Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use GITHUB_TOKEN in GitHub Actions #46

Merged
merged 3 commits into from
Oct 9, 2024
Merged

Use GITHUB_TOKEN in GitHub Actions #46

merged 3 commits into from
Oct 9, 2024

Conversation

spikeheap
Copy link
Contributor

@spikeheap spikeheap commented Oct 8, 2024
edited
Loading

This change removes two environment variables from CI which have been used to carry credentials to publish/read packages to our GitHub Packages NuGet registry:

  • LBHPACKAGESTOKEN
  • NUGET_KEY

LBHPACKAGESTOKEN continues to be used for local development.

What is the problem we're trying to solve?

Historically we've published packages from our local machines, which requires a token to authenticate with the GitHub Packages NuGet Registry. Now we use CI to publish packages there is a GitHub-managed token we can use instead..

If you're using a registry that supports granular permissions, and your workflow is using a personal access token to authenticate to the registry, then we highly recommend you update your workflow to use the GITHUB_TOKEN.
~ from https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions#authenticating-to-package-registries-with-granular-permissions

This change removes both LBHPACKAGESTOKEN and NUGET_KEY tokens from the GitHub Actions workflow, replacing them where needed with the managed GITHUB_TOKEN token that's automatically made available to all jobs.

In order to keep the local development/management experience the same, references to LBHPACKAGESTOKEN have been kept as-is in the Docker and Docker Compose setup.

Additional improvement to Docker/Docker Compose secrets

Docker's documentation suggests not to use build arguments to pass secrets, so this PR also updates the Dockerfile to use secret mounts, and the recommended way to manage secrets in docker compose.

How to review this change

This change mirrors a couple we've already reviewed:

Checklist

  • Code pipeline builds correctly

Follow up actions after merging PR

  • Remove this repo from the shared secrets listed above in GitHub Actions

@spikeheap
Switch NUGET_KEY to GITHUB_TOKEN
17b0a50 
Historically we've used `NUGET_KEY` and `LBHPACKAGESTOKEN` for read and write access to our NuGet package repository on GitHub. These are Personal Access Tokens, and historically have not had an expiry date set.

GitHub Actions provides a better way of accessing GitHub package registries (and other resources): `GITHUB_TOKEN`. This is generated and managed by GitHub actions, and provides appropriate access for an Action based on the repository it's in, for example it can write packages that the repository has write/maintain access to, but no others. This is also recommended by the docs:

> If you're using a registry that supports granular permissions, and your workflow is using a personal access token to authenticate to the registry, then we highly recommend you update your workflow to use the GITHUB_TOKEN.
> ~ from https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions#authenticating-to-package-registries-with-granular-permissions

This change switches both `LBHPACKAGESTOKEN` and `NUGET_KEY` to `GITHUB_TOKEN` and removes unnecessary references to `LBHPACKAGESTOKEN` where the secret isn't being used. There should be no effect on GitHub Actions, but this change allows us to deprecate and remove `NUGET_KEY` and `LBHPACKAGESTOKEN`.
@spikeheap
Update docker compose syntax to v2+
fcc213e 
As per https://github.blog/changelog/2024-04-10-github-hosted-runner-images-deprecation-notice-docker-compose-v1/,
I saw build failures in github action along the lines of:

    docker-compose: command not found
@spikeheap
Replace build arguments with docker/compose secrets
1e1fa44 
Docker's documentation [suggests](https://docs.docker.com/reference/dockerfile/#arg) not to use build arguments to pass secrets, so this change updates the `Dockerfile` to use [secret mounts](https://docs.docker.com/build/building/secrets/#secret-mounts), and the recommended way to [manage secrets in docker compose](https://docs.docker.com/compose/how-tos/use-secrets/).
@spikeheap spikeheap merged commit 3a216cd into main Oct 9, 2024
5 checks passed
@spikeheap spikeheap deleted the feature/github_actions_secrets branch October 9, 2024 08:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Duslerke Duslerke Duslerke approved these changes

@LBHMKeyworth LBHMKeyworth Awaiting requested review from LBHMKeyworth LBHMKeyworth is a code owner

@LBHSPreston LBHSPreston Awaiting requested review from LBHSPreston LBHSPreston is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@spikeheap @Duslerke