I have a GitHub Action that uses azure/docker-login#v1 for building and pushing images to the Azure image registry, and it works.
Now, I want to pass GITHUB_TOKEN using Docker's secret flag, but it only accepts a file, and I don't know how to create a file using this action.
Is it possible?
For example, with docker/build-push-action I can do this bellow
- name: Build docker image
uses: docker/build-push-action#v2
with:
context: .
secrets: |
"github_token=${{ secrets.GITHUB_TOKEN }}"
How can I secure my image using azure/docker-login?
As the readme.md of the azure/docker-login action suggests:
Use this GitHub Action to log in to a private container registry such as Azure Container registry. Once login is done, the next set of actions in the workflow can perform tasks such as building, tagging and pushing containers.
You can setup your workflow so that it logs in using azure/docker-login and builds and pushes the image using docker/build-push-action, like this:
- uses: azure/docker-login#v1
with:
login-server: contoso.azurecr.io
username: ${{ secrets.ACR_USERNAME }}
password: ${{ secrets.ACR_PASSWORD }}
- uses: docker/build-push-action#v2
with:
push: true
context: .
secrets: |
"github_token=${{ secrets.GITHUB_TOKEN }}"
Related
I'm trying to deploy an Azure Functions Linux app using Github Actions. I've used the Deployment Center in the Azure Portal to connect my Github to enable CICD. Now that goes fine, but I want to use Playwright in my Azure Function, so I need to enable scm-do-build-during-deployment: true. I've added this setting to my workflow yaml, but then the deployment doesn't work anymore. I also added some other settings, which I came across when I searched the interwebs. Now this is the yaml I have:
# Docs for the Azure Web Apps Deploy action: https://github.com/azure/functions-action
# More GitHub Actions for Azure: https://github.com/Azure/actions
name: Build and deploy Node.js project to Azure Function App - app-name
on:
push:
branches:
- main
workflow_dispatch:
env:
AZURE_FUNCTIONAPP_PACKAGE_PATH: "." # set this to the path to your web app project, defaults to the repository root
NODE_VERSION: "16.x" # set this to the node version to use (supports 8.x, 10.x, 12.x)
jobs:
build-and-deploy:
runs-on: ubuntu-latest
steps:
- name: "Checkout GitHub Action"
uses: actions/checkout#v2
- name: Setup Node ${{ env.NODE_VERSION }} Environment
uses: actions/setup-node#v1
with:
node-version: ${{ env.NODE_VERSION }}
- name: "Resolve Project Dependencies Using Npm"
shell: bash
run: |
pushd './${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}'
npm install
npm run build --if-present
npm run test --if-present
popd
- name: "Run Azure Functions Action"
uses: Azure/functions-action#v1
id: fa
with:
app-name: "app-name"
slot-name: "Production"
package: ${{ env.AZURE_FUNCTIONAPP_PACKAGE_PATH }}
publish-profile: ${{ secrets.AZUREAPPSERVICE_PUBLISHPROFILE_A5413AC6097F4B21B4A709C270747826 }}
scm-do-build-during-deployment: true
enable-oryx-build: true
respect-funcignore: true
I also added the setting to my application settings in Azure, but to no avail. Furthermore, I added this setting: WEBSITE_RUN_FROM_PACKAGE=0 to the app settings.
Is there anything else I should try?
In the YAML the uses tag is not aligned with the name and the other tags
- name: "Run Azure Functions Action"
uses: Azure/functions-action#v1
id: fa
Add PLAYWRIGHT_BROWSERS_PATH in app settings with its value set to zero.
Rest remains the same and I was able to deploy the function.
I want to auto deploy my private repository on my VPS whenever I push changes to my main branch. My yaml file looks like this:
name: push-and-deploy-to-server
on:
push:
branches: [ main ]
jobs:
build-and-deploy:
runs-on: ubuntu-latest
steps:
- name: checkout repo
uses: actions/checkout#v2
- name: ssh and deploy
uses: appleboy/ssh-action#master
with:
host: ${{ secrets.SSH_HOST }}
username: ${{ secrets.SSH_USERNAME }}
key: ${{ secrets.SSH_PRIVATE_KEY }}
port: 22
script: |
git pull origin main
git status
npm install --only=prod
pm2 restart index.js
this is not working, I get the following error:
err: fatal: could not read Username for 'https://github.com': No such device or address
When ssh-ing into my server and cloning the repo myself, it asks for my username and password (access token). When I provide it, it works, but with the yaml file, it doesnt.
