GitHub Action appleboy/ssh-action: How do I avoid that the SSH key ends up on the server? - github

To log in from GitHub to my external server I use/test appleboy/ssh-action. As soon as I am on the server I start a git pull to get the latest changes onto the server. However, this also includes the .github/workflows folder. And in a GH action yml file is my SSH password. I would like to avoid this. But I don't know how. Does somebody know how to do this?

You should not store the password in the YAML file itself. Instead, use the GitHub Actions secrets functionality in the repository settings to store the password as a secret, and then pass it in through the environment. For example, you can pipe a secret like so:
- run: echo $PASSWORD | my-program-here
  env:
    PASSWORD: ${{secrets.SSH_PASSWORD}}
You can see an example of how this kind of approach is used in the Git LFS release workflow.
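As an added example (not part of the original answer), here is a small POSIX shell check that fails when a workflow file assigns a password, key or token to a literal value instead of a ${{ secrets.NAME }} reference, which is the pattern the asker wants to avoid having pulled onto the server. The workflow it scans is constructed for this example, and the set of key names it matches is an assumption; extend the pattern for your own action inputs.

```shell
#!/bin/sh
# Added example, not from the original page: fail a workflow file that carries
# a credential as a literal instead of a ${{ secrets.NAME }} reference.
# The key names matched below (password, key, token, ...) are an assumption.

# Print every offending "lineno:text" line of FILE; return 1 if any were found.
find_plaintext_secrets() {
    file="$1"
    # First grep: YAML keys that usually carry credentials, e.g. "password: x"
    # or "- key: ...". Second grep drops lines whose value is a secrets reference.
    hits=$(grep -n -i -E \
        '^[[:space:]]*(-[[:space:]]*)?[A-Za-z0-9_.-]*(password|passwd|passphrase|token|secret|key)[[:space:]]*:' \
        "$file" \
        | grep -v -E '\$\{\{[[:space:]]*secrets\.[A-Za-z0-9_]+[[:space:]]*\}\}' \
        || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Constructed sample workflow: one step hardcodes the SSH password (line 11),
# the other reads it from a repository secret through the environment.
write_sample_workflow() {
    cat >"$1" <<'EOF'
name: deploy
on: push
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: appleboy/ssh-action@master
        with:
          host: example.com
          username: deploy
          password: hunter2
      - run: echo "$PASSWORD" | my-program-here
        env:
          PASSWORD: ${{ secrets.SSH_PASSWORD }}
EOF
}

# Scan the files given on the command line (e.g. .github/workflows/*.yml) and
# exit non-zero if any of them embeds a literal credential.
if [ "$#" -gt 0 ]; then
    status=0
    for f in "$@"; do
        find_plaintext_secrets "$f" || status=1
    done
    exit "$status"
fi
```

Run it as `sh check-workflows.sh .github/workflows/*.yml` from a pre-push hook or an early CI step; on the constructed sample it reports only the `password: hunter2` line, while the `PASSWORD: ${{ secrets.SSH_PASSWORD }}` line passes.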

Where are github secrets stored?

I'm on the CI part of the course.
I'll start by saying all works well, and I could follow the process with ease. However, there is something that works, and I cannot figure out how. Let's take this part of the main.yml file:
- name: Log in to GitHub Packages
  run: echo ${GITHUB_TOKEN} | docker login -u ${GITHUB_ACTOR} --password-stdin docker.pkg.github.com
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
I have these params like GITHUB_ACTOR and GITHUB_TOKEN, that I didn't define in any part of my code or write into a panel inside GitHub. Are they automatically filled in by GitHub? If I change my token, will this code still work?
Thanks in advance
This is documented in "Automatic token authentication"
At the start of each workflow run, GitHub automatically creates a unique GITHUB_TOKEN secret to use in your workflow.
You can use the GITHUB_TOKEN to authenticate in a workflow run.
When you enable GitHub Actions, GitHub installs a GitHub App on your repository.
The GITHUB_TOKEN secret is a GitHub App installation access token. You can use the installation access token to authenticate on behalf of the GitHub App installed on your repository. The token's permissions are limited to the repository that contains your workflow.
You have Default environment variables, including:
GITHUB_ACTOR: The name of the person or app that initiated the workflow.
For example, octocat.

Github login best way from CLI / Git Bash

Ever since GitHub changed its policy to not accept username/password anymore, I'm having a difficult time logging in when I push a branch to the remote repo.
I've tried a PKA key, but I forget it sometimes and I have to regenerate. Then I stored it in a plain text file and copy-paste when needed. And this PKA key seems like an API key for one project, instead of a way to log in manually to push changes. This seems to me like not-the-way to go. And I can imagine professionals do this in a better way.
I'm using a Linux machine and git from the terminal. And a Windows 10 machine with Git Bash (Git for Windows). How should I configure my account and computers so that I can easily run git push origin master?
Is it possible to use 2FA in a way where I log in with my account username and password and verify my login with an authenticator app on my phone? And preferably trust my computer from future logins.
It seems like you want to store your credentials globally on your machine. Store your credentials in the global git configuration file.
WARNING: Your credentials will be visible to everyone who uses your machine, but the config file is usually hidden (/.config).
Store your credentials on your machine globally:
git config --global credential.helper store
The next time you enter your credentials, this will store them. On subsequent occasions you won't be prompted to enter credentials anymore.
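Added example, not part of the answer above: the `store` helper writes one plain-text `scheme://user:secret@host` line per credential, so the practical check after enabling it is whether that file is readable by other users and what it holds. The POSIX shell functions below audit such a file: they warn when group or others can read it and list each entry with the secret masked. The store file, its two entries and the masking rule are constructed for this example; the functions assume the store helper's default line format and do not decode percent-encoded user names.

```shell
#!/bin/sh
# Added example, not from the original answer: audit a git-credentials store
# file written by "credential.helper store". Contents below are constructed.

# Mask a secret: keep the first 4 characters, replace the rest with "...".
mask_secret() {
    s="$1"
    case "${#s}" in
        0|1|2|3|4) printf '***' ;;
        *) printf '%s...' "$(printf '%s' "$s" | cut -c1-4)" ;;
    esac
}

# Print "host user masked-secret" for each "scheme://user:secret@host" line
# in FILE. Blank lines, comments and lines without an "@" are skipped.
list_stored_credentials() {
    while read -r line; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        rest="${line#*://}"                 # user:secret@host[/path]
        case "$rest" in
            *@*) ;;
            *) continue ;;
        esac
        userinfo="${rest%%@*}"              # user:secret
        host="${rest#*@}"; host="${host%%/*}"
        user="${userinfo%%:*}"
        secret="${userinfo#*:}"
        printf '%s %s %s\n' "$host" "$user" "$(mask_secret "$secret")"
    done <"$1"
}

# Return 0 if FILE is readable only by its owner (mode 0600 or tighter).
is_owner_only() {
    perm=$(ls -ld "$1" | cut -c5-10)        # group and other permission bits
    [ "$perm" = "------" ]
}

# Warn about loose permissions, list the stored entries, return 1 on a warning.
audit_git_credentials() {
    file="$1"
    status=0
    if ! is_owner_only "$file"; then
        printf 'WARNING: %s is readable by other users on this machine\n' "$file"
        status=1
    fi
    list_stored_credentials "$file"
    return "$status"
}

# Constructed sample store, in the format the store helper writes.
write_sample_store() {
    printf '%s\n' \
        'https://alice:ghp_0123456789abcdef@github.com' \
        'https://deploy:s3cr3tpass@gitlab.example.com' >"$1"
}
```

On a real machine run `audit_git_credentials "$HOME/.git-credentials"`. If the file turns out to be group- or world-readable, `chmod 600` it; if you would rather not keep the token on disk at all, `git config --global credential.helper 'cache --timeout=3600'` keeps it only in memory for an hour.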

How to create a Gitlab webhook to update a mirror repo on Github?

I would like to create a webhook within Gitlab to automatically update a mirror repository on Github, whenever a push event happens. I've checked this page, but I didn't understand how it is done.
My Gitlab version is 6.5. Here is the configuration page:
What should I put in URL? Where do I need to place the script to update the repository?
You don't need a webhook for that. A regular post-receive hook will work very well.
To create and use such a hook you just have to login on the server where your gitlab is installed and create an ssh key for git user.
sudo -u git ssh-keygen -f /home/git/.ssh/reponame_key
(do not type any passphrase when prompted)
Go to your github account and add the public key (it's been created as /home/git/.ssh/reponame_key.pub) to your project as a deploy key.
have a look at https://help.github.com/articles/managing-deploy-keys if you need help with that.
Once that is done, you just have to configure the connection between your git server and github's:
add an alias to git user's ssh configuration (add following lines to /home/git/.ssh/config - create it if it's not present)
Host reponame
    IdentityFile /home/git/.ssh/reponame_key
    HostName github.com
    User git
Now add the new remote (using the alias you just created) to your repository:
cd /home/git/repositories/namespace/reponame.git
git remote add --mirror github reponame:youruser/reponame.git
Now that everything is in place you'll have to create the actual hook:
cd /home/git/repositories/namespace/reponame.git/hooks
echo "exec git push --quiet github &" >> post-receive
chmod 755 post-receive
The last command is very important because git will check if a hook is executable before running it.
That's it!
(Replace reponame, namespace and youruser according to your real accounts and enjoy).
Last note: if you want your name and avatar near commits on github, make sure that the email address you are using on gitlab is one of the addresses linked to your github account as well. You'll see your gitlab username otherwise.
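Added example, not the answer's own hook: the one-liner `exec git push --quiet github &` backgrounds the push and throws away its exit status, so a failed mirror push (expired deploy key, GitHub outage) goes unnoticed. The post-receive script below does the same push against the `github` remote configured above, but only when a branch or tag actually changed, and appends failures to a log. The remote name, the log path and the choice to mirror only `refs/heads/*` and `refs/tags/*` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original answer: a post-receive hook that
# mirrors the bare repository to the "github" remote and logs failures.
# Remote name, log path and the refs filter are assumptions.

MIRROR_REMOTE="${MIRROR_REMOTE:-github}"
MIRROR_LOG="${MIRROR_LOG:-/home/git/mirror.log}"

# git feeds post-receive one "old-sha new-sha refname" line per updated ref on
# stdin. Return 0 if at least one branch or tag changed; updates in other
# namespaces do not trigger a mirror push.
refs_to_mirror() {
    n=0
    while read -r _old _new ref; do
        case "$ref" in
            refs/heads/*|refs/tags/*) n=$((n + 1)) ;;
        esac
    done
    [ "$n" -gt 0 ]
}

# Push to the mirror remote; it was added with --mirror, so a plain push
# replicates every ref. stderr and a failure line go to MIRROR_LOG.
mirror_push() {
    if git push --quiet "$MIRROR_REMOTE" 2>>"$MIRROR_LOG"; then
        return 0
    fi
    printf '%s mirror push to %s failed\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$MIRROR_REMOTE" >>"$MIRROR_LOG"
    return 1
}

# Only act when installed as hooks/post-receive; when the file is sourced
# elsewhere the functions are merely defined.
if [ "$(basename "$0")" = "post-receive" ]; then
    if refs_to_mirror; then
        mirror_push
    fi
    exit 0
fi
```

Install it as `hooks/post-receive` in the bare repository (`chmod 755`, as the answer says) and make sure the `git` user can write `MIRROR_LOG`. Because the push now runs in the foreground, the pusher sees the hook finish; if you want the original fire-and-forget behaviour, wrap the `mirror_push` call in `( ... ) &` and you still keep the log entry.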
If you aren't hosting your own GitLab, GitLab.com has introduced this feature directly, without any workarounds.
From within a project use the gear icon to select Mirror Repository
Scroll down to Push to a remote repository
Checkmark Remote mirror repository: Automatically update the remote mirror's branches, tags, and commits from this repository every hour.
Enter the repository you want to update; for GitHub you can include your username and password in the URL, like so: https://yourgithubusername:yourgithubpassword@github.com/agaric/guts_discuss_resource.git —as noted in the comments, it is much better securitywise to use your GitHub access token here instead of login credentials; will update the answer when i've tested.
For WebHooks processing I'm using the sinatra web server.
require 'sinatra'
require 'json'
post '/pew' do
  puts JSON.parse request.body.read
  # here can be placed signal code to run commit processing script
end
Register a webhook for push events (or others) to http://localhost:4567/pew within GitLab,
and from that moment on GitLab will send commit info to that URL on each commit.

Committing via travis ci failing

I am trying to use grunt-gh-pages extension to commit to my gh-branch. It works fine locally but when I use TRAVIS-CI it fails. It gives the following error message -
Warning: fatal: remote error:
You can't push to git://github.com/tusharmath/tusharm.com.git
Use https://github.com/tusharmath/tusharm.com.git
Use --force to continue.
And when I update the repo option I get the following error -
Warning: remote: Anonymous access to tusharmath/tusharm.com.git denied.
fatal: Authentication failed for 'https://github.com/tusharmath/tusharm.com.git/'
Use --force to continue.
Aborted due to warnings.
So basically I just want Travis-ci to commit the files in the gh-pages branch of my repo. Is there a way to do that?
Update: the final .travis.yml that solved the problem
language: node_js
node_js:
  - '0.11'
before_script:
  - git config --global user.email "tusharmath@gmail.com"
  - git config --global user.name "Travis-CI"
after_script:
  - git config credential.helper "store --file=.git/credentials"
  - echo "https://${GH_TOKEN}:@github.com" > .git/credentials
  - node ./node_modules/grunt-cli/bin/grunt release
env:
  global:
    - secure: "lots-of-seemingly-random-characters"
You certainly can! The first issue, like you discovered, is due to using the git:// URL to push to, but the git protocol can only be used to clone repositories.
As for the "anonymous access denied" error, that's because you need to let Travis log in to your GitHub account in order to push to the repository. Now, you probably don't want to give Travis your GitHub password, and you certainly don't have to. Instead we're going to use OAuth tokens. If you have no idea what that means, don't worry, I'll explain. An OAuth token in most cases works like a password, but it's easier to revoke access to single things.
To generate an OAuth token, go to the GitHub Applications settings page and click "Create new token" under "Personal API Access Token". You probably want to add a note for what this is, that way it's easier to keep track of and easier to revoke if you need to in the future. Note that this token is essentially a password in that it gives access to the same things a password does.
Then, you need to add the token to your .travis.yml file. First, we'll encrypt the token so only Travis can see it. For this, you need the travis Rubygem installed: gem install travis.
travis encrypt GH_TOKEN="the-token-from-github" --add
Your .travis.yml should now look something like this:
…
env:
  global:
    - secure: "lots-of-seemingly-random-characters"
…
Now, in order for Travis to actually use this token, you need to add some more things to your .travis.yml too.
after_script:
  - git config credential.helper "store --file=.git/credentials"
  - echo "https://${GH_TOKEN}:@github.com" > .git/credentials
  - node ./node_modules/grunt-cli/bin/grunt release
This first tells git to look for credentials in the .git/credentials file. This can be any file you want, really, but make sure it's not one you're going to push to GitHub. Then, we add the token to the .git/credentials file. Git now knows that for pushes to https://github.com, it can use your token to authenticate.
You should be all set!
PS: If you only want to push to GitHub if the build passes, you can change after_script to after_success.
The answer by henrikhodne is great, but the solution doesn't work with grunt-gh-pages because it creates another Git repository somewhere in a .grunt/grunt-gh-pages/ sub-directory. Therefore the git config made in the after_script or after_success section is not used by grunt-gh-pages.
It's possible to add GH_TOKEN to repository URL used by grunt-gh-pages in Gruntfile.js like this:
'gh-pages': {
  // your common gh-pages config
  travis: {
    options: {
      repo: 'https://' + process.env.GH_TOKEN + '@github.com/dim2man/csbrowser.git',
      silent: true
    },
    src: ['**']
  }
}
Note the silent: true option, it prevents publishing your token value in Travis logs.
Then your after_script or after_success section can be modified like:
after_success: grunt gh-pages:travis
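Added example, not from either answer above: both answers end up putting the token somewhere it can leak. henrikhodne's version keeps it out of the remote URL by writing a `.git/credentials` line, while the Gruntfile version embeds it in the repo URL, which then lands in `.git/config` and, without `silent: true`, in the build log. The POSIX shell functions below automate the split: given a URL with an embedded token, they return the clean remote URL plus the matching credential-store line, and redact any such URL before it is printed. The sample URLs and the placeholder token are constructed for this example; only http(s) URLs are treated as carrying credentials, so `ssh://git@...` and `git@github.com:` remotes pass through unchanged.

```shell
#!/bin/sh
# Added example, not from the original answers: keep the token out of the
# remote URL (and out of logs). Sample URLs and token are constructed.

# Print URL with any user[:secret] part replaced by "***" (http/https only).
redact_url() {
    url="$1"
    case "$url" in
        http://*@*|https://*@*)
            scheme="${url%%://*}"
            rest="${url#*://}"                  # user[:secret]@host/path
            printf '%s://***@%s\n' "$scheme" "${rest#*@}"
            ;;
        *) printf '%s\n' "$url" ;;
    esac
}

# Split URL into a clean remote URL (line 1) and the credential-store line
# to put in .git/credentials (line 2). A URL without embedded credentials
# yields only line 1.
split_url_credentials() {
    url="$1"
    case "$url" in
        http://*@*|https://*@*)
            scheme="${url%%://*}"
            rest="${url#*://}"
            userinfo="${rest%%@*}"              # token or user:token
            hostpath="${rest#*@}"               # host/path
            host="${hostpath%%/*}"
            printf '%s://%s\n' "$scheme" "$hostpath"
            printf '%s://%s@%s\n' "$scheme" "$userinfo" "$host"
            ;;
        *) printf '%s\n' "$url" ;;
    esac
}

# Given a repo URL with an embedded token, write the credential line to
# CREDFILE and print the clean URL to use as the remote.
move_token_to_store() {
    url="$1"; credfile="$2"
    out=$(split_url_credentials "$url")
    printf '%s\n' "$out" | sed -n 2p >>"$credfile"
    printf '%s\n' "$out" | sed -n 1p
}

# Constructed sample: the Gruntfile's URL with a placeholder token.
SAMPLE_URL="https://ghp_exampletoken@github.com/dim2man/csbrowser.git"
```

Usage in a CI step: `clean=$(move_token_to_store "$SAMPLE_URL" .git/credentials)`, then `git config credential.helper "store --file=.git/credentials"` and point the remote at `$clean`; anything you echo about the remote goes through `redact_url` first. Note that a credential-store line with an empty password (`https://TOKEN:@github.com`, as in the Travis answer) is preserved as written.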

Why does github keep asking me for repo credentials?

We recently moved our GitHub from one account owner to another, and now all of a sudden when I do a git pull or any git command on the remote repo, it asks me for my GitHub username and password.
My git-config says:
[github]
    user = kamilski81
    token = *********
Any idea how I can stop it asking me for credentials and remember everything, does the new owner have to setup my ssh keys or something of that sort?
Following this article sorted it out for me:
https://help.github.com/articles/why-is-git-always-asking-for-my-password
git remote set-url origin git@github.com:user/repo.git
The github username and token in the gitconfig is only used for interactions with the GitHub API (for instance the hub gem and the github tool).
If you are pushing and pulling from a GitHub repository over https, then you need to specify your credentials every time, or hook into a password manager to remember the credentials for you. How to do this depends on your platform.
The easiest thing to do is to go to your github account and submit your SSH public key to your account, and then switch your github remote to push/pull over ssh instead of https.
[edit] After re-reading the question I noticed that you mentioned it was previously a GitHub repo that was just moved from one owner to another. If that's the case, and you ARE able to push and pull by specifying your credentials, it sounds to me to be one of two scenarios:
The previous remote used ssh, and GitHub has your SSH key; but when the owner changed and you updated the remote, you updated it to go over https.
The previous remote used https, but you had a password manager setup correctly to deal with your credentials, which no longer works.
After doing "remote -v"....the issue was that my remote was using an "https" remote rather than "git" remote. Changing the remote to use git rather than https solved everything.
If you execute git pull only once and the Git client keeps asking you for credentials without doing the git pull for you, the problem is probably that your credentials are incorrect or not set up yet.
But if you get a dialog asking for credentials once for each operation, it means that your credentials aren't remembered. To fix that, you may use Pageant to store your SSH private key, so that every time you do something it will retrieve your credentials from Pageant instead of asking you.