I'm trying to use Github Actions for CI. I've created some secrets in repository on GitHub and encrypt some files in sources with a git-secret tool. In the end, I wrote netx yml-script as action for github
build:
runs-on: ubuntu-latest
steps:
- name: Checkout sources
uses: actions/checkout#v2
- name: Configure GPG Key
uses: crazy-max/ghaction-import-gpg#v3
with:
gpg-private-key: ${{ secrets.GPG_SIGNING_KEY }}
passphrase: ${{ secrets.SECRET_PWD }}
git-user-signingkey: true
git-commit-gpgsign: true
- name: Reveal secrets
env:
SECRET_PWD: ${{ secrets.SECRET_PWD }}
run: |
sudo apt install git-secret
git secret tell my#email.com
git secret reveal -p $(echo $SECRET_PWD | sed 's/./& /g')
- name: Build images
run: docker-compose build
I suppose this described next pipeline:
Checkout current branch
Install required tools for gpg with a PK (gpg key?) and PWD
Add user with email from PK to white list
Decrypt .secret files
And finally build docker images.
Am I right?
My problem is steps 3-4. I've got an error in logs
> Setting up git-secret (0.2.3-1) ...
> Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
> done. my#email.com added as someone who know(s) the secret.
> cleaning up...
> Error: Process completed with exit code 1.
I've checked my solution on local machine (linux) and it works like a charm.
Well, maybe someone knows where is my mistake in yml-script?
I would guess that the problem is the "git secret tell" line. The "tell" step needs to be done in advance by someone else (you) who already has the authority to reveal the secrets. From the documentation:
Now add this person to your secrets repo by running git secret tell
persons#email.id (this will be the email address associated with the
public key)
The newly added user cannot yet read the encrypted files. Now,
re-encrypt the files using git secret reveal; git secret hide -d, and
then commit and push the newly encrypted files.
It looks like the "git secret reveal" step failed. Did you re-encrypt and push the secret files after calling "git secret tell my#email.com" locally?
In the github action itself, you don't need to run the "tell" step again.
Related
I'm seeing this error as of today, was working yesterday and prior to that as well.
Can't see that anything has changed in the Heroku documentation that might cause this breaking change.
Error:
Switched to a new branch 'deploy'
remote: ! WARNING:
remote: ! Do not authenticate with username and password using git.
remote: ! Run `heroku login` to update your credentials, then retry the git command.
remote: ! See documentation for details: https://devcenter.heroku.com/articles/git#http-git-authentication
fatal: Authentication failed for 'https://git.heroku.com/snapnhd-staging.git/'
main.yml
server-deploy:
needs: server-check
runs-on: ubuntu-latest
steps:
- uses: actions/checkout#master
- uses: actions/setup-ruby#v1
with:
ruby-version: '2.6.x'
- name: Determine Heroku App
id: heroku
uses: ./.github/actions/heroku-app
- name: Deploy
env:
HEROKU_API_KEY: ${{ secrets.HEROKU_API_KEY }}
HEROKU_APP: ${{ steps.heroku.outputs.app }}
run: |
git remote add heroku \
https://heroku:$HEROKU_API_KEY#git.heroku.com/$HEROKU_APP.git
git fetch --unshallow origin
git checkout -b deploy
git push heroku deploy:master -f
As part of their response to this ongoing security investigation, Heroku forced all users to reset their passwords on or around May 4 (quoting from an email that, presumably, all customers should have received):
As part of our efforts to enhance our security and in response to an incident published on status.heroku.com, we wanted to inform you that we will begin resetting user account passwords on May 4, 2022.
This also invalidated API tokens:
NOTE: A password reset will also invalidate your API access tokens. As a result, any automations you’ve built to integrate with the Heroku Platform API that use these tokens may result in 403 forbidden errors. To avoid downtime you will need to re-enable direct authorizations by following the instructions here and update your integrations to use your newly generated token.
The linked article shows several ways to generate a new token, all of which boil down to a POST to
https://api.heroku.com/oauth/authorizations
The exact method depends partly on whether you have multi-factor authentication enabled. If you aren't already using MFA, this would be a good time to enable it.
