Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use GITHUB_TOKEN in GitHub Actions #46

Merged
merged 3 commits into from
Oct 9, 2024
Merged

Conversation

spikeheap
Copy link
Contributor

@spikeheap spikeheap commented Oct 8, 2024

This change removes two environment variables from CI which have been used to carry credentials to publish/read packages to our GitHub Packages NuGet registry:

  • LBHPACKAGESTOKEN
  • NUGET_KEY

LBHPACKAGESTOKEN continues to be used for local development.

What is the problem we're trying to solve?

Historically we've published packages from our local machines, which requires a token to authenticate with the GitHub Packages NuGet Registry. Now we use CI to publish packages there is a GitHub-managed token we can use instead..

If you're using a registry that supports granular permissions, and your workflow is using a personal access token to authenticate to the registry, then we highly recommend you update your workflow to use the GITHUB_TOKEN.
~ from https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions#authenticating-to-package-registries-with-granular-permissions

This change removes both LBHPACKAGESTOKEN and NUGET_KEY tokens from the GitHub Actions workflow, replacing them where needed with the managed GITHUB_TOKEN token that's automatically made available to all jobs.

In order to keep the local development/management experience the same, references to LBHPACKAGESTOKEN have been kept as-is in the Docker and Docker Compose setup.

Additional improvement to Docker/Docker Compose secrets

Docker's documentation suggests not to use build arguments to pass secrets, so this PR also updates the Dockerfile to use secret mounts, and the recommended way to manage secrets in docker compose.

How to review this change

This change mirrors a couple we've already reviewed:

Checklist

  • Code pipeline builds correctly

Follow up actions after merging PR

  • Remove this repo from the shared secrets listed above in GitHub Actions

Historically we've used `NUGET_KEY` and `LBHPACKAGESTOKEN` for read and write access to our NuGet package repository on GitHub. These are Personal Access Tokens, and historically have not had an expiry date set.

GitHub Actions provides a better way of accessing GitHub package registries (and other resources): `GITHUB_TOKEN`. This is generated and managed by GitHub actions, and provides appropriate access for an Action based on the repository it's in, for example it can write packages that the repository has write/maintain access to, but no others. This is also recommended by the docs:

> If you're using a registry that supports granular permissions, and your workflow is using a personal access token to authenticate to the registry, then we highly recommend you update your workflow to use the GITHUB_TOKEN.
> ~ from https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions#authenticating-to-package-registries-with-granular-permissions

This change switches both `LBHPACKAGESTOKEN` and `NUGET_KEY` to `GITHUB_TOKEN` and removes unnecessary references to `LBHPACKAGESTOKEN` where the secret isn't being used. There should be no effect on GitHub Actions, but this change allows us to deprecate and remove `NUGET_KEY` and `LBHPACKAGESTOKEN`.
As per https://github.blog/changelog/2024-04-10-github-hosted-runner-images-deprecation-notice-docker-compose-v1/,
I saw build failures in github action along the lines of:

    docker-compose: command not found
Docker's documentation [suggests](https://docs.docker.com/reference/dockerfile/#arg) not to use build arguments to pass secrets, so this change updates the `Dockerfile` to use [secret mounts](https://docs.docker.com/build/building/secrets/#secret-mounts), and the recommended way to [manage secrets in docker compose](https://docs.docker.com/compose/how-tos/use-secrets/).
@spikeheap spikeheap requested review from LBHMKeyworth, LBHSPreston and a team as code owners October 8, 2024 14:30
@spikeheap spikeheap merged commit 3a216cd into main Oct 9, 2024
5 checks passed
@spikeheap spikeheap deleted the feature/github_actions_secrets branch October 9, 2024 08:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants