GitHub is more than just a platform for hosting and sharing code. With millions of developers from all over the world collaborating on projects of every type and size, it has become the beating heart of the open source community. Since its foundation in 2008, GitHub has grown to host over 200 million repositories and 100 million users, with a staggering 3.5 billion contributions made in the last year alone. With GitHub Actions, engineers and developers can now automate all kinds of workflows and repetitive engineering tasks – fromContinuous Integration (CI) andContinuous Deployment (CD) toIssueOps, automatic issue triaging, andChatOps. GitHub Actions is much more than just a CI/CD tool – it’s a comprehensive automation platform that can help streamline your entiredevelopment workflow.

This book will show you how to make the most of GitHub Actions in your day-to-day life. It is a practical book – so you willdo as much as possible, and I will explain the theory alongside theindividual recipes.

In this chapter, you will learn the basics of workflows in GitHub: workflow files, the workflow and YAML syntax, events that trigger workflows, expressions, secrets, and environments, and you will write yourfirst workflows.

We’re going to cover the following main topics inthis chapter:

• TheGitHub ecosystem
• Hosting and pricingfor GitHub
• Pricing forGitHub Actions
• GitHub Marketplace
• Using the workflow editor forwriting workflows
• Using secretsand variables
• Creating andusing environments

For this chapter, you will need a free GitHub account and a browser. Just sign up underhttps://github.com/signup if you do not have anaccount yet.

You will find all the recipes and example code in the repositoryathttps://github.com/wulfland/GitHubActionsCookbook.

GitHub is built around the decentralizedgitversion control system (VCS), which has playeda significant role in transforming the way in which software is developed. But GitHub is more than just hosting ofgit repositories – it has evolved into a holistic DevOps platform with capabilities in thefollowing areas:

• Collaborative coding
• Planningand tracking
• Workflowsand CI/CD
• Developer productivity
• Client applications
• Security

From the very beginning, GitHub has prioritized a developer-centric approach, resulting in a platform that places utmost importance on webhooks and APIs. Developers can leverage either the REST or the GraphQL API to manipulate all aspects of the GitHub platform. In addition to that, developers can use GitHub asanidentity provider (IdP) to access their applications. This approach facilitates seamless integration with other tools and platforms, making GitHub what it is today: the place where the worldbuilds software.

Tounderstand the power ofGitHub Actions, one must take into account that you can use it to automate all kinds of tasks in the entire ecosystem – not just code. This includesthe following:

• Planning and tracking: GitHub offers issues and milestones, GitHub Discussions, and GitHub Projects for planning and tracking. It also integrates seamlessly with other popular planning and trackingsolutions suchas Jira, Trello, orAzure Boards.
• Client applications: GitHub provides Visual Studio Code as a code editor that can be accessed directly in the browser (https://github.dev), mobile applications for both iOS and Android platforms, to collaborate from anywhere, a cross-platform desktop application, and has an extensibleCLI available.

  It also integrates with all the common IDEs such as Visual Studio, Visual Studio Code, and Eclipse, andwith popular chat platforms such as Slackand Teams.

• Security: GitHub Advanced Security provides software supply-chain security withDependabot, Secret Scanning, and code scanningwithCodeQL. It also supportsintegrations with tools such as Snyk, Veracode, or Checkmarx, and itcan be integrated into Microsoft’s Defenderfor DevOps.
• Developer productivity: GitHub offers a virtual containerized development environment – GitHub Codespaces – and GitHub Copilot, an AI-poweredassistant that can help you write and understand code. GitHub also offers code search, a command palette, and other features that can further enhancedeveloper productivity.
• Workflows and CI/CD: Beyond GitHub Actions, GitHub supports most CI/CD tools in the market. Furthermore, GitHub provides secure integration with all the major cloud providers forCI/CD workflows usingOpen ID Connect (OIDC). GitHub Packages provides a package registry that supports a wide range of package formats and nativenpm support – but all the other major package registries also integratewith GitHub.

GitHub Actionscan be used to automate tasks and build solutions across the entire GitHubecosystem (seeFigure 1.1):

Figure 1.1 – The GitHub ecosystem and its integrations

In this book, I will provide practical recipes for workflows across all the major areas so that you will be able to automate all kinds of real-worlddevelopment tasks.

