
Commit

Merge remote-tracking branch 'origin/main'
evl-8 committed Jan 22, 2025
2 parents 94aadd4 + 9cc3b7e commit f40c231
Showing 1 changed file with 39 additions and 3 deletions.
42 changes: 39 additions & 3 deletions research/SecretsSlide.md
@@ -1,14 +1,44 @@
# Understanding GitHub Secrets in CI/CD Workflows

When working with GitHub actions a point where using API or authentication credentials comes up. You can't put them in the workflow files since that is a security risk. Therefore this is where Github secrets comes in help. Below are points which cover the essentials that a developers needs to know for using them.
## Overview of GitHub Secrets

> “Secrets and variables allow you to manage reusable configuration data. Secrets are encrypted and are used for sensitive data. (…) Variables are shown as plain text and are used for non-sensitive data.”
> (GitHub Using Secrets, n.d.)
1. **Encryption**: Secrets are stored in an encrypted format, safeguarding sensitive data.
1. **Encryption**: Secrets are stored in an encrypted format and if they are forgotten they need to be replaced.
2. **Plain Text Variables**: Non-sensitive variables appear in plaintext and can be viewed by anyone with the necessary repository access.
3. **Permissions**: Anyone with collaborator access can utilize these secrets and variables in GitHub Actions. However, they are not passed to workflows triggered by pull requests originating from forks.


### Creating Secrets
To create secrets or to store variables the user's account must be be either the owner of the repository or the the user must have admin access.(Using secrets in a workflow, n.d.) There are three types of secrets-Repository, Environment and Organization secrets. For this workshop only repository secrets and environment secrets will be covered since they are the most commonly used and you as a developer will likely only have the need to use them. Organization secrets are niche, used in large scale organizations for multiple repositories.
#### Creating Secrets for a Repository in GitHub
To create secrets or variables on GitHub for a personal account repository, you must be the repository owner.(Repository secrets, n.d.)
The steps are as follows:

1. Navigate to the main page of the desired repository on GitHub.
2. Access the "Settings" tab located under the repository name. If the "Settings" tab is not directly visible, it can be accessed via the dropdown menu.
3. In the "Security" section of the sidebar, select "Secrets and variables," and then click "Actions."
4. Switch to the "Secrets" tab and click the "New repository secret" button.
5. Enter a descriptive name for the secret in the "Name" field.
6. Input the sensitive value in the "Secret" field.
7. Conclude by clicking "Add secret" (Repository secrets, n.d.).

Repository secrets interact seamlessly with environment secrets and organization-level secrets. If the repository is configured to access parent organization secrets or contains environment secrets, those secrets are also listed on the same management page. This simplifies managing secrets across different scopes within GitHub (Repository secrets, n.d.).

#### Creating Secrets for an Environment in GitHub
To create secrets or variables for an environment in a personal account repository, you must be the repository owner.(Environment secrets, n.d.)
The steps are:
1. Navigate to the main page of the repository on GitHub.
2. Access the "Settings" tab under the repository name. If the "Settings" tab is not directly visible, select it from the dropdown menu.
3. In the left sidebar, click on the "Environments" section.
4. Select the desired environment to which the secret will be added.
5. Under the "Environment secrets" section, click the "Add secret" button.
6. Enter a descriptive name for the secret in the "Name" field.
7. Input the sensitive value for the secret in the appropriate field.
8. Finalize the process by clicking "Add secret". (Environment secrets, n.d.)


### Example Snippet

Below is an example of referencing secrets within a GitHub Actions workflow.(Using secrets in a workflow, n.d.)
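Review bot: The access requirements added in this hunk disagree with each other. The "Creating Secrets" paragraph says the account must be the repository owner or have admin access, while the repository and environment subsections each say "you must be the repository owner" for a personal account repository. State the requirement once, in one place, and have the subsections refer back to it. The Permissions item also deserves one more sentence here: "Anyone with collaborator access can utilize these secrets" means every collaborator who can edit a workflow can read the values at run time, which is the main reason to keep the set of secrets per repository small. In the rewritten Encryption item, "if they are forgotten they need to be replaced" reads more clearly as "a stored value cannot be read back, so a lost value has to be set again". Smaller points: "must be be" and "the the" in the "Creating Secrets" paragraph, "Github secrets comes in help" and "a developers needs" in the introduction, "secrets-Repository" should be "secrets: Repository", and the citations need a space after the preceding period.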
@@ -22,4 +52,10 @@ env:
GitHub. (n.d.). Using secrets. Retrieved January 16, 2025, from https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository
GitHub. (n.d.). Using secrets in a workflow. Retrieved January 16, 2025, from https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#using-secrets-in-a-workflow
GitHub. (n.d.). Using secrets in a workflow. Retrieved January 16, 2025, from https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#using-secrets-in-a-workflow
GitHub. (n.d). Repository secrets https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository
GitHub. (n.d). Environment secrets https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-an-environment
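Review bot: The two added reference entries (Repository secrets, Environment secrets) do not follow the format of the entries above them: "(n.d)" is missing its closing period, there is no period after the title, and the "Retrieved January 16, 2025, from" part before the URL is absent. The Repository secrets entry also points at the same anchor (#creating-secrets-for-a-repository) as the existing "Using secrets" entry, so the two in-text citations resolve to one source; consider merging them. The "Using secrets in a workflow" entry appears twice in this hunk; if that is only an end-of-file newline change it is fine, otherwise drop the duplicate.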

0 comments on commit f40c231
