
Chapter 2. Configuring GitHub Actions for external integration by using the CLI


Configure GitHub Actions for external integration with Red Hat Advanced Developer Suite - software supply chain using the command-line interface (CLI) to automate security checks and artifact management.

Prerequisites

Before you configure GitHub Actions, ensure you have the following:

  • Admin access to your GitHub repository and CI/CD settings.
  • Container registry credentials for pulling container images from Quay, JFrog Artifactory, or Sonatype Nexus Repository.
  • Authentication details for specific GitHub Actions tasks:

    • For ACS security tasks:

      • ROX Central server endpoint
      • ROX API token
    • For SBOM and artifact signing tasks:

      • Cosign signing key password, private key and public key
      • Trustification API and issuer URL, client ID, client secret, and supported CycloneDX version
    Note

    The credentials and other details are already Base64-encoded, so you do not need to encode them again. You can find these credentials in your private.env file, which you created during RHADS - SSC installation.

Procedure

  1. Create a project with two files in your preferred text editor, such as Visual Studio Code:

    • env_vars.sh
    • ghub-set-vars
  2. Update the env_vars.sh file with the following environment variables:

    # env_vars.sh
    export GITOPS_AUTH_PASSWORD="your_github_token_here"
    
    # Image registry variables
    export IMAGE_REGISTRY_USER="your_registry_username_here"
    export IMAGE_REGISTRY_PASSWORD="your_registry_password_here"
    
    # Add credentials for the image repository that you use (only one of the three pairs is needed)
    # Quay.io credentials
    export QUAY_IO_CREDS_USR="your_quay_username_here"
    export QUAY_IO_CREDS_PSW="your_quay_password_here"
    
    # or JFrog Artifactory credentials
    export ARTIFACTORY_IO_CREDS_USR="your_artifactory_username_here"
    export ARTIFACTORY_IO_CREDS_PSW="your_artifactory_password_here"
    
    # or Sonatype Nexus credentials
    export NEXUS_IO_CREDS_USR="your_nexus_username_here"
    export NEXUS_IO_CREDS_PSW="your_nexus_password_here"
    
    # Variables required for ACS tasks
    # ROX variables
    export ROX_CENTRAL_ENDPOINT="your_rox_central_endpoint_here"
    export ROX_API_TOKEN="your_rox_api_token_here"
    
    # Variables required for SBOM tasks
    # Cosign secrets
    export COSIGN_SECRET_PASSWORD="your_cosign_secret_password_here"
    export COSIGN_SECRET_KEY="your_cosign_secret_key_here"
    export COSIGN_PUBLIC_KEY="your_cosign_public_key_here"
    
    # Trustification credentials
    export TRUSTIFICATION_BOMBASTIC_API_URL="your_BOMBASTIC_API_URL_here"
    export TRUSTIFICATION_OIDC_ISSUER_URL="your_OIDC_ISSUER_URL_here"
    export TRUSTIFICATION_OIDC_CLIENT_ID="your_OIDC_CLIENT_ID_here"
    export TRUSTIFICATION_OIDC_CLIENT_SECRET="your_OIDC_CLIENT_SECRET_here"
    export TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION="your_SUPPORTED_CYCLONEDX_VERSION_here"
    
    # Set these variables only if your CI provider runners do not run
    # on the same cluster as the RHADS - SSC instance.
    # Rekor and TUF routes
    export REKOR_HOST="your_rekor_server_url_here"
    export TUF_MIRROR="your_tuf_service_url_here"
  3. Update the ghub-set-vars file with the following information:

    #!/bin/bash
    
    # Helper script used to simplify setting variables and secrets in a GitHub repository
    
    set -euo pipefail
    
    function echo_usage() {
        echo "Usage: $0 OWNER/REPO"
        echo "       $0 https://github.com/OWNER/REPO"
    }
    
    if [ $# -ne 1 ]; then
        echo "Invalid number of arguments"
        echo
        echo_usage
        exit 1
    fi
    
    github_repository=$1
    
    # Naive check that the provided repository in the argument matches
    # the expected format (see usage); stop before touching the repository if it does not
    if ! [[ "$github_repository" =~ ^(https://github.com/)?(.+/.+)$ ]]; then
        echo "Invalid format of the provided argument '${github_repository}'"
        echo
        echo_usage
        exit 1
    fi
    
    # Set repository variable via GitHub CLI
    # The value of the variable will NOT be hidden in the logs
    function set_variable() {
        echo "Setting variable '$1' in $github_repository..."
        gh variable set "$1" --body "$2" --repo "$github_repository"
    }
    
    # Set repository secret via GitHub CLI
    # The value of the secret is masked in workflow logs
    function set_secret() {
        echo "Setting secret '$1' in $github_repository..."
        gh secret set "$1" --body "$2" --repo "$github_repository"
    }
    
    # Set the minimum required variables and secrets
    
    # Depending on which image repository you use, only the credential pair
    # that is populated in env_vars.sh is sent to GitHub. Because of `set -u`,
    # referencing an unset pair would abort the script, so each pair is guarded.
    if [ -n "${QUAY_IO_CREDS_USR:-}" ]; then
        set_variable IMAGE_REGISTRY quay.io/"$QUAY_IO_CREDS_USR"
        set_variable IMAGE_REGISTRY_USER "$QUAY_IO_CREDS_USR"
        set_secret IMAGE_REGISTRY_PASSWORD "$QUAY_IO_CREDS_PSW"
    elif [ -n "${ARTIFACTORY_IO_CREDS_USR:-}" ]; then
        set_variable IMAGE_REGISTRY_USER "$ARTIFACTORY_IO_CREDS_USR"
        set_secret IMAGE_REGISTRY_PASSWORD "$ARTIFACTORY_IO_CREDS_PSW"
    elif [ -n "${NEXUS_IO_CREDS_USR:-}" ]; then
        set_variable IMAGE_REGISTRY_USER "$NEXUS_IO_CREDS_USR"
        set_secret IMAGE_REGISTRY_PASSWORD "$NEXUS_IO_CREDS_PSW"
    else
        echo "No image registry credentials found in the environment. Run 'source env_vars.sh' first." >&2
        exit 1
    fi
    
    set_variable ROX_CENTRAL_ENDPOINT "$ROX_CENTRAL_ENDPOINT"
    set_secret ROX_API_TOKEN "$ROX_API_TOKEN"
    
    set_secret GITOPS_AUTH_PASSWORD "$GITOPS_AUTH_PASSWORD"
    
    if [ -n "${QUAY_IO_CREDS_USR:-}" ]; then
        set_variable QUAY_IO_CREDS_USR "$QUAY_IO_CREDS_USR"
        set_secret QUAY_IO_CREDS_PSW "$QUAY_IO_CREDS_PSW"
    fi
    
    set_secret COSIGN_SECRET_PASSWORD "$COSIGN_SECRET_PASSWORD"
    set_secret COSIGN_SECRET_KEY "$COSIGN_SECRET_KEY"
    set_variable COSIGN_PUBLIC_KEY "$COSIGN_PUBLIC_KEY"
    
    set_variable TRUSTIFICATION_BOMBASTIC_API_URL "$TRUSTIFICATION_BOMBASTIC_API_URL"
    set_variable TRUSTIFICATION_OIDC_ISSUER_URL "$TRUSTIFICATION_OIDC_ISSUER_URL"
    set_variable TRUSTIFICATION_OIDC_CLIENT_ID "$TRUSTIFICATION_OIDC_CLIENT_ID"
    set_variable TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION "$TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION"
    set_secret TRUSTIFICATION_OIDC_CLIENT_SECRET "$TRUSTIFICATION_OIDC_CLIENT_SECRET"
    
    # The Rekor and TUF variables are only needed when the runners are not on the
    # same cluster as the RHADS - SSC instance; set them when env_vars.sh defines them.
    if [ -n "${REKOR_HOST:-}" ]; then
        set_variable REKOR_HOST "$REKOR_HOST"
    fi
    if [ -n "${TUF_MIRROR:-}" ]; then
        set_variable TUF_MIRROR "$TUF_MIRROR"
    fi
    
    echo
    echo "All variables and secrets are set."
  4. Load the environment variables into your current shell session (use source rather than executing the file, so the exports apply to the shell that later runs ghub-set-vars):

    $ source env_vars.sh
  5. Make the ghub-set-vars script executable, and run it with your repository in OWNER/REPO form (or the full https://github.com/OWNER/REPO URL) to set the variables and secrets in your GitHub repository:

    $ chmod +x ghub-set-vars
    $ ./ghub-set-vars OWNER/REPO
  6. Rerun the last pipeline run to verify that the secrets are applied correctly. Alternatively, switch to your application's source repository in GitHub, make a minor change, and commit it to trigger a new pipeline run.
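The procedure above has one silent failure mode: if env_vars.sh is only partly filled in, ghub-set-vars either aborts part way (leaving the repository with some values set and others missing) or pushes empty values, and the mistake only surfaces when the next pipeline run fails. The following pre-flight script, added here as an example and not part of Red Hat's documentation or the product, is meant to run after `source env_vars.sh` and before `./ghub-set-vars`. It checks that every required name is non-empty, that exactly one registry credential pair is populated, that the Cosign public key decodes from Base64 to a PEM block (the values in private.env are already Base64-encoded, per the note above), and it classifies each name as a GitHub secret or a plain variable by its suffix, mirroring the split that ghub-set-vars makes. The variable names are the ones env_vars.sh defines; the sample values at the bottom are constructed placeholders, and the `value_of`, `check_required`, `count_registry_creds`, `classify_name`, `is_pem_base64` and `preflight` helpers are this example's own.

```shell
#!/bin/bash
# Added example (not Red Hat's script): pre-flight checks for env_vars.sh values,
# run after `source env_vars.sh` and before ./ghub-set-vars, so that a half-filled
# env_vars.sh is caught locally instead of leaving the repository with empty or
# misclassified values. Runs offline; it never calls gh.

# Read a variable by name (portable indirect expansion; names come from our own list).
value_of() {
    eval "printf '%s' \"\${$1:-}\""
}

# Return 0 when every named variable is set and non-empty; list the missing ones on stderr.
check_required() {
    rc=0
    for name in "$@"; do
        if [ -z "$(value_of "$name")" ]; then
            echo "missing: $name" >&2
            rc=1
        fi
    done
    return $rc
}

# Print how many registry credential pairs (USR and PSW both set) are populated.
# ghub-set-vars expects exactly one of Quay, Artifactory or Nexus.
count_registry_creds() {
    n=0
    for prefix in QUAY_IO_CREDS ARTIFACTORY_IO_CREDS NEXUS_IO_CREDS; do
        if [ -n "$(value_of "${prefix}_USR")" ] && [ -n "$(value_of "${prefix}_PSW")" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Decide whether a name must go to `gh secret set` rather than `gh variable set`:
# passwords, tokens, private keys and client secrets are secrets (masked in logs);
# usernames, endpoints and the Cosign public key can be plain variables.
classify_name() {
    case "$1" in
        *_PASSWORD|*_PSW|*_TOKEN|*_SECRET|*_SECRET_KEY) echo secret ;;
        *) echo variable ;;
    esac
}

# Return 0 when a Base64 value decodes to something containing a PEM header.
# A Cosign key that fails this was probably pasted unencoded or truncated.
is_pem_base64() {
    printf '%s' "$1" | base64 -d 2>/dev/null | grep -q -- '-----BEGIN '
}

# Run every check; return 0 only when all of them pass.
preflight() {
    ok=0
    check_required GITOPS_AUTH_PASSWORD ROX_CENTRAL_ENDPOINT ROX_API_TOKEN \
        COSIGN_SECRET_PASSWORD COSIGN_SECRET_KEY COSIGN_PUBLIC_KEY \
        TRUSTIFICATION_BOMBASTIC_API_URL TRUSTIFICATION_OIDC_ISSUER_URL \
        TRUSTIFICATION_OIDC_CLIENT_ID TRUSTIFICATION_OIDC_CLIENT_SECRET \
        TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION || ok=1
    if [ "$(count_registry_creds)" != "1" ]; then
        echo "expected exactly one registry credential pair, found $(count_registry_creds)" >&2
        ok=1
    fi
    if ! is_pem_base64 "$(value_of COSIGN_PUBLIC_KEY)"; then
        echo "COSIGN_PUBLIC_KEY does not decode to a PEM block" >&2
        ok=1
    fi
    return $ok
}

# Constructed sample values standing in for a sourced env_vars.sh (placeholders only).
export GITOPS_AUTH_PASSWORD="sample_token"
export QUAY_IO_CREDS_USR="sample_user" QUAY_IO_CREDS_PSW="sample_password"
export ROX_CENTRAL_ENDPOINT="central.example.test:443" ROX_API_TOKEN="sample_rox_token"
export COSIGN_SECRET_PASSWORD="sample_pw" COSIGN_SECRET_KEY="c2FtcGxl"
export COSIGN_PUBLIC_KEY="$(printf '%s\n' '-----BEGIN PUBLIC KEY-----' 'c2FtcGxl' '-----END PUBLIC KEY-----' | base64 | tr -d '\n')"
export TRUSTIFICATION_BOMBASTIC_API_URL="https://bombastic.example.test"
export TRUSTIFICATION_OIDC_ISSUER_URL="https://sso.example.test/realms/trust"
export TRUSTIFICATION_OIDC_CLIENT_ID="sample_client" TRUSTIFICATION_OIDC_CLIENT_SECRET="sample_client_secret"
export TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION="1.5"

if preflight; then
    echo "preflight passed: safe to run ./ghub-set-vars OWNER/REPO"
else
    echo "preflight failed: fix env_vars.sh before pushing values to GitHub"
fi
```

In real use, delete the block of sample exports and run the script in the same shell session where you sourced env_vars.sh. The suffix-based classification is a review aid: if you ever add a new name to ghub-set-vars, `classify_name` tells you whether it belongs in `set_secret` or `set_variable`, which matters because `gh variable set` values are printed in workflow logs while `gh secret set` values are masked.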

Revised on 2026-02-04 23:23:43 UTC