Allthe examples in this book are done onhttps://github.com – theSoftware-as-a-Service (SaaS) offering from GitHub. Signing up for GitHub is free and provides users with unlimited private and public repositories. Nearly all features on GitHub are available free for open source projects (public repositories), but they may require a paid license for private repositories. In public repos, you have unlimited minutes for actions. That’s why it is important to do all the recipes in public repos – if not, you will burn rapidly through your 2,000 minutesper month.

GitHub’spricing model is based on a monthly per-user billing system and consists of three tiers:Free,Team, andEnterprise (seeFigure 1.2):

Figure 1.2 – GitHub pricing tiers

As mentioned earlier, public repos are entirely free – including GitHub Actions, Packages, and security features such as Dependabot and Secret Scanning. Private repos are also free, but only with limited functionality for collaboration. It does not include protected branches, Codeowners, and some advanced pull request features. For private repos, you have 2,000 free minutes in the free tier. To unlock the collaboration features, you’ll need to acquire a Team license for $4 per user per month. The Team plan then also includes 3,000 minutes forGitHub Actions.

TheGitHub Enterprise plan brings all the Enterprise features – such assingle sign-on (SSO) withSecurity Assertion Markup Language (SAML) andSystem for Cross-domain Identity Management (SCIM), Enterprise ManagedUsers, and the IP allow list. It also comes equipped with 50,000 minutes for GitHub Actions – but it also costs $21 per userper month.

In addition to the SaaS offering, GitHub also providesan appliance for self-hosting –GitHub Enterprise Server (GHES). It is available for AWS, GCP, Azure, or on-premises on Hyper-V, OpenStack KVM, or VMware ESXi. GHES is only available with the Enterprise plan. You can also combine GHES withGitHub Enterprise Cloud (GHEC) and share the same license for bothhosting options.

GHES and GitHub Actions

Keep in mind that you cannot use GitHub-hosted runners for your workflow if you run GHES. You will have to provide your own runners for your workflows and ensure that they are secure and clean up their workflow artifacts. Typically, this is done on KuberneteswithActions Runner Controller (ARC –https://github.com/actions/actions-runner-controller). You will learn more about this inChapter 4,TheWorkflow Runtime.

Running your workflows on self-hosted runners is completely free as you bring your own compute. Running workflows in public repositories is also free – even on the powerful runners provided by GitHub. GitHub-hosted runners are available on Linux, Windows, and macOS and in different sizes. If you want to leverage these runners in private repositories, you’ll be charged per minute. The different runnersuse differentminute multipliers (seeTable 1.1). Running a workflow on Linux will reduce 1 of your free minutes per minute – and you will be charged $0.008 if you exceed your free minutes. Windows will burn twice as fast through your free minutes and costs $0.08 per minute after that. And macOS will burn 10 times faster through your minutes and charges $0.016 per minute when you have reached the limit of yourincluded minutes:

Table 1.1 – Pricing per minute for GitHub-hosted runners

That’s the reason why I use Linux for most of the examples in this book and why I always encourage my customers to run as much workload on Linuxas possible.

If you use GHEC or the Team plan and you need machines with more power, then you can leverage larger GitHub-hosted runners. They are charged by minute (seeTable 1.2) and have additional features such as staticIP ranges:

Table 1.2 – Per-minute rate for larger runners

Private networking

In addition to static IP ranges, you can also use Azure private networking to connect GitHub-hosted runners directly to your resources. At the time of writing, this feature is still in beta and might change. See the following link for moreinformation:https://docs.github.com/en/enterprise-cloud@latest/admin/configuration/configuring-private-networking-for-hosted-compute-products/about-networking-for-hosted-compute-products.

GitHub Actions also consumes storage – for example, for logs, workflow artifacts, or caching. If you exceed your included storage, you will be billed $0.008 per GBper day.

Keep in mind that pricing may change, and refer to the GitHub documentation for up-to-dateinformation (https://docs.github.com/en/billing/managing-billing-for-github-actions/about-billing-for-github-actions).

And to learn GitHub Actions and experiment with workflows – just do everything in public repositories and you will not have to pay, either for compute orfor storage.

