I'm on the CI part of this course. While going through it, I cannot figure out how the following part of the main.yml file works:
    - name: Log in to GitHub Packages
      run: echo ${GITHUB_TOKEN} | docker login -u ${GITHUB_ACTOR} --password-stdin docker.pkg.github.com
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
I have these parameters, like GITHUB_ACTOR and GITHUB_TOKEN, that I didn't define as any part of my code, or write into a panel inside GitHub.
Are they automatically filled in by GitHub?
If I change my token, will this code still work?
This is documented in "Automatic token authentication":
At the start of each workflow run, GitHub automatically creates a unique GITHUB_TOKEN secret to use in your workflow.
You can use the GITHUB_TOKEN to authenticate in a workflow run.
When you enable GitHub Actions, GitHub installs a GitHub App on your repository.
The GITHUB_TOKEN secret is a GitHub App installation access token. You can use the installation access token to authenticate on behalf of the GitHub App installed on your repository. The token's permissions are limited to the repository that contains your workflow.
You also have default environment variables, including:
GITHUB_ACTOR: The name of the person or app that initiated the workflow. For example, octocat.
+-------------------------------------------------------------------------+
| Updated Workflow |
| |
| +----------------------+ +--------------------------------------+ |
| | main.yml | | GitHub | |
| | | | | |
| | | | +---------+ +--------+ +--------+ | |
| | | | | Secrets | | Tokens | | Actors | | |
| | - name: Log in to | | +---------+ +--------+ +--------+ | |
| | GitHub Packages | | | |
| | run: echo |<----| Automatically provided by GitHub | |
| | ${GITHUB_TOKEN} | | | |
| | | docker login | | | |
| | -u ${GITHUB_ACTOR} | | | |
| | --password-stdin | | | |
| | docker.pkg.github | | | |
| | .com | | | |
| | env: | | | |
| | GITHUB_TOKEN: | | | |
| | ${{ secrets | | | |
| | .GITHUB_TOKEN }} | | | |
| +----------------------+ +--------------------------------------+ |
+-------------------------------------------------------------------------+
The GITHUB_TOKEN and other secrets are securely stored on GitHub's servers. Specifically, they are encrypted at rest and can only be accessed by GitHub Actions runners during the execution of the workflow. These secrets are decrypted in a secure environment, which is essential for safeguarding sensitive data used within your CI/CD processes.
See "Using secrets in GitHub Actions"
You can define and manage your own secrets in the repository settings under the "Secrets" section. Once set, these secrets are encrypted and cannot be seen or edited, only deleted or replaced.
Here is an example command using the GitHub CLI gh secret set to update a secret, which is then stored encrypted on GitHub's servers:
    gh secret set GITHUB_TOKEN -b "new-token-value"
If I change my token, will this code still work?
Yes, the code will continue to work if you change your token, as long as the new token has the necessary permissions.
The GITHUB_TOKEN reference in the main.yml file will automatically fetch the updated token from GitHub secrets.
The line GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} is structured to pull the current value of GITHUB_TOKEN from GitHub secrets each time the workflow runs. So, if you update the token in GitHub secrets, the new value will be used in subsequent workflow runs.
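As an added example (not part of the original answer or the course's main.yml), here is a complete workflow around the login step, with the automatically created token scoped through a `permissions` block. The workflow name, job name, image name `app`, the trigger branch and the Dockerfile location are assumptions.

```yaml
# Added example; workflow, job and image names are assumptions.
name: ci
on:
  push:
    branches: [main]

# Scope the automatically created GITHUB_TOKEN for this run.
# Permissions not listed here are set to "none".
permissions:
  contents: read    # enough for actions/checkout
  packages: write   # needed to push to GitHub Packages

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Log in to GitHub Packages
        # GITHUB_ACTOR is a default environment variable, so it needs no env: entry.
        # GITHUB_TOKEN is not exported to the shell by default; map it from the secrets context.
        run: echo "${GITHUB_TOKEN}" | docker login -u "${GITHUB_ACTOR}" --password-stdin docker.pkg.github.com
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push
        # Assumes a Dockerfile at the repository root and a lowercase owner/repo name.
        run: |
          IMAGE="docker.pkg.github.com/${GITHUB_REPOSITORY}/app:${GITHUB_SHA}"
          docker build -t "${IMAGE}" .
          docker push "${IMAGE}"
```

Passing the token on stdin with `--password-stdin` keeps it out of the process argument list, and the `permissions` block limits what that token can do if a step misuses it.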