You're reading from GitHub Actions Cookbook A practical guide to automating repetitive tasks and streamlining your development process

Product type Paperback

Published in Apr 2024

Publisher Packt

ISBN-13 9781835468944

Length 250 pages

Edition 1st Edition

Languages

JavaScript

Tools

GitHub

Concepts

DevOps

Author (1):

Michael Kaufmann

View More author details

Table of Contents (10) Chapters

Preface

1. Chapter 1: GitHub Actions Workflows FREE CHAPTER

2. Chapter 2: Authoring and Debugging Workflows

3. Chapter 3: Building GitHub Actions

4. Chapter 4: The Workflow Runtime

5. Chapter 5: Automate Tasks in GitHub with GitHub Actions

6. Chapter 6: Build and Validate Your Code

7. Chapter 7: Release Your Software with GitHub Actions

8. Index

Why subscribe?

9. Other Books You May Enjoy

Creating and using environments

Environments are used to describe a general deployment target such as development, test, staging, or production. You can protect environments with protection rules, and you can provide configuration variables and secrets for specific environments.

Getting ready

We will first create some environments using the web UI and add some protection rules, secrets, and variables. Then, we add them to our existing workflow.

How to do it…

Navigate to Settings | Environments and click on New environment (see Figure 1.25):

Figure 1.25 – Managing environments in a repository

Enter the name Production and click Configure environment (see Figure 1.26):

Figure 1.26 – Creating a new environment

Add yourself as a required reviewer and click Save protection rule (see Figure 1.27):

Figure 1.27 – Configuring deployment protection rules

Under Deployment branches and tags, choose Selected branches and tags, click the plus symbol, and add a name pattern for the main branch (see Figure 1.28):

Figure 1.28 – Configuring deployment branches and tags

Under Environment secrets, click on Add secret and add a new MY_SECRET secret with the value Open Sesame (see Figure 1.29). Repeat this with Add variable and add a WHO_TO_GREET variable with the value Production users:

Figure 1.29 – Adding secrets and variables to environments

Repeat step 1 and create two additional environments, Test and Load-Test. We will use these environments in the next steps to show how to execute jobs in parallel. You don’t have to configure deployment branches or required reviewers. Just add a WHO_TO_GREET variable with the corresponding value. The result should look like Figure 1.30:

Figure 1.30 – Multiple environments in the settings of the repository

Now, go back to the workflow file and edit it. Add a new job beneath first_job called Test that runs on the latest Ubuntu image. We associate this job with the Test environment. To run this job after first_job, we use the needs property and set it to the job we depend on:
```
Test:
  runs-on: ubuntu-latest
  environment: Test
  needs: first_job
```
To see how secrets are overwritten by the environment, we have to use a little hack. As GitHub searches for the value of secrets in the output of the log to mask it, we have to modify the actual text. We can do this, for example, using the sed 's/./& /g' command. This will add a blank between every character of the secret. With this little hack, the steps of the Test job should look like this:
```
steps:
- run: |
    echo "Hello ${{ vars.WHO_TO_GREET }}  from ${{ github.actor }}."
    sec=$(echo ${{ secrets.MY_SECRET }} | sed 's/./& /g')
    echo "My secret is  '$sec'."
```
Next, add a new Load-Test job that is associated with the Load-Test environment and also executes after first_job:
```
Load-Test:
  runs-on: ubuntu-latest
  environment: Load-Test
  needs: first_job
```
Just copy the steps from Test. There is no need to change anything.
The last job is a Production job. In addition to the name, the environment property accepts a URL that later will be displayed in the workflow designer. Set it to any URL you want. To show how after a parallel execution of jobs the workflow can merge again, we will run Production after Test and Load-Test:
```
Production:
  runs-on: ubuntu-latest
  environment:
    name: Production
    url: https://writeabout.net
  needs: [Test, Load-Test]
```
Just copy the steps from the previous jobs.
Commit your changes to the main branch. The workflow will run automatically. Navigate to the new workflow run and inspect the workflow designer, which nicely shows the parallel execution. The workflow will pause before executing Production and will wait for approval (see Figure 1.31):

Figure 1.31 – The workflow will stop before an environment with required reviewers and wait for approval

Click Review deployment, check Production, and add an optional comment. Click Approve and deploy to start executing the Production job (see Figure 1.32):

Figure 1.32 – Approving a protected environment

The workflow will execute completely, and the result should look like Figure 1.33. Note that the URL is displayed in the Production environment. Also, note the history of approvals in the workflow summary:

Figure 1.33 – The final summary of the workflow

Open the individual jobs and inspect the output of the step we added (see Figure 1.34). The secrets and variables are used from the repository and are only overridden if we set them in an environment:

Figure 1.34 – The production secret is only available to the production environment after approval

There’s more…

If you are setting secrets or variables for an environment using the GitHub CLI, then you can specify them using the --env (-e) argument. For organization secrets, you set the visibility (--visibility or -v) to all, private, or selected. For selected, you must specify one or more repos using --repos (-r):

$ gh secret set secret-name --env environment-name
$ gh secret set secret-name --org org -v private
$ gh secret set secret-name --org org -v selected -r repo

Environments have more options than we have used in this recipe. You can also configure a wait timer that will pause the workflow for n minutes (with a maximum of 30 days) before executing the deployment job for that particular environment.

There is also a new feature called custom deployment protection rules that is still in beta. This feature allows the creation of GitHub apps that can pause your deployment and wait for a specific condition. There are already apps from Datadog, Honeycomb, Sentry, New Relic, and ServiceNow (see https://docs.github.com/en/actions/deployment/protecting-deployments/configuring-custom-deployment-protection-rules#using-existing-custom-deployment-protection-rules). We’ll have a closer look at custom deployment rules in Chapter 7, Release Your Software with GitHub Actions.

The true power of environment protection rules lies in the deployment branch or tag rules. This can restrict code that does not apply to branch protection rules from deploying to certain environments. This can include all kinds of checks – Codeowners approvals, code reviewers, deployments to certain other environments, SonarQube quality gates, and many other automated code checks (see https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches for more information).