
Github Action to easily and safely load secrets into CI/CD pipelines with Labrador.


DivergentCodes/labrador-action


labrador-action (alpha)

Pull values (e.g. secrets and parameters) from remote stores, and automatically load them as environment variables in your GitHub workflow using Labrador. There is no need to copy values between remote stores and pipelines or to keep them synchronized.

A primary use case is secretless pipelines. By combining this with GitHub Actions' OpenID Connect support, you can have zero secrets stored in your pipelines, including cloud API keys.

Quickstart

Make sure that your GitHub Actions workflow has access to the target value stores, ideally using GitHub Actions' support for OpenID Connect to cloud providers.

# .github/workflows/my-workflow.yaml

...snip...

      - uses: DivergentCodes/[email protected]
        with:
          # The base path that Labrador will recursively fetch parameters from.
          aws-ssm-parameter: /path/to/this/pipeline/specific/params/*
          # The name of the secret that Labrador will fetch values from.
          aws-sm-secret: name/of/the/secret

...snip...
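
A complete workflow for the secretless setup described above, as an added example that is not taken from the project's own documentation. The workflow file name, role ARN, account ID, and `EXAMPLE_PARAM` variable name are constructed placeholders, and `<version>` stands in for the action version, which is not legible on this page.

```yaml
# .github/workflows/deploy.yaml  (added example; file name is hypothetical)
name: deploy
on:
  push:
    branches: [main]

# Grant only what the job needs. "id-token: write" lets the job request an
# OIDC token from GitHub; it does not grant write access to the repository.
permissions:
  id-token: write
  contents: read

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Exchange the OIDC token for short-lived AWS credentials, so no AWS
      # keys are stored as repository secrets. The role ARN is a placeholder.
      # Restrict the role's trust policy to this repository and branch, and
      # its read permissions to the parameter path and secret named below.
      # For third-party actions, pinning to a full commit SHA is stricter
      # than a version tag.
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::123456789012:role/example-labrador-read
          aws-region: us-east-2

      # Labrador reads the AWS environment variables exported by the previous
      # step and loads the fetched values as environment variables.
      - uses: DivergentCodes/labrador-action@<version>
        with:
          aws-ssm-parameter: /path/to/this/pipeline/specific/params/*
          aws-sm-secret: name/of/the/secret

      # Confirm a value arrived without printing it to the job log.
      # EXAMPLE_PARAM is a hypothetical variable name.
      - name: Check that a value was loaded
        run: test -n "${EXAMPLE_PARAM:-}"
```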

Features

  • Configuration file: Using an optional .labrador.yaml file, your Github workflow can load all required environment variables with a single line of configuration (example). The file is portable and consistent across other CI providers, environments, and anywhere that Labrador can run. Use an alternate config file for the pipeline with the inputs.config option (example).
  • Wildcard paths: For supported value stores, use a single wildcard resource path to recursively load all child values into the workflow (example).
  • Multi-system fetching: Labrador will pull from multiple remote stores in a single run. This can alleviate infrastructure migrations, multi-team situations, and other "real world quirks."
  • Use standard environment variables: This action will read AWS environment variables for default configuration and authentication.
  • Setting environment variables: Rather than having one step to pull the variables and then requiring another step to load them into environment variables, this action automatically sets them.

Supported Value Stores

  • AWS SSM Parameter Store: this action can pull individual parameters, or recursively pull a wildcard path with all child variables, as individual environment variables.
  • AWS Secrets Manager: this action can pull all key/value pairs in a single secret and load them as individual environment variables.

Example Usage

Using a Labrador Configuration File

With a .labrador.yaml configuration file in your repository, all environment variables can be loaded into your workflow with a single line. For more details, look at the example Labrador configuration file.

# .github/workflows/my-workflow.yaml

...snip...

      - uses: DivergentCodes/[email protected]

...snip...

Using an Alternate Labrador Configuration File

You can have multiple Labrador configurations for different environments, for instance: local development, QA, CI/CD, and production. To use a specific configuration file with the action, use inputs.config.

# .github/workflows/my-workflow.yaml

...snip...

      - uses: DivergentCodes/[email protected]
        with:
          # Specific Labrador config file for this workflow.
          config: .labrador.ci.yaml

...snip...

Fetch Values From SSM Parameter Store Using Wildcard Paths

One wildcard path can be used to fetch all parameters for a workflow. This can mean less maintenance to update workflows when values change.

# .github/workflows/my-workflow.yaml

...snip...

      - uses: DivergentCodes/[email protected]
        with:
          aws-ssm-parameter: |
            /path/to/global/shared/params/*
            /path/to/this/pipeline/specific/params/*

...snip...

Fetch Values from a Different AWS Region

You might have a situation where all configuration is stored in the us-east-2 region, but your workflow is deploying things to us-west-1. This action will accept an explicit AWS region override.

# .github/workflows/my-workflow.yaml

...snip...

env:
  AWS_REGION: us-west-1

...snip...

      - uses: DivergentCodes/[email protected]
        with:
          aws-region: us-east-2
          aws-sm-secret: name/of/secret/

...snip...

Reference

Here are all the action inputs available through with:

| Input | Default | Required | Description |
| --- | --- | --- | --- |
| aws-region | "" | No | Explicit AWS region, if different from configured environment variables. |
| aws-sm-secret | "" | No | One or more AWS Secrets Manager secrets to fetch values from. |
| aws-ssm-parameter | "" | No | One or more AWS SSM Parameter Store paths to fetch values from. Each can be individual or wildcard. |
| config | "" | No | Specify an alternative Labrador config file in the repo. |
| install-only | "false" | No | Only install the Labrador binary in the workflow. |
| set-env | "true" | No | Set the fetched values as workflow environment variables. |

Similar Projects
