Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Configuring GitHub Actions

Red Hat Trusted Application Pipeline 1.5

Learn how to configure GitHub Actions for secure CI/CD workflows.

Red Hat Trusted Application Pipeline Documentation Team

Abstract

This document provides instructions on setting up GitHub Actions to perform essential security tasks, such as vulnerability scanning, image signing, and attestation generation.

Preface
Copy link

If you’re using GitHub Actions for your application, pipeline runs may fail due to missing secrets. Without them, integrations with Quay, JFrog, and Red Hat Advanced Cluster Security (ACS) won’t work, breaking security tasks like vulnerability scanning, image signing, and SBOM generation for compliance.

To prevent this, you need to securely store secrets in GitHub Actions. This guide walks you through the process, ensuring your pipelines run smoothly and securely.

Prerequisites

Before you configure GitHub Actions, ensure you have the following:

  • Admin access to your GitHub repository and CI/CD settings.
  • Container registry credentials for pulling container images from Quay.io, JFrog Artifactory, or Sonatype Nexus.

  • Authentication details for specific GitHub Actions tasks:

    • For ACS security tasks:

      • ROX Central server endpoint
      • ROX API token

    • For SBOM and artifact signing tasks:

      • Cosign signing key password, private key and public key
      • Trustification API and issuer URL, client ID, client secret, and supported CycloneDX version
    Note

    The credentials and other details are already Base64-encoded, so you do not need to encode them again. You can find these credentials in your private.env file, which you created during RHTAP installation.

Procedure

  1. Log in to GitHub and navigate to your source repository.
  2. Go to the Settings tab.
  3. In the left navigation pane, select Secrets and variables, then select Actions.

  4. On the Actions secrets and variables page select the Secrets tab.

    1. Select New repository secret.
    2. In the Name field, enter MY_GITHUB_TOKEN.
    3. In the Secret field, enter the token associated with your GitHub account.
    4. Select Add secret.

  5. Repeat step 4 to add the required secrets:

    Expand
    Table 1.1. Image registry and GitOps secrets
    VariableDescription

    IMAGE_REGISTRY_PASSWORD

    Password for accessing your container image registry.

    GITOPS_AUTH_PASSWORD

    The token the system uses to update the GitOps repository for newly built images.

    Expand
    Table 1.2. Secrets required for ACS and SBOM tasks
    VariableDescription

    ROX_API_TOKEN

    API token for accessing the ROX server.

    COSIGN_SECRET_PASSWORD

    Password for Cosign signing key.

    COSIGN_SECRET_KEY

    Private key for Cosign.

    TRUSTIFICATION_OIDC_CLIENT_SECRET

    Client secret used alongside the client ID to authenticate to the Trustification Bombastic API.

  1. On the Actions secrets and variables page switch to the Variables tab.

    1. Select New repository variable.
    2. In the Name field, enter IMAGE_REGISTRY_USER.
    3. In the Value field, enter the username for accessing your container image registry.
    4. Select Add variable.

  2. Repeat step 6 to add the required variables:

    Expand
    Table 1.3. Image registry variable
    VariableDescription

    IMAGE_REGISTRY_USER

    Username for accessing your container image registry.

    Expand
    Table 1.4. Variables required for ACS and SBOM tasks
    VariableDescription

    ROX_CENTRAL_ENDPOINT

    Endpoint for the ROX Central server.

    COSIGN_PUBLIC_KEY

    Public key for Cosign.

    TRUSTIFICATION_BOMBASTIC_API_URL

    URL for Trustification Bombastic API used in SBOM generation.

    TRUSTIFICATION_OIDC_ISSUER_URL

    OIDC issuer URL used for authentication when interacting with the Trustification Bombastic API.

    TRUSTIFICATION_OIDC_CLIENT_ID

    Client ID for authenticating to the Trustification Bombastic API using OIDC.

    TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION

    Specifies the CycloneDX SBOM version that is supported and generated by the system.

    Optional: Set the Rekor and TUF variables if your CI provider runners do not run on the same cluster as the RHTAP instance.

    Expand
    Table 1.5. Rekor and TUF variables
    VariableDescription

    REKOR_HOST

    URL of your Rekor server.

    TUF_MIRROR

    URL of your TUF service.

  1. Rerun the last pipeline run to verify the secrets are applied correctly.

    1. Alternatively, switch to you application’s source repository in GitHub, make a minor change, and commit it to trigger a new pipeline run.

Procedure

  1. Create a project with two files in your preferred text editor, such as Visual Studio Code:

    • env_vars.sh
    • ghub-set-vars

  2. Update the env_vars.sh file with the following environment variables: 

    # env_vars.sh

# GitHub credentials
export MY_GITHUB_TOKEN="your_github_token_here"
export MY_GITHUB_USER="your_github_username_here"

export GITOPS_AUTH_PASSWORD="your_OpenShift_GitOps_password_here"

# Image registry variables
export IMAGE_REGISTRY_USER="your_registry_username_here"
export IMAGE_REGISTRY_PASSWORD="your_registry_password_here"

// Add credentials for an image repository that you use
# Quay.io credentials
export QUAY_IO_CREDS_USR="your_quay_username_here"
export QUAY_IO_CREDS_PSW="your_quay_password_here"

# or JFrog Artifactory credenditals
export ARTIFACTORY_IO_CREDS_USR="your_artifactory_username_here"
export ARTIFACTORY_IO_CREDS_PSW="your_artifactory_password_here"

# or Sonatype Nexus credentials
export NEXUS_IO_CREDS_USR="your_nexus_username_here"
export NEXUS_IO_CREDS_PSW="your_nexus_password_here"