GitHub offers acommunity-driven marketplace (https://github.com/marketplace) that contains currently more than 20,000 GitHub Actions that you can reuse as building blocks in your workflows (seeFigure 1.3):

Figure 1.3 –GitHub Marketplace contains more than 20,000 reusable actions

If an action is by the authoractions, that means it is a native action by GitHub. You can see the number of people who have starred an action in the overview. This will give you a good indication of the popularity of the action. And you will see the blue badge that indicates that the author of an action was verifiedby GitHub.

You can filter the marketplace by multiple categories, you can search by terms, and you can change the sort order of results toMost installed/starred,Best Match, orRecently added (seeFigure 1.4):

Figure 1.4 – Searching in the marketplace and sorting the results

This way, it is easy toexplore the marketplace and find actions that will help you automate tasks inyour workflows.

If you click one of the results, it will take you to the details page of the marketplace listing (seeFigure 1.5):

Figure 1.5 – Details of a marketplace listing

You can findreleased versions, the number of stars, contributors, and – as all published actions are open source – a link to the source repository and the number of open issues and pull requests. This should give you a good idea of how actively the action is used – and it allows you to dig into the code if you wish todo so.

The results of the marketplace are also displayed in the workflow editor, and we will use them in our recipesfrom it.

GitHub does a good job of guiding people in the workflow designer when writing workflows. That’s why it is best to just start and write your first workflow and familiarize yourself withthe platform.

Getting ready

Before you can create your first workflow, you first have to create a repository on GitHub. Navigate tohttps://github.com/new, authenticate if you are not authenticated yet, and fill in data as inFigure 1.6:

Figure 1.6 – Creating a new repository

Pick your GitHub user as the owner and give the repo a unique name – for example,ActionsCookBook. Make it a public repo so that all workflows and storage are free. Initialize the repo with a README file – this way, we have already files in the repo and something in the workflow towork with.

How to do it…

GitHub Action workflows areYAML files with a.yml or .yaml extension that are located in the.github/workflows folderin a repository. You could create the file manually, but then the workflow editor would only work after the first commit. Therefore, I recommend creating a new workflow fromthe menu.

1. In your new repository, navigate toActions. Since your repository is new and you don’t have any workflows yet, this will redirect you directly to theCreate new workflow page (actions/new). If your repository contains workflows, you will see the workflows here (as later displayed inFigure 1.16), and you would have to click theNew workflow button to get tothat page.

   On this page, you will find a lot of template workflows you could use as a starting point. There are starter workflows fordeployments to most clouds,CI for most languages,security scanning of your code,automation in general, and templates to deploy content to GitHub Pages. You can filter the starter workflows by these categories. These workflows give you a good starting point for most ofyour workflows.

   In this recipe, we will focus on familiarizing ourselves with the editor, and we will create a workflow from scratch by clickingset up a workflow yourself (seeFigure 1.7):

Figure 1.7 – Creating a new workflow in GitHub

2. GitHubwill create a newmain.yml file in.github/workflows on the default branch and display it in the web editor. On the right side of the editor, you have the documentation, and you can search foractions in GitHub Marketplace. In the editor, you can useCtrl +Space (orOption +Space – depending on your keyboard settings) to trigger autocomplete. The editor will capture theTab key and by default use it for a two-space indentation. To navigate to other controls on the page using theTab key, you first have to exit it usingEsc or usingCtrl +Shift +M.

   Modify the filename toMyFirstWorkflow.yml and familiarize yourself with the editor (seeFigure 1.8):

Figure 1.8 – The workflow editor for GitHub Actions

3. In theeditor, clickCtrl +Space (orOption +Space) to see a list of root elements valid in a workflow file (seeFigure 1.9):

Figure 1.9 – The editor shows you all valid options at a certain level in the workflow file

Typically, workflows are started with thename property, which sets the display name of the workflow in the UI. It’s a good practice to add a comment to the top of the file summarizing the intent ofthe workflow.

4. Add a comment to the top of the file and set thename property using autocomplete. Note that the editor has error checking and indicates that you are still missing the required root key,on (seeFigure 1.10):

Figure 1.10 – Error checking in the code editor

5. Next, we are going to configure events that should trigger the workflow. Note that a workflow can have multiple triggers. Depending on where you are in the designer, autocomplete will give you different results. If you are on the same line ason:, you will get a result in the JSON syntax (see theYAML collection types section); that is,on: [push].

