I am setting up Actions in Github, some of them require a Token for authentication. This is the process I follow to generate them, which is detailed in the Actions Docs:
Go to my Account, generate a PAT
Go to the project and add a Secret using that PAT value
Add the variable name in the Action yml file, for example:
env:
# used by semantic-release to authenticate at github and write to master
# I used the developer tab to generate the token and then paste it to several projs
# as a secret
GH_TOKEN: ${{secrets.GH_TOKEN}}
# used by semantic release to authenticate when publishing to npm
# Generate it in NPM (you just need to be registered at npm which is simple)
NPM_TOKEN: ${{secrets.NPM_TOKEN}}
Now, this is rather tedious, even having a single PAT, I'd still need to create a secret per project.
I have noticed though, that if you create an organization, you can create secrets at the ORG level.
Can you do something similar without having an organization? Can you create user secrets? Or maybe there is a way to use the user settings in the Project's Action?
Related
I've read several tutorials and the docs for adding secrets. This is what confuses me:
If you go to github.com/username/repo -> Settings->Secrets->Actions
You can create a secret, which apparently you could reference from that repo using ${{ secrets.MYSEC }}. For me as a user at least (not an org) this does not work well.
After reading the last lines of the docs:
If you need a token that requires permissions that aren't available in the GITHUB_TOKEN, you can create a personal access token and set it as a secret in your repository
I think the problem is that the tokens created on the repo don't have enough privileges/can't authenticate me, for some reason.
Can you explain why? Is this detailed somewhere? What am I misunderstanding about the environment secret?
What I normally do is
Create a personal access token with the right permissions
or use GITHUB_TOKEN which is normally enough
I'm setting up a self-hosted github runner on a k8s cluster. The runner deployment requires that I supply it a token so that it can link to the proper repository/github account.
There are a lot of examples that I've seen that use a Personal Access Token as a secret resource. It seems like bad practice to use a single user's PAT for what should be a service account token. I am wondering if there are recommended way to use a repository or organization-level token stored as a secret.
Possibly the GITHUB_TOKEN, but this seems too transient as it appears to expire following the completion of a workflow.
Curious about best practices in this case.
You can create a registration token for an organization following this doc.
From this doc Github recommends that you only use self-hosted runners with private repositories. This is because forks of your public repository can potentially run dangerous code on your self-hosted runner machine by creating a pull request that executes the code in a workflow.
Do not store secrets in the host runner When a GitHub Action uses the self-hosted runner, it clones the code in a workdir _work.We must ensure that no secrets (application, system, ..) are accessible in this folder.
For more information follow this doc.
I'm on the CI part of the course
I'll start by saying all works well, and I could follow the process with ease. However, there something that works, and I cannot figure out how. Lets take this part of the main.yml file:
- name: Log in to GitHub Packages
run: echo ${GITHUB_TOKEN} | docker login -u ${GITHUB_ACTOR} --password-stdin docker.pkg.github.com
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
I have these params like GITHUB_ACTOR and GITHUB_TOKEN, that I didn't define as any part of my code, or write into a panel inside github. Are they automaticly filled in by github? If I change my token, will this code still work?
Thanks in advance
This is documented in "Automatic token authentication"
At the start of each workflow run, GitHub automatically creates a unique GITHUB_TOKEN secret to use in your workflow.
You can use the GITHUB_TOKEN to authenticate in a workflow run.
When you enable GitHub Actions, GitHub installs a GitHub App on your repository.
The GITHUB_TOKEN secret is a GitHub App installation access token. You can use the installation access token to authenticate on behalf of the GitHub App installed on your repository. The token's permissions are limited to the repository that contains your workflow
You have Default environment variables, including:
GITHUB_ACTOR: The name of the person or app that initiated the workflow.
For example, octocat.
The official boilerplate code injects the npm token as follows
NODE_AUTH_TOKEN: ${{secrets.npm_token}}
How do I access and set this variable? I cant find it in the GUI.
Go to your project in Github
Select the Settings tab
Click the Secrets section in the left hand menu
Add a new secret and provide a name (e.g. npm_token) and a value.
In addition to the GUI, you now (January 2020) have a GitHub Actions API(!, still beta though), as announced here.
And it does include a GitHub Actions Secrets API:
Create or update an repository secret:
Creates or updates an organization secret with an encrypted value. Encrypt your secret using LibSodium.
You must authenticate using an access token with the admin:repo scope to use this endpoint.
GitHub Apps must have the secrets organization permission to use this endpoint.
PUT /repos/{owner}/{repo}/actions/secrets/{secret_name}
Get a repository secret
Gets a single secret without revealing its encrypted value.
Anyone with write access to the repository can use this endpoint.
GitHub Apps must have the secrets permission to use this endpoint.
GET /repos/:owner/:repo/actions/secrets/:name
So the GUI is no longer the sole option: you can script and get/set an Actions secret through this new API.
This page is hard to find, but it exists in the official docs here: Creating and using secrets (encrypted variables).
Copied from the docs below for convenience:
Secret names cannot include any spaces. To ensure that GitHub redacts
your secret in logs, avoid using structured data as the values of
secrets, like JSON or encoded Git blobs.
On GitHub, navigate to the main page of the repository.
Under your repository name, click Settings.
In the left sidebar, click Secrets.
Type a name for your secret in the "Name" input box.
Type the value for your secret.
Click Add secret.
The link above has a bit more info around using secrets as well.
I've created a simple CLI that can help you achieve that - https://github.com/unfor19/githubsecrets
This CLI is based on the official API. You can install it with pip or use Docker, read the README.md for more information
To encrypt GitHub tokens to use them in your .travis.yml you seem to need the Travis CI CLI tool - which I can't install right now.
Therefore I didn't put the GitHub token in my .travis.yml but rather created a new environment variable GITHUB_TOKEN in the repository settings at https://travis-ci.org and use it like this:
github_token: $GITHUB_TOKEN
Now I can use the token to deploy to GitHub releases, for example.
Is this safe? Or are my environment variables in Travis CI somehow publicly accessible?
I found out by now: No, in general, they're not public. Yes, if you follow some rules, it seems perfectly safe to use them for sensitive information. To quote directly from the docs at https://docs.travis-ci.com/user/environment-variables#Defining-Variables-in-Repository-Settings about environment variables:
Define variables in the Repository Settings that (...) contain sensitive data, such as third-party credentials.
Some reasonable rules to keep in mind:
Most importantly: Hide them from the logs with the ON/OFF switch in the settings.
By default, the value of these new environment variables is hidden from the export line in the logs. This corresponds to the behavior of encrypted variables in your .travis.yml. The variables are stored encrypted in our systems, and get decrypted when the build script is generated.
Define them correctly with " if necessary.
These values are used directly in your build, so make sure to escape special characters (for bash) accordingly. In particular, if a value contains spaces, you should put quotes around that value. E.g. my secret passphrase should be written "my secret passphrase".
Also important to know: even if your environment variables are hidden in the logs, someone could still submit a pull request to your repository with malicious code and access the variable this way. Therefore, the variables are not available within builds from pull requests:
Similarly, we do not provide these values to untrusted builds, triggered by pull requests from another repository.