1.2. Adding secrets to GitHub by using the CLI


Procedure

  1. In your preferred text editor, such as Visual Studio Code, create a project with two files:

    • env_vars.sh
    • ghub-set-vars
  2. Update the env_vars.sh file with the following environment variables:

    # env_vars.sh

    # GitHub credentials
    export MY_GITHUB_TOKEN="your_github_token_here"
    export MY_GITHUB_USER="your_github_username_here"

    export GITOPS_AUTH_PASSWORD="your_OpenShift_GitOps_password_here"
    export GITOPS_AUTH_USERNAME="your_OpenShift_GitOps_username_here"

    # Provide the credentials for the image registry you use.
    # Quay.io credentials
    export QUAY_IO_CREDS_USR="your_quay_username_here"
    export QUAY_IO_CREDS_PSW="your_quay_password_here"

    # JFrog Artifactory credentials
    export ARTIFACTORY_IO_CREDS_USR="your_artifactory_username_here"
    export ARTIFACTORY_IO_CREDS_PSW="your_artifactory_password_here"

    # Sonatype Nexus credentials
    export NEXUS_IO_CREDS_USR="your_nexus_username_here"
    export NEXUS_IO_CREDS_PSW="your_nexus_password_here"

    # Rekor and TUF routes
    export REKOR_HOST="your rekor server url here"
    export TUF_MIRROR="your tuf service url here"

    # Variables required for ACS tasks
    # ROX variables
    export ROX_CENTRAL_ENDPOINT="your_rox_central_endpoint_here"
    export ROX_API_TOKEN="your_rox_api_token_here"

    # Set these variables if GitHub Actions runners do not run on the same cluster as the {ProductShortName} instance.
    export ROX_CENTRAL_ENDPOINT="your_rox_central_endpoint_here"
    export ROX_API_TOKEN="your_rox_api_token_here"

    # Variables required for SBOM tasks.
    # Cosign secrets
    export COSIGN_SECRET_PASSWORD="your_cosign_secret_password_here"
    export COSIGN_SECRET_KEY="your_cosign_secret_key_here"
    export COSIGN_PUBLIC_KEY="your_cosign_public_key_here"

    # Trustification credentials
    export TRUSTIFICATION_BOMBASTIC_API_URL="your__BOMBASTIC_API_URL_here"
    export TRUSTIFICATION_OIDC_ISSUER_URL="your_OIDC_ISSUER_URL_here"
    export TRUSTIFICATION_OIDC_CLIENT_ID="your_OIDC_CLIENT_ID_here"
    export TRUSTIFICATION_OIDC_CLIENT_SECRET="your_OIDC_CLIENT_SECRET_here"
    export TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION="your_SUPPORTED_CYCLONEDX_VERSION_here"
  3. Update the ghub-set-vars file with the following information:

    #!/bin/bash
    # Requires the GitHub CLI (gh), which authenticates with the GH_TOKEN environment variable
    SCRIPTDIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" > /dev/null 2>&1 && pwd)"

    if [ $# -ne 1 ]; then
        echo "Missing param, provide GitHub repo name"
        echo "Note: This script uses MY_GITHUB_TOKEN and MY_GITHUB_USER env vars"
        exit 1
    fi

    REPO=$1
    export GH_TOKEN="$MY_GITHUB_TOKEN"

    function setVars() {
        NAME=$1
        VALUE=$2
        ENABLED=${3:-true}

        # A third argument of "false" disables the variable
        if [ "$ENABLED" = "false" ]; then
            echo "skipping $NAME"
            return 0
        fi
        echo "setting $NAME in https://github.com/$MY_GITHUB_USER/$REPO"

        # gh secret set creates the secret or overwrites an existing one, so no delete is needed.
        # The value is passed on stdin so that it does not appear in the process list.
        printf '%s' "$VALUE" | gh secret set "$NAME" --repo "$MY_GITHUB_USER/$REPO"
    }

    setVars ROX_CENTRAL_ENDPOINT "$ROX_CENTRAL_ENDPOINT"
    setVars ROX_API_TOKEN "$ROX_API_TOKEN"

    setVars GITOPS_AUTH_PASSWORD "$MY_GITHUB_TOKEN"
    setVars GITOPS_AUTH_USERNAME "$MY_GITHUB_USER"

    setVars QUAY_IO_CREDS_USR "$QUAY_IO_CREDS_USR"
    setVars QUAY_IO_CREDS_PSW "$QUAY_IO_CREDS_PSW"

    setVars COSIGN_SECRET_PASSWORD "$COSIGN_SECRET_PASSWORD"
    setVars COSIGN_SECRET_KEY "$COSIGN_SECRET_KEY"
    setVars COSIGN_PUBLIC_KEY "$COSIGN_PUBLIC_KEY"

    setVars TRUSTIFICATION_BOMBASTIC_API_URL "$TRUSTIFICATION_BOMBASTIC_API_URL"
    setVars TRUSTIFICATION_OIDC_ISSUER_URL "$TRUSTIFICATION_OIDC_ISSUER_URL"
    setVars TRUSTIFICATION_OIDC_CLIENT_ID "$TRUSTIFICATION_OIDC_CLIENT_ID"
    setVars TRUSTIFICATION_OIDC_CLIENT_SECRET "$TRUSTIFICATION_OIDC_CLIENT_SECRET"
    setVars TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION "$TRUSTIFICATION_SUPPORTED_CYCLONEDX_VERSION"

    setVars ARTIFACTORY_IO_CREDS_USR "$ARTIFACTORY_IO_CREDS_USR"
    setVars ARTIFACTORY_IO_CREDS_PSW "$ARTIFACTORY_IO_CREDS_PSW"

    setVars NEXUS_IO_CREDS_USR "$NEXUS_IO_CREDS_USR"
    setVars NEXUS_IO_CREDS_PSW "$NEXUS_IO_CREDS_PSW"

    setVars REKOR_HOST "$REKOR_HOST"
    setVars TUF_MIRROR "$TUF_MIRROR"
  4. (Optional) Modify the ghub-set-vars file to disable variables that you do not need. For example, to disable setVars ROX_API_TOKEN $ROX_API_TOKEN, add false to it:

    setVars ROX_API_TOKEN "$ROX_API_TOKEN" false
  5. Load the environment variables into your current shell session:

    source env_vars.sh
  6. Make the ghub-set-vars script executable, and run it with your repository name to set the variables in your GitHub repository.

    chmod +x ghub-set-vars

    ./ghub-set-vars your_repository_name
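  7. Rerun the last pipeline run to verify that the secrets are applied correctly.

    1. Alternatively, switch to your application's source repository in GitLab, make a minor change, and commit it to trigger a new pipeline run.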
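
A preflight check to run between steps 5 and 6, as an added example that is not part of the original procedure or the product's scripts: it flags variables that are empty or still hold the `your..._here` template placeholders from env_vars.sh, and confirms that env_vars.sh is not accessible to group or others. The function names `check_secret_vars` and `check_private_file` are hypothetical.

```shell
# Added example (hypothetical helpers, not shipped with the product).
# Usage after `source env_vars.sh`:
#   check_private_file env_vars.sh &&
#     check_secret_vars MY_GITHUB_TOKEN MY_GITHUB_USER ROX_API_TOKEN

# Prints one line for each named variable that is unset, empty, or still
# holds a "your...here" template placeholder. Returns 1 if any were found,
# 2 if a name is not a valid shell identifier, 0 otherwise.
check_secret_vars() {
    bad=0
    for name in "$@"; do
        # Accept only plain identifiers before using eval for indirection.
        case "$name" in
            ''|[0-9]*|*[!A-Za-z0-9_]*)
                echo "invalid name: $name" >&2
                return 2 ;;
        esac
        eval "value=\${$name-}"
        case "$value" in
            '')        echo "$name: unset or empty"; bad=1 ;;
            your*here) echo "$name: template placeholder"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Returns 0 only if the file grants no permissions to group or others
# (for example mode 600), because env_vars.sh holds plaintext credentials.
check_private_file() {
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld -- "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}
```
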





Updated on 2025-02-14
