Internal reusable GitHub workflow - using secrets in repository where workflow is
I am building a GitHub reusable workflow to act as a CI/CD pipeline for other repositories to use in our GitHub organization. Right now, the callee repository would need to pass in service principal credentials that the reusable workflow would use to log in to Azure, retrieve other secrets, etc. I was wondering if there was any possible way that the secrets that belong to the repository where the reusable workflow lives (say repo A) would be accessible when another workflow (say repo B) calls the reusable workflow, so that they do not need to pass in service principal creds or use the Azure/login action prior to calling the workflow. This would make it much easier, so teams wouldn't be required to create a new service principal and configure permissions to our key vault in order to use the reusable workflow. Instead, only the one service principal (with creds stored as a secret in repo A) would be used.
I know this is possible with organization secrets, but we would want to ensure that that org secret would only be used in the context of the reusable workflow, and not be capable of being used by other workflows. Basically, we need a way to have service principal creds consumable by every repository in our GitHub organization that wants to use the reusable workflow, but only in the context of the reusable workflow. I have been looking into using OIDC with Azure login, but since that is scoped to only specific repositories, I didn't think it would work if we scoped it to repository A when the workflow is technically being run in repository B.
I found a solution to this using OpenID Connect and the Azure/login action.
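The shape of the setup the answer points at, as an added example that is not part of the original question or answer: a reusable workflow in repo A that logs in to Azure with OpenID Connect and no stored client secret, and the calling workflow in repo B. The organization name (`example-org`), repository names (`repo-a`, `repo-b`), workflow file names, the Key Vault name and the Azure client/tenant/subscription IDs are all placeholders assumed for the example.

```yaml
# File: example-org/repo-a/.github/workflows/azure-deploy.yml  (reusable workflow, repo A)
# Added example; names and IDs below are placeholders, not values from the original post.
name: Reusable Azure deploy
on:
  workflow_call:
    inputs:
      environment:
        required: true
        type: string

jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # lets this job request a GitHub OIDC token
      contents: read
    steps:
      - uses: actions/checkout@v4

      # No client secret is passed in by the caller: azure/login exchanges the
      # GitHub-issued OIDC token for an Azure access token. The client, tenant
      # and subscription IDs are identifiers, not secrets, so they can live in
      # the reusable workflow itself (placeholder GUIDs below).
      - uses: azure/login@v2
        with:
          client-id: 00000000-0000-0000-0000-000000000000        # placeholder
          tenant-id: 11111111-1111-1111-1111-111111111111        # placeholder
          subscription-id: 22222222-2222-2222-2222-222222222222 # placeholder

      # The service principal behind client-id is the only identity that needs
      # Key Vault permissions; callers never see its credentials.
      - name: Read a secret from Key Vault (placeholder vault and secret names)
        run: |
          az keyvault secret show --vault-name example-kv --name deploy-token \
            --query value -o tsv > /dev/null

---
# File: example-org/repo-b/.github/workflows/ci.yml  (caller, repo B)
name: CI
on: [push]

jobs:
  call-deploy:
    # With GitHub's default subject template the token's `sub` claim is built
    # from the CALLER, e.g. repo:example-org/repo-b:ref:refs/heads/main, so a
    # federated credential whose subject names repo-a would not match. The
    # `job_workflow_ref` claim is what identifies the reusable workflow, e.g.
    # example-org/repo-a/.github/workflows/azure-deploy.yml@refs/heads/main.
    uses: example-org/repo-a/.github/workflows/azure-deploy.yml@main
    with:
      environment: prod
    # The caller must grant id-token: write; a called workflow cannot hold
    # more GITHUB_TOKEN permissions than the job that calls it.
    permissions:
      id-token: write
      contents: read
```

Two points a practitioner would check before relying on this. First, a federated identity credential in Microsoft Entra ID matches the token's issuer, audience and subject exactly, so to bind the trust to the reusable workflow rather than to each calling repository you customize GitHub's subject claim template (REST API `PUT /repos/{owner}/{repo}/actions/oidc/customization/sub`, or the organization-level equivalent, with `include_claim_keys` containing `job_workflow_ref`) and then register the resulting subject string in the federated credential; a template that also keeps `repo` in the subject still yields one distinct subject per caller. Second, whatever ref the subject is pinned to (`refs/heads/main` above) is the trust boundary: anyone who can push to that branch of repo A can change what runs with the service principal's access, so protect that branch and keep the reusable workflow's Key Vault usage minimal.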