NashTech Insights

Using secrets in github actions

Vidushi Bansal

In this blog we will see how we can use secrets in GitHub Actions workflows.

To add and use secrets in GitHub Actions, follow these steps:

  1. Create a secret: In your GitHub repository, navigate to the “Settings” tab and select Secrets from the left sidebar. Click on “New Repository Secret” to create a new secret. Give it a name and provide the value of the secret.
  2. Configure your workflow: In your repository, create or modify a workflow file (e.g. ‘.github/workflows/workflow.yaml’) to define your GitHub Actions workflow. Add the necessary steps and jobs to the workflow.
  3. Reference the secret: To use the secret within your workflow, you need to reference it as an environment variable. To do this, add an ‘env’ key within your job or step definition in the workflow file. Set the value of the environment variable to the secret using the ‘secrets.<secret_name>’ syntax, where ‘<secret_name>’ is the name you provided when creating the secret.

Here is an example of referencing a secret within a step:

jobs:
  build:
    runs-on: self-hosted
    steps:
      - name: Use the secret
        run: echo ${{ secrets.<secret_name> }}

  4. Commit and push the workflow file: After making the necessary changes to the workflow file, commit and push it to your GitHub repository.

GitHub Actions will automatically encrypt the secrets and make them available to your workflow runs. At runtime, the environment variable referencing the secret holds the secret's value. It is important to note that secrets are masked in the logs and cannot be accessed by unauthorised users or collaborators. Additionally, make sure to follow security best practices and restrict access to your secrets, granting only the necessary permissions to the relevant individuals or services.

The above example lets you check that the secret you have stored in GitHub for your repository is correct.

Here is another, more practical example where you have to use AWS credentials to perform some tasks. Create the ‘AWS_ACCESS_KEY_ID’ and ‘AWS_SECRET_ACCESS_KEY’ secrets in the repository settings before using them in the workflow. Adjust the commands and steps according to your project's requirements and deployment process.

name: Deploy to Production
on:
  push:
    branches:
      - main
jobs:
  deploy:
    runs-on: self-hosted
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Deploy to production
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
        run: |
          # Install dependencies and build your application
          npm ci
          npm run build
          # Deploy to AWS using AWS CLI
          aws s3 sync ./dist s3://my-production-bucket

In this example, we have a workflow named “Deploy to Production” that runs whenever there is a push event to the ‘main’ branch. The workflow performs the following steps:

  1. It checks out the code from the repository using the ‘actions/checkout’ action.
  2. It sets up the environment variables ‘AWS_ACCESS_KEY_ID’ and ‘AWS_SECRET_ACCESS_KEY’ using the corresponding secrets from the repository settings.
  3. It runs a series of commands to install dependencies, build the application, and deploy it to an AWS S3 bucket using the AWS CLI. The environment variables are automatically available for use within the ‘run’ command.
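The deploy step above hands both AWS secrets to the script through the step's ‘env’ block. The following POSIX shell snippet is an added example (not part of the original post) that can sit at the top of that ‘run’ body to fail fast when a secret is missing, because GitHub Actions expands a reference to a secret that does not exist (for example, a misspelled name) to an empty string; the function name require_secrets and the aws sts get-caller-identity pre-check are my additions.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): fail-fast check for the
# secrets a "run:" step depends on. Only secret NAMES are ever printed;
# the values stay in the environment and are never echoed into the log.

# require_secrets NAME...
# Returns 0 when every named variable is set and non-empty.
# Returns 1 and reports the missing names as a workflow error otherwise.
# Returns 2 if a name is not a valid shell identifier (guards the eval).
require_secrets() {
  missing=""
  for name in "$@"; do
    case $name in
      ''|[0-9]*|*[!A-Za-z0-9_]*)
        echo "::error::invalid variable name: $name" >&2
        return 2 ;;
    esac
    # Indirect expansion in POSIX sh; safe because the name was validated.
    eval "value=\${$name:-}"
    [ -n "$value" ] || missing="$missing $name"
  done
  if [ -n "$missing" ]; then
    # ::error:: is a GitHub Actions workflow command; it annotates the run.
    echo "::error::missing or empty secret(s):$missing" >&2
    return 1
  fi
  return 0
}

# In the deploy step above the secrets arrive via the step's env: block,
# so the run: body would begin like this (constructed usage, not executed
# here):
#
#   require_secrets AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY || exit 1
#   aws sts get-caller-identity   # proves the credentials work before deploying
#   npm ci && npm run build
#   aws s3 sync ./dist s3://my-production-bucket
```

Because the check runs before ‘aws s3 sync’, a typo in a secret name shows up as a clear annotation naming the variable instead of an authentication error deep in the deployment output.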

This is how you can store and manage secrets in GitHub Actions. If you want to use AWS Secrets Manager as a centralized store for all your secrets and retrieve them in your workflow, check out the next blog in the series.


Hey, readers! Thank you for sticking with it till the end. If you have any questions/feedback regarding this blog, I am reachable at vidushi.bansal@nashtechglobal.com. You can find more of my blogs here.
