GitHub Secrets All In One

https://docs.github.com/en/free-pro-team@latest/actions/reference/encrypted-secrets

Secrets are environment variables that are encrypted. Anyone with collaborator access to this repository can use these secrets for Actions.

Secrets are not passed to workflows that are triggered by a pull request from a fork.

Encrypted secrets allow you to store sensitive information, such as access tokens, in your repository.

GitHub Secrets

store sensitive information

https://github.com/xgqfrms/GitHub-Actions-All-in-One/settings/secrets/actions

https://github.com/xgqfrms/GitHub-Actions-All-in-One/settings/secrets/actions/new

https://docs.github.com/en/free-pro-team@latest/actions/reference/encrypted-secrets#naming-your-secrets

ACCESS_TOKEN

1234567890

To make a secret available to an action, you must set the secret as an input or environment variable in the workflow file.

https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsenv

https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions#env

steps:
  - name: access_token action
    with: # Set the secret as an input
      access_token: ${{ secrets.ACCESS_TOKEN }}
    env: # Or as an environment variable
      access_token: ${{ secrets.ACCESS_TOKEN }}

https://docs.github.com/en/free-pro-team@latest/actions/reference/encrypted-secrets#using-encrypted-secrets-in-a-workflow

steps:
  - name: Hello world action
    with: # Set the secret as an input
      super_secret: ${{ secrets.SuperSecret }}
    env: # Or as an environment variable
      super_secret: ${{ secrets.SuperSecret }}

Bash, PowerShell, CMD

Encrypt & decrypt

my_secret.json => my_secret.json.gpg

$ gpg --symmetric --cipher-algo AES256 my_secret.json

# Keep the passphrase: it is used as the value of the GitHub Secrets key

LARGE_SECRET_PASSPHRASE

1234567890

decrypt_secret.sh

#!/bin/sh

# Decrypt the file
mkdir -p "$HOME/secrets"
# --batch to prevent interactive command
# --yes to assume "yes" for questions
gpg --quiet --batch --yes --decrypt --passphrase="$LARGE_SECRET_PASSPHRASE" \
  --output "$HOME/secrets/my_secret.json" my_secret.json.gpg

my_secret.json.gpg => my_secret.json

chmod +x marks the shell script as executable

$ chmod +x decrypt_secret.sh
$ git add decrypt_secret.sh
$ git commit -m "Add new decryption script"
$ git push

From your workflow, use a step to call the shell script and decrypt the secret.

https://github.com/actions/checkout

name: Workflows with large secrets

on: push

jobs:
  my-job:
    name: My Job
    runs-on: ubuntu-latest
    steps:
      # actions/checkout
      - uses: actions/checkout@v2
      - name: Decrypt large secret
        run: ./.github/scripts/decrypt_secret.sh
        env:
          LARGE_SECRET_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
      # This command is just an example to show your secret being printed
      # Ensure you remove any print statements of your secrets. GitHub does
      # not hide secrets that use this workaround.
      - name: Test printing your secret (Remove this step in production)
        run: cat $HOME/secrets/my_secret.json

# For demonstration only; this is the only reason the secret gets printed
{
  "access_token": 1234567890,
  "role": "root",
  "uid": "007",
  "version": "v1.1.1"
}
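
A hardened variant of the decrypt_secret.sh step above, as an added example that is not part of the original post or of the GitHub documentation. It refuses to run when LARGE_SECRET_PASSPHRASE is empty (as it is for pull requests from forks), hands the passphrase to gpg on stdin instead of in its argument list, and creates the output with owner-only permissions. The function name decrypt_secret and its two path arguments are assumptions of this example.

```sh
#!/bin/sh
# Added example: hardened decrypt step for a gpg-encrypted large secret.
# Usage (assumed): ./decrypt_secret.sh my_secret.json.gpg "$HOME/secrets/my_secret.json"
set -eu

decrypt_secret() {
    src=$1   # encrypted input, e.g. my_secret.json.gpg
    dst=$2   # plaintext output path

    # The secret is not injected for pull requests from forks, so the
    # variable is empty there. Stop with a clear error instead of letting
    # gpg fail later with a confusing message.
    if [ -z "${LARGE_SECRET_PASSPHRASE:-}" ]; then
        echo "LARGE_SECRET_PASSPHRASE is empty; refusing to decrypt" >&2
        return 2
    fi
    if [ ! -r "$src" ]; then
        echo "cannot read encrypted file: $src" >&2
        return 3
    fi

    (
        # Subshell so the restrictive umask does not leak to later steps.
        # 077 makes the directory and the decrypted file owner-only.
        umask 077 &&
        mkdir -p "$(dirname "$dst")" &&
        # printf is a shell builtin, and gpg reads the passphrase from
        # fd 0, so the passphrase never appears in any process's argv.
        printf '%s' "$LARGE_SECRET_PASSPHRASE" |
            gpg --quiet --batch --yes --pinentry-mode loopback \
                --passphrase-fd 0 --decrypt --output "$dst" "$src"
    )
}

# Run only when called with both paths, so the file can also be sourced.
if [ "$#" -eq 2 ]; then
    decrypt_secret "$1" "$2"
fi
```

The decrypted file is still plain text on the runner and is not masked in logs, so the `cat` step from the workflow above should not be kept.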

ACCESS_TOKEN

https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token

https://github.com/JamesIves/github-pages-deploy-action/blob/releases/v3/action.yml

name: 'Deploy to GitHub Pages'
description: 'This action will handle the deployment process of your project to GitHub Pages.'
author: 'James Ives <iam@jamesiv.es>'
runs:
  using: 'node12'
  main: 'lib/main.js'
branding:
  icon: 'git-commit'
  color: 'orange'
inputs:
  SSH:
    description: 'You can configure the action to deploy using SSH by setting this option to true. More more information on how to add your ssh key pair please refer to the Using a Deploy Key section of this README.'
    required: false
  ACCESS_TOKEN:
    description: 'Depending on the repository permissions you may need to provide the action with a GitHub personal access token instead of the provided GitHub token in order to deploy. This should be stored as a secret.'
    required: false
  GITHUB_TOKEN:
    description: 'In order for GitHub to trigger the rebuild of your page you must provide the action with the repositories provided GitHub token.'
    required: false
  BRANCH:
    description: 'This is the branch you wish to deploy to, for example gh-pages or docs.'
    required: true
  FOLDER:
    description: 'The folder in your repository that you want to deploy. If your build script compiles into a directory named build you would put it here. Folder paths cannot have a leading / or ./. If you wish to deploy the root directory you can place a . here.'
    required: true
  TARGET_FOLDER:
    description: 'If you would like to push the contents of the deployment folder into a specific directory on the deployment branch you can specify it here.'
    required: false
  BASE_BRANCH:
    description: 'The base branch of your repository which you would like to checkout prior to deploying. This defaults to the current commit SHA that triggered the build followed by master if it does not exist. This is useful for making deployments from another branch, and also may be necessary when using a scheduled job.'
    required: false
  COMMIT_MESSAGE:
    description: 'If you need to customize the commit message for an integration you can do so.'
    required: false
  CLEAN:
    description: 'If your project generates hashed files on build you can use this option to automatically delete them from the deployment branch with each deploy. This option can be toggled on by setting it to true.'
    required: false
    default: 'true'
  CLEAN_EXCLUDE:
    description: "If you need to use CLEAN but you would like to preserve certain files or folders you can use this option. This should be formatted as an array but stored as a string."
    required: false
  GIT_CONFIG_NAME:
    description: "Allows you to customize the name that is attached to the GitHub config which is used when pushing the deployment commits. If this is not included it will use the name in the GitHub context, followed by the name of the action."
    required: false
  GIT_CONFIG_EMAIL:
    description: "Allows you to customize the email that is attached to the GitHub config which is used when pushing the deployment commits. If this is not included it will use the email in the GitHub context, followed by a generic noreply GitHub email."
    required: false
  REPOSITORY_NAME:
    description: "Allows you to speicfy a different repository path so long as you have permissions to push to it. This should be formatted like so: JamesIves/github-pages-deploy-action"
    required: false
  WORKSPACE:
    description: "This should point to where your project lives on the virtual machine. The GitHub Actions environment will set this for you. It is only neccersary to set this variable if you're using the node module."
    required: false
  SINGLE_COMMIT:
    description: "This option can be used if you'd prefer to have a single commit on the deployment branch instead of maintaining the full history."
    required: false
  LFS:
    description: "Migrates files from Git LFS so they can be comitted to the deployment branch."
    required: false
  SILENT:
    description: "Silences the action output preventing it from displaying git messages."
    required: false
  PRESERVE:
    description: "Preserves and restores any workspace changes prior to deployment."
    required: false
outputs:
  DEPLOYMENT_STATUS:
    description: 'The status of the deployment that indicates if the run failed or passed. Possible outputs include: success|failed|skipped'

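GitHub Actions

multi actions

GitHub Actions terminology

CI

Continuous integration

CD

Continuous deployment

  1. workflow

One run of the continuous integration process;

  2. job

One or more jobs make up a workflow;

  3. step

One or more steps make up a job;

  4. action

One or more actions make up a step, and the actions run one after another in order;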

refs

GitHub Actions in Action

https://www.cnblogs.com/xgqfrms/p/12818058.html



xgqfrms 2012-2020
