
Propagating Secrets from Github Actions into Serverless Functions #159

Open
md-coops opened this issue Oct 31, 2024 · 5 comments

Comments

@md-coops

When following the docs in the GH marketplace, I cannot get the secrets or vars to propagate into my DO app.

This is my configuration; it is exactly like the docs.
When I commit this to main, the deployment runs but the values do not propagate to Digital Ocean.

app.yaml

name: bionysus
envs:
  - key: TEST_VAIRIABLE_FROM_REPSOITORY
    scope: RUN_AND_BUILD_TIME
    value: ${SOME_VAIRIABLE_FROM_REPSOITORY}
    type: GENERAL
  - key: TEST_SECRET_FROM_GITHUB
    scope: RUN_AND_BUILD_TIME
    value: ${SOME_SECRET_FROM_REPOSITORY}
    type: SECRET
services:
  - environment_slug: node-js
    name: nextjs
    github:
      repo: bionysus/digital_ocean_app_platform
      branch: main
      deploy_on_push: true
    source_dir: nextjs
    routes:
    - path: /
functions:
  - name: serverless-functions
    github:
      repo: bionysus/digital_ocean_app_platform
      branch: main
      deploy_on_push: true
    source_dir: serverless_functions
    routes:
    - path: /functions

workflow/deploy_app.yml

name: Update App

on:
  push:
    branches: [main]

jobs:
  deploy-app:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Deploy the app
        uses: digitalocean/app_action/deploy@v2
        env:
          SOME_SECRET_FROM_REPOSITORY: ${{ secrets.SOME_SECRET_FROM_REPOSITORY }}
          SOME_VAIRIABLE_FROM_REPSOITORY: ${{ env.SOME_VAIRIABLE_FROM_REPSOITORY }}
        with:
          token: ${{ secrets.DIGITALOCEAN_ACCESS_TOKEN }}
[Screenshot, 2024-10-31 15:48]

Do you have any idea what I am doing wrong?

@md-coops (Author)

@eyalch, I can see you made some changes around this functionality recently. Have you got it to work reliably? Perhaps you can see some issue with my configuration.

@markusthoemmes (Contributor)

You have a typo in that secret ref SOME_VAIRIABLE_FROM_REPSOITORY. Can you ensure that the secret in Github is actually named this way? Things seem to have gone fine for TEST_SECRET_FROM_GITHUB.

@md-coops (Author) commented Oct 31, 2024

Thanks Mark. 100% typos. I was also accessing the variables incorrectly inside Github Actions: env.SOME_VAR is incorrect; vars.SOME_VARS is correct. Long day!

@md-coops (Author) commented Oct 31, 2024

However, I have stumbled across a slightly more interesting issue.

In my app I use some serverless functions; these are referenced in .do/app.yaml but are configured in serverless_functions/project.yaml.

serverless_functions/project.yaml

packages:
    - name: native-auth
      shared: false
      environment: 
        DB_CA_CERT: "${DB_CA_CERT}"
        DB_PORT: "${DB_PORT}"
        DB_USER: "${DB_USER}"
        DB_HOST: "${DB_HOST}"
        DB_NAME: "${DB_NAME}"
        DB_PASSWORD: "${DB_PASSWORD}"
        SG_API_KEY: "${SG_API_KEY}"
        SG_SENDER_ADDRESS: "${SG_SENDER_ADDRESS}"
        JWT_SECRET: "${JWT_SECRET}"
      functions:
        - name: generate-token
          binary: false
          runtime: nodejs:18
          web: true
        - name: verify-token
          binary: false
          runtime: nodejs:18
          web: true

snapshot of .do/app.yaml.

name: tester
envs:
  - key: DB_CA_CERT
    value: ${DB_CA_CERT_GITHUB}
    scope: RUN_AND_BUILD_TIME
    type: SECRET
  - key: DB_PASSWORD
    value: <currently-hardcoded>
    scope: RUN_AND_BUILD_TIME
    type: SECRET

-----------------------------------------

functions:
- name: serverless-functions
  github:
    repo: bionysus/digital_ocean_app_platform
    branch: main
    deploy_on_push: true
  source_dir: serverless_functions
  routes:
  - path: /functions
  envs:
  - key: JWT_SECRET
    value: <currently-hardcoded>
    scope: RUN_TIME
    type: SECRET

These references work when the env values are 'hardcoded' in .do/app.yaml, but when I replace those hardcoded values with Github secrets and vars I get build-time errors.

It seems that when building the serverless functions in Digital Ocean, the Github-injected values are not there! I get the following error.

[Screenshot of the build error, 2024-10-31 18:03]

I wonder if this is something to do with my monorepo-style setup, or whether there is a 'trick' I am missing to make these environment variables available to the serverless functions too.

@markusthoemmes - would you be able to shed some light?

Is it worth me changing the title of this issue?

md-coops changed the title from "Propagating Secrets from Github Actions into Digital Ocean App" to "Propagating Secrets from Github Actions into Serverless Functions" on Oct 31, 2024

@markusthoemmes (Contributor)

To the system, there's no difference between "Github injected values" and "hardcoded values" really. The substitution is done in the Github Action and so to App Platform, it's all the same.

As such: Are you correctly connecting the dots by passing the DB_CA_CERT_GITHUB secret into the action as an env var, so that it can replace it in app.yaml?
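The point markusthoemmes makes above is the whole mechanism: the action does a textual `${NAME}` substitution on app.yaml using the environment variables the workflow step passed in, and App Platform only ever sees the result. A name that is misspelt in the spec, or never passed into the step's `env:`, is simply left as the literal `${NAME}` string. The following preflight checker is an added example written for this page, not code from digitalocean/app_action; it models that substitution on a constructed copy of the poster's first app.yaml (typo included), reports every placeholder it could not resolve, and suggests the closest name that *was* passed in. The `${NAME}` syntax is taken from the posted spec; the function names, sample spec and sample values are assumptions made for the example.

```python
"""Preflight check for ${NAME} placeholders in a DigitalOcean app spec.

Added example, not code from digitalocean/app_action. It models the behaviour
described in the issue: ${NAME} in app.yaml is replaced with the value of the
environment variable NAME that the deploy step passed in, so a misspelt or
un-passed name is never resolved. Only the ${NAME} syntax comes from the
posted app.yaml; the sample spec, sample values and function names are
constructed for this example.
"""
import difflib
import re

# ${NAME} where NAME is a POSIX-style identifier, as written in the posted app.yaml.
PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")

# Constructed sample spec mirroring the poster's first app.yaml, typo included.
SAMPLE_SPEC = """\
name: bionysus
envs:
  - key: TEST_VAIRIABLE_FROM_REPSOITORY
    scope: RUN_AND_BUILD_TIME
    value: ${SOME_VAIRIABLE_FROM_REPSOITORY}
    type: GENERAL
  - key: TEST_SECRET_FROM_GITHUB
    scope: RUN_AND_BUILD_TIME
    value: ${SOME_SECRET_FROM_REPOSITORY}
    type: SECRET
"""

# Constructed stand-in for the deploy step's `env:` block. Note the correctly
# spelt variable name: it does not match the placeholder in the spec above.
SAMPLE_ENV = {
    "SOME_SECRET_FROM_REPOSITORY": "s3cr3t-value",
    "SOME_VARIABLE_FROM_REPOSITORY": "hello",
    "DIGITALOCEAN_ACCESS_TOKEN": "dop_v1_example",
}


def find_placeholders(spec_text):
    """Return the sorted, de-duplicated list of ${NAME} names in a spec."""
    return sorted(set(PLACEHOLDER.findall(spec_text)))


def substitute(spec_text, env):
    """Replace each ${NAME} with env[NAME].

    Names missing from env are left untouched, which is exactly what reaches
    App Platform when the workflow did not pass them, and are reported back.
    """
    unresolved = set()

    def replace(match):
        name = match.group(1)
        if name in env:
            return env[name]
        unresolved.add(name)
        return match.group(0)

    return PLACEHOLDER.sub(replace, spec_text), sorted(unresolved)


def check_spec(spec_text, env):
    """Render the spec and, for every unresolved name, suggest the closest
    name that *was* passed in. The report holds names only, never values,
    so it is safe to print in a CI log; the rendered text is not."""
    rendered, unresolved = substitute(spec_text, env)
    report = {
        name: difflib.get_close_matches(name, list(env), n=1, cutoff=0.6)
        for name in unresolved
    }
    return rendered, report


if __name__ == "__main__":
    # Stand-alone run against the constructed sample; in a workflow you would
    # read the real spec file and pass os.environ instead of SAMPLE_ENV.
    _, report = check_spec(SAMPLE_SPEC, SAMPLE_ENV)
    for name, suggestion in report.items():
        hint = f" (did you mean {suggestion[0]}?)" if suggestion else ""
        print(f"unresolved placeholder ${{{name}}}{hint}")
    raise SystemExit(1 if report else 0)
```

Run as a step before `digitalocean/app_action/deploy@v2` with the same `env:` block, this fails the job on the poster's typo instead of shipping a spec with a literal `${SOME_VAIRIABLE_FROM_REPSOITORY}` in it. Keep the rendered spec out of the log: after substitution it contains the secret values themselves, and GitHub's secret masking only covers values that came from `secrets.*`, not anything derived from them.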
