}' https://api.github.com/repos/$username/$repo_name/issues
Instead of username , since the build is triggered via travis, should I use github tokens? Is there any environment variable available which represents github token.
Found the answer myself. Create a github token using the github API and add that as ENV variable to your Travis CI settings.
This token can be used to perform the curl operation in travis shell script.
Helpful link : https://blogs.infosupport.com/accessing-githubs-rest-api-with-curl/
I have to send a lot of pull requests, so I would rather use the bash command line than bitbucket's web interface.
Usage example: $ git-req username
Here is such a script for Github: http://pastebin.com/F9n3nPuu
Is there one for Bitbucket?
Bitbucket with it's RESTful API 2.0 supports managing pull requests without interface. In CLI you can request it with CURL. This older version of the documentation has better interface details.
Get pull request data with CURL
To get full data about specific pull request:
$ curl --user s3m3n:bbpassword https://bitbucket.org/api/2.0/repositories/s3m3n/reponame/pullrequests/4
In return I get JSON with full info about my pull request #4 (put your username twice, password and reponame in command).
Create new pull request with RESTClient
To create new pull request we need to provide a lot of data with POST command, below how it looks in my RESTClient:
After firing Bitbucket shows pull request immediately:
Create new pull request with CURL
You can still create the same pull request with one liner:
$ curl -X POST -H "Content-Type: application/json" -u s3m3n:bbpassword https://bitbucket.org/api/2.0/repositories/s3m3n/reponame/pullrequests -d '{ "title": "Merge some branches", "description": "stackoverflow example", "source": { "branch": { "name": "choose branch to merge with" }, "repository": { "full_name": "s3m3n/reponame" } }, "destination": { "branch": { "name": "choose branch that is getting changes" } }, "reviewers": [ { "username": "some other user needed to review changes" } ], "close_source_branch": false }'
REST browser tool (discontinued)
If you want to test all possible methods of API hop to REST browser tool of Bitbucket. It will show you all possible requests while returning your real repo's data.
Tried and tested :
Generate personal access token by clicking here
Save the Unique token id, append it after "Bearer in header".
For example: "Authorization : Bearer MDg4MzA4NTcfhtrhthyt/Thyythyh "
Complete JSON sample here:
Step 1 to enter the details and necessary headers
Try running it
Step 2
Output on BitBucket, You will be able to see the pull request
Final output
Command Line Syntax:
curl -i -X POST -H "Authorization:Bearer MDg4MzA4NTk/TlMSS6Ea" -H "X-Atlassian-Token:no-check" -H "Content-Type:application/json" -d '{"description":"1. Changes made 2. Changes made 3. Hello hanges","closed":false,"fromRef":{"id":"refs\/heads\/branch","repository":{"name":"From Repository ","project":{"key":"ProjectName"},"slug":"From Repository "}},"state":"OPEN","title":"Merge changes from branch to master","locked":false,"reviewers":[],"open":true,"toRef":{"id":"refs\/heads\/master","repository":{"name":"RepoName","project":{"key":"ProjectName"},"slug":"RepoName"}}}' 'https://bitbucket.agile.com/rest/api/1.0/projects/projectName/repos/repoName/pull-requests'
There are 2 repos on bitbucket that could help:
the Attlassian team have stash (ruby): https://bitbucket.org/atlassian/bitbucket-server-cli
Zhemao has bitbucket-cli (python): https://bitbucket.org/zhemao/bitbucket-cli
both have pull request feature from command line.
I wasn't too satisfied with the answers in this thread, so I created an package for it:
https://www.npmjs.com/package/bitbucket-pr
Instructions:
npm i -g bitbucket-pr
... Go to folder where you want to create a pull request ...
bitbucket-pr
I have created a pull request cli utility to ease my tasks.
Currently,
it can create/delete pr's right from the terminal
show basic diff for a raised PR
I have tested it with bitbucket enterprise 6.10.10
Source code: https://github.com/psadi/bbcli