   If you add a comma after the first element and clickControl +Space again, then you can pick additional elements from autocomplete (seeFigure 1.11):

Figure 1.11 – Autocomplete works also inside squared brackets

Each trigger is a map and can contain additional arguments. If you put your cursor on the line belowon: and add a two-space indentation, autocomplete will give you the results in the full YAML syntax. It will also give you properties that you can use to configure each trigger (seeFigure 1.12):

Figure 1.12 – Autocomplete also helps with options for triggers

Note that most arguments – for example, branches or paths – are sequences and need a dash for each entry if you are not using theJSON syntax.

We want our test workflow to run on every push to themain branch. We also want to be able to trigger it manually (see theEvents that trigger workflows section). Your workflow code for triggers should looklike this:

on:  push:    branches:      - main  workflow_dispatch:

Wildcards

The* character can be used as a wildcard in paths and** as a recursive wildcard.* is a special character in YAML, so you need to use quotation marks inthat case:

push:

branches:

- 'release/**'

paths:

- 'doc/**'

6. Afterconfiguring the triggers for the workflow, the next step is to add another root element: thejobs. Jobs are a map in YAML – meaning on the next line with two-space indentation, autocomplete will not work as the editor expects you to set a name. Name your jobfirst_job and go to the next line. The name of the job object can only contain alphanumeric values, a dash (-), and an underscore (_). If you want any other characters to be displayed in the workflow, you can use thename property:

   jobs:  first_job:    name: My first job

7. Every job needs a runner that executes it. Runners are identified by labels. You will learn more about runners inChapter 4,The Workflow Runtime. We want our workflow to be executed on the latest version of the Ubuntu runners provided by GitHub, so we use theubuntu-latest label:

   runs-on: ubuntu-latest

8. A job consists of a sequence of steps that are executed one after the other. The most basic step is therun: command, which will execute acommand-line command:

   steps:      - name: Greet the user        run: echo "Hello world"        shell: bash

   The name is optional and sets the output of the step in the log. The shell is also optional and will default tobash on non-Windows platforms, with a fallback tosh. On Windows, the default is PowerShell Core (pwsh), with a fallback tocmd. But you could configure any shell you want with the{0} placeholder for the input of the step (that is,shell:perl {0}).

   To add variable output, we can useexpressions that are written between${{ and}}. In the expression, you can use values from context objects such as the GitHub context. Note that autocomplete also works for these context objects (seeFigure 1.13):

Figure 1.13 – Autocomplete also works for context objects

Pick theactor from the listof values:

- run: echo "Hello world from ${{ github.actor }}."

You will learn more about expressions and context syntax throughout the book. But you can refer to the documentation for expressions (https://docs.github.com/en/actions/learn-github-actions/expressions) and context (https://docs.github.com/en/actions/learn-github-actions/contexts) atany time.

9. YAMLallows you to write multiline scripts without the need to wrestle with quotations and newlines. Just add the pipe operator (|) afterrun: and write your script in the next line with a four-space indentation. YAML will treat this as one block until the next element – even with new and blank linesin it:

   - run: |    echo "Hello world from ${{ github.actor }}."    echo "Current branch is '${{ github.ref }}'."

10. GitHub Actions workflows will not automatically download the code from your repository. If you want to do something with files in your repository, you have to check out the content first. This is done using a GitHub action – a reusable workflow step that can easily be shared formultiple workflows.

    On the right side of the workflow editor is themarketplace. You can directly search there for all kinds of actions. Search forcheckout and locate the action fromactions (these are built-in actions from GitHub). In the listing, you see the owner of the action, the latest version, and the stars of the repository. The listing contains anInstallation section that you can copy into your workflow to use the action (seeFigure 1.14):

Figure 1.14 – Listing of the marketplace in the workflow editor

Note that many parameters are optional. To check out the repo, you only need thefollowing lines:

- name: Checkout  uses: actions/checkout@v4.1.0

Using GitHub Actions

Actions refer to a location on GitHub. The syntax is{path}@{ref}. The path points to a physical location on GitHub and can be{owner}/{repo} if the actions are in the root of a repository or{owner}/{repo}/{path} if the actions are in a subfolder. The reference after@{ref} is anygit reference that points to a commit. It can be atag,branch, or an individualcommitSHA.

