Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Configuring GitHub Actions

Red Hat Trusted Application Pipeline 1.4

Learn how to configure GitHub Actions for secure CI/CD workflows.

Red Hat Trusted Application Pipeline Documentation Team

Abstract

This document provides instructions on setting up GitHub Actions to perform essential security tasks, such as vulnerability scanning, image signing, and attestation generation.

Preface
Copy link

If you’re using GitHub Actions for your application, pipeline runs may fail due to missing secrets. Without them, integrations with Quay, JFrog, and Red Hat Advanced Cluster Security (ACS) won’t work, breaking security tasks like vulnerability scanning, image signing, and SBOM generation for compliance.

To prevent this, you need to securely store secrets in GitHub Actions. This guide walks you through the process, ensuring your pipelines run smoothly and securely.

Prerequisites

Before you configure GitHub Actions, ensure you have the following:

  • Admin access to your GitHub repository and CI/CD settings.
  • Container registry credentials for pulling container images from Quay.io, JFrog Artifactory, or Sonatype Nexus.

  • Authentication details for specific GitHub Actions tasks:

    • For ACS security tasks:

      • ROX Central server endpoint
      • ROX API token

    • For SBOM and artifact signing tasks:

      • Cosign signing key password
      • Private key and public key
      • Trustification URL
      • Client ID and secret
      • Supported CycloneDX version
    Note

    The credentials and other details are already Base64-encoded, so you do not need to encode them again. You can find these credentials in your private.env file, which you created during RHTAP installation.

1.1. Adding secrets to GitHub Actions using UI
Copy link

Procedure

  1. Log in to GitHub and navigate to your source repository.
  2. Go to the Settings tab.
  3. In the left navigation pane, select Secrets and variables, then select Actions.

  4. Enter the following details:

    1. Select New repository secret.
    2. In the Name field, enter MY_GITHUB_TOKEN.
    3. In the Secret field, enter the token associated with your GitHub account.

  5. Repeat steps 3-4 to add the required variables:

    Expand
    VariableDescription

    Provide image registry credentials for only one image registry.

    QUAY_IO_CREDS_USR

    Username for accessing Quay.io repository.

    QUAY_IO_CREDS_PSW

    Password for accessing Quay.io repository.

    ARTIFACTORY_IO_CREDS_USR

    Username for accessing JFrog Artifactory repository.

    ARTIFACTORY_IO_CREDS_PSW

    Password for accessing JFrog Artifactory repository.

    NEXUS_IO_CREDS_USR

    Username for accessing Sonatype Nexus repository.

    NEXUS_IO_CREDS_PSW

    Password for accessing Sonatype Nexus repository.

    Set these variables if GitHub Actions runners do not run on the same cluster as the RHTAP instance.

    REKOR_HOST

    URL of your Rekor server.

    TUF_MIRROR

    URL of your TUF service.

    GitOps configuration for GitHub

    GITOPS_AUTH_PASSWORD

    The token the system uses to update the GitOps repository for newly built images.

    GITOPS_AUTH_USERNAME (optional)

    The parameter required for Jenkins to work with GitHub. You also need to uncomment a line with this parameter in a Jenkinsfile: GITOPS_AUTH_USERNAME = credentials('GITOPS_AUTH_USERNAME'). By default, this line is commented out.

    Variable required for ACS tasks.

    ROX_CENTRAL_ENDPOINT

    Endpoint for the ROX Central server.

    ROX_API_TOKEN

    API token for accessing the ROX server.

    Variables required for SBOM tasks.

    COSIGN_SECRET_PASSWORD

    Password for Cosign signing key.

    COSIGN_SECRET_KEY

    Private key for Cosign.

    COSIGN_PUBLIC_KEY

    Public key for Cosign.

    TRUSTIFICATION_BOMBASTIC_API_URL

    URL for Trustification Bombastic API used in SBOM generation.

    TRUSTIFICATION_OIDC_ISSUER_URL

    OIDC issuer URL used for authentication when interacting with the Trustification Bombastic API.

    TRUSTIFICATION_OIDC_CLIENT_ID

    Client ID for authenticating to the Trustification Bombastic API using OIDC.

    TRUSTIFICATION_OIDC_CLIENT_SECRET

    Client secret used alongside the client ID to authenticate to the Trustification Bombastic API.

    TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION

    Specifies the CycloneDX SBOM version that is supported and generated by the system.

  6. Select Add secret.

  7. Rerun the last pipeline run to verify the secrets are applied correctly.

    1. Alternatively, switch to you application’s source repository in GitHub, make a minor change, and commit it to trigger a new pipeline run.

1.2. Adding secrets to GitHub using CLI
Copy link

Procedure

  1. Create a project with two files in your preferred text editor, such as Visual Studio Code:

    • env_vars.sh
    • ghub-set-vars

  2. Update the env_vars.sh file with the following environment variables: 

    # env_vars.sh



# GitHub credentials
export MY_GITHUB_TOKEN="your_github_token_here"
export MY_GITHUB_USER="your_github_username_here"

export GITOPS_AUTH_PASSWORD="your_OpenShift_GitOps_password_here"
export GITOPS_AUTH_USERNAME="your_OpenShift_GitOps_username_here"

// Provide the credentials for the image registry you use.
# Quay.io credentials
export QUAY_IO_CREDS_USR="your_quay_username_here"
export QUAY_IO_CREDS_PSW="your_quay_password_here"

# JFrog Artifactory credenditals
export ARTIFACTORY_IO_CREDS_USR="your_artifactory_username_here"
export ARTIFACTORY_IO_CREDS_PSW="your_artifactory_password_here"

# Sonatype Nexus credentials
export NEXUS_IO_CREDS_USR="your_nexus_username_here"
export NEXUS_IO_CREDS_PSW="your_nexus_password_here"

