How to use SecretHub with GitHub Actions
This guide shows you how to securely load secrets into GitHub Actions and sync them automatically using the SecretHub env-export action. To demonstrate the action, the guide walks you through loading credentials for a Docker registry and publishing a Docker image from your GitHub workflow.
Before you begin
Before you start, make sure you have completed the following steps:
- Set up SecretHub on your workstation.
Step 1: Write your secrets
If you haven’t done so already, store your secrets on SecretHub. You can use the following commands to get everything set up:
- `secrethub repo init` to create a repository
- `secrethub mkdir` to create a directory
- `secrethub write` to write some secrets
In the examples we’ll be using two secrets which store your Docker credentials: `company/app/docker/username` and `company/app/docker/password`, but the same principle applies to all secrets.
Step 2: Create a SecretHub service account
SecretHub uses service accounts to grant non-human parties, such as GitHub Actions, access to secrets.
Create a service account that has read access to your Docker credentials by running:
secrethub service init company/app --permission docker:read
This command creates a service account for the `company/app` repository and grants it read permission on the `docker` directory.
It outputs the credential of the service account, which you’ll need in the next step.
Step 3: Pass the credential to the GitHub action
To allow your GitHub Action to access the previously created credential, store it in a GitHub Secret.
- On GitHub, navigate to the main page of your repository.
- Under your repository name, click Settings.
- In the left sidebar, click Secrets.
- Click New secret.
- Type `SECRETHUB_CREDENTIAL` in the Name input box and set the secret value to the credential from the previous step.
- Click Add Secret.
Step 4: Write your GitHub Action
Finally, you can write your GitHub Action for publishing a Docker container:
```yaml
on: push
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Build Docker image
        run: docker build -t company/app:${GITHUB_SHA:0:7} .
      - uses: secrethub/actions/env-export@v0.2.1
        env:
          SECRETHUB_CREDENTIAL: ${{ secrets.SECRETHUB_CREDENTIAL }}
          DOCKER_USERNAME: secrethub://company/app/docker/username
          DOCKER_PASSWORD: secrethub://company/app/docker/password
      - name: Publish Docker image
        run: |
          echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin
          docker push company/app:${GITHUB_SHA:0:7}
```
The `SECRETHUB_CREDENTIAL` environment variable is set to the GitHub Secret configured in the previous step. The `secrethub/actions/env-export` action uses this credential to authenticate to the SecretHub API and fetch the required secrets.

Note that the `DOCKER_USERNAME` and `DOCKER_PASSWORD` environment variables are set to secret references (`secrethub://`) that point to the secrets written in Step 1. The action replaces these references with their corresponding secret values and exports them to the following steps, where they are used to authenticate to the Docker registry. Passing the password via `--password-stdin` keeps it out of the command line, and because the service account only holds `docker:read`, a leaked `SECRETHUB_CREDENTIAL` exposes no more than the secrets in that directory.
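A check worth running before pushing the workflow: does every `secrethub://` reference in the YAML fall inside a directory the service account from Step 2 can read, and does `SECRETHUB_CREDENTIAL` come from a GitHub Secret rather than a literal? The script below is an added example, not part of SecretHub or the env-export action. It embeds the workflow from this guide as constructed sample input and assumes that a `--permission docker:read` flag means "the `docker` directory under the repository root", that a reference path is `namespace/repo/<dir.../secret>`, and that the `write` and `admin` levels include `read`.

```python
"""Pre-flight check for a workflow that uses secrethub/actions/env-export.

Added example (not SecretHub's own code). It verifies that every
secrethub:// reference lies inside a directory the service account was
granted access to, and that the credential comes from a GitHub Secret.
"""
import re
from typing import List, Tuple

# Constructed sample input: the workflow from this guide, embedded inline.
WORKFLOW_YAML = """\
on: push
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Build Docker image
        run: docker build -t company/app:${GITHUB_SHA:0:7} .
      - uses: secrethub/actions/env-export@v0.2.1
        env:
          SECRETHUB_CREDENTIAL: ${{ secrets.SECRETHUB_CREDENTIAL }}
          DOCKER_USERNAME: secrethub://company/app/docker/username
          DOCKER_PASSWORD: secrethub://company/app/docker/password
"""

# Assumed semantics of `--permission <dir>:<level>`: <dir> is relative to the
# repository root and every level (read, write, admin) allows reading.
LEVELS = {"read", "write", "admin"}
REF_RE = re.compile(r"secrethub://([A-Za-z0-9_./-]+)")
CRED_RE = re.compile(r"^\s*SECRETHUB_CREDENTIAL:\s*(.+?)\s*$", re.MULTILINE)
SECRETS_EXPR_RE = re.compile(r"\$\{\{\s*secrets\.")


def find_references(workflow_text: str) -> List[str]:
    """Return every secrethub:// path used in the workflow, in order."""
    return REF_RE.findall(workflow_text)


def split_reference(path: str) -> Tuple[str, str]:
    """'company/app/docker/username' -> ('company/app', 'docker/username')."""
    parts = path.strip("/").split("/")
    if len(parts) < 3:
        raise ValueError(f"not a secret path (need namespace/repo/secret): {path}")
    return "/".join(parts[:2]), "/".join(parts[2:])


def parse_grants(repo: str, permission_flags: List[str]) -> List[Tuple[str, str]]:
    """Turn `secrethub service init <repo> --permission <dir>:<level>` flags
    into (repo, dir) pairs that allow reading."""
    grants = []
    for flag in permission_flags:
        directory, _, level = flag.rpartition(":")
        if level not in LEVELS:
            raise ValueError(f"unknown permission level in {flag!r}")
        grants.append((repo, directory.strip("/")))
    return grants


def is_readable(path: str, grants: List[Tuple[str, str]]) -> bool:
    """True if the reference's repo matches a grant and its path is inside the granted dir."""
    repo, rel = split_reference(path)
    for g_repo, g_dir in grants:
        if g_repo != repo:
            continue
        if g_dir == "" or rel == g_dir or rel.startswith(g_dir + "/"):
            return True
    return False


def unreadable_references(workflow_text: str, grants: List[Tuple[str, str]]) -> List[str]:
    """References the service account would NOT be allowed to fetch."""
    return [p for p in find_references(workflow_text) if not is_readable(p, grants)]


def credential_is_hardcoded(workflow_text: str) -> bool:
    """True if SECRETHUB_CREDENTIAL is set to anything but a ${{ secrets.* }} expression."""
    m = CRED_RE.search(workflow_text)
    return m is not None and SECRETS_EXPR_RE.match(m.group(1)) is None


if __name__ == "__main__":
    grants = parse_grants("company/app", ["docker:read"])
    missing = unreadable_references(WORKFLOW_YAML, grants)
    print("references outside granted directories:", missing or "none")
    print("credential hardcoded:", credential_is_hardcoded(WORKFLOW_YAML))
```

Run it against the workflow file you are about to commit; a non-empty list means the action will fail at runtime with a permission error for that path, and a `True` for the hardcoded check means a SecretHub credential is sitting in version control.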
See also
- For more details about the SecretHub GitHub action, check it out in the marketplace.
- For more details about SecretHub services check out the documentation.
- For more details about using environment files with SecretHub, check out the documentation.
Happy coding!