11. To display the files in our repository after checking them out, we’ll add anextra step:

    - run: tree

    This will output the files in the repository in atree structure.

12. To run the workflow, just commit the workflow file to themain branch. ClickCommit changes…, leave the commit message and branch, and clickCommit changes in the dialog to finish the operation (seeFigure 1.15):

Figure 1.15 – Committing the workflow file

13. As we have set a push trigger for themain branch, our commit has automatically triggered the workflow. If you navigate now toActions in your repository, you will be able to see your workflow and the latest workflow run (seeFigure 1.16):

Figure 1.16 – The default view in Actions displays the latest workflow runs of all workflows

Note that thename of the workflow run is the commit message. You can also see the commit that triggered the workflow and the actor that pushedthe changes.

14. Click on the workflow run to see more details. The workflow summary page contains jobs on the left and a visual representation on the right (seeFigure 1.17). It also contains metadata for the trigger, the status, andthe duration:

Figure 1.17 – The workflow summary page

15. Click on the job to view more details. In the workflow log, you can inspect the individual steps. Note that each line of the workflow file has a clickable number – that is a URL that you could use to identify each line. TheSet up job step is a special step that gives you a lot of background information about the workflow runner and workflow permissions (seeFigure 1.18). Inspect the output of all steps ofyour workflow:

Figure 1.18 – The workflow log for an individual job

16. As a last step, we want to trigger the workflow manually to also see the difference in the workflow run. Go back toActions, select the workflow on the left side (seeFigure 1.19), and runthe workflow:

Figure 1.19 – Triggering a workflow manually through the UI

Inspect the new workflow run andits output.

How it works…

Workflow filesare YAML files located in the.github/workflows folder ina repository.

YAML basics

YAML stands forYAML Ain’t Markup Language and is a data-serialization language optimized to be directly writable and readable by humans. It is a strict superset of JSON but with syntactically relevant newlines and indentation insteadof braces.

You can write comments by prefixing text with ahash (#).

In YAML, you can assign a value to a variable with the following syntax:key: value.

key is the name of the variable. Depending on the data type ofvalue, the type of the variable will be different. Note that keys and values can contain spaces and do not need quotation marks! Only add them if you use some special characters or you want to force certain values to be a string. You can quote keys and values with single or double quotes. Double quotes use the backslash as the escape pattern ("Foo \"bar \" foo"), while single quotes use an additional single quote for this ('foo ''bar'' foo').

YAML collection types

In YAML, there are two different collection types: nested types called maps and lists – also called sequences. Maps use two spacesof indentation:

parent_type:  key1: value1  key2: value2  nested_type:    key1: value1

A sequence is an ordered list of items and has a dash beforeeach line:

sequence:  - item1  - item2  - item3

Since YAML is a superset of JSON, you can also use the JSON syntax to put collections inone line:

key: [item1, item2, item3]key: {key1: value1, key2: value2}

Events that trigger workflows

There are three types of triggers for workflows:webhook triggers,scheduled triggers, andmanual triggers.

Webhook triggers startthe workflow based on an event in GitHub. There are many webhook triggers available. For example, you could run a workflow on anissues event, arepository event, or adiscussions event. Thepush trigger in our example is awebhook trigger.

Scheduled triggers canrun the workflow at multiple scheduled times. The syntax is the same syntax used forcron jobs:

on:  schedule:    # Runs at every 15th minute    - cron:  '*/15 * * * *'    # Runs every hour from 9am to 5pm    - cron:  '0 9-17 * * *'    # Runs every Friday at midnight    - cron:  '0 2 * * FRI'

Manual triggers allowyou to start the workflow manually. Theworkflow_dispatch trigger will allow you to start the workflow using the web UI or GitHub CLI. You can define input parameters for this trigger using theinputs property. Therepository_dispatch trigger can be used to trigger the workflow using the API. This trigger can also be filtered by certain event types and can accept additional JSON payload that can be accessed inthe workflow.

