Secrets and Environment Variables in your GitHub Action

Captions
If you have secret values in your CI/CD pipelines, you want them to be kept secret, and also you might need different secrets and variables for dev, staging or production environments. Specifically for GitHub Actions, that's what we're going to talk about today, so stay tuned and enjoy the video.

Starting from your repository, head over to the settings, scroll down a little bit, and under Secrets and variables, then Actions, you will find a panel where you can actually set up secrets and variables. So in the first part of this video we're going to set them up and show the differences, and in the second part I'm going to show you how you can actually use secrets and variables in your GitHub Actions.

The first thing you notice here is that you have environment secrets and repository secrets. As you might expect, repository secrets are available for the entire repository, while environment secrets, well, you can create specific environments like prod, stage, development, and you can bind secrets specifically on that environment. The thing is, if you have a secret on the repository level and one on an environment level, the environment will win over the repository. You also have an organization level, which is right above, which then gets overwritten by repository and by environment.

And now let's create one real quick. Just hit repository secret, give it a name like API key and our secret value, which is this one here. You can see that you can only add a secret. The first thing you notice is that once you set a secret, you can just delete or edit, and edit doesn't mean you can read the value, because, well, it's secret; you can only override it with a new one. And actually this is the main difference with variables, which, as the name suggests, are not secret. Here you can find one already set. Anyway, you can just click new repository variable. The editor is pretty much the same, just make sure to respect the rules; for example, the GITHUB_ prefix is obviously reserved. And once you set a repository variable, as a difference from the secrets, you can actually see the value and edit it at any time.

But what about environments? Well, you can create a specific environment from here, which will actually redirect you to the other side of the menu, and you can create a new environment. Let's call it production, and here you can configure the environment. You can have many settings on specific environments, but for this specific case we'll just set up a new variable, give it the same name as the other one but with a different value, which would be prod one two three four five. We add the variable, and we can now check back on our secrets Actions section that for the production environment we have app ID with this value, and at a repository level we have the same variable but with a different value.

But when do you need to use secrets in your pipelines? Well, it depends on the services you might want to use. For example, you might need the secret API key to send a message in your Slack or Teams channel every time a build fails or completes, and also, if you deploy your website or your service to an external provider, again you will probably need some sort of secret or key in order to access the service from the pipeline. What about variables? Well, you might have different URLs for the backend and you want them to be configurable at an environment level, so that your staging build points to the staging backend and the production build points to the production backend. But I think you already got the point, so let's go on a proper GitHub Action and see how you can actually use those values.

So I created this one with the workflow dispatch trigger, which is the way that you can manually run GitHub Actions. By the way, I made an entire video specifically about running GitHub Actions manually and you can find it in my channel. And if I run the workflow, in a couple of seconds, just refresh the page, this is our action running, and as you can see already there are two jobs: one for generic purpose and one running only on production.

Let's now have a look at the code with the output on the left, so that we can match what happens depending on the line. Let's look at our first job, that is top secret. It runs on ubuntu-latest, and these are the steps. First of all, I can read the variable with this syntax over here. What this does is that it actually interpolates the value directly in the command, so if you try to look at the output you will see that the variable value is already here in the command and is obviously in the execution of the command itself.

Now let's try to use a secret. We can use again the same syntax, but like we said in the beginning, we actually want our secret to be secret, so if I try to use a secret I do not want it to be displayed in the console, and GitHub Actions is smart enough to put these three asterisks every time a secret is actually in the output. The funny thing is that it will replace that value in the output, so if you set a secret and you call it existing, you will see asterisks here instead of the word existing. How can we make sure that it actually got the secret right? Well, if you try to set a secret that does not exist and you check the output, you will see that no asterisk is displayed here. That's as simple as that: nothing got interpolated here, so there's nothing to show there.

Next up, we can also read something from a global object called github, which contains some useful information about the execution of this action. For example, if you use github.repository you will see here the name of the repository, with owner slash repository name.

Next up, we can read an environment variable with the usual syntax here, with env.app ID or with dollar sign my app ID. But where does this come from? Well, right from there: I set that the environment on this execution will have this my app ID value, which is actually the value we had from the vars. As a result, if I expand this one, you can call the variable, like I said, with my app ID dollar, and the value is here. Why is the value not there? Well, because here I used app ID, which is not the environment variable, because it was inside vars, and this env will actually read this env here, so the correct value here would have been my app ID.

But one cool thing about setting variables in the environment is that you can actually use them even in scripts coming from the outside. For example, here I've got this custom script, which is in a separate folder, and the script is a simple echo which will again output my app ID, but there's no indication here about where this my app ID comes from and where it is. Well, this command runs in the environment set up on top here, so if I read env from my external script, there it is: my app ID is, and it grabs the value.

The last thing I want to show you is that if we specify that the environment is production, the environment will take all the variables and secrets coming from the environment we specified earlier. If we now go back here and see top secret production, we always had that app ID was one two three four five, but now that we're in the production environment, if we expand this one, the value is prod one two three four five. And this is exactly what you would expect, because in the settings, right under Actions here, we specified that we have a variable on a repository level which has this value, but the same variable on the production environment has this different value, which is again the one we saw here in the output.

And that was it, you can now simply use your secrets in your pipelines. Thanks for watching, and if you're interested in more GitHub Actions related content, well, you can continue watching from here. There's a playlist with a lot of other videos, so don't forget to leave a like, subscribe, and see you in the playlist.
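
The workflow the captions walk through, reconstructed as an added example (not the video's own file). The names `APP_ID`, `API_KEY`, `NOT_DEFINED`, `MY_APP_ID`, the job ids and `scripts/print-app-id.sh` are assumptions. The secret is handed to the step through `env:` rather than interpolated into the command line, so its value never becomes part of the script text that the runner writes out and executes.

```yaml
# Added example; all names below are assumptions, not taken from the video's repository.
name: secrets-and-variables
on:
  workflow_dispatch:            # manual trigger, as described in the captions

jobs:
  top-secret:
    runs-on: ubuntu-latest
    env:
      MY_APP_ID: ${{ vars.APP_ID }}   # repository-level variable copied into the job environment
    steps:
      - uses: actions/checkout@v4     # the external script must exist on the runner
      - name: Read a variable
        # Interpolated before the shell starts, so the value shows up in the logged command.
        run: echo "app id is ${{ vars.APP_ID }}"
      - name: Read a secret
        env:
          API_KEY: ${{ secrets.API_KEY }}
        # The log prints *** wherever the secret's value would appear.
        run: echo "api key is $API_KEY"
      - name: Read a secret that is not set
        # An undefined secret expands to an empty string, so there is nothing to mask.
        run: echo "missing is ${{ secrets.NOT_DEFINED }}"
      - name: Read from the github context
        run: echo "repository is ${{ github.repository }}"   # owner/name
      - name: Read env
        run: |
          # Empty: APP_ID lives in the vars context, not in env.
          echo "env.APP_ID is ${{ env.APP_ID }}"
          echo "MY_APP_ID is $MY_APP_ID"
      - name: Read env from an external script
        # Hypothetical script containing: echo "MY_APP_ID is $MY_APP_ID"
        run: bash scripts/print-app-id.sh

  top-secret-production:
    runs-on: ubuntu-latest
    environment: production     # environment-level values override repository-level ones
    steps:
      - name: Read a variable
        run: echo "app id is ${{ vars.APP_ID }}"   # prints the production value
```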
Info
Channel: Dev Leonardo
Views: 14,218
Keywords: development, 2022, tips, tricks, tutorial, howto, opensource, open source, web, javascript, typescript, vscode, Visual Studio Code, github, git, dev, 2023, oss, open source software, env, environment, var, action, actions, pipeline, pipe, cd, ci, cicd, ci/cdd, ci/cd, secret, secrets, api, api key, api_key, keys, key, variable, environemnt, prod, stage, stg, prd, devops, ops, dev ops
Id: dPLPSaFqJmY
Length: 8min 12sec (492 seconds)
Published: Mon Jul 03 2023