英文:
Personal GitHub secrets for each dev who can push to repo
问题
我们的组织在GitHub上有一个仓库,多个开发者可以推送到它。该仓库使用GitHub Actions工作流程,需要一个秘密令牌才能正常工作。然而,我无法在GitHub上为该操作提供组织范围的令牌,因为每个可以推送到该仓库的开发者都有自己的个人令牌。如何让我们的每个开发者在git推送时提供自己的个人令牌给GitHub Actions工作流程?
英文:
In our organization we have a repo on GitHub, multiple devs can push to it. That repo uses a GitHub Actions workflow which needs a secret token to work. However, I cannot provide a organization-wide token on GitHub for that action, since every developer who can push to that repo has their own personal token. How can I allow each of our devs to provide their own personal token to the GitHub Actions workflow on a git push?
答案1
得分: 0
以下是翻译好的部分:
最简单的解决方案是获取并配置一个整个存储库范围的“机器”或“机器人”令牌,并将其配置为存储库密钥,然后在适当的作业步骤中使用它。
或者,您可以让开发人员配置一个预推送挂钩,以便他们可以在本地运行现在在 CI 中运行的工具。这需要为每个存储库和开发人员进行配置和纪律。
最糟糕的解决方案,但似乎是您正在追求的,是将每个开发人员的令牌都配置为存储库密钥,包括他们的名称,例如 TOOL_TOKEN_MATTHIAS
。
然后,在推送时,您获取 github.event.pusher.name
,并使用 format() 查找适当的密钥,类似于这样:
secrets[format('TOOL_TOKEN_{0}', github.event.pusher.name)]
这也需要配置和纪律,并且是脆弱的。
英文:
The most trivial solution would be to obtain and configure a repository-wide "machine" or "bot" token and configure that as a repository secret, using it to pass to the appropriate job step.
Alternatively, you let your developers configure a pre-push hook, so they can run the tool that now runs in CI locally instead. This requires configuration and discipline for each repository and developer.
The worst solution, but the one you seem to be aiming at, would be to configure each developer's token as repository secret, including their name, e.g. TOOL_TOKEN_MATTHIAS
.
Then on push, you obtain the github.event.pusher.name
, and [using format()]](https://stackoverflow.com/questions/61255989/dynamically-retrieve-github-actions-secret), look up the appropriate secret, something like this:
secrets[format('TOOL_TOKEN_{0}', github.event.pusher.name)]
This too will require configuration and discipline, and is fragile.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论