To learn more about triggers, check the documentationathttps://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows.

Jobs

Every job needs a runner that executes it. Runners are identified by labels. In our recipe, we use theubuntu-latest label. This means that our job will be executed on the latest Ubuntu image hosted by GitHub. You will learn more about runners inChapter 4, TheWorkflow Runtime.

Using GitHub Actions

Actions refer to alocation on GitHub. The syntax is{path}@{ref}. The path points to a physical location on GitHub and can be{owner}/{repo} if the actions are in the root of a repository or{owner}/{repo}/{path} if the actions are in a subfolder. The reference after@{ref} is anygit reference that points to a commit. It can be a tag, branch, or an individualcommit SHA:

# Reference a version using a tag- uses: actions/checkout@v4.1.0# Reference the current head of a branch- uses: actions/checkout@main# Reference a specific commit- uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab

For local actions in the same repository, you can omit the reference if you check out ofthe repository.

If the action has defined inputs, you can specify them using thewith property:

- uses: ActionsInAction/HelloWorld@v1  with:    WhoToGreet: Mona

Inputs can be optional or required. You can also set environment variables for steps using theenv property:

- uses: ActionsInAction/HelloWorld@v1  env:    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

There’s more…

This is just a very basic workflow that uses an action to check out code and runs some commands on the command line. In the next two recipes, I’ll show you how to use secrets, variables, and protected environments for morecomplex workflows.

You can set variables and secrets in a repository that you can access in workflows. In this recipe, we’ll add both and access them inthe workflow.

Getting ready

In this recipe, we will use the web UI to set variables and secrets. You can also use the GitHub CLI (https://cli.github.com/) for that. If you want to try that, then you have to install it. But it is not necessary for followingthe recipe.

How to do it…

1. In yourrepository, navigate toSettings |Secrets and Variables |Actions. You can see all existing secrets in the repository, and you can toggle the tabs betweenSecrets (settings/secrets/actions) andVariables (settings/variables/actions; seeFigure 1.20):

Figure 1.20 – Configuring secrets and variables for a repository

2. ClickingNew repository secret willopentheNew secret dialog (settings/secrets/actions/new; seeFigure 1.21):

Figure 1.21 – Adding a new secret

AddMY_SECRET as the secret name and a random word such asAbracadabra as the secret, and clickAdd secret. The secret will be masked in the logs! So, don’t use a common word that could occur in other outputs of random jobsor steps.

Naming conventions for secrets and variables

Secret names are not case-sensitive, and they can only contain normal characters ([a-z] and[A-Z]), numbers ([0-9]), and an underscore (_). They must not start withGITHUB_ ora number.

The best practice is to name secrets with uppercase words separated by theunderscore character.

3. Repeatthe processforNew repository variable (settings/variables/actions/new) and create aWHO_TO_GREET variable with thevalueWorld.
4. Open the.github/workflows/MyFirstWorkflow.yml file from the previous recipe and click the edit icon (seeFigure 1.22):

Figure 1.22 – Editing MyFirstWorkflow.yml

Change the wordWorld to the${{ vars.WHO_TO_GREET }} expression and add a new line using the${{ secrets.MY_SECRET }}secret:

- run: |    echo "Hello ${{ vars.WHO_TO_GREET }} from ${{ github.actor }}."    echo "My secret is ${{ secrets.MY_SECRET }}."

5. Committhe changes. The workflow will run automatically. Inspect the output in the workflow log. It should look likeFigure 1.23:

Figure 1.23 – Output of a secret and variable in the log

There’s more…

You can create configuration variables for use across multiple workflows by defining them on one of thefollowing levels:

• Organization level
• Repository level
• Environment level

The three levels work like a hierarchy: you can override a variable or secret on a lower level by providing a new value to the same key.Figure 1.24 illustratesthe hierarchy:

Figure 1.24 – The hierarchy for configuration variables and secrets

Secrets and variables for organizations work the same way as for repositories. You can create a secret or variable underSettings |Secrets and variables |Actions. New organization secrets or variables can have an access policy forthe following:

• All repositories
• Private repositories
• Selected repositories

When choosingSelected repositories, you can grant access toindividual repositories.

