How to use GitHub action secrets in a reusable workflow? - github-actions

I have a number of GitHub actions that interact with Azure using the az command line, so I figured I'd try to write a reusable workflow to log into Azure. I have been following this guide: https://docs.github.com/en/actions/using-workflows/reusing-workflows
When I run my caller workflow, I get this error:
Error: .../log-into-azure/action.yml (Line: 21, Col: 14): Unrecognized named-value: 'secrets'. Located at position 1 within expression: secrets.DEV_APPLICATION_ID
My caller workflow contains this:
- name: Azure login with elevated permissions
  uses: ./.github/actions/log-into-azure
  with:
    secrets: inherit
My reusable workflow looks like this:
name: Log into Azure
description: 'Log into Azure.'
on:
  workflow_call:
    secrets:
      DEV_APPLICATION_ID:
        required: true
      DEV_SERVICE_PRINCIPAL_SECRET:
        required: true
      TENANT_ID:
        required: true
jobs:
  azure-login:
    runs-on: [self-hosted, ubuntu-latest]
    steps:
      - name: Azure login with elevated permissions
        shell: pwsh
        run: |
          az login --service-principal -u "${{ secrets.DEV_APPLICATION_ID }}" -p "${{ secrets.DEV_SERVICE_PRINCIPAL_SECRET }}" --tenant "${{ secrets.TENANT_ID }}"
I have also tried to list the secrets explicitly in the caller workflow (instead of using secrets: inherit) like this:
- name: Azure login with elevated permissions
  uses: ./.github/actions/log-into-azure
  with:
    secrets:
      DEV_APPLICATION_ID: ${{ secrets.DEV_APPLICATION_ID }}
      DEV_SERVICE_PRINCIPAL_SECRET: ${{ secrets.DEV_SERVICE_PRINCIPAL_SECRET }}
      TENANT_ID: ${{ secrets.TENANT_ID }}
... but that gave the following error message:
The workflow is not valid. .github/workflows/deploy.yml (Line: 60, Col: 11): A mapping was not expected
EDIT 1
I have also tried to put secrets on the same indentation level as uses in my caller workflow, like this (lines 63-65):
- name: Azure login with elevated permissions
  uses: ./.github/actions/log-into-azure
  secrets: inherit
That also fails:
Invalid workflow file: .github/workflows/deploy.yml#L65
The workflow is not valid. .github/workflows/deploy.yml (Line: 65, Col: 7): Unexpected value 'secrets'
Likewise if I do this:
- name: Azure login with elevated permissions
  uses: ./.github/actions/log-into-azure
  secrets:
    DEV_APPLICATION_ID: ${{ secrets.DEV_APPLICATION_ID }}
    DEV_SERVICE_PRINCIPAL_SECRET: ${{ secrets.DEV_SERVICE_PRINCIPAL_SECRET }}
    TENANT_ID: ${{ secrets.TENANT_ID }}
I get the exact same error message.
EDIT 2
Here is a minimal working example of my whole caller workflow:
name: Deploy to persistent environment
on:
  workflow_dispatch:
jobs:
  deploy-kms-to-persistent-environment:
    name: 'Deploy KMS to ${{ github.event.inputs.deployment_target }} from Git commit: ${{ github.sha }}'
    runs-on: [self-hosted, 3shape-ubuntu-latest]
    steps:
      - name: Azure login with elevated permissions
        uses: ./.github/actions/log-into-azure
        secrets: inherit

Checking the official documentation, your problem occurs due to the indentation in the workflow calling the reusable workflow.
You are passing the secrets like this:
uses: ...
with:
  secrets:
and secrets should be at the same level as with:
uses: ...
with:
secrets:
Using your example, both options should look like this:
- uses: ./.github/actions/log-into-azure
  secrets: inherit
and
- uses: ./.github/actions/log-into-azure
  secrets:
    DEV_APPLICATION_ID: ${{ secrets.DEV_APPLICATION_ID }}
    DEV_SERVICE_PRINCIPAL_SECRET: ${{ secrets.DEV_SERVICE_PRINCIPAL_SECRET }}
    TENANT_ID: ${{ secrets.TENANT_ID }}
Note: In both cases, with should be used for inputs, not for secrets.
Example:
uses: ...
with:
  input1: value1
secrets:
  secret1: ${{ secrets.SECRET1 }}
Moreover, note that you don't specify the runner and steps when calling a reusable workflow. You just specify the reusable workflow path with the uses field (with the ref), as you have already configured the runner and the steps IN the reusable workflow.
In your case, it seems you're calling an action in the workflow, not a reusable workflow.
Example (compare to your workflow in the EDIT 2):
name: Deploy to persistent environment
on:
  workflow_dispatch:
jobs:
  job1:
    uses: owner/repo/.github/workflows/log-into-azure.yml@main # you need the ref here
    secrets: inherit
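The error message in the question points at .github/actions/log-into-azure/action.yml, so the thing being called is a composite action, not a reusable workflow, and a composite action has no access to the secrets context at all: `secrets: inherit` and a `secrets:` block are only valid on a job-level `uses:` that calls a reusable workflow. The following is an added example (not code from the question or the answer above) of the composite-action shape: the credentials are declared as inputs, the caller hands them over from its own secrets context through `with:`, and the step reads them from environment variables instead of interpolating expressions into the script body. The input names, the caller's job name and the checkout step are assumptions; the secret names are the ones from the question.

```yaml
# --- .github/actions/log-into-azure/action.yml (composite action) ---
# Added example; the input names are assumptions and any names work as long
# as the caller's `with:` keys match them.
name: Log into Azure
description: Log into Azure with a service principal.
inputs:
  application-id:
    description: Service principal application (client) ID
    required: true
  service-principal-secret:
    description: Service principal client secret
    required: true
  tenant-id:
    description: Azure AD tenant ID
    required: true
runs:
  using: composite
  steps:
    - name: Azure login with elevated permissions
      shell: pwsh
      # Hand the values to the script through the step environment. The
      # `${{ }}` expressions are then expanded by the runner into environment
      # variables instead of being pasted into the generated script file, which
      # avoids quoting problems and keeps the secret out of the script text.
      env:
        AZ_APP_ID: ${{ inputs.application-id }}
        AZ_SECRET: ${{ inputs.service-principal-secret }}
        AZ_TENANT: ${{ inputs.tenant-id }}
      run: |
        az login --service-principal -u "$env:AZ_APP_ID" -p "$env:AZ_SECRET" --tenant "$env:AZ_TENANT"

# --- caller workflow, e.g. .github/workflows/deploy.yml (job name assumed) ---
name: Deploy to persistent environment
on:
  workflow_dispatch:
jobs:
  deploy:
    runs-on: [self-hosted, ubuntu-latest]
    steps:
      # A local `uses: ./...` action is read from the checked-out tree, so the
      # repository must be checked out before the step that uses it.
      - uses: actions/checkout@v3
      - name: Azure login with elevated permissions
        uses: ./.github/actions/log-into-azure
        with:
          # Secrets reach a composite action only as inputs. `secrets: inherit`
          # and a `secrets:` mapping belong to a job-level `uses:` of a
          # reusable workflow, which is what the answer above shows.
          application-id: ${{ secrets.DEV_APPLICATION_ID }}
          service-principal-secret: ${{ secrets.DEV_SERVICE_PRINCIPAL_SECRET }}
          tenant-id: ${{ secrets.TENANT_ID }}
```

Values passed as inputs are still masked in the log, because GitHub masks every value that originated from the secrets context regardless of how it is forwarded.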


GitHub Actions Passing Secret as Input for reusable workflow

I have a reusable workflow for building and pushing a docker image to ECR.
One of the inputs of the workflow is for specifying arguments for the docker build command.
This is the command in the reusable workflow:
docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG ${{ inputs.DOCKER_BUILD_ARGS }} .
In some cases, I need DOCKER_BUILD_ARGS to contain secrets, for example:
secrets:
  AWS_ACCESS_KEY: ${{ secrets.AWS_ACCESS_KEY }}
  AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
uses: XXXXX/.github/workflows/DockerBuildPushECR.yml@main
with:
  ECR_REGISTRY: XXXXXX
  ECR_REPOSITORY: XXXXX
  DOCKER_BUILD_ARGS: "--build-arg PASSWORD=${{ secrets.PASSWORD }}"
GitHub complains that the workflow is not valid:
"Unrecognized named-value: 'secrets'", because it only expects secrets in the secrets section.
I cannot pass it as a secret because the reusable workflow does not expect this secret, I just want it to be part of the string...
Can't use env because it cannot be used in conjunction with a reusable workflow
How can I make this scenario work?
What I ended up doing is adding 2 optional secrets to the reusable workflow and adding them as build args in the docker build command.
This way, if they are passed they are secrets, and if they are not they are simply blank and this does not affect anything.
It solved my scenario.
So, the secrets section looked like this:
secrets:
  AWS_ACCESS_KEY:
    required: true
  AWS_SECRET_ACCESS_KEY:
    required: true
  USERNAME:
    required: false
  PASSWORD:
    required: false
and the build like this:
- name: Build and tag image
  run: docker build -f ${{ inputs.DOCKERFILE }} -t ${{ inputs.ECR_REGISTRY }}/${{ inputs.ECR_REPOSITORY }}:${{ inputs.IMAGE_TAG }} --build-arg USERNAME=${{ secrets.USERNAME }} --build-arg PASSWORD=${{ secrets.PASSWORD }} ${{ inputs.DOCKER_BUILD_ARGS }} ${{ inputs.DOCKER_BUILD_CONTEXT }}
Of course, the Dockerfile needs to have corresponding arguments.
This allowed me to pass up to 2 secrets "dynamically".
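A caveat the answer above does not state: anything passed with --build-arg is recorded in the resulting image (it is visible with `docker history` on every layer that used it) and can surface in build output, so build args are a poor channel for credentials even when the workflow receives them as secrets. The following is an added example, not the author's workflow, that keeps the same two optional secrets but delivers them through BuildKit secret mounts, which exist only as a temporary file during the RUN step that mounts them and are never written to a layer. The workflow file name is taken from the question; the image name, the Dockerfile script name and the input defaults are assumptions. It requires a Docker engine with BuildKit, which is the default on ubuntu-latest runners.

```yaml
# Added example: .github/workflows/DockerBuildPushECR.yml (name from the question).
# The caller passes the credentials exactly as in the answer, e.g.
#   secrets:
#     PASSWORD: ${{ secrets.PASSWORD }}
# Only the way they reach the build changes.
name: Build and push image
on:
  workflow_call:
    inputs:
      DOCKERFILE:
        type: string
        default: Dockerfile
      DOCKER_BUILD_CONTEXT:
        type: string
        default: .
      IMAGE_TAG:
        type: string
        required: true
    secrets:
      USERNAME:
        required: false
      PASSWORD:
        required: false

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Build image with BuildKit secret mounts
        env:
          DOCKER_BUILDKIT: "1"   # harmless where BuildKit is already the default
          USERNAME: ${{ secrets.USERNAME }}
          PASSWORD: ${{ secrets.PASSWORD }}
        # `--secret id=...,env=...` takes the value from the step environment and
        # exposes it to the build only as a tmpfs file inside RUN steps that
        # mount it. Unlike --build-arg it is not stored in any layer and does
        # not appear in `docker history`. An unset optional secret is simply
        # an empty variable here, so the build still runs.
        run: |
          docker build \
            --file "${{ inputs.DOCKERFILE }}" \
            --secret id=username,env=USERNAME \
            --secret id=password,env=PASSWORD \
            --tag "example/image:${{ inputs.IMAGE_TAG }}" \
            "${{ inputs.DOCKER_BUILD_CONTEXT }}"

# Dockerfile side (script name assumed). The secret is readable only inside
# this RUN step, at /run/secrets/<id>, and is gone once the step finishes:
#
#   # syntax=docker/dockerfile:1
#   RUN --mount=type=secret,id=username \
#       --mount=type=secret,id=password \
#       USERNAME="$(cat /run/secrets/username)" \
#       PASSWORD="$(cat /run/secrets/password)" \
#       ./fetch-private-dependencies.sh
```

The limitation the question ran into still holds: a secret has to be declared in the reusable workflow's `secrets:` block to be usable at all, so the "dynamic" part stays limited to whichever optional secrets the workflow chooses to declare.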

Github Composite action cannot find file

I have created an action that runs the following command
- name: Create Release Notes File
  env:
    COMMITTEXT: "${{ github.event.head_commit.message }}"
  run: |
    php ./create-release-notes-file.php
The file is in the same folder as the create-release.yml which is .github/workflows
when the action runs it fails with the following error:
Run php ./create-release-notes-file.php
Could not open input file: ./create-release-notes-file.php
Error: Process completed with exit code 1.
I can't find any documentation that tells me to put the files anywhere else. Any suggestions welcomed
Be sure to have cloned the repo before the above step (for example with actions/checkout@v3), like this:
jobs:
  create-release-note:
    name: Create Release note
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
        with:
          fetch-depth: 0
          persist-credentials: false
          token: ${{ secrets.GH_API_TOKEN }}
      - name: Create Release Notes File
        env:
          COMMITTEXT: "${{ github.event.head_commit.message }}"
        # The step runs from the repository root, so the script is addressed
        # by the path it has in the checkout (.github/workflows/ per the question).
        run: |
          php ./.github/workflows/create-release-notes-file.php

How to build, run and call docker container in Github Action

I need to build docker image form the source code of the current repository, run a container, then execute some API calls. How to do that with the github action?
name: Docs Generator
on:
  pull_request:
    types: [opened]
jobs:
  pr-labeler:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
        with:
          ref: ${{ github.event.pull_request.head.ref }}
          repository: ${{ github.event.pull_request.head.repo.full_name }}
      - name: Get the version
        id: vars
        # ::set-output is deprecated; step outputs are written to $GITHUB_OUTPUT
        run: echo "tag=${GITHUB_REF:10}" >> "$GITHUB_OUTPUT"
      - name: Build the tagged Docker image
        run: docker build . --file Dockerfile --tag service:${{ steps.vars.outputs.tag }}
      - name: Run docker image
        run: docker run -v ${{ inputs.path }}:/src service:${{ steps.vars.outputs.tag }}
      - name: Call API
        run: |
          curl http://localhost:8080/test
          .....
For this purpose, you could use a combination of https://github.com/marketplace/actions/build-and-push-docker-images and https://github.com/addnab/docker-run-action
The first would build and publish a container, and the second would take this container and run your commands there.
The example is below. I don't use this setup myself but I have tested it. Replace username/container with your username and container.
name: Docker Image CI
on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]
jobs:
  compile:
    name: Build and run the container
    runs-on: ubuntu-latest
    steps:
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v1
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
      - name: Login to DockerHub
        uses: docker/login-action@v1
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Build and push
        uses: docker/build-push-action@v2
        with:
          push: true
          tags: username/container
      - name: Check out the repo
        uses: actions/checkout@v2
      - name: Run the build process with Docker
        uses: addnab/docker-run-action@v3
        with:
          image: username/container:latest
          options: -v ${{ github.workspace }}:/data
          run: |
            echo "Hello World"
Note that building a container is quite a long task and might deplete your Github Action limits quickly. You might consider building/publishing a container separately, or add better caching here (i.e. to rebuild it only on Dockerfile change)
Note that you need to set up DOCKERHUB_USERNAME and DOCKERHUB_TOKEN secrets.
Instead of echo "Hello World", use the commands you want to run. The repo data will be in the /data directory, for this setup.
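An alternative to pushing the image to a registry, added here as an example and not taken from the question or the answer: build the image from the checkout, start it detached with a published port, wait until the endpoint answers, call it, and always tear it down. No registry login is involved, so the job needs no secrets at all, which is the right posture for a pull_request trigger: a pull request from a fork builds an untrusted Dockerfile and would not receive repository secrets anyway. The port, endpoint and image name come from the question; the readiness loop, the read-only volume mount and the use of github.sha as the tag are assumptions.

```yaml
# Added example: build, run and exercise a container in one job, without a registry.
name: Build, run and call the container
on:
  pull_request:
    types: [opened, synchronize]
jobs:
  smoke-test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Build image from this checkout
        # Tag with the commit SHA so the image tested is unambiguous in the log.
        run: docker build . --file Dockerfile --tag "service:${GITHUB_SHA}"

      - name: Start container in the background
        # --publish makes the service reachable on the runner as localhost:8080;
        # the workspace is mounted read-only so the container cannot alter the
        # source it was built from.
        run: |
          docker run --detach --name service \
            --publish 8080:8080 \
            --volume "${GITHUB_WORKSPACE}:/src:ro" \
            "service:${GITHUB_SHA}"

      - name: Wait until the API answers
        # Poll instead of sleeping a fixed time; fail with the container's logs
        # if it never becomes healthy.
        run: |
          for _ in $(seq 1 30); do
            if curl --silent --fail http://localhost:8080/test >/dev/null; then
              exit 0
            fi
            sleep 2
          done
          echo "service did not become ready" >&2
          docker logs service
          exit 1

      - name: Call API
        run: curl --fail --show-error http://localhost:8080/test

      - name: Stop and remove the container
        if: always()
        run: docker rm --force service
```

Because nothing is pushed, a rebuild happens on every run; if build time becomes a problem, the caching note above applies here as well.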

How to deploy GitHub Action for my KMM project

Currently, I got some problems when I try to write the YAML file for deploying the GitHub action for KMM project. I don't know how to write the correct script (gradlew command) about testing the code of the shared module. Here's a part of my YAML file:
test_job:
  name: Test
  runs-on: ubuntu-latest
  continue-on-error: true
  steps:
    - name: Checkout
      uses: actions/checkout@v2
    - name: Set up JDK 11
      uses: actions/setup-java@v2
      with:
        java-version: '11'
        distribution: 'adopt'
    - name: Validate Gradle wrapper
      uses: gradle/wrapper-validation-action@e6e38bacfdf1a337459f332974bb2327a31aaf4b
    - name: Restore Cache
      uses: actions/cache@v2
      with:
        path: |
          ~/.gradle/caches
          ~/.gradle/wrapper
        key: ${{ runner.os }}-gradle-${{ hashFiles('**/*.gradle*') }}
        restore-keys: |
          ${{ runner.os }}-gradle-
    - name: Make gradle executable
      run: chmod +x ./gradlew
    - name: Run Debug Tests
      run: ./gradlew testDebugUnitTest --continue
    - name: Upload Test Reports
      if: ${{ always() }}
      uses: actions/upload-artifact@v2
      with:
        name: test-reports
        path: '**/build/reports/tests/'
You can use:
./gradlew check to run tests for all your targets
./gradlew <targetName>Test to run it for a specific target
Note that probably you'd want to specify the shared module as well, for ex: ./gradlew :shared:check
For more information you could check out: https://kotlinlang.org/docs/mpp-run-tests.html#run-tests-for-one-or-more-targets

How to trigger gh-pages branch changes via another action

I got this action which publishes to gh-pages successfully :
name: Deployment
on:
  push:
    branches:
      - master
jobs:
  deploy:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        node-version: [12.x]
    steps:
      - uses: actions/checkout@v1
      - name: Use Node.js ${{ matrix.node-version }}
        uses: actions/setup-node@v1
        with:
          node-version: ${{ matrix.node-version }}
      - name: Install Packages
        run: npm install
      - name: Build page
        run: npm run build
      - name: Deploy to gh-pages
        uses: peaceiris/actions-gh-pages@v3
        with:
          deploy_key: ${{ secrets.ACTIONS_DEPLOY_KEY }}
          publish_dir: ./build
I added second action
name: S3Publish
on:
  push:
    branches:
      - gh-pages
... but it never triggers
You can also put the .github directory, including your second workflow, on the gh-pages branch.
- name: Deploy
  uses: peaceiris/actions-gh-pages@v3
  with:
    deploy_key: ${{ secrets.ACTIONS_DEPLOY_KEY }} # Recommended
    personal_token: ${{ secrets.PERSONAL_TOKEN }} # An alternative
    # github_token: ${{ secrets.GITHUB_TOKEN }} # Do not use this token for this case.
    exclude_assets: ''
Set exclude_assets to an empty string to include the .github directory in the deployment assets.
For more details, see the latest README.
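The reason the answer steers away from GITHUB_TOKEN is that a push made with the workflow's own token does not trigger further workflow runs, so a deploy key or personal token is needed for the push-to-gh-pages approach to fire the second workflow. An added alternative, not from the answer, that needs neither a deploy key nor a personal token is to chain the second workflow on the first with a workflow_run trigger. The file then stays on the default branch next to the Deployment workflow (workflow_run only fires for workflow files on the default branch), and the S3 step authenticates to AWS with OIDC rather than stored access keys. The role ARN, region and bucket name are placeholders; the workflow name "Deployment" and the master branch are taken from the question.

```yaml
# Added example: trigger on completion of the "Deployment" workflow instead of
# on pushes to gh-pages. Lives on the default branch, not on gh-pages.
name: S3Publish
on:
  workflow_run:
    workflows: ["Deployment"]   # `name:` of the workflow that publishes to gh-pages
    types: [completed]
    branches: [master]          # branch the triggering Deployment run was started from

# Least privilege: read the repo, and request an OIDC token for AWS.
permissions:
  contents: read
  id-token: write

jobs:
  publish:
    # workflow_run also fires when Deployment fails; only publish after success.
    if: ${{ github.event.workflow_run.conclusion == 'success' }}
    runs-on: ubuntu-latest
    steps:
      - name: Check out the gh-pages branch that Deployment just updated
        uses: actions/checkout@v3
        with:
          ref: gh-pages

      - name: Assume an AWS role via OIDC (no long-lived keys stored as secrets)
        uses: aws-actions/configure-aws-credentials@v2
        with:
          role-to-assume: arn:aws:iam::123456789012:role/gh-pages-publisher   # placeholder
          aws-region: eu-west-1                                                # placeholder

      - name: Sync the site to the bucket
        # Bucket name is a placeholder; .git is excluded so repository metadata
        # is not published.
        run: aws s3 sync . "s3://example-site-bucket" --delete --exclude ".git/*"
```

The IAM role's trust policy must restrict the GitHub OIDC subject to this repository (and ideally to the master branch) so that no other workflow can assume it.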