Use repository secret on reusable workflow input
Question
I'm trying to use a GitHub repository secret in one of the inputs of my reusable workflow:
name: Build dbt image
on:
  push:
    paths:
      - "dbt/**"
  workflow_dispatch:
jobs:
  push-image-dev:
    name: dbt dev
    uses: ./.github/workflows/my-reusable-workflow.yml
    with:
      project_id: ${{ vars.PROJECT_ID_DEV }}
      workload_identity_provider: ${{ vars.WORKLOAD_IDENTITY_PROVIDER_DEV }}
      service_account: ${{ vars.SERVICE_ACCOUNT_DEV }}
      environment: dev
      artifact_registry_repository: docker-images
      artifact_registry_domain: europe-west4-docker.pkg.dev
      image_context: dbt
      image_name: dbt-instance
      version_file_path: dbt/version.txt
      build_args: |
        DBT_ENV_SECRET_GIT_CREDENTIAL=${{ secrets.MACHINE_USER_PAT }}
However, I'm getting this error:
The workflow is not valid. .github/workflows/ci.dbt-build.yml (Line: 23, Col: 19): Unrecognized named-value: 'secrets'. Located at position 1 within expression: secrets.MACHINE_USER_PAT
I need to pass this secret at build time so that it gets substituted in the Dockerfile while building the docker image.
Any idea how I can pass the var-name=secret-value combination in the build-args input without having to modify my reusable workflow to meet this particular use case?
Answer 1
Score: 0
First you will have to add the secrets by going to repository settings -> secrets and variables -> actions -> New repository secret. Then add whatever secret, such as MACHINE_USER_PAT.
Then you will need to define the secrets in the workflow like this:
name: Build dbt image
on:
  push:
    paths:
      - "dbt/**"
  workflow_dispatch:
    secrets:
      MACHINE_USER_PAT:
        required: true
      Example_secret1:
        required: true
      Example_secret2:
        required: true
jobs:
  ....
Then you can reference them in your workflow using ${{ secrets.MACHINE_USER_PAT }}.
For more information here is a link to the documentation - https://docs.github.com/en/actions/security-guides/encrypted-secrets
Answer 2
Score: 0
Repository secrets are only accessible on the secrets clause of reusable workflows. I had to rewrite my workflow so that build_args were a secret instead of an input. Then, I could use the repository secret as I was trying:
name: Build dbt image
on:
  push:
    paths:
      - "dbt/**"
  workflow_dispatch:
jobs:
  push-image-dev:
    name: dbt dev
    uses: ./.github/workflows/my-reusable-workflow.yml
    with:
      project_id: ${{ vars.PROJECT_ID_DEV }}
      workload_identity_provider: ${{ vars.WORKLOAD_IDENTITY_PROVIDER_DEV }}
      service_account: ${{ vars.SERVICE_ACCOUNT_DEV }}
      environment: dev
      artifact_registry_repository: docker-images
      artifact_registry_domain: europe-west4-docker.pkg.dev
      image_context: dbt
      image_name: dbt-instance
      version_file_path: dbt/version.txt
    secrets:
      build_args: |
        DBT_ENV_SECRET_GIT_CREDENTIAL=${{ secrets.MACHINE_USER_PAT }}
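The called side of the arrangement described in Answer 2, as an added example that is not part of the original posts and not the poster's actual reusable workflow: `build_args` is declared under `on.workflow_call.secrets`, which is what lets the caller fill it from the `secrets` context. Only the input and secret names come from the page; the job layout, the action versions, the image tag and the choice not to push are assumptions.

```yaml
# .github/workflows/my-reusable-workflow.yml (hypothetical contents)
name: Build image (reusable)
on:
  workflow_call:
    inputs:
      # Every key the caller sets under `with:` has to be declared here.
      project_id: { type: string, required: true }
      workload_identity_provider: { type: string, required: true }
      service_account: { type: string, required: true }
      environment: { type: string, required: true }
      artifact_registry_repository: { type: string, required: true }
      artifact_registry_domain: { type: string, required: true }
      image_context: { type: string, required: true }
      image_name: { type: string, required: true }
      version_file_path: { type: string, required: true }
    secrets:
      # Declared as a secret rather than an input, so the caller's
      # `secrets:` block can pass ${{ secrets.MACHINE_USER_PAT }} inside it.
      build_args:
        required: false

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build image
        uses: docker/build-push-action@v5
        with:
          context: ${{ inputs.image_context }}
          # Assumption: build only. Registry login and push are left out
          # because the page does not show how the real workflow does them.
          push: false
          tags: ${{ inputs.image_name }}:${{ inputs.environment }}
          # Inside the called workflow the value is read from the secrets
          # context under the declared name, not from `inputs`.
          # Caveat: values passed as Docker build args are recorded in the
          # image metadata and can be read back with `docker history`.
          # The action's separate `secrets` input (BuildKit secret mounts)
          # avoids that, at the cost of changing the Dockerfile.
          build-args: ${{ secrets.build_args }}
```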