actions / starter-workflows

Accelerating new GitHub Actions workflows
https://github.com/features/actions

How to use environment secret on github action? #785

Closed paulocoutinhox closed 3 years ago

paulocoutinhox commented 3 years ago

Hi,

I'm breaking my head trying to understand how the environment secret works and how I can get this value from Python.

I followed the docs and made two vars:

image

And i tried with:

- name: Ezored - Dist upload
  env:
    EZORED_AWS_KEY_ID: ${{ secrets.EZORED_AWS_KEY_ID }}
    EZORED_AWS_SECRET_KEY: ${{ secrets.EZORED_AWS_SECRET_KEY }}
  run: python make.py target ${{ matrix.config.target }} dist upload --force

and with:

- name: Ezored - Dist upload
  env:
    EZORED_AWS_KEY_ID: ${{ env.EZORED_AWS_KEY_ID }}
    EZORED_AWS_SECRET_KEY: ${{ env.EZORED_AWS_SECRET_KEY }}
  run: python make.py target ${{ matrix.config.target }} dist upload --force

In both cases Python cannot get the value using os.getenv("EZORED_AWS_KEY_ID").

What do I need to do?

AverageComet250 commented 3 years ago

Two things:

  1. You should use os.environ() not os.getenv() as the environ command can also get environment variables from .env files.

  2. Instead of putting it in your environmental variables and using the os.environ() command, you can just reference the secret directly. E.g. secret = {{ secret.GIT_TOKEN }}.

madchap commented 3 years ago

If you're using a fork model, it seems that it's not possible.

E.g. The upstream repo has the secrets configured. I push a PR from my fork. It's all empty.

Seems there is a way for private repo and all: https://github.blog/2020-08-03-github-actions-improvements-for-fork-and-pull-request-workflows/

konradpabjan commented 3 years ago

Please direct questions like this to our community forum: https://github.community/c/code-to-cloud/github-actions/41

Issues in this repositories should only be related to our starter workflows 🙇‍♂️

maheshj01 commented 3 years ago

2. secret = {{ secret.GIT_TOKEN }}.

@AverageComet250 You mean we can directly access the token in code? I want to access it in the Dart programming language; will that work?

AverageComet250 commented 3 years ago

@maheshmnj I'm pretty sure you can but you should try it yourself, and this post is dead since no one has used it for 2 months so you have technically necro posted

123MwanjeMike commented 3 years ago

You should enclose the variable in quotes. Instead of this:

EZORED_AWS_KEY_ID: ${{ secrets.EZORED_AWS_KEY_ID }}
EZORED_AWS_SECRET_KEY: ${{ secrets.EZORED_AWS_SECRET_KEY }}

Do this:

EZORED_AWS_KEY_ID: '${{ secrets.EZORED_AWS_KEY_ID }}'
EZORED_AWS_SECRET_KEY: '${{ secrets.EZORED_AWS_SECRET_KEY }}'

maheshj01 commented 3 years ago

You should enclose the variable in quotes. Instead of this:

EZORED_AWS_KEY_ID: ${{ secrets.EZORED_AWS_KEY_ID }}
EZORED_AWS_SECRET_KEY: ${{ secrets.EZORED_AWS_SECRET_KEY }}

Do this:

EZORED_AWS_KEY_ID: '${{ secrets.EZORED_AWS_KEY_ID }}'
EZORED_AWS_SECRET_KEY: '${{ secrets.EZORED_AWS_SECRET_KEY }}'

Thanks, I found the simplest way to do this answered here: https://stackoverflow.com/a/67998780/8253662

ssi-anik commented 3 years ago

@maheshmnj what's the difference between Paulo's yml settings and SO answer?

maheshj01 commented 3 years ago

@ssi-anik, I am not sure about his approach but one thing I understand is you cannot use Github secret outside of the yml file, regarding the SO approach you can read more in detail about it in this medium blog post

implermine commented 3 years ago

I don't know if you're still looking for solutions to this problem, but you could use environment secrets like this

Suppose that, we may define Environment secrets like this

image

and we could use like this

image

I'm sorry for showing some unfinished test code, but you may get some insight from the above code, which uses

environment: AWS_S3_CODEDEPLOY_KEY

or you may just refer these:

https://docs.github.com/en/actions/reference/environments#referencing-an-environment
https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idenvironment

As you can see in the above references, you may allocate environments for each job.

theblueskies commented 3 years ago

Maybe try this:

- name: Ezored - Dist upload
  env:
    EZORED_AWS_KEY_ID: ${{ env.EZORED_AWS_KEY_ID }}
    EZORED_AWS_SECRET_KEY: ${{ env.EZORED_AWS_SECRET_KEY }}
  run: EZORED_AWS_KEY_ID=$EZORED_AWS_KEY_ID EZORED_AWS_SECRET_KEY=$EZORED_AWS_SECRET_KEY python make.py target ${{ matrix.config.target }} dist upload --force

By including them as runtime options, it might just work for you to get the secrets through os.getenv or os.environ

paulocoutinhox commented 3 years ago

Hi, thanks.

In my case, it is already working.

But thanks anyway.

AllanOricil commented 3 years ago

I still don't get it. @paulo-coutinho could you help me to understand with an example?

paulocoutinhox commented 3 years ago

Hi @AllanOricil,

You can see here: https://github.com/ezored/ezored/blob/main/.github/workflows/macos.yml#L72-L76

AllanOricil commented 3 years ago

@paulo-coutinho thanks man. I was able to make a simple workflow to work with environment secrets. But now I'm facing another problem after mixing "Reusable Workflows" with "environment secrets" , which I can't fix :/

https://github.com/actions/runner/issues/1490

olivatooo commented 2 years ago

image

Yeah... I agree with this stackoverflow guy

ConnorSiXiong commented 2 years ago

https://github.blog/2020-08-03-github-actions-improvements-for-fork-and-pull-request-workflows/

Thanks, this works for me!

boukeversteegh commented 2 years ago

According to

Note: You can only configure environments for public repositories. If you convert a repository from public to private, any configured protection rules or environment secrets will be ignored, and you will not be able to configure any environments. If you convert your repository back to public, you will have access to any previously configured protection rules and environment secrets.

Organizations with GitHub Team and users with GitHub Pro can configure environments for private repositories. For more information, see "GitHub's products."

ABOBAKAR-IT commented 2 years ago

name: Deployment
on:
  push:
    branches: [ master ]

jobs:
  my-job:
    runs-on: ubuntu-latest
    environment: dev_portfolio
    steps:

ABOBAKAR-IT commented 2 years ago

set environment: dev_portfolio script run successfully

julienben commented 1 year ago

@ABOBAKAR-IT I'm not sure how this is a solution. If someone is trying to have the environment automatically detected based on the branch, you wouldn't want to hardcode the environment name in the workflow file. Am I wrong?

GrazingScientist commented 1 year ago

If someone comes here because in their Python project tox is not running with environment variables, this SO thread may help.

arvindpdmn commented 1 year ago

Solution is to give the environment name (eg. production) for the job and access the secrets as ${{ secrets.SOMENAME }}:

jobs:
  deployment:
    runs-on: ubuntu-latest
    environment: production
    steps:
      - name: deploy
        # ...deployment-specific steps

See https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#using-an-environment
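
A complete workflow for the approach in the comment above, written as an added example that is not part of the thread or of any participant's repository. The workflow name, branch names, the `production`/`staging` environment names and the matrix target are assumptions; the secret names and the `make.py` command are the ones from the original question. The credentials are mapped only into the step that needs them, and the step stops before the upload if either one resolved to an empty string.

```yaml
# Added example. Values marked "assumed" or "placeholder" are not from the thread.
name: dist-upload                    # assumed workflow name
on:
  push:
    branches: [main, develop]        # assumed branch names

jobs:
  upload:
    runs-on: ubuntu-latest
    # Environment secrets are exposed only to jobs that declare the environment.
    # Without this key, secrets.EZORED_AWS_KEY_ID evaluates to an empty string
    # unless a repository or organization secret with the same name exists.
    # The value can be an expression, so the environment can follow the branch
    # instead of being hardcoded (environment names assumed; each one must
    # define both secrets).
    environment: ${{ github.ref_name == 'main' && 'production' || 'staging' }}
    strategy:
      matrix:
        config:
          - { target: example_target }   # placeholder target name
    steps:
      - uses: actions/checkout@v4

      - name: Ezored - Dist upload
        # Step-level env keeps the credentials out of every other step.
        env:
          EZORED_AWS_KEY_ID: ${{ secrets.EZORED_AWS_KEY_ID }}
          EZORED_AWS_SECRET_KEY: ${{ secrets.EZORED_AWS_SECRET_KEY }}
        run: |
          # Report which names are empty, never their values.
          python - <<'EOF'
          import os, sys
          names = ("EZORED_AWS_KEY_ID", "EZORED_AWS_SECRET_KEY")
          missing = [n for n in names if not os.getenv(n)]
          if missing:
              print("::error::empty or unset: " + ", ".join(missing))
              sys.exit(1)
          EOF
          python make.py target ${{ matrix.config.target }} dist upload --force
```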

AndrewGumenyuk commented 1 year ago

Hello @arvindpdmn, it's not the best solution. What if you have multiple environments? The Environments tab with secrets per env was added specially for that.

senghuotlay commented 1 year ago

it still doesn't fix it

montao commented 7 months ago

If Hello World is not one failsafe step, it probably should be changed so Hello World can work painlessly

zakkg3 commented 7 months ago

image

Yeah... I agree with this stackoverflow guy

UI design mistake by github

chienhsiang-hung commented 1 month ago

Hello @arvindpdmn, it's not the best solution. What if you have multiple environments? The Environments tab with secrets per env was added specially for that.

still the same till today