我使用 GitHub REST API 创建了 GitHub secret ,如以下文档中所示:https://docs.github.com/en/rest/actions/secrets
我用来加密然后创建我的GitHub环境 secret 列表的代码如下:
from github import Github
import requests
access_token = base["TOKEN"]
user = gitLogin["user"]
api_url = f"https://api.github.com/users/"+user+"/repos"
response = requests.get(api_url, auth=(user, access_token))
print(response)
dev_secrets_names = [...]
dev_secrets_list = [...]
dev_encrypted_secrets_list = []
def encrypt(public_key: str, secret_value: str) -> str:
"""Encrypt a Unicode string using the public key."""
public_key = public.PublicKey(public_key.encode("utf-8"), encoding.Base64Encoder())
sealed_box = public.SealedBox(public_key)
encrypted = sealed_box.encrypt(secret_value.encode("utf-8"))
return b64encode(encrypted).decode("utf-8")
for i in range(len(dev_secrets_list)):
encrypted_secret = encrypt(public_key, dev_secrets_list[i])
dev_encrypted_secrets_list.append(encrypted_secret)
for i in range(len(dev_secrets_list)):
url = f"https://api.github.com/repositories/"+"${{ steps.repos.outputs.repos_id }}"+"/environments/"+environnments["dev"]+"/secrets/"+dev_secrets_names[i]
print(url)
body = {"encrypted_value": f"{dev_encrypted_secrets_list[i]}", "key_id": "${{ steps.keys.outputs.key_id }}"}
response = requests.put(url, json=body, auth=(user, access_token))
代码执行正确,当我去检查 GitHub 中是否已正确创建 secret 时。只是,当我尝试检索任务中的 secret 时,它们不会被读取为空。 以下代码是我尝试使用 secret 的地方:
on:
workflow_call:
inputs:
Organization:
required: true
type: string
Repository:
required: true
type: string
devEnv:
required: true
type: string
uatEnv:
required: true
type: string
prodEnv:
required: true
type: string
devBranch:
required: true
type: string
uatBranch:
required: true
type: string
prodBranch:
required: true
type: string
releaseBranch:
required: true
type: string
rootFolder:
required: true
type: string
secrets:
DEV_SF_ACCOUNT:
required: true
DEV_SF_USERNAME:
required: true
DEV_SNOWFLAKE_PASSWORD:
required: true
DEV_SF_ROLE:
required: true
DEV_SF_WAREHOUSE:
required: true
deploy-snowflake-changes-dev:
name: deploy schamas changes to dev
needs: ShitTest
if: needs.ShitTest.outputs.output == 'true'
environment:
name: ${{inputs.devEnv}}
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v2
- name: Use Python 3.8.x
uses: actions/<a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="3f4c5a4b4a4f124f464b5750517f490d110d110e" rel="noreferrer noopener nofollow">[email protected]</a>
with:
python-version: 3.8.x
- name: Run schemachange
shell: pwsh
run: |
python --version
echo "Step 1: Installing schemachange"
pip install schemachange
echo "Step 3: Running schemachange"
schemachange deploy -f ./${{inputs.rootFolder}} -a ${{secrets.DEV_SF_ACCOUNT}} -u ${{secrets.DEV_SF_USERNAME}} -r ${{secrets.DEV_SF_ROLE}} -w ${{secrets.DEV_SF_WAREHOUSE}} -d DEV_${{secrets.SF_DATABASE}} -c DEV_${{secrets.SF_DATABASE}}.${{secrets.SF_SCHEMA}}.${{secrets.SF_HISTORY_TABLE}} --vars $varsString --create-change-history-table -v
env:
SNOWFLAKE_PASSWORD: ${{ secrets.DEV_SNOWFLAKE_PASSWORD }}
我自愿删除了部分代码以保持简单。
您能帮助理解为什么 secret 返回为空吗?
注意:当我手动更新 secret 时,一切正常。
以下代码是我称之为上一个工作流程的代码:
jobs:
snowflake-devops:
uses: ./.github/workflows/snowflake-devops.yml
with:
Organization: $($parametersFileContent.organization)
Repository: $($parametersFileContent.repository)
devEnv: $($parametersFileContent.environnments.dev)
uatEnv: $($parametersFileContent.environnments.uat)
prodEnv: $($parametersFileContent.environnments.prod)
devBranch: ${{ env.dev }}
uatBranch: ${{ env.uat }}
prodBranch: ${{ env.prod }}
releaseBranch: ${{ env.release }}
rootFolder: $($parametersFileContent.rootFolder)
secrets:
TOKEN: $TOKEN
SF_DATABASE: $SF_DATABASE
SF_SCHEMA: $SF_SCHEMA
SF_HISTORY_TABLE: $SF_HISTORY_TABLE
DEV_SF_ACCOUNT: $DEV_SF_ACCOUNT
DEV_SF_USERNAME: $DEV_SF_USERNAME
DEV_SF_ROLE: $DEV_SF_ROLE
DEV_SF_WAREHOUSE: $DEV_SF_WAREHOUSE
DEV_SNOWFLAKE_PASSWORD: $DEV_SNOWFLAKE_PASSWORD
最佳答案
您要将哪个公钥值传递给您的加密函数?我刚刚经历过这个场景,当尝试在工作流程中使用 secret 时, secret 被输出为空白字符串。
我的问题是,我假设你的问题也是,我得到了 repository public key ,而不是环境公钥。
尝试使用Get an Environment Public Key端点并再次保存您的 secret 。这样做后我能够检索该值。
关于python - 使用 API REST 创建的 GitHub secret 但返回空,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/74741306/