GitHub Actions Environment secrets vs Repository secrets All In One
GitHub Actions secrets All In One
Actions secrets
Repository secrets
https://github.com/xgqfrms/xgqfrms/settings/secrets/actions
https://github.com/xgqfrms/xgqfrms/settings/secrets/actions/new
Dependabot secrets
https://github.com/xgqfrms/xgqfrms/settings/secrets/dependabot
https://github.com/xgqfrms/xgqfrms/settings/secrets/dependabot/new
Environment secrets
Secrets stored in an environment are only available to workflow jobs that reference the environment. If the environment requires approval, a job cannot access environment secrets until one of the required reviewers approves it.
This is the practical difference from repository secrets: a repository secret is handed to any job in any workflow of the repository, on any branch, with no approval step, while an environment secret is only handed to a job that declares environment: <name> and has passed that environment's protection rules (required reviewers, wait timer, deployment branches). If a secret with the same name exists at both levels, the environment-level value takes precedence for jobs that reference the environment.
https://github.com/xgqfrms/xgqfrms/settings/environments
https://github.com/xgqfrms/xgqfrms/settings/environments/new
https://github.com/xgqfrms/xgqfrms/settings/environments/596054267/edit
Environment protection rules
Required reviewers
Use required reviewers to require a specific person or team to approve workflow jobs that reference the environment. You can list up to six users or teams as reviewers. The reviewers must have at least read access to the repository. Only one of the required reviewers needs to approve the job for it to proceed.
Wait timer
Use a wait timer to delay a job for a specific amount of time after the job is initially triggered. The time (in minutes) must be an integer between 0 and 43,200 (30 days).
Deployment branches
Use deployment branches to restrict which branches can deploy to the environment. Below are the options for deployment branches for an environment:
All branches: All branches in the repository can deploy to the environment.
Protected branches: Only branches with branch protection rules enabled can deploy to the environment. If no branch protection rules are defined for any branch in the repository, then all branches can deploy.
Selected branches: Only branches that match your specified name patterns can deploy to the environment.
For example, if you specify releases/* as a deployment branch rule, only branches whose name begins with releases/ can deploy to the environment. (Wildcard characters will not match /. To match branches that begin with releases/ and contain an additional single slash, use releases/*/*.)
If you add main as a deployment branch rule, a branch named main can also deploy to the environment.
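The three deployment-branch options above, and the rule that a wildcard never crosses a slash, are easy to get wrong when you reason about which branches can reach an environment's secrets. The following is an added Python illustration (not GitHub's implementation and not code from this blog): it encodes the documented semantics, assuming that * matches any run of characters except / and that everything else in a pattern is literal. The protected_branches set is a constructed input standing in for the repository's branch protection settings.

```python
import re


def branch_pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate a deployment-branch name pattern into an anchored regex.

    Assumed semantics (from the rule described above): "*" matches any run of
    characters except "/", everything else is literal. "**" is not handled.
    """
    regex = re.escape(pattern).replace(r"\*", "[^/]*")
    return re.compile("^" + regex + "$")


def branch_matches(pattern: str, branch: str) -> bool:
    """True if the branch name satisfies the deployment-branch pattern."""
    return branch_pattern_to_regex(pattern).fullmatch(branch) is not None


def can_deploy(policy, branch: str, protected_branches=frozenset()) -> bool:
    """Evaluate the three deployment-branch options for one branch.

    policy is one of:
      ("all",)                      any branch may deploy
      ("protected",)                only branches that have a protection rule;
                                    if the repository has none, every branch may
      ("selected", [pattern, ...])  only branch names matching a pattern
    protected_branches is the set of branch names with protection rules
    (constructed input here; in a real repository it comes from the settings).
    """
    kind = policy[0]
    if kind == "all":
        return True
    if kind == "protected":
        if not protected_branches:
            return True  # no protection rules defined at all: everyone deploys
        return branch in protected_branches
    if kind == "selected":
        return any(branch_matches(p, branch) for p in policy[1])
    raise ValueError(f"unknown deployment-branch policy {kind!r}")


if __name__ == "__main__":
    rules = ("selected", ["releases/*", "main"])
    for name in ["main", "releases/v1.2", "releases/v1/rc1", "feature/x"]:
        print(f"{name:16} -> {can_deploy(rules, name)}")
```

The "Protected branches" branch of can_deploy is the one worth a second look: an environment that selects it in a repository with no branch protection rules is effectively "All branches", so the environment secret is reachable from any branch.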
Environment secrets
Secrets are encrypted environment variables. They are accessible only by GitHub Actions in the context of this environment.
demo
- create environment secrets
- use environment secrets
jobs.<job_id>.environment
name: dev Deployment
on:
  push:
    branches:
      - main
jobs:
  # job name
  dev-deployment:
    runs-on: ubuntu-latest
    # use the environment `dev-env`: this job only receives dev-env secrets
    # after the environment's protection rules (reviewers, wait timer,
    # deployment branches) have passed
    environment: dev-env
    steps:
      - name: deploy
        # ...deployment-specific steps (placeholder command so the step is valid)
        run: echo "deploying to dev-env"
      # use - name + uses
      - name: use a custom GitHub Action
        uses: xgqfrms/github-fe-oss-project-template@v0.0.1
        with:
          # use the token stored as an environment secret in dev-env, secrets.DEV_TOKEN_FOR_MAIN
          ghToken: ${{ secrets.DEV_TOKEN_FOR_MAIN }}
full demo
# This is a basic workflow to help you get started with Actions
name: dev token for main branch
# Controls when the action will run
# Triggers the workflow on push or pull request events, but only for the main branch
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
  # This workflow contains a single job called "dev-deployment"
  dev-deployment:
    # The type of runner that the job will run on (Linux / macOS / Windows)
    runs-on: ubuntu-latest
    # use the environment `dev-env`
    environment: dev-env
    # Steps represent a sequence of tasks that will be executed as part of the job
    steps:
      # Checks out your repository under $GITHUB_WORKSPACE, so your job can access it
      # use - uses
      - uses: actions/checkout@v2
      # use - name + uses
      - name: "use a custom GitHub Action: github fe oss project template"
        uses: xgqfrms/github-fe-oss-project-template@v0.0.1
        with:
          # use the dev-env token, secrets.DEV_TOKEN_FOR_MAIN
          # (a pull_request run triggered from a fork does not receive secrets
          # other than GITHUB_TOKEN, so this input is empty for fork PRs)
          ghToken: ${{ secrets.DEV_TOKEN_FOR_MAIN }}
      # Runs a single command using the runner's shell
      - name: Run a one-line script ✅
        run: echo "running a single command!"
      # Runs a set of commands using the runner's shell
      - name: Run a multi-line script ✅
        run: |
          echo "running multiple commands"
          echo finished
https://github.com/xgqfrms/xgqfrms/blob/main/.github/workflows/dev-env-tetsing.yml
custom github action
- name: github fe oss project template
  uses: xgqfrms/github-fe-oss-project-template@v0.0.1
https://github.com/marketplace/actions/github-fe-oss-project-template
Environments
Environments, environment secrets, and environment protection rules are available in public repositories for all products. Environments in private repositories require a paid plan (GitHub Pro, GitHub Team, or GitHub Enterprise).
Environments are used to describe a general deployment target like production, staging, or development.
Note: on a plan that does not include environments for private repositories (GitHub Free, at the time this was written), you can only configure environments for public repositories. If you convert a repository from public to private, any configured protection rules or environment secrets will be ignored, and you will not be able to configure any environments. If you convert your repository back to public, you will have access to any previously configured protection rules and environment secrets.
REST API
https://docs.github.com/en/rest/deployments/environments
https://docs.github.com/en/rest/actions/secrets
https://docs.github.com/en/rest/deployments/branch-policies
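The environments endpoint linked above (PUT /repos/{owner}/{repo}/environments/{environment_name}) is where the protection rules from the earlier section are set by API. Below is an added Python example, not code from this blog or from GitHub: it builds the request body offline, checks it against the limits quoted on this page (at most six reviewers, wait timer between 0 and 43,200 minutes, the branch-policy options), and reports whether the resulting environment actually adds any protection over a plain repository secret. The field names (wait_timer, reviewers with type/id, deployment_branch_policy with protected_branches/custom_branch_policies) are taken from the REST reference as I know it; verify them against the current docs before relying on them. The owner, repo, environment name and token in the usage are placeholders.

```python
import json
from typing import Any, Dict, Iterable, List, Optional

# Limits quoted on this page for environment protection rules.
MAX_REVIEWERS = 6
MAX_WAIT_TIMER_MINUTES = 43_200  # 30 days

# A reviewer entry as the environments endpoint expects it (assumed field names):
# {"type": "User" | "Team", "id": <numeric id>}
Reviewer = Dict[str, Any]


def environment_config_errors(
    wait_timer: int = 0,
    reviewers: Iterable[Reviewer] = (),
    protected_branches: bool = False,
    custom_branch_policies: bool = False,
) -> List[str]:
    """Return the list of rule violations; an empty list means the config is valid."""
    errors: List[str] = []
    reviewers = list(reviewers)
    if isinstance(wait_timer, bool) or not isinstance(wait_timer, int):
        errors.append("wait_timer must be an integer number of minutes")
    elif not 0 <= wait_timer <= MAX_WAIT_TIMER_MINUTES:
        errors.append(f"wait_timer must be between 0 and {MAX_WAIT_TIMER_MINUTES}")
    if len(reviewers) > MAX_REVIEWERS:
        errors.append(f"at most {MAX_REVIEWERS} users or teams may be reviewers")
    for r in reviewers:
        if r.get("type") not in ("User", "Team") or not isinstance(r.get("id"), int):
            errors.append(f"invalid reviewer entry: {r!r}")
    if protected_branches and custom_branch_policies:
        errors.append("protected_branches and custom_branch_policies are mutually exclusive")
    return errors


def build_environment_payload(
    wait_timer: int = 0,
    reviewers: Iterable[Reviewer] = (),
    protected_branches: bool = False,
    custom_branch_policies: bool = False,
) -> Dict[str, Any]:
    """Build the JSON body for the environment PUT call, or raise on a bad config."""
    reviewers = list(reviewers)
    errors = environment_config_errors(wait_timer, reviewers, protected_branches, custom_branch_policies)
    if errors:
        raise ValueError("; ".join(errors))
    branch_policy: Optional[Dict[str, bool]] = None  # None == "All branches"
    if protected_branches or custom_branch_policies:
        branch_policy = {
            "protected_branches": protected_branches,
            "custom_branch_policies": custom_branch_policies,
        }
    return {
        "wait_timer": wait_timer,
        "reviewers": reviewers or None,
        "deployment_branch_policy": branch_policy,
    }


def protection_level(payload: Dict[str, Any]) -> set:
    """Which kinds of protection the environment adds; empty set means none.

    An environment with no reviewers, no wait timer and "All branches" hands its
    secrets to any job that names it, which is no stronger than a repository secret.
    """
    level = set()
    if payload["reviewers"]:
        level.add("approval")
    if payload["wait_timer"] > 0:
        level.add("wait")
    if payload["deployment_branch_policy"] is not None:
        level.add("branch-restriction")
    return level


def environment_put_request(owner: str, repo: str, environment: str, token: str, payload: Dict[str, Any]) -> Dict[str, Any]:
    """Describe the PUT request without sending it (nothing here touches the network)."""
    return {
        "method": "PUT",
        "url": f"https://api.github.com/repos/{owner}/{repo}/environments/{environment}",
        "headers": {"Accept": "application/vnd.github+json", "Authorization": f"Bearer {token}"},
        "body": json.dumps(payload),
    }


if __name__ == "__main__":
    # Placeholder owner/repo/token; the reviewer id is a constructed value.
    body = build_environment_payload(wait_timer=15, reviewers=[{"type": "Team", "id": 42}], protected_branches=True)
    print(protection_level(body))
    print(environment_put_request("xgqfrms", "xgqfrms", "dev-env", "<token>", body)["body"])
```

The check to keep from this is protection_level: declaring environment: dev-env in a job only gates the secret if dev-env has at least one protection rule configured, and a wait timer alone only delays the job rather than requiring anyone to approve it.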
refs
https://docs.github.com/en/actions/reference/encrypted-secrets
©xgqfrms 2012-2020
www.cnblogs.com/xgqfrms: published articles are accessible to registered users only!
Original article, copyright ©️xgqfrms, reproduction prohibited, infringement will be pursued ⚠️!