Generate a new token and update your GitHub Actions configuration to use it.
Here, I'm trying to add go command when I deploy my app in GitHub Action.
The prompt in github action shows
err: bash: line 15: go: command not found .
*note : I already installed go and the go command works through my ssh connection
I'm expecting the go command works when I deploy it through Github Action using appleboy/ssh-action, how to do that?
edit:
here's my github action script:
- name: Deploy App and Deploy
uses: appleboy/ssh-action#v0.1.2
with:
host: ${{secrets.SSH_HOST}} # IP address of the server you wish to ssh into
key: ${{secrets.SSH_KEY}} # Private or public key of the server
username: ${{ secrets.SSH_USERNAME }} # User of the server you want to ssh into
script: |
export NVM_DIR=~/.nvm
source ~/.nvm/nvm.sh
export GO_DIR=/usr/local/go
source /usr/local/go/bin/go
cd /root
cd go
cd deploying
echo "Cloning Git Repo to /root/deploying"
git clone https://aldhanekaa:${{secrets.GITHUB_TOKEN}}#github.com/aldhanekaa/Golang-audio-chat.git
echo "Building Golang source"
cd Golang-audio-chat
go build
well for example, for adding npm command on appleboy/ssh-action, we just need to add
export NVM_DIR=~/.nvm
source ~/.nvm/nvm.sh
but how about go?
As user VonC said, I can try by points the binary file of go command, but since /usr/local/go/bin/go is not short as go, I decided to add the go binary to $PATH.
So the solution comes up as;
adding PATH="/usr/local/go/bin/:$PATH" at the first execution of the github action appleboy/ssh-action script.
- name: Deploy App and Deploy
uses: appleboy/ssh-action#v0.1.2
with:
host: ${{secrets.SSH_HOST}} # IP address of the server you wish to ssh into
key: ${{secrets.SSH_KEY}} # Private or public key of the server
username: ${{ secrets.SSH_USERNAME }} # User of the server you want to ssh into
script: |
export NVM_DIR=~/.nvm
source ~/.nvm/nvm.sh
PATH="/usr/local/go/bin/:$PATH"
Check first your PATH:
echo $PATH
If /usr/local/go/bin/ is not part of it, try:
/usr/local/go/bin/go build
I have a workflow in GitHub that will execute a shell script, and inside this script I need to use gsutil
In my workflow yml-file I have the following steps:
name: Dummy Script
on:
workflow_dispatch:
jobs:
build:
runs-on: ubuntu-latest
environment: alfa
env:
_PROJECT_ID: my-project
steps:
- uses: actions/checkout#v2
- name: Set up Cloud SDK for ${{env._PROJECT_ID}}
uses: google-github-actions/setup-gcloud#master
with:
project_id: ${{env._PROJECT_ID}}
service_account_key: ${{ secrets.SA_ALFA }}
export_default_credentials: true
- run: gcloud projects list
- name: Run script.sh
run: |
path="${GITHUB_WORKSPACE}/script.sh"
chmod +x $path
sudo $path
shell: bash
And the script looks like:
#!/bin/bash
apt-get update -y
gcloud projects list
The 2nd step in yml (run: gcloud projects list) works as expected, listing the projects SA_USER have access to.
But when running the script in step 3, I get the following output:
WARNING: Could not open the configuration file: [/root/.config/gcloud/configurations/config_default].
ERROR: (gcloud.projects.list) You do not currently have an active account selected.
Please run:
$ gcloud auth login
to obtain new credentials.
If you have already logged in with a different account:
$ gcloud config set account ACCOUNT
to select an already authenticated account to use.
Error: Process completed with exit code 1.
So my question is:
How can I run a shell script file and pass on the authentication I have for my service account so I can run gcloud commands from a script file?
Due to reasons, it's a requirement that the script file should be able to run locally on developers computers, and from GitHub.
