Chapter 1. Adding secrets and variables to GitHub Actions for integration with external tools

Procedure

1. Log in to GitHub and navigate to your source repository.
2. Go to the Settings tab.
3. In the left navigation pane, select Secrets and variables, then select Actions.

4. On the Actions secrets and variables page select the Secrets tab.

   1. Select New repository secret.
   2. In the Name field, enter MY_GITHUB_TOKEN.
   3. In the Secret field, enter the token associated with your GitHub account.
   4. Select Add secret.

5. Repeat step 4 to add the required secrets:

   Expand

   Table 1.1. Image registry and GitOps secrets

   Variable	Description
   IMAGE_REGISTRY_PASSWORD	Password for accessing your container image registry.
   GITOPS_AUTH_PASSWORD	The token the system uses to update the GitOps repository for newly built images.

   Show more
   Expand

   Table 1.2. Secrets required for ACS and SBOM tasks

   Variable	Description
   ROX_API_TOKEN	API token for accessing the ROX server.
   COSIGN_SECRET_PASSWORD	Password for Cosign signing key.
   COSIGN_SECRET_KEY	Private key for Cosign.
   TRUSTIFICATION_OIDC_CLIENT_SECRET	Client secret used alongside the client ID to authenticate to the Trustification Bombastic API.

   Show more

6. On the Actions secrets and variables page switch to the Variables tab.

   1. Select New repository variable.
   2. In the Name field, enter IMAGE_REGISTRY_USER.
   3. In the Value field, enter the username for accessing your container image registry.
   4. Select Add variable.

7. Repeat step 6 to add the required variables:

   Expand

   Table 1.3. Image registry variable

   Variable	Description
   IMAGE_REGISTRY_USER	Username for accessing your container image registry.

   Show more
   Expand

   Table 1.4. Variables required for ACS and SBOM tasks

   Variable	Description
   ROX_CENTRAL_ENDPOINT	Endpoint for the ROX Central server.
   COSIGN_PUBLIC_KEY	Public key for Cosign.
   TRUSTIFICATION_BOMBASTIC_API_URL	URL for Trustification Bombastic API used in SBOM generation.
   TRUSTIFICATION_OIDC_ISSUER_URL	OIDC issuer URL used for authentication when interacting with the Trustification Bombastic API.
   TRUSTIFICATION_OIDC_CLIENT_ID	Client ID for authenticating to the Trustification Bombastic API using OIDC.
   TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION	Specifies the CycloneDX SBOM version that is supported and generated by the system.

   Show more

   Optional: Set the Rekor and TUF variables if your CI provider runners do not run on the same cluster as the RHTAP instance.

   Expand

   Table 1.5. Rekor and TUF variables

   Variable	Description
   REKOR_HOST	URL of your Rekor server.
   TUF_MIRROR	URL of your TUF service.

   Show more

8. Rerun the last pipeline run to verify the secrets are applied correctly.

   1. Alternatively, switch to you application’s source repository in GitHub, make a minor change, and commit it to trigger a new pipeline run.

Procedure

1. Create a project with two files in your preferred text editor, such as Visual Studio Code:

   • env_vars.sh
   • ghub-set-vars

2. Update the env_vars.sh file with the following environment variables:

   # env_vars.sh
   
   # GitHub credentials
   export MY_GITHUB_TOKEN="your_github_token_here"
   export MY_GITHUB_USER="your_github_username_here"
   
   export GITOPS_AUTH_PASSWORD="your_OpenShift_GitOps_password_here"
   
   # Image registry variables
   export IMAGE_REGISTRY_USER="your_registry_username_here"
   export IMAGE_REGISTRY_PASSWORD="your_registry_password_here"
   
   // Add credentials for an image repository that you use
   # Quay.io credentials
   export QUAY_IO_CREDS_USR="your_quay_username_here"
   export QUAY_IO_CREDS_PSW="your_quay_password_here"
   
   # or JFrog Artifactory credenditals
   export ARTIFACTORY_IO_CREDS_USR="your_artifactory_username_here"
   export ARTIFACTORY_IO_CREDS_PSW="your_artifactory_password_here"
   
   # or Sonatype Nexus credentials
   export NEXUS_IO_CREDS_USR="your_nexus_username_here"
   export NEXUS_IO_CREDS_PSW="your_nexus_password_here"
   
   // Variables required for ACS tasks
   # ROX variables
   export ROX_CENTRAL_ENDPOINT="your_rox_central_endpoint_here"
   export ROX_API_TOKEN="your_rox_api_token_here"
   
   // Variables required for SBOM tasks.
   # Cosign secrets
   export COSIGN_SECRET_PASSWORD="your_cosign_secret_password_here"
   export COSIGN_SECRET_KEY="your_cosign_secret_key_here"
   export COSIGN_PUBLIC_KEY="your_cosign_public_key_here"
   
