如何从 Github 工作流访问环境机密?

问题描述

我正在尝试从 Github 工作流程向 PyPI 发布 Python 包,但身份验证失败用于测试 PyPI".我从命令行成功发布到 Test PyPI,所以我的 API 令牌必须是正确的.我还检查了秘密值中的前导和尾随空格(即在 GitHub 上).

正如上次提交所显示的,我尝试了一些事情但没有成功.

我首先尝试将简单的 bash 命令内联到工作流中,如下所示,但我无法将我的秘密放入环境变量中.当我打印这些变量时,日志中没有任何显示.

- 名称:在测试 PyPI 上发布环境:TWINE_USERNAME:__token__TWINE_PASSWORD:${{ 秘密.PYPI_TEST_TOKEN }}TWINE_REPOSITORY_URL:https://test.pypi.org/legacy/"运行:|回声$TWINE_PASSWORD"点安装麻线麻线检查距离/*twine 上传 dist/*

我也尝试使用如下专用的 GitHub Action,但它也不起作用.我想问题出在我的工作流程中不可用的秘密.让我感到困惑的是,我的工作流程使用另一个令牌/秘密就好了!但是,如果我将它放在环境变量中,则不会打印任何内容.我还以不同的名称(PYPI_TEST_TOKEN 和 TEST_PYPI_API_TOKEN)重新创建了我的秘密,但无济于事.

- name: Publish to Test PyPI用途:pypa/gh-action-pypi-publish@release/v1和:用户:__token__密码:${{ secrets.TEST_PYPI_API_TOKEN }}存储库网址:https://test.pypi.org/legacy/

我想我错过了一些明显的东西(像往常一样).非常感谢任何帮助.

解决方案

我终于想通了.我的错误是我在一个环境中定义了我的秘密,并且默认情况下,工作流不在任何特定环境中运行.为此,我必须在职位描述中明确命名环境,如下所示:

工作:发布:environment: CI # <---/! 这里是环境的链接需求:构建运行:ubuntu-latest如果:startsWith(github.ref, 'refs/tags/v')脚步:- 使用:actions/checkout@v2# 这里还有一些步骤...- 名称:发布到测试 PyPI环境:TWINE_USERNAME:__token__"TWINE_PASSWORD: ${{ secrets.TEST_PYPI_API_TOKEN }}TWINE_REPOSITORY_URL:https://test.pypi.org/legacy/"运行:|回显键:'${TWINE_PASSWORD}'麻线检查距离/*twine 上传 --verbose --skip-existing dist/*

文档实际上提到了它.p>

感谢那些给我指出正确方向的评论.

I am trying to publish a Python package to PyPI, from a Github workflow, but the authentication fails for "Test PyPI". I successfully published to Test PyPI from the command line, so my API token must be correct. I also checked for leading and trailing spaces in the secret value (i.e., on GitHub).

As the last commits show, I tried a few things without success.

I first tried to inline simple bash commands into the workflow as follows, but I have not been able to get my secrets into environment variables. Nothing showed up in the logs when I printed these variables.

- name: Publish on Test PyPI 
  env:
     TWINE_USERNAME: __token__
     TWINE_PASSWORD: ${{ secrets.PYPI_TEST_TOKEN }}
     TWINE_REPOSITORY_URL: "https://test.pypi.org/legacy/"
  run: |
     echo "$TWINE_PASSWORD"
     pip install twine
     twine check dist/*
     twine upload dist/*

I also tried to use a dedicated GitHub Action as follows, but it does not work either. I guess the problem comes from the secrets not being available in my workflow. What puzzled me is that my workflow uses another token/secret just fine! Though, if I put it in an environment variable, nothing is printed out. I also recreated my secrets under different names (PYPI_TEST_TOKEN and TEST_PYPI_API_TOKEN) but to no avail.

- name: Publish to Test PyPI
  uses: pypa/gh-action-pypi-publish@release/v1
  with:
    user: __token__
    password: ${{ secrets.TEST_PYPI_API_TOKEN }}
    repository_url: https://test.pypi.org/legacy/

I guess I miss something obvious (as usual). Any help is highly appreciated.

解决方案

I eventually figured it out. My mistake was that I defined my secrets within an environment and, by default, workflows do not run in any specific environment. For this to happen, I have to explicitly name the environment in the job description as follows:

jobs:
  publish:
    environment: CI    # <--- /! Here is the link to the environment
    needs: build
    runs-on: ubuntu-latest
    if: startsWith(github.ref, 'refs/tags/v')
    steps:
    - uses: actions/checkout@v2
    # Some more steps here ...
    - name: Publish to Test PyPI
      env:
        TWINE_USERNAME: "__token__"
        TWINE_PASSWORD: ${{ secrets.TEST_PYPI_API_TOKEN }}
        TWINE_REPOSITORY_URL: "https://test.pypi.org/legacy/"
      run: |
        echo KEY: '${TWINE_PASSWORD}'
        twine check dist/*
        twine upload --verbose --skip-existing dist/*

The documentation mentions it actually.

Thanks to those who commented for pointing me in the right direction.

相关文章