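---
# Reusable workflow demonstrating how secrets and variables reach a called
# workflow when 'secrets: inherit' is NOT used by the caller. Every step prints
# only a classification of the value it received ("Environment", "Repository",
# "CallerWorkflow"), never the value itself.
name: Reusable workflow

# Restrict the GITHUB_TOKEN handed to this workflow to read-only repository
# contents; nothing below pushes or writes to the repository.
permissions:
  contents: read

# 'on' is a YAML 1.1 boolean-looking key; GitHub's loader accepts it.
on:  # yamllint disable-line rule:truthy
  workflow_call:
    inputs:
      github_environment:
        description: 'The GitHub environment'
        required: true
        type: string
    # If 'secrets: inherit' is not used, the reusable workflow needs
    # to explicitly define the secrets it needs to access,
    # and the caller workflow needs to give the permission to use these secrets
    # or give a value for these secrets at the caller workflow level.
    secrets:
      GH_ENV_SECRET_ONLY:
        description: 'Secret defined at GitHub environment level only'
        required: true
      SECRET_AT_REPO_AND_GH_ENV_LEVELS:
        description: 'Secret defined both at GitHub repository and GitHub environment level'
        required: true
      SECRET_OVERRIDE_BY_VALUE:
        description: 'Secret overridden by value at caller workflow level'
        required: true

jobs:
  run-reusable-workflow:
    runs-on: ubuntu-latest
    # Binding the job to the environment passed by the caller is what makes
    # environment-level variables and secrets visible to the steps below.
    environment: ${{ inputs.github_environment }}
    steps:
      - name: Add title to Summary
        run: echo "## Reusable workflow without secrets inheritance" >> "$GITHUB_STEP_SUMMARY"

      # Variables are not isolated in reusable workflows, so by defining 'environment: ',
      # we can access the environment variables in a reusable workflow and therefore
      # reduce the inputs in the reusable workflow.
      # The variable is passed through 'env' instead of being interpolated into the
      # script with '${{ }}': an expression expanded inside 'run' becomes shell source,
      # so a value containing shell metacharacters could alter the command
      # (script injection). Reading it as "$MY_VARIABLE" keeps it data.
      - name: Access to variables from GH Env
        env:
          MY_VARIABLE: ${{ vars.MY_VARIABLE }}
        run: |
          echo "MY_VARIABLE: $MY_VARIABLE"
          echo "MY_VARIABLE: $MY_VARIABLE" >> "$GITHUB_STEP_SUMMARY"

      # 'GH_ENV_SECRET_ONLY' is only defined at GitHub environment level. But to have
      # access to it in the reusable workflow, we need to give the permission at the caller
      # workflow level: you need to lift the isolation of secrets by adding it at the
      # caller level. It does not pass a value but it gives the permission to use the secret
      # in the called workflow.
      - name: Secret defined at GitHub environment level only
        env:
          GH_ENV_SECRET_ONLY: ${{ secrets.GH_ENV_SECRET_ONLY }}
        run: |
          if [ "$GH_ENV_SECRET_ONLY" = "Environment" ]; then
            echo "Secret is defined at GitHub environment level only"
            echo "GH_ENV_SECRET_ONLY: Secret is defined at GitHub environment level only" >> "$GITHUB_STEP_SUMMARY"
          else
            echo "Secret is not defined at GitHub environment level"
            echo "GH_ENV_SECRET_ONLY: Secret is not defined at GitHub environment level" >> "$GITHUB_STEP_SUMMARY"
          fi

      # Here, there is a value at repo level for the secret SECRET_AT_REPO_AND_GH_ENV_LEVELS.
      # As in the caller workflow we give the permission to use the secret
      # SECRET_AT_REPO_AND_GH_ENV_LEVELS, we can access it in the called workflow.
      # As there is a value also in the environment, the value in the environment will be used
      # as it has a higher precedence and because 'environment: ' is defined for this job.
      - name: Secrets defined both at GitHub repository and GitHub environment level
        env:
          SECRET_AT_REPO_AND_GH_ENV_LEVELS: ${{ secrets.SECRET_AT_REPO_AND_GH_ENV_LEVELS }}
        run: |
          if [ "$SECRET_AT_REPO_AND_GH_ENV_LEVELS" = "Environment" ]; then
            echo "Secret defined at GitHub environment level"
            echo "SECRET_AT_REPO_AND_GH_ENV_LEVELS: Secret defined at GitHub environment level" >> "$GITHUB_STEP_SUMMARY"
          elif [ "$SECRET_AT_REPO_AND_GH_ENV_LEVELS" = "Repository" ]; then
            echo "Secret defined at GitHub repository level"
            echo "SECRET_AT_REPO_AND_GH_ENV_LEVELS: Secret defined at GitHub repository level" >> "$GITHUB_STEP_SUMMARY"
          else
            echo "Secret is not defined at GitHub environment level nor at repository level"
            echo "SECRET_AT_REPO_AND_GH_ENV_LEVELS: Secret is not defined at GitHub environment level nor at repository level" >> "$GITHUB_STEP_SUMMARY"
          fi

      # Here the value of the secret SECRET_OVERRIDE_BY_VALUE is hardcoded at the caller workflow level,
      # so it will override the value of the environment secret SECRET_OVERRIDE_BY_VALUE if it is set.
      - name: Secret overridden by value at caller workflow level
        env:
          SECRET_OVERRIDE_BY_VALUE: ${{ secrets.SECRET_OVERRIDE_BY_VALUE }}
        run: |
          if [ "$SECRET_OVERRIDE_BY_VALUE" = "CallerWorkflow" ]; then
            echo "Secret overridden by value at caller workflow level"
            echo "SECRET_OVERRIDE_BY_VALUE: Secret overridden by value at caller workflow level" >> "$GITHUB_STEP_SUMMARY"
          elif [ "$SECRET_OVERRIDE_BY_VALUE" = "Environment" ]; then
            echo "Secret defined at GitHub environment level"
            echo "SECRET_OVERRIDE_BY_VALUE: Secret defined at GitHub environment level" >> "$GITHUB_STEP_SUMMARY"
          else
            echo "Secret is not defined at caller workflow level nor at environment level"
            echo "SECRET_OVERRIDE_BY_VALUE: Secret is not defined at caller workflow level nor at environment level" >> "$GITHUB_STEP_SUMMARY"
          fi

  run-reusable-workflow-without-environment:
    needs: run-reusable-workflow
    runs-on: ubuntu-latest
    steps:
      - name: Add title to Summary
        run: echo "## Reusable workflow without environment" >> "$GITHUB_STEP_SUMMARY"

      # Here 'environment: ' is not defined, so this job is not running in the
      # context of an environment: environment-level secrets are out of scope and
      # the value defined at the repository level is the one that gets used.
      - name: Secrets defined both at GitHub repository and GitHub environment level
        env:
          SECRET_AT_REPO_AND_GH_ENV_LEVELS: ${{ secrets.SECRET_AT_REPO_AND_GH_ENV_LEVELS }}
        run: |
          if [ "$SECRET_AT_REPO_AND_GH_ENV_LEVELS" = "Environment" ]; then
            echo "Secret defined at GitHub environment level"
            echo "SECRET_AT_REPO_AND_GH_ENV_LEVELS: Secret defined at GitHub environment level" >> "$GITHUB_STEP_SUMMARY"
          elif [ "$SECRET_AT_REPO_AND_GH_ENV_LEVELS" = "Repository" ]; then
            echo "Secret defined at GitHub repository level"
            echo "SECRET_AT_REPO_AND_GH_ENV_LEVELS: Secret defined at GitHub repository level" >> "$GITHUB_STEP_SUMMARY"
          else
            echo "Secret is not defined at GitHub environment level nor at repository level"
            echo "SECRET_AT_REPO_AND_GH_ENV_LEVELS: Secret is not defined at GitHub environment level nor at repository level" >> "$GITHUB_STEP_SUMMARY"
          fi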