节点和 github 秘密。 如何在本地测试

Question

i'm using node and github actions for a simple twitter api script.

twitter credentials are stored in github secrets

other than hard coding the twitter credentials and then changing the code to use secrets before pushing to github how do i test locally?

I need some way to retrieve the credentials locally if running locally and from secrets if running on github.

what is best practice way to do this please?

Answer 1

Essentially, what David is trying to say is that you'll need to store your credentials in two separate places:

1. Inside GitHub Actions Secrets
2. Your local filesystem inside a gitignored.env file

GitHub Actions Secrets

GitHub Actions Secrets uses encryption to store the secret value, and this information is only decrypted while the workflow is running. Note that the secrets are not stored in the codebase. Instead, this is managed entirely via the GitHub web interface, and perhaps the GitHub API. I do want to emphasise again that none of this is stored inside your git repository as that would essentially be considered a security leak.

Now, this works fine when running in GitHub Actions, but the question you have is how do you run locally. This is where the.env file comes into play.

Running Locally with.env and dotenv

Create the following file, and add the same value you used as the secret in GitHub Actions secrets inside the.env file as a key/value pair. Let's assume the secret name is MY_SECRET_CRED and the value is abcdefg:

.env:

MY_SECRET_CRED=abcdefg

Next, add this file to.gitignore. You do not want to commit this, because it would violate your security, and you also don't need it to be committed, since GitHub has stored the credential as a secret. You only need this file locally .

.gitignore:

.env

The purpose of adding the file to gitignore is because you do not want to commit this file. This file is local to your workstation only.

Next, install the dotenv npm module:

$ npm i dotenv

In your main file, be sure to require the dotenv module. This module reads the contents of.env and loads the key value pairs up as environment variables:

require('dotenv').config()

Tying it all together

In your application code, you're probably already using the secret in GitHub Actions as some kind of environment variable. If running in GitHub Actions, you can load the secret as an environment variable with the same name you used in the.env file:

- name: Test application
  env:
    MY_SECRET_CRED: ${{ secrets.MY_SECRET_CRED }}
  run: npm run test

In the above example, the Node.js process can access the secret as the environment variable MY_SECRET_CRED

doSomethingWithSecret(process.env.MY_SECRET_CRED);

But do note that, if you try to print it, GitHub will mask it, since it knows it's a secret that shouldn't be leaked.

When running locally, the environment variable is loaded into the Node.js process via the dotenv module.

Downside to.env files

The downside to.env files is that the secret is stored in plain text in your workstation, and it's difficult to share with other developers. Ideally, we don't want to share secrets through chat systems or email for the same reasons we don't want to commit and push them.

One solution is to use a secret manager or key management store to encrypt secrets locally. Your local application then decrypts them when running the application. This also means you can commit the encrypted data directly to the GitHub repository. One example of this is Google KMS.