I have 2 workflows: CI/CD and Deploy.

Deploy can be triggered manually (via workflow_dispatch) or from CI/CD (via workflow_call). It uses an environment named "dev" that contains 2 secrets: AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.

When invoked manually, the Deploy workflow succeeds. But when it is called from CI/CD, it fails with:

Error: Credentials could not be loaded, please check your action inputs: Could not load credentials from any providers

Here are the relevant parts of my workflows:
.github/workflows/ci-cd.yaml

name: CI/CD
on:
  pull_request:
    branches: [ main ]
jobs:
  ci:
    name: CI Checks
    runs-on: ubuntu-latest
    steps:
      # ... (run static analysis and tests)
  deploy-to-qa:
    name: Deploy to staging
    needs: [ ci ]
    uses: org/repo/.github/workflows/deploy.yaml@main
    with:
      AWS_REGION: us-east-1
.github/workflows/deploy.yaml

name: Deploy
on:
  workflow_call:
    inputs:
      AWS_REGION: { required: true, type: string }
  workflow_dispatch:
    inputs:
      AWS_REGION:
        required: true
        default: us-east-1
jobs:
  build-and-deploy:
    name: Deploy
    runs-on: ubuntu-latest
    environment: dev
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      ###############
      # THIS STEP FAILS when run with workflow_call (but succeeds with workflow_dispatch)
      ###############
      - name: Configure aws creds
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ inputs.AWS_REGION }}
Error:

In the workflow_call section, define them as input parameters and pass them in from the caller workflow. Like so:
on:
  workflow_call:
    inputs:
      AWS_REGION: { required: true, type: string }
      AWS_ACCESS_KEY_ID: { required: true, type: string }
      AWS_SECRET_ACCESS_KEY: { required: true, type: string }
and use them like this:

with:
  aws-access-key-id: ${{ inputs.AWS_ACCESS_KEY_ID }}
  aws-secret-access-key: ${{ inputs.AWS_SECRET_ACCESS_KEY }}
  aws-region: ${{ inputs.AWS_REGION }}
This way you would probably lose the ability to call it via workflow_dispatch. To support that as well, you could try this approach:

with:
  aws-access-key-id: ${{ inputs.AWS_ACCESS_KEY_ID || secrets.AWS_ACCESS_KEY_ID }}
  aws-secret-access-key: ${{ inputs.AWS_SECRET_ACCESS_KEY || secrets.AWS_SECRET_ACCESS_KEY }}
  aws-region: ${{ inputs.AWS_REGION }}
Untested; it may need an intermediate step to work around this part.

workflow_call requires secrets to be sent separately:

A map of the secrets that can be used in the called workflow. Example:
on:
  workflow_call:
    secrets:
      access-token:
        description: 'A token passed from the caller workflow'
        required: false

jobs:
  pass-secret-to-action:
    runs-on: ubuntu-latest
    steps:
      # passing the secret to an action
      - name: Pass the received secret to an action
        uses: ./.github/actions/my-action
        with:
          token: ${{ secrets.access-token }}

  # passing the secret to a nested reusable workflow
  pass-secret-to-workflow:
    uses: ./.github/workflows/my-workflow.yml
    secrets:
      token: ${{ secrets.access-token }}
Per this blog post, you can now inherit secrets:

GitHub Actions has simplified the use of secrets with reusable workflows through the secrets: inherit keyword.

Previously, when passing secrets to a reusable workflow, you had to pass each secret as a separate argument. Now you simply pass secrets: inherit to the reusable workflow, and the secrets are inherited from the calling workflow.
For aws-actions/configure-aws-credentials, you need to pass the required credentials explicitly:
# reusable run_tests.yml
name: Run Tests
on:
  workflow_call: # allows calling this workflow from another workflow
    secrets:
      AWS_ACCESS_KEY_ID: { required: true }
      AWS_SECRET_ACCESS_KEY: { required: true }
jobs:
  tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: eu-west-1
      # - ... rest of the steps...

# your caller workflow (main workflow)
jobs:
  tests:
    uses: ./.github/workflows/run_tests.yml
    secrets:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
  build-and-push:
    ...
It took me a few hours to figure this out...
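Putting the answers together for the asker's setup, here is an added example (not the asker's files, nor GitHub's documentation) of a deploy workflow that keeps both triggers working: secrets are declared under workflow_call rather than passed as inputs, so the same `secrets.*` expressions resolve to the caller-supplied values on workflow_call and to the dev environment's secrets on workflow_dispatch. It assumes the two secrets also exist as repository or organization secrets visible to the caller, and `org/repo` is a placeholder.

```yaml
# .github/workflows/deploy.yaml (added example; org/repo and secret names are the asker's, the rest is assumed)
name: Deploy
on:
  workflow_call:
    inputs:
      AWS_REGION: { required: true, type: string }
    # Secrets must be declared here, not as inputs: inputs are not masked in logs.
    secrets:
      AWS_ACCESS_KEY_ID: { required: true }
      AWS_SECRET_ACCESS_KEY: { required: true }
  workflow_dispatch:
    inputs:
      AWS_REGION: { required: true, default: us-east-1 }
permissions:
  contents: read   # least-privilege GITHUB_TOKEN
jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    environment: dev
    steps:
      - uses: actions/checkout@v4
      - name: Configure aws creds
        uses: aws-actions/configure-aws-credentials@v4
        with:
          # workflow_call: the values the caller passed under `secrets:`;
          # workflow_dispatch: the dev environment / repository secrets.
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ inputs.AWS_REGION }}
---
# .github/workflows/ci-cd.yaml (the caller)
name: CI/CD
on:
  pull_request:
    branches: [ main ]   # note: runs from forked PRs receive no secrets
jobs:
  ci:
    runs-on: ubuntu-latest
    steps:
      - run: echo "static analysis and tests go here"
  deploy-to-qa:
    needs: [ ci ]
    uses: org/repo/.github/workflows/deploy.yaml@main
    with:
      AWS_REGION: us-east-1
    # Explicit mapping passes only what deploy.yaml declares; `secrets: inherit`
    # would hand over every secret the caller can see.
    secrets:
      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
```

The `---` separates the two files; each goes in its own file under .github/workflows/.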