GitHub Actions Environment secrets vs Repository secrets All In One
GitHub Actions secrets All In One
Actions secrets
Repository secrets
https://github.com/xgqfrms/xgqfrms/settings/secrets/actions
https://github.com/xgqfrms/xgqfrms/settings/secrets/actions/new
Dependabot secrets
https://github.com/xgqfrms/xgqfrms/settings/secrets/dependabot
https://github.com/xgqfrms/xgqfrms/settings/secrets/dependabot/new
Environment secrets
Secrets stored in an environment are only available to workflow jobs that reference the environment. If the environment requires approval, a job cannot access environment secrets until one of the required reviewers approves it.
https://github.com/xgqfrms/xgqfrms/settings/environments
https://github.com/xgqfrms/xgqfrms/settings/environments/new
https://github.com/xgqfrms/xgqfrms/settings/environments/596054267/edit
Environment protection rules
Required reviewers
Use required reviewers to require a specific person or team to approve workflow jobs that reference the environment. You can list up to six users or teams as reviewers. The reviewers must have at least read access to the repository. Only one of the required reviewers needs to approve the job for it to proceed.
Wait timer
Use a wait timer to delay a job for a specific amount of time after the job is initially triggered. The time (in minutes) must be an integer between 0 and 43,200 (30 days).
Deployment branches
Use deployment branches to restrict which branches can deploy to the environment. Below are the options for deployment branches for an environment:
- All branches: All branches in the repository can deploy to the environment.
- Protected branches: Only branches with branch protection rules enabled can deploy to the environment. If no branch protection rules are defined for any branch in the repository, then all branches can deploy.
- Selected branches: Only branches that match your specified name patterns can deploy to the environment.

For example, if you specify `releases/*` as a deployment branch rule, only branches whose name begins with `releases/` can deploy to the environment. (Wildcard characters will not match `/`. To match branches that begin with `releases/` and contain an additional single slash, use `releases/*/*`.) If you add `main` as a deployment branch rule, a branch named `main` can also deploy to the environment.
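The three deployment branch options above, evaluated over a branch list. This is an added example, not code from the original post or from GitHub; the mode labels, function names and sample branches are assumptions of this example, and only `*` is handled as a wildcard.

```python
import re

def pattern_to_regex(pattern):
    """Anchored regex for one deployment branch name pattern.

    Assumption of this example: `*` is the only wildcard handled. It matches
    any run of characters except `/`, which is the rule stated above.
    """
    return re.compile("[^/]*".join(re.escape(part) for part in pattern.split("*")))

def deployable(mode, branches, protected=(), patterns=()):
    """Return the sorted branches allowed to deploy under one of the three options.

    mode      -- "all", "protected" or "selected" (labels chosen for this example)
    protected -- branches that have a branch protection rule
    patterns  -- name patterns, used only when mode == "selected"
    """
    if mode == "all":
        allowed = set(branches)
    elif mode == "protected":
        # Caveat from the text: with no protection rule on any branch,
        # every branch can deploy.
        allowed = set(branches) & set(protected) if protected else set(branches)
    elif mode == "selected":
        regexes = [pattern_to_regex(p) for p in patterns]
        allowed = {b for b in branches if any(r.fullmatch(b) for r in regexes)}
    else:
        raise ValueError("unknown mode: %r" % mode)
    return sorted(allowed)

# Constructed sample branch list, not taken from any real repository.
BRANCHES = ["main", "maintenance", "releases/1.0", "releases/1.0/hotfix", "feature/x"]

if __name__ == "__main__":
    for mode, kwargs in [
        ("selected", {"patterns": ["releases/*", "main"]}),
        ("selected", {"patterns": ["releases/*/*"]}),
        ("protected", {"protected": ["main"]}),
        ("protected", {"protected": []}),   # no protection rules anywhere
    ]:
        print(mode, kwargs, "->", deployable(mode, BRANCHES, **kwargs))
```

The last case is the one to check in a real repository: "Protected branches" restricts nothing until at least one branch protection rule exists.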
Environment secrets
Secrets stored in an environment are only available to workflow jobs that reference the environment.
If the environment requires approval, a job cannot access environment secrets until one of the required reviewers approves it.
Secrets are encrypted environment variables. They are accessible only by GitHub Actions in the context of this environment.
demo
- Create environment secrets
- Use environment secrets
jobs.<job_id>.environment
```yaml
name: dev Deployment

on:
  push:
    branches:
      - main

jobs:
  # job name
  dev-deployment:
    runs-on: ubuntu-latest
    # use the environment `dev-env`
    environment: dev-env
    steps:
      - name: deploy
        # ...deployment-specific steps (this step needs a run: or uses: key to be valid)
      # use - name + uses
      - name: 使用自定义 github action
        uses: xgqfrms/github-fe-oss-project-template@v0.0.1
        with:
          # use the secret token stored under dev-env, secrets.DEV_TOKEN_FOR_MAIN
          ghToken: ${{ secrets.DEV_TOKEN_FOR_MAIN }}
```
full demo
```yaml
# This is a basic workflow to help you get started with Actions
name: 🚀 dev token for main branch 👻

# Controls when the action will run.
# Triggers the workflow on push or pull request events, but only for the main branch
on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
  # This workflow contains a single job called "dev-deployment" / job name: dev-deployment
  dev-deployment:
    # The type of runner that the job will run on (the OS environment: Linux / macOS / Windows)
    runs-on: ubuntu-latest
    # use the environment `dev-env`
    environment: dev-env
    # Steps represent a sequence of tasks that will be executed as part of the job
    steps:
      # Checks out your repository under $GITHUB_WORKSPACE, so your job can access it
      # use - uses
      - uses: actions/checkout@v2
      # use - name + uses
      # (the name is quoted because it contains ": ")
      - name: "使用 自定义 github action: github fe oss project template"
        uses: xgqfrms/github-fe-oss-project-template@v0.0.1
        with:
          # use the token stored under dev-env, secrets.DEV_TOKEN_FOR_MAIN
          ghToken: ${{ secrets.DEV_TOKEN_FOR_MAIN }}
      # Runs a single command using the runner's shell
      - name: Run a one-line script ✅ 👨🏻💻
        run: echo 正在执行单个命令!
      # Runs a set of commands using the runner's shell
      - name: Run a multi-line script ✅ 👨🏻💻
        run: |
          echo 正在执行多个命令的
          echo finished 🎉
```
https://github.com/xgqfrms/xgqfrms/blob/main/.github/workflows/dev-env-tetsing.yml
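An added example (not from the original post or from GitHub) that scans workflow text for jobs that read `${{ secrets.* }}` without declaring `environment:`, that is, jobs whose secrets are not behind the environment's required reviewers, wait timer or deployment branch rules. The `notify` job and `./notify.sh` are hypothetical, and the scanner assumes block-style YAML indentation.

```python
import re

# GITHUB_TOKEN is issued to every job automatically, so the pattern skips it.
SECRET_RE = re.compile(r"\$\{\{\s*secrets\.(?!GITHUB_TOKEN\b)(\w+)\s*\}\}")

def scan_jobs(workflow_text):
    """Map job id -> {"environment": name or None, "secrets": set of names}."""
    jobs, job, in_jobs, job_indent, key_indent = {}, None, False, None, None
    for raw in workflow_text.splitlines():
        text = raw.strip()
        if not text or text.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if indent == 0:                      # top-level key such as on: or jobs:
            in_jobs, job, job_indent = text == "jobs:", None, None
        if indent == 0 or not in_jobs:
            continue
        job_indent = indent if job_indent is None else job_indent
        if indent == job_indent:             # a new job id
            job = jobs.setdefault(text.rstrip(":"), {"environment": None, "secrets": set()})
            key_indent = None
            continue
        key_indent = indent if key_indent is None else key_indent
        if indent == key_indent and text.startswith("environment:"):
            # Scalar form gives the name; the mapping form is recorded as "(mapping)".
            value = text[len("environment:"):].strip().strip("'\"")
            job["environment"] = value or "(mapping)"
        job["secrets"].update(SECRET_RE.findall(text))
    return jobs

def ungated_jobs(workflow_text):
    """Job ids that read secrets but declare no environment."""
    found = scan_jobs(workflow_text)
    return sorted(j for j, i in found.items() if i["secrets"] and not i["environment"])

# Constructed sample: the page's dev-deployment job plus a hypothetical notify job.
SAMPLE = """\
jobs:
  dev-deployment:
    environment: dev-env
    steps:
      - uses: xgqfrms/github-fe-oss-project-template@v0.0.1
        with:
          ghToken: ${{ secrets.DEV_TOKEN_FOR_MAIN }}
  notify:
    steps:
      - run: ./notify.sh
        env:
          TOKEN: ${{ secrets.DEV_TOKEN_FOR_MAIN }}
"""
```

On the sample, `ungated_jobs(SAMPLE)` reports only `notify`: that job never references `dev-env`, so the environment secret is not available to it.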
custom github action
```yaml
- name: github fe oss project template
  uses: xgqfrms/github-fe-oss-project-template@v0.0.1
```
https://github.com/marketplace/actions/github-fe-oss-project-template
Environments
Environments, environment secrets, and environment protection rules are available in public repositories for all products.
Environments are used to describe a general deployment target like production, staging, or development.
Note: You can only configure environments for public repositories. If you convert a repository from public to private, any configured protection rules or environment secrets will be ignored, and you will not be able to configure any environments. If you convert your repository back to public, you will have access to any previously configured protection rules and environment secrets.
REST API
https://docs.github.com/en/rest/deployments/environments
https://docs.github.com/en/rest/actions/secrets
https://docs.github.com/en/rest/deployments/branch-policies
refs
https://docs.github.com/en/actions/reference/encrypted-secrets
©xgqfrms 2012-2025
This article was first published on cnblogs (博客园). Author: xgqfrms. Original link: https://www.cnblogs.com/xgqfrms/p/16598876.html