How to use a token alternative to GITHUB_TOKEN for a Github action? - github

I'm trying to add a Github Actions workflow to a repository. This action is from a third party and I'm not sure how much I can trust it so I'd prefer to use a dedicated secret instead of using the standard GITHUB_TOKEN. Is this a good practice?
I'm trying to do something like:
name: 'coverage'
on:
  pull_request:
    branches:
      - master
      - main
jobs:
  coverage:
    runs-on: ubuntu-latest
    if: "!contains(github.event.head_commit.message, '[skip ci]')"
    steps:
      - uses: actions/checkout@v1
      - uses: unreliable/action@v1
        with:
          github-token: ${{ secrets.NEW_SECRET_TOKEN }}
where secrets.NEW_SECRET_TOKEN is a repo secret.
But what I get is a 401 error, bad credentials. How can I use NEW_SECRET_TOKEN for my new action?

You can add them in repo settings -> Secrets.
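As an added diagnostic, not part of the question or the answer above: a small Python preflight that asks the GitHub API who a token belongs to before that token is handed to a third-party action, so a genuine "bad credentials" 401 can be told apart from a token that is simply empty. The secret name NEW_SECRET_TOKEN comes from the question; the GITHUB_API constant, the function names and the classification strings are this example's own.

```python
# Added example, not from the original question or answer.  Checks that a
# dedicated token is accepted by the GitHub API (GET /user) before a workflow
# hands it to a third-party action.  Names below are this example's own.
import os
import urllib.error
import urllib.request

GITHUB_API = "https://api.github.com"  # public API base URL


def interpret_user_response(status, headers):
    """Classify the outcome of GET /user for a token.

    Returns (ok, detail).  On success, detail is the list of scopes GitHub
    reports in the X-OAuth-Scopes header for a classic PAT; fine-grained
    tokens and the built-in GITHUB_TOKEN do not set that header, so an
    empty list is not an error by itself.
    """
    if status == 401:
        return False, "bad credentials: token empty, revoked, or mistyped"
    if status == 403:
        return False, "token recognised but request forbidden (e.g. rate limited)"
    if status != 200:
        return False, f"unexpected HTTP status {status}"
    raw = headers.get("X-OAuth-Scopes", "") or ""
    scopes = [s.strip() for s in raw.split(",") if s.strip()]
    return True, scopes


def check_token(token, api=GITHUB_API):
    """Perform the live request and classify the answer.

    An empty token is rejected locally and named as such: in a workflow, a
    secret that is not defined for the repository expands to an empty
    string, and the API answers that with 401 exactly like a revoked token.
    """
    if not token:
        return False, "token is empty (is the secret defined for this repository?)"
    req = urllib.request.Request(
        f"{api}/user",
        headers={
            "Authorization": f"token {token}",
            "Accept": "application/vnd.github+json",
        },
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return interpret_user_response(resp.status, resp.headers)
    except urllib.error.HTTPError as err:
        # 401/403 arrive as exceptions; classify them the same way.
        return interpret_user_response(err.code, err.headers)


if __name__ == "__main__":
    ok, detail = check_token(os.environ.get("NEW_SECRET_TOKEN", ""))
    print("token OK, scopes:" if ok else "token check FAILED:", detail)
```

Run it as a step placed before the third-party action, with the secret exported into the environment (env: NEW_SECRET_TOKEN: ${{ secrets.NEW_SECRET_TOKEN }}); a non-zero list of scopes also tells you what the dedicated token is able to reach, which is the thing to keep minimal when the action it is given to is not fully trusted.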

How to trigger a workflow from another workflow using GitHub Actions?

I want to read the version from a file and create a tag like v11.0.5.1.aws using the workflow. Then I want to use that tag in the docker image.
For that, I have created a branch called devops.
First I created a VERSION file as:
1.1.3 20 Apr, 2022
Then I created a workflow as release-version.yml:
name: Release Version
on:
  push:
    branches:
      - devops
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - name: Bump version and push tag
        uses: melheffe/version_release_composer@master
        env:
          PREPEND: 'v'
          APPEND: '.aws' # must include '.' or it will append without separation
          DRAFT: 'false'
          PRERELEASE: 'true'
          TOKEN: ${{ secrets.AUTH_TOKEN }}
          TRIGGER: ${{ github.event.pull_request.base.ref }} # can use the triggering branch or define a fixed one like this: 'master'
          REPO_OWNER: rohit
          VERSION_FILE_NAME: 'VERSION'
Then I created another workflow, ci.yml, which will get the tag from the release-version workflow:
name: CI
# Only trigger, when the build workflow succeeded
on:
  workflow_run:
    workflows: ["Release Version"]
    types:
      - completed
jobs:
  # This workflow contains a single job called "build"
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
  DeployDev:
    # Steps represent a sequence of tasks that will be executed as part of the job
    name: Deploy to Dev
    needs: [build] # job ids are case-sensitive; must match the "build" job above
    runs-on: ubuntu-latest
    environment:
      name: Dev
    steps:
      - uses: actions/checkout@v2
        with:
          token: ${{ secrets.AUTH_TOKEN }}
      - name: Build, tag, and push image to Amazon ECR
        id: build-image
        #env:
        #  IMAGE_TAG: ${{ github.sha }}
        run: |
          # Build a docker container and push it to ECR so that it can
          # be deployed to ECS.
          echo "$GITHUB_REF_NAME"
          docker build -t ${{secrets.ECR_REPO_URI}}/${{secrets.REPO_NAME}}:$GITHUB_REF_NAME .
          docker push ${{secrets.ECR_REPO_URI}}/${{secrets.REPO_NAME}}:$GITHUB_REF_NAME
I'm able to trigger the release-version workflow after making changes on the devops branch, but the ci workflow is not getting triggered after the release-version workflow runs.
Any suggestion would be helpful.
If the workflow_run trigger isn't working as expected, there are two other ways to achieve what you want (triggering a workflow from another workflow, sending an input parameter from the first one to use in the second one).
The workflow_dispatch event.
The repository_dispatch event.
The documentation is very good about how to use them, but I'll add here some references that can help as well:
Triggering Github Action using a POST request (Github REST API)
How to trigger a workflow_dispatch from Github API?
Triggering GitHub workflow using gh CLI
As you can see, you can trigger those events using the Github API directly in a step (with a CURL request) or using some actions from the Github Marketplace that perform the same operation.
The answer below also explains the difference between both events (as they are similar, and CURL payload differences may be confusing)
Correct request with client-payload to run workflow_dispatch in github action
I'll also add here an example that can be useful to understand how to use the repository_dispatch event to receive a callback from the other workflow to the first one:
workflow A
workflow B
Note that you will also need to use a PAT to trigger a workflow using a dispatch event.

prevent git action from maintainers branch

We have a repo with a GitHub Action, for example:
name: our-deployment
on:
  push:
    branches:
      - main
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: checkout code
        uses: actions/checkout@v2
      - name: setup environment
        run: echo "${{ secrets.SUPERSECRETENVVARIABLE }}"
      ...
We also have a branch protection rule: pushing directly to master is not allowed.
At least, we do not want to give (external) maintainers the ability to push unapproved code to the cloud (function) or to access our secrets.
But one of the maintainers came up with the idea to simply add his branch name to the push-on-branches array in his branch 🙄
name: our-deployment
on:
  push:
    branches:
      - main
      - maintainers-branch
... and everything went live ...
Also, if he had bad intentions, he could find a way to read our secret credentials with a custom action.
That leads me to my question:
Is it possible, and how, to prevent execution of actions from any branch other than the default branch?
Maybe something similar to "branch protection rules", à la "action protection rules" 😅

Prevent Github Action workflow from running on pull requests

This is the first workflow I'm writing with Github Actions; I am using this workflow combined with AWS CodeDeploy to automate deployment.
# .github/workflows/deployment.yml
on:
  push:
    branches:
      - Production
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: //AWS_ACCESS_KEY_ID
          aws-secret-access-key: //AWS_SECRET_KEY
          aws-region: // region
      - uses: actions/checkout@v2
      - id: deploy
        uses: webfactory/create-aws-codedeploy-deployment@v0.2.2
      - uses: peter-evans/commit-comment@v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          body: |
            @${{ github.actor }} this was deployed as [${{ steps.deploy.outputs.deploymentId }}](https://console.aws.amazon.com/codesuite/codedeploy/deployments/${{ steps.deploy.outputs.deploymentId }}?region=eu-central-1) to group `${{ steps.deploy.outputs.deploymentGroupName }}`.
Everything is working perfectly when I push new commits to the branch "Production", but the problem is that with every new pull request to merge feature branches into the "dev" branch, Github runs checks on the pull request and executes the workflow, which is not needed and not written in its code.
I found the cause. In previous commits, I had the workflow written with the pull_request event trigger, and feature branches that are still not up to date with the workflow.yml still use the old version, which has the "on pull request" event trigger.

How to use snippets in Github action workflow file to avoid duplicates?

Problem: We use GitHub Actions workflows for CI and we have many GitHub repositories. I need to be able to change everything that is repeated across repositories for every repository at once.
Is it possible to use, in a GitHub Actions workflow yml file, some snippet that is located, say, in a different repository?
You can include other public and local actions in your workflow, which lets you reuse common steps. Using versioned actions with {owner}/{repo}@{ref}:
steps:
  - uses: actions/setup-node@74bc508 # Reference a specific commit
  - uses: actions/setup-node@v1      # Reference the major version of a release
  - uses: actions/setup-node@v1.2    # Reference a minor version of a release
  - uses: actions/setup-node@master  # Reference a branch
..or local actions with ./path/to/dir:
jobs:
  my_first_job:
    steps:
      - name: Check out repository
        uses: actions/checkout@v2
      - name: Use local my-action
        uses: ./.github/actions/my-action
https://help.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsuses
One way of doing this is having a central CICD / GitHub actions repository with shared workflows which are triggered on repository_dispatch events.
on:
  repository_dispatch:
    types:
      - your_event
jobs:
  job1:
    name: Do something
    runs-on: ubuntu-latest
    env:
      SOURCE_BRANCH: ${{ github.event.client_payload.source_branch }}
      SOURCE_REPO: ${{ github.event.client_payload.source_repo }}
    # do all your stuff
Then in each github repo you write a small workflow file which outlines the triggers for the local repo, pushing to master / opening a PR etc. That action simply dispatches a repository_dispatch event to your central CICD repo with the repo and branchname it came from.
name: Trigger external CICD
on:
  push:
    branches:
      - master
jobs:
  trigger_cicd:
    name: Trigger external CICD
    runs-on: ubuntu-latest
    steps:
      - name: Send repository_dispatch event
        uses: peter-evans/repository-dispatch@v1
        with:
          token: ${{ secrets.CICD_GITHUB_TOKEN }}
          repository: yourorg/centralcicdrepo
          event-type: ${{ env.EVENT_TYPE }}
          client-payload: '{"source_branch": "${{ github.ref }}", "source_repo": "${{ github.repository }}" }'
One gotcha is that you need an access token to talk between repos, in the above example it's added as a secret called CICD_GITHUB_TOKEN. The easiest is to just use your own account but this will label all your central CICD runs as 'triggered by you'. You can also create a bot account or you can have each developer add their access tokens as secrets then map the right author to the right access token.
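The two dispatch events named in the answer to the workflow_run question above, and the repository_dispatch hand-off in the central-CICD answer here, differ mainly in their request URL and payload shape, which is what the curl payload confusion mentioned above comes down to. The following Python is an added example, not code from either answer or from any action on this page: it builds both requests so the difference is visible side by side, and posts one of them with a PAT. The yourorg/centralcicdrepo name, the your_event type, the client_payload keys and the CICD_GITHUB_TOKEN secret are taken from the page; the function names, the ci.yml file name and the GITHUB_API constant are this example's assumptions.

```python
# Added example, not from either answer on the page.  Builds the two dispatch
# requests (workflow_dispatch vs repository_dispatch) and sends one with a PAT.
import json
import os
import urllib.request

GITHUB_API = "https://api.github.com"  # public API base URL (assumption)


def workflow_dispatch_request(owner, repo, workflow_file, ref, inputs=None):
    """workflow_dispatch targets ONE workflow file on a given git ref.

    Values travel under "inputs"; each key must be declared in that
    workflow's on.workflow_dispatch.inputs block and the API expects the
    values as strings, so they are stringified here.
    """
    url = f"{GITHUB_API}/repos/{owner}/{repo}/actions/workflows/{workflow_file}/dispatches"
    body = {"ref": ref}
    if inputs:
        body["inputs"] = {k: str(v) for k, v in inputs.items()}
    return url, body


def repository_dispatch_request(owner, repo, event_type, client_payload=None):
    """repository_dispatch targets the REPOSITORY, not a file.

    Every workflow whose on.repository_dispatch.types contains event_type
    runs, always from the default branch.  Free-form JSON travels under
    "client_payload" and is read back as github.event.client_payload.
    """
    url = f"{GITHUB_API}/repos/{owner}/{repo}/dispatches"
    body = {"event_type": event_type}
    if client_payload:
        body["client_payload"] = client_payload
    return url, body


def send_dispatch(url, body, token):
    """POST the prepared request; GitHub answers 204 No Content on success."""
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        method="POST",
        headers={
            "Authorization": f"token {token}",
            "Accept": "application/vnd.github+json",
            "Content-Type": "application/json",
        },
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # Mirrors the "Trigger external CICD" workflow above: forward the caller's
    # ref and repository name to the central repo.  GITHUB_REF and
    # GITHUB_REPOSITORY are the runner's standard environment variables.
    token = os.environ["CICD_GITHUB_TOKEN"]
    url, body = repository_dispatch_request(
        "yourorg", "centralcicdrepo", "your_event",
        {"source_branch": os.environ.get("GITHUB_REF", ""),
         "source_repo": os.environ.get("GITHUB_REPOSITORY", "")},
    )
    print("dispatch status:", send_dispatch(url, body, token))
```

workflow_dispatch needs the target workflow to declare on.workflow_dispatch (and any inputs it accepts) on the ref you pass, whereas repository_dispatch runs the listening workflows from the default branch regardless of where the caller is. In both cases the token must have access to the target repository; when that repository is a different one, as in both answers, that means a PAT rather than the calling run's own GITHUB_TOKEN, and the PAT should be scoped to that repository only, since whoever can push to the calling repo can make it send dispatches.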
There is currently (Feb. 3, 2021) no supported method for reusing workflows or snippets from a centralized repository. There are hacks, as Michael Parker has cleverly demonstrated, but these come with significant downsides (eg. observability, opacity, etc.).
I've written this blog post that describes the problem you have in more detail, along with an open-source solution.
––
Similar topics:
DRYing GH Actions workflows
External workflow configuration
Bringing this issue to GH's attention:
Raise this issue with GH
GH Roadmap item

Github Actions checkout seem to not be able to authenticate my user

So I'm quite new to Github actions and trying to implement an action in a workflow.
I need to clone/checkout repo_2 into where my workflow is located, repo_1. Both are private repos.
It looks like this
job:
  name: Cloning private repo
  runs-on: ubuntu-latest
  steps:
    - name: Cloning
      uses: actions/checkout@v1
      with:
        repository: my-username/repo_2
        token: ${{ secrets.PAT }}
I created a PAT and added it as a secret to repo_2. However, whenever I run the workflow I get the following error:
[error]fatal: repository 'https://github.com/my-username/repo_2/' not found
It seems to me like the authentication couldn't be verified. Is this what's happening? How do I fix it?