// Variables required for ACS tasks
# ROX variables
export ROX_CENTRAL_ENDPOINT="your_rox_central_endpoint_here"
export ROX_API_TOKEN="your_rox_api_token_here"

// Variables required for SBOM tasks.
# Cosign secrets
export COSIGN_SECRET_PASSWORD="your_cosign_secret_password_here"
export COSIGN_SECRET_KEY="your_cosign_secret_key_here"
export COSIGN_PUBLIC_KEY="your_cosign_public_key_here"

# Trustification credentials
export TRUSTIFICATION_BOMBASTIC_API_URL="your__BOMBASTIC_API_URL_here"
export TRUSTIFICATION_OIDC_ISSUER_URL="your_OIDC_ISSUER_URL_here"
export TRUSTIFICATION_OIDC_CLIENT_ID="your_OIDC_CLIENT_ID_here"
export TRUSTIFICATION_OIDC_CLIENT_SECRET="your_OIDC_CLIENT_SECRET_here"
export TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION="your_SUPPORTED_CYCLONEDX_VERSION_here"

// Set these variables if your CI provider runners do not run
on the same cluster as the {ProductShortName} instance.
# Rekor and TUF routes
export REKOR_HOST="your rekor server url here"
export TUF_MIRROR="your tuf service url here"
    Copy to Clipboard Toggle word wrap

  3. Update the ghub-set-vars file with the following information: 

    #!/bin/bash

# Helper script used to simplify setting variables and secrets in a GitHub repository

set -euo pipefail

function echo_usage() {
    echo "Usage: $0 OWNER/REPO"
    echo "       $0 https://github.com/OWNER/REPO"
}

if [ $# -ne 1 ]; then
    echo "Invalid number of arguments"
    echo
    echo_usage
    exit 1
fi

github_repository=$1

# Naive check that the provided repository in the argument matches
# the expected format (see usage)
if ! [[ "$github_repository" =~ ^(https://github.com/)?(.+/.+)$ ]]; then
    echo "Invalid format of the provided argument '${github_repository}'"
    echo
    echo_usage
fi

# Set repository variable via GitHub CLI
# The value of the variable will NOT be hidden in the logs
function set_variable() {
    echo "Setting variable '$1' in $github_repository..."
    gh variable set "$1" --body "$2" --repo "$github_repository"
}

# Set repository secret via GitHub CLI
function set_secret() {
    echo "Setting secret '$1' in $github_repository..."
    gh secret set "$1" --body "$2" --repo "$github_repository"
}

# Set the minimum required variables and secrets

# Depending on which image repository you use, set:
set_variable IMAGE_REGISTRY quay.io/"$QUAY_IO_CREDS_USR"
set_variable IMAGE_REGISTRY_USER "$QUAY_IO_CREDS_USR"
set_secret IMAGE_REGISTRY_PASSWORD "$QUAY_IO_CREDS_PSW"
# or
set_variable IMAGE_REGISTRY_USER "$ARTIFACTORY_IO_CREDS_USR"
set_secret IMAGE_REGISTRY_PASSWORD "$ARTIFACTORY_IO_CREDS_PSW"
# or
set_variable IMAGE_REGISTRY_USER "$NEXUS_IO_CREDS_USR"
set_secret IMAGE_REGISTRY_PASSWORD "$NEXUS_IO_CREDS_PSW"

set_variable ROX_CENTRAL_ENDPOINT "$ROX_CENTRAL_ENDPOINT"
set_secret ROX_API_TOKEN "$ROX_API_TOKEN"

set_secret GITOPS_AUTH_PASSWORD "$GITOPS_AUTH_PASSWORD"

set_variable QUAY_IO_CREDS_USR "$QUAY_IO_CREDS_USR"
set_secret QUAY_IO_CREDS_PSW "$QUAY_IO_CREDS_PSW"

set_secret COSIGN_SECRET_PASSWORD "$COSIGN_SECRET_PASSWORD"
set_secret COSIGN_SECRET_KEY "$COSIGN_SECRET_KEY"
set_variable COSIGN_PUBLIC_KEY "$COSIGN_PUBLIC_KEY"

set_variable TRUSTIFICATION_BOMBASTIC_API_URL "$TRUSTIFICATION_BOMBASTIC_API_URL"
set_variable TRUSTIFICATION_OIDC_ISSUER_URL "$TRUSTIFICATION_OIDC_ISSUER_URL"
set_variable TRUSTIFICATION_OIDC_CLIENT_ID "$TRUSTIFICATION_OIDC_CLIENT_ID"
set_variable TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION "$TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION"
set_secret TRUSTIFICATION_OIDC_CLIENT_SECRET "$TRUSTIFICATION_OIDC_CLIENT_SECRET"

# If you need to use the Rekor and TUF variables and you've added them to env_vars.sh,
# set them here too:
set_variable REKOR_HOST "$REKOR_HOST"
set_variable TUF_MIRROR "$TUF_MIRROR"

echo
echo "All variables and secrets are set."
    Copy to Clipboard Toggle word wrap

  4. Load the environment variables into your current shell session: 

    source env_vars.sh
    Copy to Clipboard Toggle word wrap

  5. Make the ghub-set-vars script executable, and run it with your repository name to set the variables in your GitHub repository. 

    chmod +x ghub-set-vars

./ghub-set-vars your_repository_name
    Copy to Clipboard Toggle word wrap

  6. Rerun the last pipeline run to verify the secrets are applied correctly.

    1. Alternatively, switch to you application’s source repository in GitHub, make a minor change, and commit it to trigger a new pipeline run.





Revised on 2025-04-30 03:55:48 UTC

Legal Notice
Copy link

Copyright © 2025 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat