Why reusable workflow step fails from a different repo but succeeds from same repo?

Question

I am using GitHub Actions for CI/CD. I have a reusable workflow added in a repo named BuildTemplate so that future projects can use this template. The reusable workflow has a simple step to log in to Azure and subsequently download a file from key vault. The secrets for Azure login are all kept under BuildTemplate repo's settings -> secrets and variables -> actions -> repository secrets.

    # Reusable workflow in MyOrg/MyReusableRepo (the BuildTemplate repo).
    # A reusable workflow needs a workflow_call trigger; added here for completeness.
    on:
      workflow_call:

    jobs:
      download_secure_file:
        runs-on: [self-hosted, github-my-selfhosted-runner]
        permissions:
          id-token: write   # required for the OIDC login that the successful run shows
        steps:
          - name: Login to Azure
            uses: Azure/login@v1
            with:
              client-id: ${{ secrets.AZURE_CLIENT_ID }}
              tenant-id: ${{ secrets.AZURE_TENANT_ID }}
              subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

When this reusable workflow step is being called from a different repo, like this:

    jobs:
      download_secure_file:
        name: Download Secure File
        uses: MyOrg/MyReusableRepo/.github/workflows/template-download-secure-file.yml@main

the step fails with the below error:

    Run Azure/login@v1
    Error: Az CLI Login failed. Please check the credentials and make sure az is installed on the runner. For more information refer https://aka.ms/create-secrets-for-GitHub-workflows

When this login step is in a reusable workflow which is in the same repo, it works:

    Run Azure/login@v1
    Using OIDC authentication...
    Federated token details:
     issuer - https://token.actions.githubusercontent.com
     subject claim - repo:MyOrg/MyRepo:ref:refs/heads/feature/MyFeature-7596
    /usr/bin/az cloud set -n azurecloud
    Done setting cloud: "azurecloud"
    Login successful.

Why does the login fail when the reusable workflow is called from a different repo? I went through the GitHub Actions documentation and did not see anything I am missing that would make the reusable workflow fail. Please note that even though the error says "make sure az is installed on the runner", that is not needed: it is the same runner machine on which this step succeeds without any need to install the Azure CLI.

What is the actual issue here?

Answer 1

Score: 1

You're almost there... All you have to do is pass the secrets from the calling workflow; otherwise the secrets are null, hence your job is failing.

    jobs:
      download_secure_file:
        name: Download Secure File
        uses: MyOrg/MyReusableRepo/.github/workflows/template-download-secure-file.yml@main
        secrets: inherit

By specifying `secrets: inherit`, you can solve the issue.
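The reason behind the accepted answer is that secrets referenced inside a reusable workflow are resolved in the caller's context (the calling repository, its organization and its environments), never from the repository that hosts the template. Repository secrets on BuildTemplate therefore do nothing for a cross-repo call. `secrets: inherit` fixes the empty values, but it hands the template every secret the caller holds. The pair of workflows below is an added example, not the poster's or the answerer's code, showing the least-privilege alternative: the template declares the three secrets it needs under `workflow_call`, and the caller passes exactly those. The file names, the `Build` workflow, the `push` trigger and the `az account show` check are assumptions for illustration.

```yaml
# .github/workflows/template-download-secure-file.yml  (in MyOrg/MyReusableRepo)
# Added example; file name and step names are assumptions.
name: Download secure file (reusable)

on:
  workflow_call:
    # Declare exactly the secrets this workflow needs. They are resolved from
    # the CALLER's repository/organization/environment secrets, never from the
    # repository that hosts this file. Marking them required makes a caller
    # that forgets to pass one fail at validation time instead of at login.
    secrets:
      AZURE_CLIENT_ID:
        required: true
      AZURE_TENANT_ID:
        required: true
      AZURE_SUBSCRIPTION_ID:
        required: true

jobs:
  download_secure_file:
    runs-on: [self-hosted, github-my-selfhosted-runner]
    permissions:
      id-token: write   # needed to mint the OIDC token that Azure/login exchanges
      contents: read
    steps:
      - name: Login to Azure
        uses: Azure/login@v1
        with:
          client-id: ${{ secrets.AZURE_CLIENT_ID }}
          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}

      - name: Confirm which identity and subscription the runner logged in as
        run: az account show --output table

---
# .github/workflows/build.yml  (in the calling repository, e.g. MyOrg/MyRepo)
# Added example; workflow name and trigger are assumptions.
name: Build

on:
  push:
    branches: [main]

# Permissions are granted at the caller; the called workflow cannot exceed them.
permissions:
  id-token: write
  contents: read

jobs:
  download_secure_file:
    name: Download Secure File
    uses: MyOrg/MyReusableRepo/.github/workflows/template-download-secure-file.yml@main
    # Pass only the three secrets the template declares, taken from THIS repo's
    # secrets. `secrets: inherit` would also make the login work, but it exposes
    # every secret of this repository, its organization and its environments
    # to whatever the template at @main currently does.
    secrets:
      AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }}
      AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }}
      AZURE_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
```

Two caveats follow from the successful log in the question. First, the subject claim shown there (`repo:MyOrg/MyRepo:ref:refs/heads/...`) names the calling repository, so the federated credential on the Azure app registration must match each caller's repo and branch (or environment), not the BuildTemplate repo; a caller that passes correct secrets but has no matching federated credential fails with the same "Az CLI Login failed" message. Second, referencing a cross-repo template with `@main` means a push to that branch changes what runs with the caller's secrets and OIDC identity; pinning `uses:` to a full commit SHA removes that supply-chain exposure.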

huangapple, posted 2023-07-27 19:03:58. Keep this link when reposting: https://go.coder-hub.com/76779105.html