user21790117

GitHub Actions how to keep artifacts secret

I have a little Vite project for a single page application on GitHub. The Vite app consumes a REST API. Due to the nature of Vite, all environment variables are compiled into the output during npm run build.

I want a build process like this:

  1. Build stage: inject the API URL from GitHub secrets into the .env file, then run npm run build
  2. Deploy: deploy to my production server

In my understanding I have to upload the artifact from step 1 and download it in step 2, but this means that everyone who can see the artifacts can see the URL of the production server. I think it is possible to delete the artifact after downloading it in step 2, but there are two problems here:

  1. The artifact exists for a short time, and the URL can be leaked during that time
  2. The artifact may exist for longer if step 2 fails before deleting it

Does anyone know how to achieve this workflow without leaking the production URL?

Maybe I did not find the correct GitHub Actions documentation page.

Upvotes: 1

Views: 825

Answers (1)

cph101

Reputation: 1

Sorry for the extremely late response; you might have already figured this out, but here's a solution anyway :)

GitHub's Cache action can also save files, but it does so without uploading them as an artifact, which I think is what we were both looking for. So here's an example workflow I put together:

jobs:
  save-files:
    name: Save files
    runs-on: ubuntu-latest
    outputs:
      current_date: ${{ steps.get_date.outputs.CURRENT_DATE }}
    steps:
      - name: Get date
        id: get_date
        run: |
          echo "CURRENT_DATE=$(date +'%Y-%m-%d %H:%M:%S')" >> "$GITHUB_OUTPUT"

      - name: Save source
        uses: actions/cache/save@v3
        with:
          path: ./generated
          key: dist-files-${{ steps.get_date.outputs.CURRENT_DATE }}

  build:
    name: Load files
    runs-on: ubuntu-latest
    needs: [save-files]

    steps:
      - name: Restore cached source
        uses: actions/cache/restore@v3
        with:
          path: ./generated
          key: dist-files-${{ needs.save-files.outputs.current_date }}

The workflow fails if the cache already exists, which is why I used the timestamp of saving to give each workflow run a unique cache name. I hope this helps!

Upvotes: 0
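An alternative, added here as an editor's example rather than either poster's code: build and deploy in a single job, so the bundle never leaves the runner as an artifact or cache entry that other repository users could download. Keep in mind that Vite still inlines VITE_API_URL into the shipped JavaScript, so the URL is visible to anyone who loads the deployed app. The secret names (PROD_API_URL, DEPLOY_HOST, DEPLOY_SSH_KEY, DEPLOY_KNOWN_HOSTS), the "production" environment and the target path /var/www/app are placeholder assumptions.

```yaml
# Added example (editor's, not the question's or answer's code): build and deploy in one
# job so the built bundle is never uploaded as an artifact or cache entry.
# All secret names, the environment name and the target path below are placeholder assumptions.
name: build-and-deploy

on:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    # Secrets scoped to a deployment environment are only exposed to jobs
    # that reference it and can be gated by the environment's protection rules.
    environment: production
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm

      - run: npm ci

      # Vite picks up VITE_* variables from the process environment at build
      # time, so the URL never has to be written to a .env file on disk.
      - name: Build
        run: npm run build
        env:
          VITE_API_URL: ${{ secrets.PROD_API_URL }}

      # Deploy straight from the runner's workspace. No upload-artifact or
      # cache step means nothing to leak and nothing to clean up on failure.
      - name: Deploy
        env:
          DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
          DEPLOY_SSH_KEY: ${{ secrets.DEPLOY_SSH_KEY }}
          DEPLOY_KNOWN_HOSTS: ${{ secrets.DEPLOY_KNOWN_HOSTS }}
        run: |
          umask 077
          mkdir -p ~/.ssh
          printf '%s\n' "$DEPLOY_SSH_KEY" > ~/.ssh/deploy_key
          printf '%s\n' "$DEPLOY_KNOWN_HOSTS" > ~/.ssh/known_hosts   # pinned host key, no TOFU
          rsync -az --delete -e "ssh -i ~/.ssh/deploy_key -o StrictHostKeyChecking=yes" \
            dist/ "deploy@${DEPLOY_HOST}:/var/www/app/"
```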
