堆栈内存溢出
  简体   繁体   English

内部可重用的 GitHub 工作流程 - 在工作流程所在的存储库中使用机密

[英]Internal reusable GitHub workflow - using secrets in repository where workflow is

 原文  2022-07-19 16:46:51       github/ github-actions/ azure-secrets

问题描述

I am building a GitHub reusable workflow to act as a CI/CD pipeline for other repositories to use in our GitHub organization.我正在构建一个 GitHub 可重用工作流,作为 CI/CD 管道,供其他存储库在我们的 GitHub 组织中使用。 Right now, the callee repository would need to pass in service principal credentials that the reusable workflow would use to login to azure, retrieve other secrets, etc. I was wondering if there was any possible way that the secrets that belong to the repository where the reusable workflow lives (say repo A) would be accessible when another workflow (say repo B) calls the reusable workflow, so that they do not need to pass in service principal creds or use the Azure/login action prior to calling the workflow.现在,被调用者存储库需要传递服务主体凭据,可重用工作流将使用这些凭据登录到 azure、检索其他机密等。我想知道是否有任何可能的方法可以让属于存储库的机密当另一个工作流(比如 repo B)调用可重用工作流时,可以访问可重用工作流生命(比如 repo A),因此它们不需要在调用工作流之前传递服务主体凭据或使用 Azure/login 操作。 This would make it much easier so teams wouldn't be required to create a new service principal and configure permissions to our key vault in order to use the reusable workflow.这将使其变得更加容易,因此团队无需创建新的服务主体并配置对我们的密钥保管库的权限即可使用可重用工作流。 Instead, only the one service principal (with creds stored as a secret in repo A) would be used.相反,只会使用一个服务主体(在 repo A 中存储为机密的凭据)。

I know this is possible with organization secrets, but we would want to ensure that that org secret would only be used in the context of the reusable workflow, and not capable of being used by other workflows.我知道这对于组织机密是可能的,但我们希望确保该组织机密只能在可重用工作流的上下文中使用,而不能被其他工作流使用。 Basically, we need a way to have service principal creds consumable by every repository in our GitHub organization that wants to use the reusable workflow, but only in the context of the reusable workflow.基本上,我们需要一种方法让我们的 GitHub 组织中想要使用可重用工作流的每个存储库都可以使用服务主体信用,但只能在可重用工作流的上下文中使用。 I have been looking into using OIDC w/ Azure login, but since that is scoped to only specific repositories, didn't think it would work if we scoped it to repository A when the workflow is technically being ran in repository B.我一直在研究使用带有 Azure 登录的 OIDC,但由于它仅限于特定的存储库,因此当工作流在存储库 B 中运行时,如果我们将其范围限定为存储库 A,我认为它不会起作用。

1 个解决方案

解决方案1
 0  2022-07-20 17:17:18

我使用OpenID Connect和 Azure/login 操作找到了解决此问题的方法。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 秘密不会从 github 动作秘密传递到 github 动作中的可重用工作流 - Secrets doesnt pass from github action secrets to reusable workflow in github actions GitHub cpanel 存储库的工作流程 - GitHub workflow for cpanel repository 在触发可重用工作流时使用 `GITHUB_REF` - Using `GITHUB_REF` when triggering a reusable workflow 如何使用 github 操作从 Github 中的存储库 A 的工作流作业触发存储库 B(下游作业)中的工作流作业 - How to trigger a workflow job in repository B(downstream job) from workflow job of repository A in Github using github actions 如何在 GitHub CI 工作流中使用 dependabot secrets - How to use dependabot secrets in GitHub CI workflow 在 Github 工作流中的作业之间传递秘密作为 output - Passing secrets as output between jobs in a Github workflow 关键字机密在 github 操作工作流中不起作用 - Keyword secrets is not working in github actions workflow 如何将机密连接到 GitHub 上的工作流操作中? - How to concatenate secrets into workflow action on GitHub? 获取Github存储库更新的工作流程 - Workflow for getting Github repository updates Github 中的发布操作未调用可重用工作流 - Reusable workflow not being invoked on release action in Github
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM