1.2. Option 2: Using the CLI to add secrets and variables to GitHub Actions

Procedure

1. In your preferred text editor, such as Visual Studio Code, create a project with two files:
   - env_vars.sh
   - ghub-set-vars

2. Update the env_vars.sh file with the following environment variables:

       # env_vars.sh
       export GITOPS_AUTH_PASSWORD="your_github_token_here"

       # Image registry variables
       export IMAGE_REGISTRY_USER="your_registry_username_here"
       export IMAGE_REGISTRY_PASSWORD="your_registry_password_here"

       # Add credentials for the image repository that you use
       # Quay.io credentials
       export QUAY_IO_CREDS_USR="your_quay_username_here"
       export QUAY_IO_CREDS_PSW="your_quay_password_here"
       # or JFrog Artifactory credentials
       export ARTIFACTORY_IO_CREDS_USR="your_artifactory_username_here"
       export ARTIFACTORY_IO_CREDS_PSW="your_artifactory_password_here"
       # or Sonatype Nexus credentials
       export NEXUS_IO_CREDS_USR="your_nexus_username_here"
       export NEXUS_IO_CREDS_PSW="your_nexus_password_here"

       # Variables required for ACS tasks
       # ROX variables
       export ROX_CENTRAL_ENDPOINT="your_rox_central_endpoint_here"
       export ROX_API_TOKEN="your_rox_api_token_here"

       # Variables required for SBOM tasks
       # Cosign secrets
       export COSIGN_SECRET_PASSWORD="your_cosign_secret_password_here"
       export COSIGN_SECRET_KEY="your_cosign_secret_key_here"
       export COSIGN_PUBLIC_KEY="your_cosign_public_key_here"

       # Trustification credentials
       export TRUSTIFICATION_BOMBASTIC_API_URL="your_BOMBASTIC_API_URL_here"
       export TRUSTIFICATION_OIDC_ISSUER_URL="your_OIDC_ISSUER_URL_here"
       export TRUSTIFICATION_OIDC_CLIENT_ID="your_OIDC_CLIENT_ID_here"
       export TRUSTIFICATION_OIDC_CLIENT_SECRET="your_OIDC_CLIENT_SECRET_here"
       export TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION="your_SUPPORTED_CYCLONEDX_VERSION_here"

       # Set these variables if your CI provider runners do not run on the same cluster
       # as the {ProductShortName} instance.
       # Rekor and TUF routes
       export REKOR_HOST="your rekor server url here"
       export TUF_MIRROR="your tuf service url here"

3. Update the ghub-set-vars file with the following content:

       #!/bin/bash
       # Helper script used to simplify setting variables and secrets in a GitHub repository
       set -euo pipefail

       function echo_usage() {
         echo "Usage: $0 OWNER/REPO"
         echo "       $0 https://github.com/OWNER/REPO"
       }

       if [ $# -ne 1 ]; then
         echo "Invalid number of arguments"
         echo
         echo_usage
         exit 1
       fi

       github_repository=$1

       # Naive check that the provided repository in the argument matches
       # the expected format (see usage)
       if ! [[ "$github_repository" =~ ^(https://github.com/)?(.+/.+)$ ]]; then
         echo "Invalid format of the provided argument '${github_repository}'"
         echo
         echo_usage
         exit 1
       fi

       # Set repository variable via GitHub CLI
       # The value of the variable will NOT be hidden in the logs
       function set_variable() {
         echo "Setting variable '$1' in $github_repository..."
         gh variable set "$1" --body "$2" --repo "$github_repository"
       }

       # Set repository secret via GitHub CLI
       function set_secret() {
         echo "Setting secret '$1' in $github_repository..."
         gh secret set "$1" --body "$2" --repo "$github_repository"
       }

       # Set the minimum required variables and secrets
       # Depending on which image repository you use, keep one of the following
       # three blocks and leave the other two commented out:
       set_variable IMAGE_REGISTRY quay.io/"$QUAY_IO_CREDS_USR"
       set_variable IMAGE_REGISTRY_USER "$QUAY_IO_CREDS_USR"
       set_secret IMAGE_REGISTRY_PASSWORD "$QUAY_IO_CREDS_PSW"
       # or
       # set_variable IMAGE_REGISTRY_USER "$ARTIFACTORY_IO_CREDS_USR"
       # set_secret IMAGE_REGISTRY_PASSWORD "$ARTIFACTORY_IO_CREDS_PSW"
       # or
       # set_variable IMAGE_REGISTRY_USER "$NEXUS_IO_CREDS_USR"
       # set_secret IMAGE_REGISTRY_PASSWORD "$NEXUS_IO_CREDS_PSW"

       set_variable ROX_CENTRAL_ENDPOINT "$ROX_CENTRAL_ENDPOINT"
       set_secret ROX_API_TOKEN "$ROX_API_TOKEN"

       set_secret GITOPS_AUTH_PASSWORD "$GITOPS_AUTH_PASSWORD"

       set_variable QUAY_IO_CREDS_USR "$QUAY_IO_CREDS_USR"
       set_secret QUAY_IO_CREDS_PSW "$QUAY_IO_CREDS_PSW"

       set_secret COSIGN_SECRET_PASSWORD "$COSIGN_SECRET_PASSWORD"
       set_secret COSIGN_SECRET_KEY "$COSIGN_SECRET_KEY"
       set_variable COSIGN_PUBLIC_KEY "$COSIGN_PUBLIC_KEY"

       set_variable TRUSTIFICATION_BOMBASTIC_API_URL "$TRUSTIFICATION_BOMBASTIC_API_URL"
       set_variable TRUSTIFICATION_OIDC_ISSUER_URL "$TRUSTIFICATION_OIDC_ISSUER_URL"
       set_variable TRUSTIFICATION_OIDC_CLIENT_ID "$TRUSTIFICATION_OIDC_CLIENT_ID"
       set_variable TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION "$TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION"
       set_secret TRUSTIFICATION_OIDC_CLIENT_SECRET "$TRUSTIFICATION_OIDC_CLIENT_SECRET"

       # If you need to use the Rekor and TUF variables and you've added them to env_vars.sh,
       # set them here too:
       set_variable REKOR_HOST "$REKOR_HOST"
       set_variable TUF_MIRROR "$TUF_MIRROR"

       echo
       echo "All variables and secrets are set."

   Values set with gh variable set are stored and shown in plain text, so only non-sensitive values (registry user names, endpoints, the Cosign public key) go through set_variable; every password, token and private key goes through set_secret.

4. Load the environment variables into your current shell session:

       source env_vars.sh

5. Make the ghub-set-vars script executable and run it with your repository name to set the variables in your GitHub repository:

       chmod +x ghub-set-vars
       ./ghub-set-vars your_repository_name

6. Rerun the last pipeline run to verify that the secrets were applied correctly.
   - Alternatively, switch to your application's source repository in GitHub, make a minor change, and commit it to trigger a new pipeline run.
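A pre-flight check for the two files above, added here as an example and not part of the product documentation or of the ghub-set-vars helper. It catches two mistakes the procedure leaves to the operator: pushing values that are still template placeholders, and pushing a credential with gh variable set, where it would be visible in plain text in workflow logs. The naming heuristic in classify_var, the is_placeholder rule, the check_env and push_var names, the GH_CMD dry-run hook and the sample values are all assumptions of this example.

```shell
#!/bin/sh
# Pre-flight checks for the env_vars.sh / ghub-set-vars workflow.
# Added example, not part of the product documentation. Assumptions: names follow
# the env_vars.sh naming scheme; GH_CMD substitutes a dry-run command for `gh`.
set -eu

GH_CMD="${GH_CMD:-gh}"

# classify_var NAME -> prints "secret" or "variable".
# `gh variable set` values appear in plain text in workflow logs, so anything that
# looks like a credential must go through `gh secret set`. Unknown names default
# to "secret", the safer choice.
classify_var() {
  case "$1" in
    IMAGE_REGISTRY|*_PUBLIC_KEY|*_URL|*_ENDPOINT|*_VERSION|*_USER|*_USR|*_ID|*_HOST|*_MIRROR)
      echo variable ;;
    *)
      echo secret ;;
  esac
}

# is_placeholder VALUE -> succeeds if VALUE is empty or still a template placeholder
# such as "your_github_token_here" or "your rekor server url here".
is_placeholder() {
  case "$1" in
    ""|your_*|"your "*|*_here) return 0 ;;
    *) return 1 ;;
  esac
}

# check_env NAME... -> verifies every NAME is exported with a non-placeholder value.
# Reports all offenders on stderr and returns 1 if any were found, so the caller
# can refuse to push half-filled configuration to GitHub.
check_env() {
  failed=0
  for name in "$@"; do
    case "$name" in
      *[!A-Za-z0-9_]*) echo "ERROR: invalid variable name '$name'" >&2; return 1 ;;
    esac
    eval "value=\${$name:-}"   # indirect lookup; unset names yield ""
    if is_placeholder "$value"; then
      echo "ERROR: $name is unset or still a placeholder" >&2
      failed=1
    fi
  done
  return "$failed"
}

# push_var REPO NAME VALUE -> routes VALUE to `gh secret set` or `gh variable set`
# based on classify_var, so a credential never lands in a plain variable.
push_var() {
  kind=$(classify_var "$2")
  "$GH_CMD" "$kind" set "$2" --body "$3" --repo "$1"
}

# Demo with constructed values (not real credentials). GH_CMD=echo makes push_var
# print the gh invocation instead of running it.
export GITOPS_AUTH_PASSWORD="example-token-not-real"
export COSIGN_PUBLIC_KEY="example-public-key"
export REKOR_HOST="your rekor server url here"   # deliberately left unfilled
if check_env GITOPS_AUTH_PASSWORD COSIGN_PUBLIC_KEY REKOR_HOST; then
  echo "all values present"
else
  echo "fix env_vars.sh before running ghub-set-vars"
fi
GH_CMD=echo push_var owner/repo GITOPS_AUTH_PASSWORD "$GITOPS_AUTH_PASSWORD"
GH_CMD=echo push_var owner/repo COSIGN_PUBLIC_KEY "$COSIGN_PUBLIC_KEY"
```

Run it after source env_vars.sh and before ghub-set-vars; with GH_CMD=echo it prints each gh invocation instead of executing it, which is a cheap way to review exactly which names will end up as plain-text variables before anything reaches the repository.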
Updated 2025-09-06