How to set secrets in Github Actions? - github

The official boilerplate code injects the npm token as follows
NODE_AUTH_TOKEN: ${{secrets.npm_token}}
How do I access and set this variable? I can't find it in the GUI.

Go to your project in Github
Select the Settings tab
Click the Secrets section in the left hand menu
Add a new secret and provide a name (e.g. npm_token) and a value.

In addition to the GUI, you now (January 2020) have a GitHub Actions API (still beta, though), as announced here.
And it does include a GitHub Actions Secrets API:
Create or update a repository secret:
Creates or updates an organization secret with an encrypted value. Encrypt your secret using LibSodium.
You must authenticate using an access token with the admin:repo scope to use this endpoint.
GitHub Apps must have the secrets organization permission to use this endpoint.
PUT /repos/{owner}/{repo}/actions/secrets/{secret_name}
Get a repository secret
Gets a single secret without revealing its encrypted value.
Anyone with write access to the repository can use this endpoint.
GitHub Apps must have the secrets permission to use this endpoint.
GET /repos/:owner/:repo/actions/secrets/:name
So the GUI is no longer the sole option: you can script and get/set an Actions secret through this new API.
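The encryption step the API requires, as an added example that is not code from the answer above: it seals the value with PyNaCl (libsodium) to the repository public key and builds the PUT request without sending it. The public-key endpoint, the owner/repo/token values and the name rules beyond "no spaces" are assumptions taken from GitHub's docs, not from this page.

```python
"""Create or update a GitHub Actions repository secret through the REST API.
Added example, not from the original answer. The value must be sealed with a
libsodium sealed box to the repository's public key (assumed: fetched from
GET /repos/{owner}/{repo}/actions/secrets/public-key) before the PUT.
Requires PyNaCl (pip install pynacl) for the encryption step."""
import json
import re
from base64 import b64decode, b64encode
from urllib.request import Request

try:
    from nacl import encoding, public  # PyNaCl binds libsodium
except ImportError:  # name/URL helpers still work; encryption needs PyNaCl
    public = None

API = "https://api.github.com"


def validate_secret_name(name: str) -> bool:
    """Docs rule quoted above: no spaces. Assumed from GitHub docs: only
    [A-Za-z0-9_], not starting with a digit or the GITHUB_ prefix."""
    ok = re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", name) is not None
    return ok and not name.upper().startswith("GITHUB_")


def secret_url(owner: str, repo: str, name: str) -> str:
    return f"{API}/repos/{owner}/{repo}/actions/secrets/{name}"


def encrypt_secret(repo_public_key_b64: str, value: str) -> str:
    """Seal `value`: only the holder of the matching private key (GitHub) can open it."""
    if public is None:
        raise RuntimeError("PyNaCl is required to encrypt secrets")
    pk = public.PublicKey(repo_public_key_b64.encode(), encoding.Base64Encoder())
    sealed = public.SealedBox(pk).encrypt(value.encode())
    return b64encode(sealed).decode()


def build_put_request(owner, repo, name, token, key_id, encrypted_value) -> Request:
    """PUT /repos/{owner}/{repo}/actions/secrets/{secret_name}; built, not sent."""
    if not validate_secret_name(name):
        raise ValueError(f"invalid secret name: {name!r}")
    body = json.dumps({"encrypted_value": encrypted_value, "key_id": key_id}).encode()
    return Request(secret_url(owner, repo, name), data=body, method="PUT",
                   headers={"Authorization": f"token {token}",
                            "Accept": "application/vnd.github.v3+json"})


def roundtrip_ok(value: str) -> bool:
    """Self-check with a throwaway keypair standing in for GitHub's."""
    sk = public.PrivateKey.generate()
    pk_b64 = sk.public_key.encode(encoding.Base64Encoder()).decode()
    opened = public.SealedBox(sk).decrypt(b64decode(encrypt_secret(pk_b64, value)))
    return opened.decode() == value
```

The key_id sent in the body is the one returned alongside the public key, so GitHub knows which private key to open the box with.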

This page is hard to find, but it exists in the official docs here: Creating and using secrets (encrypted variables).
Copied from the docs below for convenience:
Secret names cannot include any spaces. To ensure that GitHub redacts
your secret in logs, avoid using structured data as the values of
secrets, like JSON or encoded Git blobs.
On GitHub, navigate to the main page of the repository.
Under your repository name, click Settings.
In the left sidebar, click Secrets.
Type a name for your secret in the "Name" input box.
Type the value for your secret.
Click Add secret.
The link above has a bit more info around using secrets as well.

I've created a simple CLI that can help you achieve that - https://github.com/unfor19/githubsecrets
This CLI is based on the official API. You can install it with pip or use Docker; read the README.md for more information.

Related

Github Actions: using custom secret v GITHUB_TOKEN

I've read several tutorials and the docs for adding secrets. This is what confuses me:
If you go to github.com/username/repo -> Settings->Secrets->Actions
You can create a secret, which apparently you could reference from that repo using ${{ secrets.MYSEC }}. For me as a user at least (not an org) this does not work well.
After reading the last lines of the docs:
If you need a token that requires permissions that aren't available in the GITHUB_TOKEN, you can create a personal access token and set it as a secret in your repository
I think the problem is that the tokens created on the repo don't have enough privileges/can't authenticate me, for some reason.
Can you explain why? Is this detailed somewhere? What am I misunderstanding about the environment secret?
What I normally do is
Create a personal access token with the right permissions
or use GITHUB_TOKEN which is normally enough

Create user-wide secrets Github

I am setting up Actions in Github, some of them require a Token for authentication. This is the process I follow to generate them, which is detailed in the Actions Docs:
Go to my Account, generate a PAT
Go to the project and add a Secret using that PAT value
Add the variable name in the Action yml file, for example:
env:
  # used by semantic-release to authenticate at github and write to master
  # I used the developer tab to generate the token and then paste it to several projs
  # as a secret
  GH_TOKEN: ${{secrets.GH_TOKEN}}
  # used by semantic release to authenticate when publishing to npm
  # Generate it in NPM (you just need to be registered at npm which is simple)
  NPM_TOKEN: ${{secrets.NPM_TOKEN}}
Now, this is rather tedious, even having a single PAT, I'd still need to create a secret per project.
I have noticed though, that if you create an organization, you can create secrets at the ORG level.
Can you do something similar without having an organization? Can you create user secrets? Or maybe there is a way to use the user settings in the Project's Action?

How can I share encrypted secrets through a pull request in github?

I created a few encrypted secrets in a forked repo and want those secrets to carry over to the main repository when I submit a pull request.
How can I make this happen?
You can define encrypted secrets on a repository or, in your case, organization level, for them to be used in GitHub Actions workflows. But that would not be part of any pull request.
Encrypted secrets are generally not part of a source code base.
But you do have a repository-based approach, like ckelner/encrypted-secrets.
A better alternative is to include in your PR references to an external Vault (like Hashicorp Vault) entries, in which said secrets are stored.

Is it safe to store credentials in github secrets?

Github Secrets provides a way for passing credentials to Github actions, but are they safe enough to be trusted with highly sensitive credentials?
I'm not sure that anyone can really answer that for you. I think it depends how sensitive, and what level of risk you can afford to take.
What I would suggest, if you are concerned about the security of your secrets, is not to use third party GitHub actions directly. Always fork the action and use your fork in workflows. This will prevent the possibility of someone modifying an action you are using to capture secrets and send them to some external server under their control.
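A check that follows from the advice above, as an added example that is not code from the answer: it scans a workflow for `uses:` references that are neither in a namespace you control (your fork) nor pinned to a full commit SHA, since those are the steps a modified upstream action could turn against your secrets. The trusted-owner set and the sample workflow are constructed.

```python
"""Flag workflow steps that run third-party actions from a mutable ref.
Added example, not from the original answer: reports every `uses:` that is
not (a) owned by a namespace you trust or (b) pinned to a 40-hex commit SHA.
Regex-based on purpose so it needs no YAML library."""
import re
from typing import Iterable, List, Tuple

USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def parse_uses(workflow: str) -> List[Tuple[int, str]]:
    """Return (line_no, reference) for each `uses:` line in the workflow."""
    found = []
    for n, line in enumerate(workflow.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            found.append((n, m.group(1)))
    return found


def is_risky(ref: str, trusted_owners: Iterable[str]) -> bool:
    # Local actions and docker images are out of scope for this check.
    if ref.startswith(("./", "docker://")):
        return False
    spec, _, version = ref.partition("@")
    owner = spec.split("/", 1)[0]
    if owner in set(trusted_owners):
        return False  # your own fork: you control what code runs
    return FULL_SHA.match(version) is None  # a tag or branch can be moved


def audit(workflow: str, trusted_owners: Iterable[str]) -> List[Tuple[int, str]]:
    owners = set(trusted_owners)
    return [(n, ref) for n, ref in parse_uses(workflow) if is_risky(ref, owners)]


# Constructed sample workflow, not from the page.
SAMPLE_WORKFLOW = """\
name: publish
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: some-vendor/publish-action@master   # mutable ref, sees the secret
      - uses: my-org/publish-action@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

if __name__ == "__main__":
    for n, ref in audit(SAMPLE_WORKFLOW, {"my-org"}):
        print(f"line {n}: {ref} is not pinned to a commit you control")
```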
Secrets are encrypted environment variables that you create in an organization, repository, or repository environment. The secrets that you create are available to use in GitHub Actions workflows. GitHub uses a libsodium sealed box to help ensure that secrets are encrypted before they reach GitHub and remain encrypted until you use them in a workflow.
For more details see https://docs.github.com/en/actions/security-guides/encrypted-secrets
Add an additional layer of protection by adding an org-level access policy and enabling required reviewers to control environment secrets.

Access raw file on GitHub Enterprise without user having to create token

I have a repo with shell script and want to put single command to run it in readme file, like:
bash <(curl -L <path_to_raw_script_file>)
Raw file urls for GitHub Enterprise look like this: https://raw.github.ibm.com/<user>/<repo>/<branch>/<path_to_file>?token=<token>, where <token> is unique to the file and generated when accessing it via the Raw button in the repository or with the ?raw=true suffix in the url.
The problem is, tokens get invalidated after few days/when file is updated and I wouldn't like to update mentioned command each time token becomes invalid. Is there a way to deal with it?
I know there is a way for a user to create a personal token and use it to log in to github from the machine he's running the script from, but I wanted to keep it as simple as possible.
I was thinking of something like auto-generating that raw file url (since user reading the readme file on github surely does have access to the script located in the same repo), but I am not sure if that's possible.
No input, one-liner.
You can get this link by clicking the raw button in the GHE UI, just remove the token query param at the end.
curl -sfSO https://${USER}:${TOKEN}@${GHE_DOMAIN}/raw/${REPO_OWNER}/${REPO_NAME}/${REF}/${FILE}
I believe you'll always need the tokens - however if you'd like to automate the process you can dynamically request tokens associated with a github Oauth app and not associated with any user profile.
https://developer.github.com/enterprise/2.13/apps/building-oauth-apps/authorizing-oauth-apps/
I know there is a way for a user to create a personal token and use it to log in to GitHub from the machine he's running the script from, but I wanted to keep it as simple as possible.
Actually, using GCM (Git Credential Manager), the PAT will be provided when accessing the raw.xxx URL.
But only with GCM v2.0.692 which supports those URLs. See PR 599.
Fix GitHub Enterprise API URL for raw source code links
This is a simple fix of #598 for GitHub Enterprise instances that use a raw. hostname prefix for raw source code links.
I've verified this fix locally by swapping out the GitHub.dll that is used by Visual Studio.
So it now checks for 'raw.' in the hostname and removes it to get the correct GHE API URL.