Use GITHUB_TOKEN in GitHub Actions #9

Merged
merged 2 commits into from
Oct 9, 2024

Commits on Oct 8, 2024

  1. Switch NUGET_KEY to GITHUB_TOKEN

    Historically we've used `NUGET_KEY` and `LBHPACKAGESTOKEN` for read and write access to our NuGet package repository on GitHub. These are Personal Access Tokens, and historically have not had an expiry date set.
    
    GitHub Actions provides a better way of accessing GitHub package registries (and other resources): `GITHUB_TOKEN`. This is generated and managed by GitHub Actions, and provides appropriate access for an Action based on the repository it's in; for example, it can write packages that the repository has write/maintain access to, but no others. This is also recommended by the docs:
    
    > If you're using a registry that supports granular permissions, and your workflow is using a personal access token to authenticate to the registry, then we highly recommend you update your workflow to use the GITHUB_TOKEN.
    > ~ from https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions#authenticating-to-package-registries-with-granular-permissions
    
    This change switches both `LBHPACKAGESTOKEN` and `NUGET_KEY` to `GITHUB_TOKEN` and removes unnecessary references to `LBHPACKAGESTOKEN` where the secret isn't being used. There should be no effect on GitHub Actions, but this change allows us to deprecate and remove `NUGET_KEY` and `LBHPACKAGESTOKEN`.
    spikeheap committed Oct 8, 2024
    249c15c
  2. Replace build arguments with docker/compose secrets

    Docker's documentation [suggests](https://docs.docker.com/reference/dockerfile/#arg) not to use build arguments to pass secrets, so this change updates the `Dockerfile` to use [secret mounts](https://docs.docker.com/build/building/secrets/#secret-mounts), and the recommended way to [manage secrets in docker compose](https://docs.docker.com/compose/how-tos/use-secrets/).
    spikeheap committed Oct 8, 2024
    8ab6149
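
The second commit's move from build arguments to secret mounts, sketched as an added example (this is not the Dockerfile from this pull request). The base image, the stage names `before` and `after`, the secret id `github_token`, and a `NuGet.Config` that reads `%GITHUB_TOKEN%` are all assumptions made for illustration.

```dockerfile
# syntax=docker/dockerfile:1
# Added illustration: base image, stage names and secret id are assumptions,
# not taken from the repository in this pull request.

# --- Before: token passed as a build argument ---
FROM mcr.microsoft.com/dotnet/sdk:8.0 AS before
ARG LBHPACKAGESTOKEN
WORKDIR /src
COPY . .
# An ARG is exposed to RUN as an environment variable, and its value is
# recorded alongside the step, so `docker history` on the image reveals it.
RUN dotnet restore

# --- After: token supplied through a BuildKit secret mount ---
FROM mcr.microsoft.com/dotnet/sdk:8.0 AS after
WORKDIR /src
COPY . .
# The secret is mounted at /run/secrets/github_token for this RUN step only.
# It is not written to an image layer or to the build history.
# Assumes NuGet.Config takes the password from %GITHUB_TOKEN%.
RUN --mount=type=secret,id=github_token \
    GITHUB_TOKEN="$(cat /run/secrets/github_token)" dotnet restore

# Build the hardened stage, reading the secret from the caller's environment:
#   docker build --target after --secret id=github_token,env=GITHUB_TOKEN .
#
# Docker Compose equivalent (compose.yaml):
#   services:
#     app:
#       build:
#         context: .
#         target: after
#         secrets:
#           - github_token
#   secrets:
#     github_token:
#       environment: GITHUB_TOKEN
```

In a GitHub Actions job, the build step would receive the token through `env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}`, so no Personal Access Token has to be stored as a repository secret.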