Can I dispatch a GitHub reusable workflow that uses secrets?

Question

I created a reusable workflow to run unit tests.

In the main workflow, I call this workflow and pass the secrets as arguments.

I also want to trigger this workflow manually sometimes from the GitHub web UI, so I added workflow_dispatch.

However, when I do that, I get the error: Error: Input required and not supplied: token. What do I need to do to get access to the secrets when triggering my workflow manually?

I'm confused because in my main workflow (which is triggered by workflow_dispatch), I don't need to do anything special to access the secrets. So I don't understand why this workflow doesn't automatically get access to the secrets from the repo when triggered by workflow_dispatch, too:

name: unit-tests

on:
  workflow_dispatch:
  workflow_call:
    secrets:
      PAT_GITHUB:
        required: true
jobs:
  update-checker:
    runs-on: ubuntu-latest
    steps:
      - name: "Check out this repo and submodules."
        uses: actions/checkout@v3
        with:
          submodules: true
          token: ${{ secrets.PAT_GITHUB }}
        timeout-minutes: 3

When I call this workflow from another workflow and pass the secrets, it executes as expected.

But when I dispatch this workflow from the web UI (screenshot below), it fails:

Is it possible to use workflow_dispatch and workflow_call in the same workflow? If so, how do I access the secrets when using workflow_dispatch?

Answer 1

Score: 1

You have to pass your secrets from the caller.

jobs:
  call-workflow-unit-tests:
    uses: octo-org/example-repo/.github/workflows/reusable-unit-test-wf.yml@main
    secrets:
      PAT_GITHUB: ${{ secrets.PAT_GITHUB }}

Or you can use secrets: inherit:

jobs:
  call-workflow-unit-tests:
    uses: octo-org/example-repo/.github/workflows/reusable-unit-test-wf.yml@main
    secrets: inherit

See:

Answer 2

Score: 0

The issue was that I had renamed the secret by mistake in my reusable workflow.

So in the main workflow, I had a secret called GITHUB_PAT, but my reusable workflow called it PAT_GITHUB. Since I passed GITHUB_PAT to PAT_GITHUB in the calling workflow, that worked, but the dispatch failed.

So the rule here is that if you want to use secrets in a reusable workflow that can also be dispatched, you can't rename the secrets!
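
The name mismatch described in the second answer can be caught before a workflow is merged. The following check is an added example, not code from the original post or from GitHub; the function name `unresolved_on_dispatch`, its secret-list argument and the `REPO_PAT` secret name are assumptions made for illustration.

```python
import re

# Text-level heuristics (no YAML parser): enough for a pre-merge check.
SECRET_REF = re.compile(r"\bsecrets\.([A-Za-z_][A-Za-z0-9_]*)")
DISPATCH = re.compile(
    r"^[ \t]*(?:-[ \t]*)?workflow_dispatch[ \t]*:?[ \t]*$"  # mapping key or list item
    r"|^on:.*\bworkflow_dispatch\b",                        # inline form: on: [a, b]
    re.MULTILINE,
)


def unresolved_on_dispatch(workflow_text, visible_secret_names):
    """Return secret names the workflow reads that a manual dispatch cannot resolve.

    On workflow_call, secrets.NAME is whatever the caller mapped to NAME.
    On workflow_dispatch there is no caller, so NAME must exist under that
    name among the secrets visible to the repository (repository,
    organization or environment secrets).
    """
    if not DISPATCH.search(workflow_text):
        return []  # never dispatched directly; only the caller's mapping matters
    # GitHub treats secret names as case-insensitive, so compare in upper case.
    visible = {n.upper() for n in visible_secret_names} | {"GITHUB_TOKEN"}
    referenced = {n.upper() for n in SECRET_REF.findall(workflow_text)}
    return sorted(referenced - visible)


# The reusable workflow from the question, abbreviated.
REUSABLE = """\
on:
  workflow_dispatch:
  workflow_call:
    secrets:
      PAT_GITHUB:
        required: true
jobs:
  update-checker:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          submodules: true
          token: ${{ secrets.PAT_GITHUB }}
"""

if __name__ == "__main__":
    # Constructed secret lists; REPO_PAT is a hypothetical, differently named secret.
    print(unresolved_on_dispatch(REUSABLE, ["REPO_PAT"]))
    print(unresolved_on_dispatch(REUSABLE, ["PAT_GITHUB"]))
```

The list of visible names can be taken from the repository's secrets settings page; the check reads only names, never secret values.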

Posted by huangapple on 2023-03-15 19:44:06
When reposting, please keep the link to this article: https://go.coder-hub.com/75744243.html