The problem seemed to be that the environment variables were not inherited when running with sudo. There are many ways to work around this, but I was able to confirm that it would run with sudo -E. Of course, if you don't need to run with sudo, you should remove it, but I guess it's necessary.
(The reproduction code was easy for me to reproduce it. Thanks)
I've set up a repository in the Maven Central Repository via Sonatype, and now I'm trying to create a GitHub action that will automatically publish an updated version when I create a new release on GitHub.
I know how to create the trigger using the on: clause and run the gradlew publish task, but I don't know how to supply GitHub with the GPG encryption key needed for it.
How do I do it?
My progress so far is here.
Your issue seems similar to this one
Summarizing:
GitHub Actions is basically a container that runs commands, you can define your key as a secret on your project and then importing it in your Github Action workflow
Here are the steps that could be used on a project to publish the generated artifacts to Sonatype's repository:
On a terminal window, you can search for the key ID by e-mail: gpg --list-secret-keys user#example.com
Export your key as Base64: gpg --export-secret-keys YOUR_ID_HERE | base64 > private.key
In your Github project, create a new Secret named GPG_SECRET_KEY (for example) and paste the Base64 content of your key (here is a reference how to do it)
In your workflow .yml file, include a step to import the key from your just defined secret like the example below:
- name: Configure GPG Key
run: |
mkdir -p ~/.gnupg/
printf "$GPG_SIGNING_KEY" | base64 --decode > ~/.gnupg/private.key
gpg --import ~/.gnupg/private.key
env:
GPG_SECRET_KEY: ${{ secrets.GPG_SECRET_KEY }}
Note: Your GPG Key can't be protected by a password.
This might be a silly question, but here I am after two days of head banging 😔
I'm currently working on a GitHub Actions job, that would at some point git push to a protected branch (master, actually). However, once it gets to this step, the job fails with a "You're not authorized to push" error message:
error code GH006
In my situation, the first time it happened, it meant that the worker (CLI, bash) is not authorized at all. So I went to log it in a dedicated GitHub account, — and this is where I'm stuck for a couple of days now.
So, how do I login to GitHub account via CLI?
The things I've tried:
Pushing to master manually
This works without errors, since the authorization is OK, — but it is obviously not automated, which is what I'm after.
A couple of details:
I was using Windows 10, whereas the job is set up to run on "ubuntu-18.04";
I've removed all GitHub-related logins from Windows Credential Manager before performing git push, and set them up again via GitHub Login dialog window.
Manually pushing under unauthorized credentials fails, as expected.
git remote set-url origin "https://$username:$token#github.com/my/repo"
This didn't seem to give any effect. I've tried both setting URL of the existing remote and removing-than-adding remotes with different URLs, — both approaches seem to work (not work) the same.
None of the configurations below worked:
steps:
- run: git remote set-url origin "https://$username:$token#github.com/my/repo"
- run: git push origin master
steps:
- run: git remote remove origin
- run: git remote add origin "https://$username:$token#github.com/my/repo"
- run: git fetch origin --all # with and without this step
- run: git push origin master
curl -u "$username:$token" https://api.github.com/user
This is suggested in the docs, and it does succeed, but the login does not persist until git push — even if the pushing happens in the same step. I suspect, there might be a cookie-related solution, but I'm not sure how do they work in a non-browser environment. Also, I believe that this API is designed for different purposes.
Both of these configurations failed:
steps:
# separate processes
- run: curl -u "$username:$token" https://api.github.com/user
- run: git push origin master
steps:
# same process
- run: |
curl -u "$username:$token" https://api.github.com/user
git push origin master
actions/checkout#v2 will now configure and persist authentication when setting the token input. You shouldn't need to configure the origin URL manually.
- uses: actions/checkout#v2
with:
token: ${{ secrets.PAT }}
- name: Create a change
run: echo "test" > test.txt
- name: Commit change
run: |
git config --global user.name 'Your Name'
git config --global user.email 'your-username#users.noreply.github.com'
git add -A
git commit -m "Add test file"
git push
According to this comment on the GitHub forums, the PAT must be created from an admin/org owner account. A collaborator with write access is not enough to push to protected branches.