
Environment Variables and Secrets

1. Environment Variables and Secrets

Welcome back! In this video, we will learn about setting variables and secrets in GitHub Actions.

2. Contexts

In GitHub Actions, "context" refers to predefined environment variables or data that GitHub provides for each workflow run. These context variables contain information about the repository, workflow, event, and the environment where the workflow is running. They provide a way to dynamically adjust the workflow's behavior and decisions based on the information they contain. Contexts can be accessed using the expression syntax: strings enclosed inside double curly braces with a leading dollar sign. Some contexts that we will use are:

- `github` - has information about the workflow run.
- `env` - has variables set in a workflow, job, or step.
- `secrets` - has names and values of secrets that are available to a workflow run.
- `job` - has information about the currently running job.
- `runner` - has information about the runner that is running the current job.

3. Variables

Variables and secrets are two ways to manage reusable configuration data in GitHub Actions. Variables are stored as plain text and used for non-sensitive data, such as compiler flags, usernames, etc. Variables can be declared in various ways, most commonly at the workflow level, using the `env` keyword in the YAML file. The scope of a variable is controlled by the level where it is declared. Once declared, a variable's value can be accessed using the `env` context.

4. Secrets

In contrast to variables, secrets are encrypted in storage and used for sensitive data such as passwords or API keys. To provide an action with a secret as an input or environment variable, we can use the `secrets` context to access secrets we've created in the repository. We can also place a secret value in an environment variable using the `env` key, or pass it as an argument to an action using the `with` key. As a safety measure, GitHub Actions doesn't print any secret in the logs.

5. Setting secrets

To set a repository-level secret, navigate to the landing page of the repository. Under the repository name, click Settings. In the "Security" section of the sidebar, select Secrets and variables, then click Actions. Click the Secrets tab, followed by New repository secret.

6. Setting secrets

In the Name field, type a name for the secret. In the Secret field, enter the value for the secret. Click Add secret.

7. GITHUB_TOKEN secret

The GITHUB_TOKEN secret is a built-in secret provided by GitHub Actions. When used in the workflow, it allows the workflow to perform various actions and interact with the GitHub API. The GITHUB_TOKEN secret has certain permissions, which are automatically set based on the specific event that triggers the workflow. These permissions enable common actions like:

- Cloning the repository and fetching code.
- Opening and closing issues and pull requests.
- Commenting on issues and pull requests.

The GITHUB_TOKEN secret is automatically available in every GitHub Actions workflow run, and we can access it using the `secrets` context. We can also tune the permissions of the GITHUB_TOKEN to the desired level of restrictions.

8. Example: commenting on a pull request

Let's use GITHUB_TOKEN to write a comment on a pull request. First, we need to elevate permissions to be able to write comments. We use the `permissions: pull-requests` key for that. Next, notice the use of `GITHUB_TOKEN` in the `with` key: this passes the secret value stored in GITHUB_TOKEN as an argument to the `actions-comment-pull-request` action. Recall from the previous video that thollander is the username of the repository where this Action is specified. When the pull request is created, we see that the github-actions bot writes the Hello world message as a comment.
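
The workflow below puts the pieces from this video together: variables scoped at workflow, job, and step level, a repository secret passed through `env`, and GITHUB_TOKEN passed through `with` after granting write access to pull requests. It is an added example, not the workflow shown in the video; the names `APP_ENV`, `BUILD_FLAGS`, and `API_KEY`, and the `@v2` action reference, are assumptions.

```yaml
# Added example (not from the course). APP_ENV, BUILD_FLAGS, API_KEY and the
# @v2 ref are assumptions; API_KEY must exist as a repository secret.
name: PR comment demo

on: pull_request

# Workflow-level variable: visible to every job and step.
env:
  APP_ENV: staging

# Grant GITHUB_TOKEN only what this workflow needs.
# Scopes not listed here are set to "none".
permissions:
  contents: read
  pull-requests: write

jobs:
  comment:
    runs-on: ubuntu-latest
    env:
      # Job-level variable: visible only to the steps of this job.
      BUILD_FLAGS: "-O2"
    steps:
      - name: Read variables through the env context
        run: echo "Building for ${{ env.APP_ENV }} with $BUILD_FLAGS"

      - name: Pass a secret as an environment variable
        env:
          # Step-level: the secret is exposed to this step only.
          API_KEY: ${{ secrets.API_KEY }}
        run: |
          # Read the value from the environment instead of inlining the
          # expression in the script; the log shows only whether it is set.
          if [ -n "$API_KEY" ]; then echo "API_KEY is set"; else echo "API_KEY is empty"; fi

      - name: Comment on the pull request
        # Assumed version tag; pinning to a full commit SHA is stricter.
        uses: thollander/actions-comment-pull-request@v2
        with:
          message: Hello world
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Declaring the secret at step level rather than workflow level keeps it out of the environment of every other step, including third-party actions that do not need it.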

9. Let's practice!

Let's review your knowledge of environment variables and secrets.