How to access environment secrets from a Github workflow?


Problem description

I am trying to publish a Python package to PyPI, from a Github workflow, but the authentication fails for "Test PyPI". I successfully published to Test PyPI from the command line, so my API token must be correct. I also checked for leading and trailing spaces in the secret value (i.e., on GitHub).

As the last commits show, I tried a few things without success.

I first tried to inline simple bash commands into the workflow as follows, but I have not been able to get my secrets into environment variables. Nothing showed up in the logs when I printed these variables.

- name: Publish on Test PyPI 
  env:
     TWINE_USERNAME: __token__
     TWINE_PASSWORD: ${{ secrets.PYPI_TEST_TOKEN }}
     TWINE_REPOSITORY_URL: "https://test.pypi.org/legacy/"
  run: |
     echo "$TWINE_PASSWORD"
     pip install twine
     twine check dist/*
     twine upload dist/*

I also tried to use a dedicated GitHub Action as follows, but it does not work either. I guess the problem comes from the secrets not being available in my workflow. What puzzled me is that my workflow uses another token/secret just fine! Though, if I put it in an environment variable, nothing is printed out. I also recreated my secrets under different names (PYPI_TEST_TOKEN and TEST_PYPI_API_TOKEN) but to no avail.

- name: Publish to Test PyPI
  uses: pypa/gh-action-pypi-publish@release/v1
  with:
    user: __token__
    password: ${{ secrets.TEST_PYPI_API_TOKEN }}
    repository_url: https://test.pypi.org/legacy/

I guess I miss something obvious (as usual). Any help is highly appreciated.

Solution

I eventually figured it out. My mistake was that I defined my secrets within an environment and, by default, workflows do not run in any specific environment. For this to happen, I have to explicitly name the environment in the job description as follows:

jobs:
  publish:
    environment: CI    # <--- /!\ Here is the link to the environment
    needs: build
    runs-on: ubuntu-latest
    if: startsWith(github.ref, 'refs/tags/v')
    steps:
    - uses: actions/checkout@v2
    # Some more steps here ...
    - name: Publish to Test PyPI
      env:
        TWINE_USERNAME: "__token__"
        TWINE_PASSWORD: ${{ secrets.TEST_PYPI_API_TOKEN }}
        TWINE_REPOSITORY_URL: "https://test.pypi.org/legacy/"
      run: |
        echo KEY: '${TWINE_PASSWORD}'
        twine check dist/*
        twine upload --verbose --skip-existing dist/*

The documentation mentions it actually.

Thanks to those who commented for pointing me in the right direction.
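The check below is an added example, not code from the original post: it scans a workflow file for jobs that reference a secret stored in an environment without declaring `environment:`, which is the situation where the secret expands to an empty string. The function name, the sample workflow and the assumption that `TEST_PYPI_API_TOKEN` lives in the environment `CI` are constructed for illustration; the caller supplies the set of environment-scoped secret names, since the workflow file alone cannot reveal where a secret is stored.

```python
import re

SECRET_REF = re.compile(r"secrets\.([A-Za-z_][A-Za-z0-9_]*)")

def jobs_missing_environment(workflow_text, env_scoped):
    """Map job id -> env-scoped secrets it references without `environment:`."""
    jobs, current = {}, None
    jobs_indent = job_indent = None
    for raw in workflow_text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()      # drop trailing comments
        text = line.strip()
        if not text or text.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if jobs_indent is None:                    # still above `jobs:`
            if text == "jobs:":
                jobs_indent = indent
            continue
        if indent <= jobs_indent:                  # left the jobs mapping
            break
        if job_indent is None:
            job_indent = indent                    # first job id fixes this level
        if indent == job_indent:                   # a new job id
            current = jobs.setdefault(
                text.rstrip(":"), {"env": False, "refs": set(), "keys": None})
            continue
        if current["keys"] is None:
            current["keys"] = indent               # indent of job-level keys
        if indent == current["keys"] and text.startswith("environment:"):
            current["env"] = True
        current["refs"].update(SECRET_REF.findall(text))
    return {name: sorted(job["refs"] & env_scoped)
            for name, job in jobs.items()
            if not job["env"] and job["refs"] & env_scoped}

# Constructed sample: TEST_PYPI_API_TOKEN is assumed to be stored in environment "CI".
BROKEN = """\
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - run: python -m build
  publish:
    needs: build
    runs-on: ubuntu-latest
    steps:
    - run: twine upload dist/*
      env:
        TWINE_PASSWORD: ${{ secrets.TEST_PYPI_API_TOKEN }}
"""
FIXED = BROKEN.replace("    needs: build", "    environment: CI   # link\n    needs: build")
```

The parser is line-based and assumes block-style YAML with consistent indentation, as in the workflows shown on this page.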
