GitHub Action - Setup secure CockroachDB - github-actions

I would like to automatically start CockroachDB (as a container) with GitHub Actions for automated tests. These tests include testing all ssl modes. That's why I would like to add a user and certificates to CRDB. I searched for environment variables but there is no documentation for it on the website. At least not for the container.
Currently I only add it insecurely:
test-backend:
  runs-on: ubuntu-latest
  services:
    cockroachdb:
      image: cockroachdb/cockroach
      ports:
        - 26257:26257

CockroachDB is currently not able to be used as a service in Github Actions which is explained in this issue https://github.com/cockroachdb/cockroach/issues/87043.
As an alternative, here is an example of how it can be run in Github Actions: https://github.com/cockroachdb/sequelize-cockroachdb/blob/188f092dda80a2b11aae1381e83b9581f7bdbfc8/.github/workflows/ci.yml#L37 (instead of --insecure pass --certs-dir).
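As an added example (not from the question or the linked ci.yml), here is a job that builds the certificates with the cockroach CLI from the image, starts a secure single node with --certs-dir, and runs the tests once per sslmode. The user name, password and the `npm test` command are assumptions.

```yaml
name: test-backend-secure
on: [push]
jobs:
  test-backend:
    runs-on: ubuntu-latest
    env:
      CRDB_IMAGE: cockroachdb/cockroach:latest
    steps:
      - uses: actions/checkout@v3
      - name: Create CA, node and client certificates
        run: |
          set -euo pipefail
          mkdir -p certs ca-key
          # Run the cockroach CLI from the image so nothing has to be installed on the runner.
          crdb() { docker run --rm -v "$PWD/certs:/certs" -v "$PWD/ca-key:/ca-key" "$CRDB_IMAGE" "$@"; }
          crdb cert create-ca --certs-dir=/certs --ca-key=/ca-key/ca.key
          # The node cert must list every name clients dial; sslmode=verify-full checks it.
          crdb cert create-node localhost 127.0.0.1 --certs-dir=/certs --ca-key=/ca-key/ca.key
          crdb cert create-client root --certs-dir=/certs --ca-key=/ca-key/ca.key
          crdb cert create-client testuser --certs-dir=/certs --ca-key=/ca-key/ca.key
          # The files were written by root inside the container; hand them to the runner user.
          sudo chown -R "$(id -u):$(id -g)" certs ca-key
      - name: Start a secure single node (--certs-dir instead of --insecure)
        run: |
          set -euo pipefail
          # Only the certs dir is mounted; the CA key never reaches the server container.
          docker run -d --name crdb -p 26257:26257 -v "$PWD/certs:/certs" "$CRDB_IMAGE" \
            start-single-node --certs-dir=/certs
          # Poll until SQL answers over TLS (the root client cert authenticates us).
          for _ in $(seq 1 30); do
            docker exec crdb cockroach sql --certs-dir=/certs --host=localhost:26257 -e "SELECT 1" \
              >/dev/null 2>&1 && break
            sleep 2
          done
          # A password lets the tests use sslmode=require/verify-ca without a client cert.
          docker exec crdb cockroach sql --certs-dir=/certs --host=localhost:26257 \
            -e "CREATE USER IF NOT EXISTS testuser WITH PASSWORD 'constructed-test-pw'"
      - name: Run the tests once per sslmode
        run: |
          set -euo pipefail
          # 'disable' is left out on purpose: a secure node rejects plaintext connections.
          for mode in require verify-ca verify-full; do
            export DATABASE_URL="postgresql://testuser:constructed-test-pw@localhost:26257/defaultdb?sslmode=$mode&sslrootcert=$PWD/certs/ca.crt&sslcert=$PWD/certs/client.testuser.crt&sslkey=$PWD/certs/client.testuser.key"
            npm test
          done
```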

Endless Waiting for a runner to pick up this job in github enterprise

EDIT: My repo resides in github enterprise
I have a very basic github workflow action as below:
All it does is to run a powershell script as mentioned in here.
name: First Github Action
on:
  workflow_dispatch:
jobs:
  first-job:
    name: First Job
    runs-on: ubuntu-latest
    steps:
      - name: Display the path
        run: echo ${env:PATH}
        shell: pwsh
Unfortunately, it just keeps waiting for the runner to pick up. Below is the message it is being displayed.
Requested labels: ubuntu-latest
Job defined at: {myUserName}/{repoName}/.github/workflows/{myFileName}.yml#refs/heads/main
Waiting for a runner to pick up this job...
EDIT: I created another public repo and ran the action. It is still waiting.
Unfortunately, I cannot share my public repo as it is an enterprise github repo owned by the company I work in.
Assuming you are running this on GitHub Cloud (or github.com):
GitHub Actions is only free for public repositories, otherwise you have to pay for a license
Switching the repo's visibility from private to public may not cause the workflow that is stuck to be picked up. You will likely need to cancel it and queue a new one.
Make sure your workflows are located in .github/workflows folder.
Assuming you are running this on GitHub Enterprise Cloud (GHEC):
You need to make sure that your admin has Actions enabled
You need to make sure that your admin has Actions allowed for repositories not owned by an organization
Assuming you are running this on GitHub Enterprise Server (GHES):
You need to make sure that your admin has Actions enabled
You need to make sure that your admin has Actions allowed for repositories not owned by an organization
You will not be able to use GitHub hosted runners as you have in your YAML file
You will need to use a self-hosted runner and your GitHub admin can provide you the details of what you need to use.
The workflow you have in your question does in fact work:
https://github.com/tjc-actions-demo/simple-actions
The issue is going to be either permissions related or configuration related. Depending on your environment, you will need to troubleshoot based on my suggestions above.

How to log into Github Container Registry using Github Actions

I am trying to write a GitHub actions script to automatically build a docker image, and then push it into the GitHub Container Registry when new code is checked in to the main branch. This is the code that I'm using to try to log into the container registry:
name: Build and publish Docker image.
on: [push]
jobs:
  publish-docker-image:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v1
        with:
          registry: ghcr.io
          username: ${{github.actor}}
          password: ${{secrets.CONTAINER_REG_ACCESS}}
For more context, the CONTAINER_REG_ACCESS secret is a personal access token, though it was created by a different member of my organization.
This error shows up in GitHub after it runs its automated tests on my pull request.
Run docker/login-action@v1
Logging into ghcr.io...
Error: Error response from daemon: Get "https://ghcr.io/v2/": denied: denied
What is the best practice for logging into the GitHub container registry using a GitHub actions script? Is there a way to log in using an organization's credentials instead of my personal GitHub ID?
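As an added example (not from the question), the same login done with the run-scoped `GITHUB_TOKEN` and a least-privilege `permissions` block instead of a personal access token owned by another member. It assumes the image is published to the repository's own package namespace and that the repository name is lowercase.

```yaml
name: Build and publish Docker image
on:
  push:
    branches: [main]
jobs:
  publish-docker-image:
    runs-on: ubuntu-latest
    # Least privilege: the job token gets only what pushing a package needs.
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v3
      - name: Login to GitHub Container Registry with the workflow's own token
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          # Scoped to this run and revoked when it ends; nothing to rotate or share.
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build and push
        uses: docker/build-push-action@v4
        with:
          context: .
          push: true
          # ghcr.io image names must be lowercase (assumption: the repo name already is).
          tags: ghcr.io/${{ github.repository }}:${{ github.sha }}
```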

Do I need to pass each secret to my GitHub Actions workflow file?

I have a number of secrets, stored in Settings/Secrets/Action of my repo.
The various secrets are used by my application but none of them are used in the command.
name: BuildCheck
on:
  push:
  pull_request:
    branches: [main]
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: 14
      - run: npm ci
      - run: npm run build
Do I need to add all the variables under env top level map in the config file above in order for the action to use them?
This seems to break my automated flow of managing secrets with Doppler.
Is there a way to inject all secrets, without explicitly specifying them? (I did look at the docs but failed to find if this is possible)
Coming from Vercel, which does this, it feels like a bit of a step back.
There's a bit to unpack here.
Do I need to add all the variables?
The short answer: yes.
However, what's good to consider is that secrets often only configure connections between systems in the form of secret keys or application access using a license or credentials.
It is not common to add other configuration options inside the secrets.
Under env: top level map in the workflow file?
I would discourage putting secrets in the top level env.
The reason is that env will be exposed to all subsequent jobs. In case someone adds a job that's not trusted with this information (say an external action) it could become a problem.
So what's good practice?
Firstly: Split configuration from secrets:
Using configuration files for configuration options.
Using secrets for secret keys or other credentials.
Secondly: Using security first.
Configure each workflow step with just the information it needs
Explicitly pass secret variables to action parameters
Lastly: store configuration as close to the app as possible, optionally having multiple - each for a different environment.
Comparison with Vercel
Vercel abstracts away the workflow entirely and as a result can only do very specific things. The nature of each system is different and gives you different levels of flexibility.
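As an added example (not part of the answer above), the question's workflow with the weak pattern shown commented out and the recommended scoping beside it: each secret is visible only to the step that needs it, and a secret consumed by an action goes in as an input rather than through a shared env. `API_KEY`, `PUBLISH_TOKEN` and `some-org/publish-action` are hypothetical names.

```yaml
name: BuildCheck
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    # Weak pattern: a job- or workflow-level env hands the secret to every
    # step below, including third-party actions that never needed it.
    # env:
    #   API_KEY: ${{ secrets.API_KEY }}
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: 14
      - run: npm ci
      # Corrected: only the build step can read API_KEY.
      - name: Build
        run: npm run build
        env:
          API_KEY: ${{ secrets.API_KEY }}
      # Corrected: a secret an action needs is passed as that action's input.
      - name: Publish
        uses: some-org/publish-action@v1   # hypothetical action
        with:
          token: ${{ secrets.PUBLISH_TOKEN }}
```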
Firstly: Split configuration from secrets:
Using configuration files for configuration options.
Using secrets for secret keys or other credentials.
There is now another option:
GitHub Actions – Support for configuration variables in workflows (Jan. 2023)
Today, we are adding support for configuration variables in GitHub Actions
Previously, you needed to store this configuration data as encrypted secrets in order to reuse values in workflows.
While extremely secure, this method did not allow for easy storage and retrieval of non-sensitive configuration data such as compiler flags, usernames, server names etc.
Configuration variables allow you to store your non-sensitive data as plain text variables that can be reused across your workflows in your repository or organization.
You can define variables at Organization, Repository or Environment level based on your requirement.
Configuration variables can be accessed across the workflow using a new vars context.
The following example shows how configuration variables can be used in a workflow.
jobs:
  display-variables:
    runs-on: ${{ vars.RUNNER }}
    steps:
      - name: Use variables
        run: |
          echo "Repository variable : ${{ vars.REPOSITORY_VAR }}"
          echo "Organization variable : ${{ vars.ORGANIZATION_VAR }}"
Note: Variables feature is in public beta
Learn more about configuration variables

Consequences of running a GitHub Action directly rather than through `uses` and docker?

I'm fairly new-ish to GitHub Actions and I'm trying to figure out the difference between 2 ways to use the same custom action.
Say we have a basic action node-install-ci that contains the following files: Dockerfile, action.yml, entrypoint.sh. (Where the Dockerfile and action.yml just point to entrypoint.sh as the action entrypoint.)
I've seen a similar action used in 2 different ways in the same code-base:
jobs:
  # ...
  steps:
    - name: Install
      # either direct access
      run: ./.github/actions/node-install-ci/entrypoint.sh
      # or through docker
      uses: ./.github/actions/node-install-ci
Obviously using the uses keyword will make GitHub Actions go through the Dockerfile (and run in a container?), whereas the direct access just runs the entrypoint directly in the current environment.
What I'm wondering is whether this difference in usage matters and could lead to unintended consequences for Actions that are more complex than npm ci?
Honestly, I'm surprised that running an install action through docker even works to begin with.
I guess I kind of knew the answer when I posted this; obviously the difference is whether or not your GitHub Action needs Docker or the action.yml file.
If your action is so simple that you really only need to run a single shell script, then I'd say it's fine/equivalent to use - run: ./.github/actions/your_action/entrypoint.sh. But if your action is complex (i.e. needs docker, or some extra features of action.yml) then running the entrypoint directly could skip out on some critical setup or tangential actions that would be achieved using - uses: ./.github/actions/your_action.
Ultimately, it is up to you and your knowledge of the functionality of your custom action to determine whether these 2 different ways to run a GitHub Action will have different results.

GitHub Actions: How to run jobs in a container

I am trying to transfer my project's CI to GitHub Actions. For integration tests I need to start and access a redis container. I am using info from this article.
So code looks like this
build-artifacts:
  name: Build artifacts
  runs-on: ubuntu-latest
  services:
    redis:
      image: redis:3.2.12
      ports:
        - 6379:6379
I can access redis using localhost:6379 but I can't access it using redis:6379. The article does not help. What I am doing wrong?
Thank you in advance.
So I figured out what the problem was.
Docker network works only if you run your job inside container. And I had not.
Here is example https://github.com/actions/example-services/blob/989ef69ed164330bee413f11ce9332d76f943af7/.github/workflows/mongodb-service.yml#L19
And a quote:
runs all of the steps inside the specified container rather than on the VM host.
Because of this the network configuration changes from host based network to a container network.
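As an added example (not from the answer or the linked mongodb workflow), the question's job moved inside a container with a health-checked redis service, so the steps reach it as `redis:6379`. The `node:18` image and the `npm test` command are assumptions.

```yaml
jobs:
  build-artifacts:
    name: Build artifacts
    runs-on: ubuntu-latest
    # Running the steps in a container puts them on the same Docker network as
    # the service containers, so the service id becomes a resolvable hostname.
    container:
      image: node:18
    services:
      redis:
        image: redis:3.2.12
        # No port mapping needed inside the job network; GitHub waits for the
        # health check before the first step runs.
        options: >-
          --health-cmd "redis-cli ping"
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
    steps:
      - uses: actions/checkout@v3
      - name: Run integration tests against the service
        env:
          REDIS_HOST: redis   # the service id, not localhost
          REDIS_PORT: 6379
        run: |
          npm ci
          npm test
```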
You need to host an external redis database because containers in GitHub Actions are isolated.
On the other hand, you can prepare a docker container with all you need for testing and then you can run the tests inside.
You can take a look here https://github.com/gonsandia/github-action-deploy
It's a custom action where you define the Dockerfile and the scripts to run.