• xgqfrms™, xgqfrms® : xgqfrms's official website of GitHub!


    GitHub Secrets All In One

    https://docs.github.com/en/free-pro-team@latest/actions/reference/encrypted-secrets

    Secrets are environment variables that are encrypted. Anyone with collaborator access to this repository can use these secrets for Actions.

    Secrets are not passed to workflows that are triggered by a pull request from a fork.

    Encrypted secrets allow you to store sensitive information, such as access tokens, in your repository.

    GitHub Secrets

    store sensitive information

    https://github.com/xgqfrms/GitHub-Actions-All-in-One/settings/secrets/actions

    https://github.com/xgqfrms/GitHub-Actions-All-in-One/settings/secrets/actions/new

    https://docs.github.com/en/free-pro-team@latest/actions/reference/encrypted-secrets#naming-your-secrets

    ACCESS_TOKEN
    1234567890

    To make a secret available to an action, you must set the secret as an input or environment variable in the workflow file

    https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstepsenv

    https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions#env

    steps:
      - name: access_token action
        with: # Set the secret as an input
          access_token: ${{ secrets.ACCESS_TOKEN }}
        env: # Or as an environment variable
          access_token: ${{ secrets.ACCESS_TOKEN }}
    
    

    https://docs.github.com/en/free-pro-team@latest/actions/reference/encrypted-secrets#using-encrypted-secrets-in-a-workflow

    steps:
      - name: Hello world action
        with: # Set the secret as an input
          super_secret: ${{ secrets.SuperSecret }}
        env: # Or as an environment variable
          super_secret: ${{ secrets.SuperSecret }}
    
    

    Bash, PowerShell, CMD

    Encryption & decryption

    my_secret.json => my_secret.json.gpg

    $ gpg --symmetric --cipher-algo AES256 my_secret.json
    
    # Keep the passphrase; it is stored as the value of a GitHub secret
    

    LARGE_SECRET_PASSPHRASE
    1234567890

    decrypt_secret.sh

    #!/bin/sh
    
    # Decrypt the file
    mkdir -p "$HOME/secrets"
    # --batch to prevent interactive command
    # --yes to assume "yes" for questions
    gpg --quiet --batch --yes --decrypt --passphrase="$LARGE_SECRET_PASSPHRASE" \
    --output "$HOME/secrets/my_secret.json" my_secret.json.gpg
    
    

    my_secret.json.gpg => my_secret.json

    chmod +x marks the shell script as executable

    $ chmod +x decrypt_secret.sh
    $ git add decrypt_secret.sh
    $ git commit -m "Add new decryption script"
    $ git push
    
    

    From your workflow, use a step to call the shell script and decrypt the secret.

    https://github.com/actions/checkout

    name: Workflows with large secrets
    
    on: push
    
    jobs:
      my-job:
        name: My Job
        runs-on: ubuntu-latest
        steps:
          # actions/checkout
          - uses: actions/checkout@v2
          - name: Decrypt large secret
            run: ./.github/scripts/decrypt_secret.sh
            env:
              LARGE_SECRET_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
          # This command is just an example to show your secret being printed
          # Ensure you remove any print statements of your secrets. GitHub does
          # not hide secrets that use this workaround.
          - name: Test printing your secret (Remove this step in production)
            run: cat $HOME/secrets/my_secret.json
          # The secret is printed here for demonstration purposes only
    
    
    {
      "access_token": 1234567890,
      "role": "root",
      "uid": "007",
      "version": "v1.1.1"
    }
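
A hardened variant of the decrypt_secret.sh script above, as an added example that is not part of the original post or of GitHub's documentation: it hands the passphrase to gpg on stdin instead of in the argument list (which other processes on the runner can read), creates the plaintext with owner-only permissions, and removes partial output on failure. It assumes GnuPG 2.1 or later; the `ds_` variable names and the return codes are this example's own.

```shell
#!/bin/sh
# Added example: hardened variant of decrypt_secret.sh (GnuPG 2.1+ assumed).
# Usage: ./decrypt_secret.sh my_secret.json.gpg "$HOME/secrets/my_secret.json"

# decrypt_secret <encrypted-file> <output-file>
# Returns 0 on success, 2 on missing input, 1 when decryption fails.
decrypt_secret() {
    ds_enc=$1
    ds_out=$2

    # Fail early with a clear message instead of letting gpg fail obscurely.
    if [ -z "${LARGE_SECRET_PASSPHRASE:-}" ]; then
        echo "LARGE_SECRET_PASSPHRASE is not set" >&2
        return 2
    fi
    if [ ! -f "$ds_enc" ]; then
        echo "encrypted file not found: $ds_enc" >&2
        return 2
    fi

    # The subshell keeps the restrictive umask from leaking into the caller.
    # Under umask 077 a new directory is 0700 and the plaintext file 0600.
    # printf is a builtin in bash and dash, so the passphrase is never placed
    # in a process argument list; gpg reads it from stdin (fd 0).
    (
        umask 077 &&
        mkdir -p "$(dirname "$ds_out")" &&
        printf '%s\n' "$LARGE_SECRET_PASSPHRASE" |
            gpg --quiet --batch --yes --pinentry-mode loopback \
                --passphrase-fd 0 --output "$ds_out" --decrypt "$ds_enc"
    ) || { rm -f "$ds_out"; return 1; }

    # Never leave an empty output file behind.
    [ -s "$ds_out" ] || { rm -f "$ds_out"; return 1; }
}

# Runs only when both arguments are given, so the file can also be sourced.
if [ $# -eq 2 ]; then
    decrypt_secret "$1" "$2"
fi
```

The workflow step does not change: it still supplies LARGE_SECRET_PASSPHRASE through `env`, and the decrypted contents are still not masked in logs.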
    
    
    

    ACCESS_TOKEN

    https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token

    https://github.com/JamesIves/github-pages-deploy-action/blob/releases/v3/action.yml

    name: 'Deploy to GitHub Pages'
    description: 'This action will handle the deployment process of your project to GitHub Pages.'
    author: 'James Ives <iam@jamesiv.es>'
    runs:
      using: 'node12'
      main: 'lib/main.js'
    branding:
      icon: 'git-commit'
      color: 'orange'
    inputs:
      SSH:
        description: 'You can configure the action to deploy using SSH by setting this option to true. More more information on how to add your ssh key pair please refer to the Using a Deploy Key section of this README.'
        required: false
    
      ACCESS_TOKEN:
        description: 'Depending on the repository permissions you may need to provide the action with a GitHub personal access token instead of the provided GitHub token in order to deploy. This should be stored as a secret.'
        required: false
    
      GITHUB_TOKEN:
        description: 'In order for GitHub to trigger the rebuild of your page you must provide the action with the repositories provided GitHub token.'
        required: false
    
      BRANCH:
        description: 'This is the branch you wish to deploy to, for example gh-pages or docs.'
        required: true
    
      FOLDER: 
        description: 'The folder in your repository that you want to deploy. If your build script compiles into a directory named build you would put it here. Folder paths cannot have a leading / or ./. If you wish to deploy the root directory you can place a . here.'
        required: true
    
      TARGET_FOLDER:
        description: 'If you would like to push the contents of the deployment folder into a specific directory on the deployment branch you can specify it here.'
        required: false
    
      BASE_BRANCH:
        description: 'The base branch of your repository which you would like to checkout prior to deploying. This defaults to the current commit SHA that triggered the build followed by master if it does not exist. This is useful for making deployments from another branch, and also may be necessary when using a scheduled job.'
        required: false
    
      COMMIT_MESSAGE:
        description: 'If you need to customize the commit message for an integration you can do so.'
        required: false
    
      CLEAN:
        description: 'If your project generates hashed files on build you can use this option to automatically delete them from the deployment branch with each deploy. This option can be toggled on by setting it to true.'
        required: false
        default: 'true'
    
      CLEAN_EXCLUDE:
        description: "If you need to use CLEAN but you would like to preserve certain files or folders you can use this option. This should be formatted as an array but stored as a string."
        required: false
    
      GIT_CONFIG_NAME:
        description: "Allows you to customize the name that is attached to the GitHub config which is used when pushing the deployment commits. If this is not included it will use the name in the GitHub context, followed by the name of the action."
        required: false
    
      GIT_CONFIG_EMAIL:
        description: "Allows you to customize the email that is attached to the GitHub config which is used when pushing the deployment commits. If this is not included it will use the email in the GitHub context, followed by a generic noreply GitHub email."
        required: false
    
      REPOSITORY_NAME:
        description: "Allows you to speicfy a different repository path so long as you have permissions to push to it. This should be formatted like so: JamesIves/github-pages-deploy-action"
        required: false
    
      WORKSPACE:
        description: "This should point to where your project lives on the virtual machine. The GitHub Actions environment will set this for you. It is only neccersary to set this variable if you're using the node module."
        required: false
    
      SINGLE_COMMIT:
        description: "This option can be used if you'd prefer to have a single commit on the deployment branch instead of maintaining the full history."
        required: false
      
      LFS:
        description: "Migrates files from Git LFS so they can be comitted to the deployment branch."
        required: false
    
      SILENT:
        description: "Silences the action output preventing it from displaying git messages."
        required: false
    
      PRESERVE:
        description: "Preserves and restores any workspace changes prior to deployment."
        required: false
    
    outputs:
      DEPLOYMENT_STATUS:
        description: 'The status of the deployment that indicates if the run failed or passed. Possible outputs include: success|failed|skipped'
    
    

    GitHub Actions

    multi actions

    GitHub Actions terminology

    CI

    Continuous integration

    CD

    Continuous deployment

    1. workflow

    A single run of the continuous integration process;

    2. job

    One or more jobs make up a workflow;

    3. step

    One or more steps make up a job;

    4. action

    One or more actions make up a step, and the actions run in order;

    refs

    GitHub Actions in Action

    https://www.cnblogs.com/xgqfrms/p/12818058.html



    ©xgqfrms 2012-2020



  • Original article: https://www.cnblogs.com/xgqfrms/p/14077100.html