Set up Secrets in GitHub Action workflows

GitHub Secrets are encrypted and let you store sensitive information, such as access tokens, in your repository without committing it to source. GitHub redacts secret values that appear in workflow logs, but redaction is best-effort: a value that is transformed (for example base64-encoded or split across lines) before being printed is not masked, so never echo a secret in a `run:` step. With the exception of `GITHUB_TOKEN`, secrets are also not passed to workflows triggered by a pull request from a fork.

You can use GitHub secrets to store your Azure credentials, the publish profile of your web app, container registry credentials or any similar sensitive details required to automate your CI/CD workflows with GitHub Actions.

Creating secrets

  1. On GitHub, navigate to the main page of the repository.
  2. Under your repository name, click the "Settings" tab.
  3. In the left sidebar, click "Secrets and variables", then "Actions" (older versions of the UI show a single "Secrets" entry).
  4. Click "New repository secret" (older UI: "Add a new secret").
  5. Type a name for your secret in the "Name" input box. Names may contain only letters, digits and underscores, must not start with a digit, and must not start with `GITHUB_`.
  6. Type the value for your secret.
  7. Click "Add secret".

Consume secrets in your workflow

To consume a secret within an action workflow, pass it to a step as an input (under `with:`) or as an environment variable (under `env:`); a secret that no step references is never sent to the runner. Review the action's README file to learn which inputs and environment variables the action expects. For example, the Azure login action expects the service-principal JSON in its `creds` input, conventionally stored in a secret named AZURE_CREDENTIALS. For more information, see "Workflow syntax for GitHub Actions."

```yaml
steps:
  - name: Sample Azure action
    uses: azure/login@v1   # a step needs `uses:` (or `run:`) to be valid
    with: # Pass the Azure credentials secret as an input (azure/login names it `creds`)
      creds: ${{ secrets.AZURE_CREDENTIALS }}
    env: # Or as an environment variable, for an action or script that reads one
      AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
```

Set secret with Azure Credentials

Most Azure actions authenticate with an Azure service principal, an application identity in Azure AD that is granted a role on the resources the workflow deploys to, rather than with a user account.

Follow these steps to create the Azure credentials (service principal):

  • Run the az cli command below

```sh
az ad sp create-for-rbac --name "myApp" --role contributor \
                         --scopes /subscriptions/{subscription-id}/resourceGroups/{resource-group} \
                         --sdk-auth

# Replace {subscription-id} and {resource-group} with your subscription and resource group.
# Scoping the role assignment to one resource group, not the whole subscription, is the
# least privilege a deployment needs; pick a narrower built-in role than contributor where one fits.
# `--sdk-auth` is deprecated in newer Azure CLI releases but still produces the JSON document
# that the Azure login action expects.
```

  The command should output a JSON object similar to this (the client secret is shown only once, so treat the output as a password and delete any local copy once it is stored):

```json
{
  "clientId": "<GUID>",
  "clientSecret": "<random string, not a GUID>",
  "subscriptionId": "<GUID>",
  "tenantId": "<GUID>",
  (...)
}
```
  
  • Store the whole JSON object as the value of a GitHub secret with a name of your choice, for example 'AZURE_CREDENTIALS'
  • Now, in the workflow file in your branch (.github/workflows/workflow.yml), reference that secret name in the Azure login action, e.g. `creds: ${{ secrets.AZURE_CREDENTIALS }}`

Set secret with Web App Publish_Profile

Note: As of October 2020, Linux web apps will need the app setting WEBSITE_WEBDEPLOY_USE_SCM set to true before downloading the publish profile from the Azure portal. This requirement will be removed in the future.

  1. In the Azure portal, navigate to your web app.

  2. On the Overview page of the app, click "Get publish profile". A publish profile is a per-app deployment credential (the Web Deploy/Kudu user name and password), so it grants the workflow rights only to that app; it is useful when you cannot create a service principal in the subscription. Newer apps may have basic-authentication publishing credentials disabled, in which case the download is unavailable until they are enabled under the app's Configuration settings.

  3. Open the downloaded .PublishSettings file in a text editor and copy the entire contents of the file.

  4. Create a new secret in your GitHub repo (for example 'AZURE_WEBAPP_PUBLISH_PROFILE') with the copied contents, and pass it to the deploy action's `publish-profile` input as `${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }}`.
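As an added example (not part of the original page), the script below covers both procedures above, the service-principal JSON and the web app publish profile: it checks that the downloaded file has the fields the Azure actions need and that no documentation placeholder was left in, then stores it as a repository secret with the gh CLI on stdin instead of pasting it through the browser. It assumes `gh` is installed and logged in (`gh auth login`), that the repository is supplied as `TARGET_REPO=OWNER/NAME` (a variable name chosen here), and the sample files it creates are constructed with made-up values.

```shell
#!/bin/sh
# Added example: validate an Azure deployment credential file, then store it
# as a GitHub Actions secret with the gh CLI instead of the web form.
# Assumptions (not from the page): gh is installed and authenticated, and the
# repository to update is passed as TARGET_REPO=OWNER/NAME (name chosen here).
set -eu

# Return 0 if FILE looks like `az ad sp create-for-rbac --sdk-auth` output:
# each required key has a non-empty value that is not a "<...>" placeholder.
validate_sp_json() {
    file=$1
    for key in clientId clientSecret subscriptionId tenantId; do
        if ! grep -Eq "\"$key\"[[:space:]]*:[[:space:]]*\"[^\"<>]+\"" "$file"; then
            echo "$file: missing or placeholder value for $key" >&2
            return 1
        fi
    done
    return 0
}

# Return 0 if FILE looks like an App Service .PublishSettings file: a
# <publishProfile> element carries both a publishUrl and a userPWD attribute.
validate_publish_profile() {
    file=$1
    for attr in publishUrl userPWD; do
        if ! grep -Eq "<publishProfile[^>]*[[:space:]]$attr=\"[^\"]+\"" "$file"; then
            echo "$file: no $attr attribute on a publishProfile element" >&2
            return 1
        fi
    done
    return 0
}

# Upload FILE as secret NAME. The value is read from stdin, so it appears
# neither on the command line (ps, shell history) nor in the clipboard.
# Returns 2 without uploading when TARGET_REPO is not set.
store_secret() {
    name=$1; file=$2
    if [ -z "${TARGET_REPO:-}" ]; then
        echo "TARGET_REPO not set; not uploading $name" >&2
        return 2
    fi
    gh secret set "$name" --repo "$TARGET_REPO" < "$file"
}

# ---- demo on constructed sample files; every value below is fake ----
work=$(mktemp -d)
cat > "$work/creds.json" <<'EOF'
{
  "clientId": "11111111-2222-3333-4444-555555555555",
  "clientSecret": "not-a-real-secret",
  "subscriptionId": "66666666-7777-8888-9999-000000000000",
  "tenantId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
  "activeDirectoryEndpointUrl": "https://login.microsoftonline.com"
}
EOF
# Same shape, but the secret is still the documentation placeholder.
sed 's/"not-a-real-secret"/"<GUID>"/' "$work/creds.json" > "$work/placeholder.json"
cat > "$work/app.PublishSettings" <<'EOF'
<publishData><publishProfile profileName="myapp - Web Deploy" publishMethod="MSDeploy" publishUrl="myapp.scm.azurewebsites.net:443" msdeploySite="myapp" userName="$myapp" userPWD="not-a-real-password" destinationAppUrl="https://myapp.azurewebsites.net" /></publishData>
EOF

validate_sp_json "$work/creds.json" && echo "creds.json: ok"
validate_sp_json "$work/placeholder.json" || echo "placeholder.json: rejected"
validate_publish_profile "$work/app.PublishSettings" && echo "app.PublishSettings: ok"

# Uploads only happen when TARGET_REPO is set; otherwise store_secret returns 2.
validate_sp_json "$work/creds.json" && store_secret AZURE_CREDENTIALS "$work/creds.json" || true
validate_publish_profile "$work/app.PublishSettings" && store_secret AZURE_WEBAPP_PUBLISH_PROFILE "$work/app.PublishSettings" || true
```

Run it as `TARGET_REPO=owner/repo sh store-azure-secrets.sh` after replacing the constructed files with the real downloads; the validation functions use only grep, so the script works on a runner or workstation without jq.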