# Rekor and TUF routes
export REKOR_HOST="your rekor server url here"
export TUF_MIRROR="your tuf service url here"

// Variables required for ACS tasks
# ROX variables
export ROX_CENTRAL_ENDPOINT="your_rox_central_endpoint_here"
export ROX_API_TOKEN="your_rox_api_token_here"



// Set these variables if GitHub Actions runners do not run on the same cluster as the {ProductShortName} instance.
export ROX_CENTRAL_ENDPOINT="your_rox_central_endpoint_here"
export ROX_API_TOKEN="your_rox_api_token_here"

// Variables required for SBOM tasks.
# Cosign secrets
export COSIGN_SECRET_PASSWORD="your_cosign_secret_password_here"
export COSIGN_SECRET_KEY="your_cosign_secret_key_here"
export COSIGN_PUBLIC_KEY="your_cosign_public_key_here"

# Trustification credentials
export TRUSTIFICATION_BOMBASTIC_API_URL="your__BOMBASTIC_API_URL_here"
export TRUSTIFICATION_OIDC_ISSUER_URL="your_OIDC_ISSUER_URL_here"
export TRUSTIFICATION_OIDC_CLIENT_ID="your_OIDC_CLIENT_ID_here"
export TRUSTIFICATION_OIDC_CLIENT_SECRET="your_OIDC_CLIENT_SECRET_here"
export TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION="your_SUPPORTED_CYCLONEDX_VERSION_here"
    Copy to Clipboard Toggle word wrap

  3. Update the ghub-set-vars file with the following information: 

    #!/bin/bash
SCRIPTDIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" > /dev/null 2>&1 && pwd)"

if [ $# -ne 1 ]; then
    echo "Missing param, provide gitlab repo name"
    echo "Note: This script uses MY_GITHUB_TOKEN and MY_GITHUB_USER env vars"
    exit
fi

REPO=$1
HEADER="PRIVATE-TOKEN: $MY_GITHUB_TOKEN"
URL=https://github.com/api/v4/projects

# Look up the project ID so we can use it below
PID=$(curl -s -L --header "$HEADER" "$URL/$MY_GITHUB_USER%2F$REPO" | jq ".id")

function setVars() {
    NAME=$1
    VALUE=$2
    MASKED=${3:-true}
    echo "setting $NAME in https://github.com/$MY_GITHUB_USER/$REPO"

    # Delete first because if the secret already exists then its value
    # won't be changed by the POST below
    curl -s --request DELETE --header "$HEADER" "$URL/$PID/variables/$NAME"

    # Set the new key/value
    curl -s --request POST --header "$HEADER" "$URL/$PID/variables" \
        --form "key=$NAME" --form "value=$VALUE" --form "masked=$MASKED" | jq
}

setVars ROX_CENTRAL_ENDPOINT $ROX_CENTRAL_ENDPOINT
setVars ROX_API_TOKEN $ROX_API_TOKEN

setVars GITOPS_AUTH_PASSWORD $MY_GITLAB_TOKEN
setVars GITOPS_AUTH_USERNAME $MY_GITLAB_USER

setVars QUAY_IO_CREDS_USR $QUAY_IO_CREDS_USR
setVars QUAY_IO_CREDS_PSW $QUAY_IO_CREDS_PSW

setVars COSIGN_SECRET_PASSWORD $COSIGN_SECRET_PASSWORD
setVars COSIGN_SECRET_KEY $COSIGN_SECRET_KEY
setVars COSIGN_PUBLIC_KEY $COSIGN_PUBLIC_KEY

setVars TRUSTIFICATION_BOMBASTIC_API_URL "$TRUSTIFICATION_BOMBASTIC_API_URL"
setVars TRUSTIFICATION_OIDC_ISSUER_URL "$TRUSTIFICATION_OIDC_ISSUER_URL"
setVars TRUSTIFICATION_OIDC_CLIENT_ID "$TRUSTIFICATION_OIDC_CLIENT_ID"
setVars TRUSTIFICATION_OIDC_CLIENT_SECRET "$TRUSTIFICATION_OIDC_CLIENT_SECRET"
setVars TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION "$TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION"

setVars ARTIFACTORY_IO_CREDS_USR $ARTIFACTORY_IO_CREDS_USR
setVars ARTIFACTORY_IO_CREDS_PSW $ARTIFACTORY_IO_CREDS_PSW

setVars NEXUS_IO_CREDS_USR $NEXUS_IO_CREDS_USR
setVars NEXUS_IO_CREDS_PSW $NEXUS_IO_CREDS_PSW

setVars REKOR_HOST $REKOR_HOST
setVars TUF_MIRROR $TUF_MIRROR
    Copy to Clipboard Toggle word wrap

  4. (Optional) Modify the ghub-set-vars file to disable variables that are not required. For example, to disable setVars ROX_API_TOKEN $ROX_API_TOKEN, add false next to it. 

    ROX_API_TOKEN $ROX_API_TOKEN false
    Copy to Clipboard Toggle word wrap

  5. Load the environment variables into your current shell session: 

    source env_vars.sh
    Copy to Clipboard Toggle word wrap

  6. Make the ghub-set-vars script executable, and run it with your repository name to set the variables in your GitHub repository. 

    chmod +x ghub-set-vars

./ghub-set-vars your_repository_name
    Copy to Clipboard Toggle word wrap

  7. Rerun the last pipeline run to verify the secrets are applied correctly.

    1. Alternatively, switch to you application’s source repository in GitLab, make a minor change, and commit it to trigger a new pipeline run.





Revised on 2025-02-12 15:08:56 UTC

Legal Notice
Copy link

Copyright © 2025 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat