GitHub Actions is a powerful CI/CD platform integrated directly into GitHub repositories. It allows you to automate various software development workflows, including building, testing, and deploying your code.
- Workflows: YAML files that define a set of jobs to be executed when triggered by an event.
- Jobs: A set of steps that execute on the same runner.
- Steps: Individual tasks that can run commands or actions.
- Actions: Reusable units of code that can be shared across workflows.
- Events: Specific activities that trigger a workflow run.
name: CI
on: [push, pull_request]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Run a script
run: echo Hello, world!This simple workflow runs on push and pull request events, checks out the repository, and runs a simple command.
GitHub secrets are encrypted environment variables used to store sensitive information securely. They are crucial for handling authentication and other confidential data in your workflows.
- Organization Secrets: Available to all repositories in the
eclipse-passorganization. - Repository Secrets: Specific to a single repository.
- Environment Secrets: Tied to a specific environment within a repository.
Due to permission restrictions, PASS project members should use the provided Python script to create repository or environment secrets:
python github_secrets.py -u <username> -t <token> -r <repo> -n <name> -v <value> [-e <environment>]For organization secrets, open a ticket with the Eclipse Help Desk.
Reference secrets in your workflows like this:
${{ secrets.SECRET_NAME }}For reusable workflows, pass secrets explicitly:
jobs:
call-publish-docker:
uses: ./.github/workflows/docker-publish.yml
secrets:
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}In the called workflow, declare expected secrets:
on:
workflow_call:
secrets:
AWS_ACCESS_KEY_ID:
required: true
AWS_SECRET_ACCESS_KEY:
required: true- Use reusable workflows for common tasks to maintain DRY principles.
- Leverage GitHub-hosted runners when possible to reduce maintenance overhead.
- Use environment protection rules for sensitive deployments.
- Regularly audit and rotate your secrets.
- Use GitHub Actions marketplace for pre-built actions to speed up development.
To interact with AWS services, including ECR (Elastic Container Registry), you'll need to set up appropriate secrets and use AWS-specific actions in your workflows.
Store your AWS credentials as secrets:
AWS_ACCESS_KEY_IDAWS_SECRET_ACCESS_KEY
name: Deploy to ECR
on:
push:
branches: [main]
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-east-1
- name: Login to Amazon ECR
id: login-ecr
uses: aws-actions/amazon-ecr-login@v1
- name: Build, tag, and push image to Amazon ECR
env:
ECR_REGISTRY: ${{ steps.login-ecr.outputs.registry }}
ECR_REPOSITORY: my-ecr-repo
IMAGE_TAG: ${{ github.sha }}
run: |
docker build -t $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG .
docker push $ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAGThis workflow builds a Docker image and pushes it to Amazon ECR.
For more detailed information, refer to the GitHub Actions documentation.