GitHub Actions shared non-secret variables - github-actions

I know about organization-wide secrets for GitHub Actions, but I'm looking for a way to define organization-wide non-secret variables, such as default environment variables or something similar.
Sometimes you simply don't want all your shared config to be secret. An example is for AWS credentials, where it may be beneficial to see the AWS_ACCESS_KEY_ID in plain text, but keep the AWS_SECRET_ACCESS_KEY as a secret.
It seems silly to have to put the same AWS_ACCESS_KEY_ID variable as an env variable in every single repo, while the secret half of that pair works perfectly to configure once for the entire organization... Is there such a way?
Perhaps a workaround could be to create a reused workflow action such as set-env that sets the shared environment variables and then include that in each and every job such as uses: my-org/github-actions/.github/workflows/set-env.yml#main, but it's not the cleanest solution I think.
Too bad there's simply not an option next to GitHub action secrets to allow them to be ... well, not so secret.

Related

Environment variable expansion in GitHub Workflows

Can the existing env variable definition be used to define another env variable?
EXAMPLE (snippet of GH Workflow):
TOP_DOMAIN: com
FQDN: example.${{ env.TOP_DOMAIN }}
What is the preferred way to do this? I know there is a way to do that using GH env files GITHUB_ENV, but more interested if there is some cleaner way without creating a new run step in a workflow.

How to set global variables like `COMPOSE_FILE` and `IMAGE_NAME` across reusable workflows and custom actions?

In a common CI pattern, the following env vars are required by docker compose:
COMPOSE_FILE=docker-compose.yml:docker-compose.ci.yml
IMAGE_NAME=ghcr.io/aaa/bbb/ccc:pull_request_identifier
In this supposed setup the docker-compose.ci.yml would define:
services:
  someservice:
    image: ${IMAGE_NAME}
So COMPOSE_FILE and IMAGE_NAME are required for all interactions with docker compose.
If we want to separate out some parts of our workflow for reuse, this becomes very tedious and copy-paste-y:
Every top-level workflow must define COMPOSE_FILE and IMAGE_NAME, which is duplicative.
Every time we create a custom action that will be called by more than one step, we have to pass both variables every time. And, tediously, we need to run a step to re-echo them out into the $GITHUB_ENV for that step.
A nice little hidden gotcha here is that if you try to use a reusable workflow instead of a custom action, you can't actually pass env vars to it at all, as it's being run in the wrong phase and env vars aren't available.
Is there a way to set COMPOSE_FILE (etc) globally across the workflow and all reusable workflows / custom actions within it?

GitHub Actions workflow environment variables on organization level

Is it possible to have environment variables on organization level for GitHub Actions? So something like organization secrets but just with environment variables.
Since we have a lot of repositories in our organization, I would like to keep the runner version in a global environment variable, so that when we decide to update the runner version we can simply change it in the environment settings instead of in every workflow file.
EDIT
Variables are now supported at the organization level. Here are the docs:
https://docs.github.com/en/actions/learn-github-actions/variables
You can put the value into a GitHub organization secret. Check the following link for further details:
https://docs.github.com/en/codespaces/managing-codespaces-for-your-organization/managing-encrypted-secrets-for-your-repository-and-organization-for-codespaces#adding-secrets-for-an-organization

In GitHub Actions is it possible to pass steps to a sub-action?

Is there any way that a step in a workflow job can specify sub-steps to pass to a custom action?
steps:
  - uses: ...
    with:
      steps:
        - ...
        - ...
        - ...
For example, a uses: actions/cache#v2 will attempt to download a snapshot immediately (in the current step), and also inserts a post step to upload a fresh snapshot after all other steps in the parent job. This works well for build processes that (through multiple stages) intelligently recognise which objects need to be recreated and which do not. But it is not suited for workflows that need to set up a clean environment (or generate test data) that may then be manipulated by the tests. I'd like to make a different cache action, that is explicitly passed instructions for how to regenerate the cache from scratch, and which uploads the state before returning to the following step of the parent action.
Is there any way this could be achieved? (Composite actions? Advanced yaml syntax? Template expressions? Low-level actions toolkits/features? Implementing an interpreter to re-parse the input parameter?)

Redacting secrets in GitHub actions logs for text that is not stored in official action secrets

GitHub Actions workflows automatically redact text in output logs which matches any secrets stored in the relevant action secrets. This works fine for simple cases.
However, I use AWS SSM for storing secrets (for a variety of reasons) - and there are cases where I want to populate the environment for a given step with values from SSM. Unfortunately, actions automatically log the entire environment for every step. Since these secrets aren't official action secrets, GH is unaware that they're sensitive and happily logs them (less happily for me). GH also logs arguments sent to any action step - and many actions require sensitive variables and tokens as arguments.
Is there a way to do this or are GitHub actions essentially unusable if you aren't using their secrets solution?
Yes, you can mask a value in the log.
Here is a simple example, where you mask the value in an environment variable, but it can be done with any value:
MY_NAME="Mona The Octocat"
echo "::add-mask::$MY_NAME"
This tells GitHub that whenever it sees this value in the output, it should mask it with ***.
If you are implementing an action yourself and use JavaScript with toolkit/core, there is a function to mask logs:
core.setSecret('myPassword');
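As an added example (not part of the answer above), here is a POSIX sh helper that applies ::add-mask:: to values pulled from an external store such as SSM before exporting them through $GITHUB_ENV, so the value is already masked when the next step's environment is logged; the NAME=VALUE file standing in for the SSM query and the workflow snippet in the comments are assumptions.

```shell
#!/usr/bin/env sh
# Added example: register a mask BEFORE a value reaches $GITHUB_ENV or any log line.
# Assumed usage from a `run:` step (not from the page):
#   env:
#     AWS_ACCESS_KEY_ID: ${{ vars.AWS_ACCESS_KEY_ID }}            # org variable, not secret
#     AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} # org secret
#   run: . ./mask_env.sh && export_from_kv_file ssm_values.txt

# mask_and_export NAME VALUE: emit ::add-mask:: for VALUE, then append NAME to $GITHUB_ENV.
mask_and_export() {
  : "${GITHUB_ENV:?GITHUB_ENV is not set (only available inside a workflow step)}"
  name=$1
  value=$2
  # GitHub masks line by line, so a multi-line value (e.g. a PEM key) needs
  # one ::add-mask:: command per non-empty line.
  printf '%s\n' "$value" | while IFS= read -r line; do
    if [ -n "$line" ]; then
      printf '::add-mask::%s\n' "$line"
    fi
  done
  nl=$(printf '\nx'); nl=${nl%x}
  case $value in
    *"$nl"*)
      # Multi-line values must use the heredoc form of $GITHUB_ENV.
      delim="__GHENV_${name}__"
      printf '%s<<%s\n%s\n%s\n' "$name" "$delim" "$value" "$delim" >> "$GITHUB_ENV"
      ;;
    *)
      printf '%s=%s\n' "$name" "$value" >> "$GITHUB_ENV"
      ;;
  esac
}

# export_from_kv_file FILE: FILE holds NAME=VALUE lines (constructed stand-in for
# the output of an SSM query); blank lines and '#' comments are skipped.
export_from_kv_file() {
  while IFS= read -r kv || [ -n "$kv" ]; do
    case $kv in ''|'#'*) continue ;; esac
    mask_and_export "${kv%%=*}" "${kv#*=}"
  done < "$1"
}
```

Because the mask is registered in the same step that fetches the value, the automatic environment dump of every later step and any action arguments built from it are redacted.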