如何从 Github 工作流访问环境机密?
问题描述
我正在尝试从 Github 工作流程向 PyPI 发布 Python 包,但身份验证失败用于测试 PyPI".我从命令行成功发布到 Test PyPI,所以我的 API 令牌必须是正确的.我还检查了秘密值中的前导和尾随空格(即在 GitHub 上).
正如上次提交所显示的,我尝试了一些事情但没有成功.
我首先尝试将简单的 bash 命令内联到工作流中,如下所示,但我无法将我的秘密放入环境变量中.当我打印这些变量时,日志中没有任何显示.
- 名称:在测试 PyPI 上发布环境:TWINE_USERNAME:__token__TWINE_PASSWORD:${{ 秘密.PYPI_TEST_TOKEN }}TWINE_REPOSITORY_URL:https://test.pypi.org/legacy/"运行:|回声$TWINE_PASSWORD"点安装麻线麻线检查距离/*twine 上传 dist/*
我也尝试使用如下专用的 GitHub Action,但它也不起作用.我想问题出在我的工作流程中不可用的秘密.让我感到困惑的是,我的工作流程使用另一个令牌/秘密就好了!但是,如果我将它放在环境变量中,则不会打印任何内容.我还以不同的名称(PYPI_TEST_TOKEN 和 TEST_PYPI_API_TOKEN)重新创建了我的秘密,但无济于事.
- name: Publish to Test PyPI用途:pypa/gh-action-pypi-publish@release/v1和:用户:__token__密码:${{ secrets.TEST_PYPI_API_TOKEN }}存储库网址:https://test.pypi.org/legacy/
我想我错过了一些明显的东西(像往常一样).非常感谢任何帮助.
解决方案我终于想通了.我的错误是我在一个环境中定义了我的秘密,并且默认情况下,工作流不在任何特定环境中运行.为此,我必须在职位描述中明确命名环境,如下所示:
工作:发布:environment: CI # <---/! 这里是环境的链接需求:构建运行:ubuntu-latest如果:startsWith(github.ref, 'refs/tags/v')脚步:- 使用:actions/checkout@v2# 这里还有一些步骤...- 名称:发布到测试 PyPI环境:TWINE_USERNAME:__token__"TWINE_PASSWORD: ${{ secrets.TEST_PYPI_API_TOKEN }}TWINE_REPOSITORY_URL:https://test.pypi.org/legacy/"运行:|回显键:'${TWINE_PASSWORD}'麻线检查距离/*twine 上传 --verbose --skip-existing dist/*
文档实际上提到了它.p>
感谢那些给我指出正确方向的评论.
I am trying to publish a Python package to PyPI, from a Github workflow, but the authentication fails for "Test PyPI". I successfully published to Test PyPI from the command line, so my API token must be correct. I also checked for leading and trailing spaces in the secret value (i.e., on GitHub).
As the last commits show, I tried a few things without success.
I first tried to inline simple bash commands into the workflow as follows, but I have not been able to get my secrets into environment variables. Nothing showed up in the logs when I printed these variables.
- name: Publish on Test PyPI
env:
TWINE_USERNAME: __token__
TWINE_PASSWORD: ${{ secrets.PYPI_TEST_TOKEN }}
TWINE_REPOSITORY_URL: "https://test.pypi.org/legacy/"
run: |
echo "$TWINE_PASSWORD"
pip install twine
twine check dist/*
twine upload dist/*
I also tried to use a dedicated GitHub Action as follows, but it does not work either. I guess the problem comes from the secrets not being available in my workflow. What puzzled me is that my workflow uses another token/secret just fine! Though, if I put it in an environment variable, nothing is printed out. I also recreated my secrets under different names (PYPI_TEST_TOKEN and TEST_PYPI_API_TOKEN) but to no avail.
- name: Publish to Test PyPI
uses: pypa/gh-action-pypi-publish@release/v1
with:
user: __token__
password: ${{ secrets.TEST_PYPI_API_TOKEN }}
repository_url: https://test.pypi.org/legacy/
I guess I miss something obvious (as usual). Any help is highly appreciated.
解决方案I eventually figured it out. My mistake was that I defined my secrets within an environment and, by default, workflows do not run in any specific environment. For this to happen, I have to explicitly name the environment in the job description as follows:
jobs:
publish:
environment: CI # <--- /! Here is the link to the environment
needs: build
runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/v')
steps:
- uses: actions/checkout@v2
# Some more steps here ...
- name: Publish to Test PyPI
env:
TWINE_USERNAME: "__token__"
TWINE_PASSWORD: ${{ secrets.TEST_PYPI_API_TOKEN }}
TWINE_REPOSITORY_URL: "https://test.pypi.org/legacy/"
run: |
echo KEY: '${TWINE_PASSWORD}'
twine check dist/*
twine upload --verbose --skip-existing dist/*
The documentation mentions it actually.
Thanks to those who commented for pointing me in the right direction.
相关文章