How can I clone and deploy a private repo? It's a nodejs project btw.
Considering your setup
private GitHub repository with given action on that repo.
VPS
What does your current configuration and github secrets setup do?
you push code to your private repo
action runs and using appleboy/ssh-action#master ssh's into your VPS
then executes your commands like git pull origin main in your VPS.
Issue what you have is that your VPS is not authenticated to access your repository.
You have multiple options.
ssh to your VPS as user ${{ secrets.SSH_USERNAME }} and authenticate that user against github using your Github Personal access token which you can generate under your https://github.com/settings/tokens giving it a read repo permissions. Then test that you can clone your repo into VPS if so then your next build will succeed.
Second option generate new ssh key inside VPS for ${{ secrets.SSH_USERNAME }} and add it under your repository settings Deploy keys. When using deploy key, you need to make sure that your repository remote in vps is using git#github.com:<username>/<repository>.git git url not https url.
Third option: use appleboy/scp-action step before appleboy/ssh-action and copy all contents from current directory to your VPS and then run your npm install etc. with appleboy/ssh-action.
You proceed may work if you have git installed on your server. But the scp project can also deploy the code directly to your server.
name: push-and-deploy-to-server
on:
push:
branches: [ main ]
jobs:
build-and-deploy:
runs-on: ubuntu-latest
steps:
- name: checkout repo
uses: actions/checkout#v2
- name: ssh and deploy
uses: appleboy/ssh-action#master
with:
host: ${{ secrets.SSH_HOST }}
username: ${{ secrets.SSH_USERNAME }}
key: ${{ secrets.SSH_PRIVATE_KEY }}
source: "."
target: "the/server/path"
I used an IP address instead of a domain name, cos I felt like my hosting service was screwing with me.
Check out this URL for more details
I've built an Azure Static Web App with one API function which has one dependency. This dependency sits in a private repository on GitHub. On my local dev machine I'm able to build the Functions app by downloading the dependency using SSH authentication. When trying to deploy to Azure using GitHub Actions I get the error Host key verification failed.
My GitHub Actions workflow is similar to the default workflow generated by Azure Static Web App, with the addition of using webfactory/ssh-agent for facilitating the SSH authentication on GitHub to retrieve the private repository Y and a run step with git clone for testing purposes:
# ... Same as on https://learn.microsoft.com/en-us/azure/static-web-apps/github-actions-workflow
jobs:
build_and_deploy_job:
runs-on: ubuntu-latest
name: Build and Deploy Job
steps:
- uses: actions/checkout#v2
with:
submodules: true
persist-credentials: false
- uses: webfactory/ssh-agent#v0.5.1
with:
ssh-private-key: ${{ secrets.SSH_PRIVATE }}
- run: |
git clone ssh://git#github.com/X/Y.git Z
ls -la Z
- name: Build And Deploy
id: builddeploy
uses: Azure/static-web-apps-deploy#v0.0.1-preview
with:
azure_static_web_apps_api_token: ${{ secrets.AZURE_TOKEN }}
repo_token: ${{ secrets.GITHUB_TOKEN }}
action: "upload"
app_location: "/"
api_location: "api"
output_location: "build"
# ... Same as on https://learn.microsoft.com/en-us/azure/static-web-apps/github-actions-workflow
In my private repository Y I've added the public key associated to private key secrets.SSH_PRIVATE as a deploy key.
After running the workflow it shows the git clone command is ran correctly as the ls -la command results in displaying the directories and files in my private repository. However, the build process of my API (yarn install --prefer-offline --production) results in the error Host key verification failed when yarn is fetching the packages. As a result, GitHub Actions cannot download the dependency in my private repository, and cannot build the API. This ends with a failed workflow.
After analyzing Azure/static-web-apps-deploy#v0.0.1-preview I noticed it uses Oryx to start a Docker container for the build process of the Azure Static Web App. This container is unaware of the ssh-agent that was initialized using webfactory/ssh-agent on the host VM. As a result the yarn install triggered in Azure/static-web-apps-deploy#v0.0.1-preview couldn't download the dependency that was in my private repository and failed the installation.
To circumvent this I've refactored my private dependency to use it as a git submodule instead, because submodules can be loaded prior to the build process using actions/checkout. This was achieved by adding only two extra lines to the workflow file that is generated by Azure Static Web Apps. I've highlighted these two lines with a trailing # ADDED in the following snippet of my workflow file:
jobs:
build_and_deploy_job:
runs-on: ubuntu-latest
name: Build and Deploy Job
steps:
- uses: actions/checkout#v2
with:
ssh-known-hosts: "github.com" # ADDED
ssh-key: ${{ secrets.SSH_PRIVATE }} # ADDED
submodules: true
- name: Build And Deploy
id: builddeploy
uses: Azure/static-web-apps-deploy#v0.0.1-preview
...
