Tags: github, github-actions, pipeline, cicd

Cannot access secrets in re-usable GitHub Actions workflow


I know this question has been asked a lot, but none of the answers seem to address my problem...

Re-usable workflow:

name: template-pipeline

on:
  workflow_call:
    secrets:
      DOCKER_HUB_USERNAME:
        required: true
      DOCKER_HUB_ACCESS_TOKEN:
        required: true

jobs:
  extract-info:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout code
        uses: actions/checkout@v2

      - name: Extract project name and version from pom.xml
        id: extract-info
        run: |
          project_name=$(mvn help:evaluate -Dexpression=project.name -q -DforceStdout)
          version=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)
          echo "Original Project name: $project_name"
          echo "Original Project version: $version"
          # Remove -SNAPSHOT suffix if present
          release_version=${version%-SNAPSHOT}
          echo "Release version: $release_version"
          # Step outputs go through $GITHUB_OUTPUT; the ::set-output workflow command is deprecated
          echo "project_name=$project_name" >> "$GITHUB_OUTPUT"
          echo "version=$release_version" >> "$GITHUB_OUTPUT"

    outputs:
      project_name: ${{ steps.extract-info.outputs.project_name }}
      version: ${{ steps.extract-info.outputs.version }}

  build:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4
      - name: Set up JDK 17
        uses: actions/setup-java@v3
        with:
          java-version: '17'
          distribution: 'temurin'
          cache: maven
      - name: Build with Maven
        run: mvn -B package --file pom.xml

  test:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4
      - name: Set up JDK 17
        uses: actions/setup-java@v3
        with:
          java-version: '17'
          distribution: 'temurin'
          cache: maven
      - name: Build with Maven
        run: mvn verify

  create-github-release:
    runs-on: ubuntu-latest
    needs: [extract-info, build]
    if: github.ref == 'refs/heads/master'

    steps:
      - name: Checkout code
        uses: actions/checkout@v2

      - name: Set up Java
        uses: actions/setup-java@v2
        with:
          distribution: 'temurin'
          java-version: '17'

      - name: Create GitHub Release
        id: create_release
        uses: actions/create-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: v${{ needs.extract-info.outputs.version }}
          release_name: Release ${{ needs.extract-info.outputs.version }}
          draft: false
          prerelease: false
          body: |
            Release notes for version ${{ needs.extract-info.outputs.version }}.

  build-and-push-docker-image:
    runs-on: ubuntu-latest
    needs: [extract-info, build, create-github-release]
    if: github.ref == 'refs/heads/master'
#    environment: Secrets

    steps:
      - name: Checkout code
        uses: actions/checkout@v2

      - name: Set up Java
        uses: actions/setup-java@v2
        with:
          distribution: 'temurin'
          java-version: '17'

      - name: Log in to Docker Hub
        run: |
          echo "${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}" | docker login -u "${{ secrets.DOCKER_HUB_USERNAME }}" --password-stdin

      - name: Build Docker image
        run: |
          docker build -t ${{ secrets.DOCKER_HUB_USERNAME }}/${{ needs.extract-info.outputs.project_name }}:${{ needs.extract-info.outputs.version }} .

      - name: Push Docker image to Docker Hub
        run: |
          docker push ${{ secrets.DOCKER_HUB_USERNAME }}/${{ needs.extract-info.outputs.project_name }}:${{ needs.extract-info.outputs.version }}

      - name: Tag the Docker image with latest
        run: |
          docker tag ${{ secrets.DOCKER_HUB_USERNAME }}/${{ needs.extract-info.outputs.project_name }}:${{ needs.extract-info.outputs.version }} ${{ secrets.DOCKER_HUB_USERNAME }}/${{ needs.extract-info.outputs.project_name }}:latest
          docker push ${{ secrets.DOCKER_HUB_USERNAME }}/${{ needs.extract-info.outputs.project_name }}:latest

The caller:

name: Call a reusable workflow

on:
#  pull_request:
#    branches:
#      - master
  push:
    branches:
      - master

jobs:
  template-pipeline:
    uses: ExplodingSalad/SampleCICD/.github/workflows/github-actions-template.yml@master
    secrets:
      DOCKER_HUB_USERNAME: ${{ secrets.DOCKER_HUB_USERNAME }}
      DOCKER_HUB_ACCESS_TOKEN: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}

Output:

Run echo "" | docker login -u "" --password-stdin
  echo "" | docker login -u "" --password-stdin
  shell: /usr/bin/bash -e {0}
  env:
    JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/17.0.11-9/x64
Must provide --username with --password-stdin
Error: Process completed with exit code 1.

I am aware that the log output censors secrets, but with * and not blanks, hence it is not passing the secrets correctly. I have set up the secrets in both the pipeline project as well as the module project where the re-usable workflow is called via environment secrets (the environment is called "Secrets").


Solution

  • it appears as if I have to provide an environment:

    environment: Secrets
    

    exactly as it is commented out above. This appears to not be included in the GitHub Actions docs, which is a bit unfortunate...
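As an added example (not the original poster's workflow), here is the called workflow with the fix from the answer applied and the Docker job hardened. It keeps the environment name `Secrets`, the two secret names and the job outputs from the question; the `docker/login-action@v3` step, the `permissions` block and the secret-check step are additions made here, not something the page shows.

```yaml
name: template-pipeline

on:
  workflow_call:
    secrets:
      DOCKER_HUB_USERNAME:
        required: true
      DOCKER_HUB_ACCESS_TOKEN:
        required: true

jobs:
  extract-info:
    runs-on: ubuntu-latest
    outputs:
      project_name: ${{ steps.extract-info.outputs.project_name }}
      version: ${{ steps.extract-info.outputs.version }}
    steps:
      - uses: actions/checkout@v4
      - name: Extract project name and version from pom.xml
        id: extract-info
        run: |
          project_name=$(mvn help:evaluate -Dexpression=project.name -q -DforceStdout)
          version=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)
          # Step outputs go through $GITHUB_OUTPUT (::set-output is deprecated)
          echo "project_name=$project_name" >> "$GITHUB_OUTPUT"
          echo "version=${version%-SNAPSHOT}" >> "$GITHUB_OUTPUT"

  build-and-push-docker-image:
    runs-on: ubuntu-latest
    needs: [extract-info]
    if: github.ref == 'refs/heads/master'
    # Environment secrets are only exposed to jobs bound to that environment.
    # Without this line, secrets that exist only in the "Secrets" environment
    # resolve to "", which is exactly the `docker login -u ""` seen in the log.
    environment: Secrets
    # Assumed addition: the job only reads the repository, so restrict the
    # job token to read access.
    permissions:
      contents: read

    steps:
      - uses: actions/checkout@v4

      # Masked secrets log as "***"; an empty secret logs nothing at all.
      # Check the length explicitly so a scoping mistake fails here with a
      # readable message instead of at docker login.
      - name: Verify Docker Hub secrets were resolved
        env:
          DOCKER_HUB_USERNAME: ${{ secrets.DOCKER_HUB_USERNAME }}
          DOCKER_HUB_ACCESS_TOKEN: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
        run: |
          for name in DOCKER_HUB_USERNAME DOCKER_HUB_ACCESS_TOKEN; do
            if [ -z "${!name}" ]; then
              echo "::error::secret $name is empty; bind the job to the environment that holds it"
              exit 1
            fi
          done

      # Hand secrets to the action's inputs rather than interpolating
      # ${{ secrets.* }} into a run: script, where the value becomes part of
      # the shell command line and is only hidden from the log by masking.
      - name: Log in to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKER_HUB_USERNAME }}
          password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}

      # Same rule for job outputs: pass them through env: so a value taken
      # from pom.xml that contains shell metacharacters cannot alter the command.
      - name: Build and push image
        env:
          IMAGE: ${{ secrets.DOCKER_HUB_USERNAME }}/${{ needs.extract-info.outputs.project_name }}
          VERSION: ${{ needs.extract-info.outputs.version }}
        run: |
          docker build -t "$IMAGE:$VERSION" -t "$IMAGE:latest" .
          docker push "$IMAGE:$VERSION"
          docker push "$IMAGE:latest"
```

The caller does not change. A job that calls a reusable workflow with `uses:` cannot declare `environment:` itself, so the binding to the environment has to live in the called workflow's job, which is what the answer found. The caller's `secrets:` mapping only carries repository-scoped secrets from the caller; if you would rather not list them, `secrets: inherit` passes the caller's secrets through, but it still does not grant access to environment-scoped secrets without the `environment:` line above.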