   # Trustification credentials
   export TRUSTIFICATION_BOMBASTIC_API_URL="your__BOMBASTIC_API_URL_here"
   export TRUSTIFICATION_OIDC_ISSUER_URL="your_OIDC_ISSUER_URL_here"
   export TRUSTIFICATION_OIDC_CLIENT_ID="your_OIDC_CLIENT_ID_here"
   export TRUSTIFICATION_OIDC_CLIENT_SECRET="your_OIDC_CLIENT_SECRET_here"
   export TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION="your_SUPPORTED_CYCLONEDX_VERSION_here"
   
   // Set these variables if your CI provider runners do not run
   on the same cluster as the {ProductShortName} instance.
   # Rekor and TUF routes
   export REKOR_HOST="your rekor server url here"
   export TUF_MIRROR="your tuf service url here"

3. Update the ghub-set-vars file with the following information:

   #!/bin/bash
   
   # Helper script used to simplify setting variables and secrets in a GitHub repository
   
   set -euo pipefail
   
   function echo_usage() {
       echo "Usage: $0 OWNER/REPO"
       echo "       $0 https://github.com/OWNER/REPO"
   }
   
   if [ $# -ne 1 ]; then
       echo "Invalid number of arguments"
       echo
       echo_usage
       exit 1
   fi
   
   github_repository=$1
   
   # Naive check that the provided repository in the argument matches
   # the expected format (see usage)
   if ! [[ "$github_repository" =~ ^(https://github.com/)?(.+/.+)$ ]]; then
       echo "Invalid format of the provided argument '${github_repository}'"
       echo
       echo_usage
   fi
   
   # Set repository variable via GitHub CLI
   # The value of the variable will NOT be hidden in the logs
   function set_variable() {
       echo "Setting variable '$1' in $github_repository..."
       gh variable set "$1" --body "$2" --repo "$github_repository"
   }
   
   # Set repository secret via GitHub CLI
   function set_secret() {
       echo "Setting secret '$1' in $github_repository..."
       gh secret set "$1" --body "$2" --repo "$github_repository"
   }
   
   # Set the minimum required variables and secrets
   
   # Depending on which image repository you use, set:
   set_variable IMAGE_REGISTRY quay.io/"$QUAY_IO_CREDS_USR"
   set_variable IMAGE_REGISTRY_USER "$QUAY_IO_CREDS_USR"
   set_secret IMAGE_REGISTRY_PASSWORD "$QUAY_IO_CREDS_PSW"
   # or
   set_variable IMAGE_REGISTRY_USER "$ARTIFACTORY_IO_CREDS_USR"
   set_secret IMAGE_REGISTRY_PASSWORD "$ARTIFACTORY_IO_CREDS_PSW"
   # or
   set_variable IMAGE_REGISTRY_USER "$NEXUS_IO_CREDS_USR"
   set_secret IMAGE_REGISTRY_PASSWORD "$NEXUS_IO_CREDS_PSW"
   
   set_variable ROX_CENTRAL_ENDPOINT "$ROX_CENTRAL_ENDPOINT"
   set_secret ROX_API_TOKEN "$ROX_API_TOKEN"
   
   set_secret GITOPS_AUTH_PASSWORD "$GITOPS_AUTH_PASSWORD"
   
   set_variable QUAY_IO_CREDS_USR "$QUAY_IO_CREDS_USR"
   set_secret QUAY_IO_CREDS_PSW "$QUAY_IO_CREDS_PSW"
   
   set_secret COSIGN_SECRET_PASSWORD "$COSIGN_SECRET_PASSWORD"
   set_secret COSIGN_SECRET_KEY "$COSIGN_SECRET_KEY"
   set_variable COSIGN_PUBLIC_KEY "$COSIGN_PUBLIC_KEY"
   
   set_variable TRUSTIFICATION_BOMBASTIC_API_URL "$TRUSTIFICATION_BOMBASTIC_API_URL"
   set_variable TRUSTIFICATION_OIDC_ISSUER_URL "$TRUSTIFICATION_OIDC_ISSUER_URL"
   set_variable TRUSTIFICATION_OIDC_CLIENT_ID "$TRUSTIFICATION_OIDC_CLIENT_ID"
   set_variable TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION "$TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION"
   set_secret TRUSTIFICATION_OIDC_CLIENT_SECRET "$TRUSTIFICATION_OIDC_CLIENT_SECRET"
   
   # If you need to use the Rekor and TUF variables and you've added them to env_vars.sh,
   # set them here too:
   set_variable REKOR_HOST "$REKOR_HOST"
   set_variable TUF_MIRROR "$TUF_MIRROR"
   
   echo
   echo "All variables and secrets are set."

4. Load the environment variables into your current shell session:

   source env_vars.sh

5. Make the ghub-set-vars script executable, and run it with your repository name to set the variables in your GitHub repository.

   chmod +x ghub-set-vars
   
   ./ghub-set-vars your_repository_name

6. Rerun the last pipeline run to verify the secrets are applied correctly.

   1. Alternatively, switch to you application’s source repository in GitHub, make a minor change, and commit it to trigger a new pipeline run.