Is it possible to use the webapps-deploy action to deploy into a specific path of the web app (and not just into wwroot)? For example deploying into a IIS virtual directory under wwwroot/app.
Current yaml GitHub action configuration, can't find a property here for setting a requested path on the web server.
- name: "Run Azure webapp deploy action using publish profile credentials"
uses: azure/webapps-deploy#v2
with:
app-name: MyApp
publish-profile: ${{ secrets.SECRET_PROFILE }}
package: build
Image showing the Virtual Application (wwwroot/app) I'd like to deploy into
With many times testing, I found it's not possible using Git Action. But you can consider using Visual Studio, importing publish profile.
First, set the virtual path in portal.
Downloads the publish profile. You will use the content of publish profile.
Modify the profile. Change msdeploySite's value from Your-Site to Your-Site\folder\subfolder, such as msdeploySite="dorissub\app". Change destinationAppUrl's value from http://xxx.azurewebsites.net to http://xxx.azurewebsites.net/app
Publish from VS.
Check the sub folder. it works.
Here is how I do using Git Action.
Add secret. Go to your GitHub repository settings and add a secret with the content of publish profile as the value, name it as AZURE_WEBAPP_PUBLISH_PROFILE.
Run workflow with this yaml file:
name: .NET Core dorisxxx
on: [push]
env:
AZURE_WEBAPP_NAME: dorisxxx # set this to your application's name
AZURE_WEBAPP_PACKAGE_PATH: '.' # set this to the path to your web app project, defaults to the repository root
DOTNET_VERSION: '3.1.x' # set this to the dot net version to use
jobs:
build:
runs-on: ubuntu-latest
steps:
# Checkout the repo
- uses: actions/checkout#master
# Setup .NET Core SDK
- name: Setup .NET Core
uses: actions/setup-dotnet#v1
with:
dotnet-version: ${{ env.DOTNET_VERSION }}
# Run dotnet build and publish
- name: dotnet build and publish
run: |
dotnet restore
dotnet build --configuration Release
dotnet publish -c Release -o '${{ env.AZURE_WEBAPP_PACKAGE_PATH }}/myapp'
# Deploy to Azure Web apps
- name: 'Run Azure webapp deploy action using publish profile credentials'
uses: azure/webapps-deploy#v2
with:
app-name: ${{ env.AZURE_WEBAPP_NAME }} # Replace with your app name
publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }} # Define secret variable in repository settings as per action documentation
package: '${{ env.AZURE_WEBAPP_PACKAGE_PATH }}/myapp'
But the project still published to wwwroot...
Maybe you should choose another way to deploy.
Having some problems using git clone from within a Github Actions, i get the following no matter what i try:
The code that fails in my main.yml:
jobs:
terraform:
name: 'Terraform with Github Actions!'
runs-on: ubuntu-latest
steps:
- name: 'Login to Azure'
uses: azure/login#v1
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
- name: 'Checkout'
uses: actions/checkout#master
- name: 'Preparing blueprint-environment'
run: |
snip
git clone git#github.com:ourcompany/whateverrepo.git
Error message:
git#github.com: Permission denied (publickey).
Ive seen many posts on adding ssh-keys, but thats locally, not in a ubuntu-release running from Github actions - what am i missing here? I cant generate ssh-keys and add the private key on the fly to the Github repo-settings, how can i fix this?
If you need to checkout two repositories I would recommend using checkout again to a relative path. See the documentation to checkout multiple repos side by side. You may need to use a repo scoped Personal Access Token (PAT)
- name: 'Checkout'
uses: actions/checkout#v2
- name: 'Preparing blueprint-environment'
uses: actions/checkout#v2
with:
token: ${{ secrets.PAT }}
repository: ourcompany/whateverrepo
path: whateverrepo
If it's really necessary, Deploy keys can be used to clone a repository via SSH.
Create a new SSH key pair for your repository. Do not set a passphrase.
Copy the contents of the public key (.pub file) to a new repository deploy key and check the box to "Allow write access."
Add a secret to the repository containing the entire contents of the private key.
As shown in the example below, configure actions/checkout to use the deploy key you have created.
steps:
- uses: actions/checkout#v2
with:
ssh-key: ${{ secrets.SSH_PRIVATE_KEY }}