Reputation: 4357
How to Define Github Branch Specific Secret or an Alternative?
For example, travis-ci.com allows the user to define an env variable which is bound to a certain branch. Whereas Github does allow you to define secret env variables, they, however, all have to compete for the same namespace which introduces additional complexity. Does anyone know a workaround?
Upvotes: 2
Views: 4166
Answers (3)
Reputation: 3388
I defined staging and prod environments in GitHub and defined secret for each of them.
GitHub Environments:
staging
FIREBASE_PROJECT_ID=project-staging
prod
FIREBASE_PROJECT_ID=project-production
Then I use the following GitHub workflow script to activate specific environment depending on the branch:
jobs:
build_and_deploy:
runs-on: ubuntu-latest
environment: ${{ github.ref == 'refs/heads/main' && 'prod' || github.ref == 'refs/heads/staging' && 'staging' }}
Finally using the secret.
- name: Deploy Cloud Functions
run: |
npx firebase-tools use ${{ secrets.FIREBASE_PROJECT_ID }}
npx firebase-tools deploy --only functions --json
Upvotes: 1
Reputation: 569
As an alternative, you can create an environment on GitHub. And you can create secrets for that environment. And finally, you can add a deployment branch for that environment. That means you could have a job to deploy to that environment using that secret. Only that job would have access to the secret and you can also set a rule to only allow deploys to that environment using workflows on that branch.
I think, that way you get what you want (or maybe a little bit more restrictive) because only that branch would have access to the secret but you have to define an environment. I suppose in most cases when you introduce a secret that depends on a branch it's because that branch represents an environment.
Upvotes: 1
Reputation: 1328602
I have not seen that particular feature, which means you need to define your variable environment with a naming convention:
branchName_myVariable
In your GitHub Action script, you can then reference said variable by prepending the branch name you would have extracted in a separate step.
Upvotes: 0
Related Questions
- Defining secure environment variables for multiple repositories in a single .travis.yml
- Travis-ci: enviroment variables per branch in .travis.yml
- Travis CI encrypted secret environment variables
- In Travis Public Repository how to add a Secure variable that works on Pull requests too
- Store secrets in Travis, not in github repo
- How can I use an environment variable to specify branches to build in .travis.yml?
- How do I include generic secrets/config file in github repository (for CI purposes) without deploying it to production
- Travis CI - Using repository environment variables in .travis.yml
- Add secret environment variable to Travis CI
- Preserve API key integrity with Travis-CI build-notification hooks in a public repository