In addition to setting these values through the UI, it is also possible to use theGitHub CLI.

You can usegh secret orgh variable to createnew entries:

$ gh secret set secret-name$ gh variable set var-name

You will be prompted for thesecret or variable values, or you can read the value from a file, pipe it to thecommand, or specify it as the body (-bor--body):

$ gh secret set secret-name < secret.txt$ gh variable set var-name --body config-value

Environmentsare used to describe a general deployment target such asdevelopment, test,staging, orproduction. You can protect environments with protection rules, and you can provide configuration variables and secrets forspecific environments.

Getting ready

We will first create some environments using the web UI and add some protection rules, secrets, and variables. Then, we add them to ourexisting workflow.

How to do it…

1. Navigate toSettings |Environments and click onNew environment (seeFigure 1.25):

Figure 1.25 – Managing environments in a repository

Enter the nameProduction and clickConfigure environment (seeFigure 1.26):

Figure 1.26 – Creating a new environment

2. Add yourself as a required reviewer and clickSave protection rule (seeFigure 1.27):

Figure 1.27 – Configuring deployment protection rules

3. UnderDeployment branches and tags, chooseSelected branches and tags, click the plussymbol, and add a name pattern for themain branch (seeFigure 1.28):

Figure 1.28 – Configuring deployment branches and tags

4. UnderEnvironment secrets, clickonAdd secret and add a newMY_SECRET secret with the valueOpen Sesame (seeFigure 1.29). Repeat this withAdd variable and add aWHO_TO_GREET variable with the valueProduction users:

Figure 1.29 – Adding secrets and variables to environments

5. Repeatstep 1 andcreate two additional environments,Test andLoad-Test. We will use these environments in the next steps to show how to execute jobs in parallel. You don’t have to configure deployment branches or required reviewers. Just add aWHO_TO_GREET variable with the corresponding value. The result should look likeFigure 1.30:

Figure 1.30 – Multiple environments in the settings of the repository

6. Now, go back to theworkflow file and edit it. Add a new job beneathfirst_job calledTest that runs on the latest Ubuntu image. We associate this job with theTest environment. To run this job afterfirst_job, we use theneeds property and set it to the job wedepend on:

   Test:  runs-on: ubuntu-latest  environment: Test  needs: first_job

   To see how secrets are overwritten by the environment, we have to use a little hack. As GitHub searches for the value of secrets in the output of the log to mask it, we have to modify the actual text. We can do this, for example, using thesed 's/./& /g' command. This will add a blank between every character of the secret. With this little hack, the steps of theTest job should looklike this:

   steps:- run: |    echo "Hello ${{ vars.WHO_TO_GREET }} from ${{ github.actor }}."    sec=$(echo ${{ secrets.MY_SECRET }} | sed 's/./& /g')    echo "My secret is '$sec'."

7. Next, add a newLoad-Test job that is associated with theLoad-Test environment and also executesafterfirst_job:

   Load-Test:  runs-on: ubuntu-latest  environment: Load-Test  needs: first_job

   Just copy the steps fromTest. There is no need tochange anything.

8. The lastjob is aProduction job. In addition to the name, theenvironment property accepts a URL that later will be displayed in the workflow designer. Set it to any URL you want. To show how after a parallel execution of jobs the workflow can merge again, we will runProduction afterTestandLoad-Test:

   Production:  runs-on: ubuntu-latest  environment:    name:Production    url: https://writeabout.net  needs: [Test, Load-Test]

   Just copy the steps from theprevious jobs.

9. Commit your changes to themain branch. The workflow will run automatically. Navigate to the new workflow run and inspect the workflow designer, which nicely shows the parallel execution. The workflow will pause before executingProduction and will wait for approval (seeFigure 1.31):

Figure 1.31 – The workflow will stop before an environment with required reviewers and wait for approval

10. ClickReview deployment, checkProduction, and add an optional comment. ClickApprove and deploy to start executing theProduction job (seeFigure 1.32):

Figure 1.32 – Approving a protected environment

The workflow will execute completely, and the result should look likeFigure 1.33. Note that the URL is displayed in theProduction environment. Also, note the history of approvals in theworkflow summary:

Figure 1.33 – The final summary of the workflow

Open the individual jobs and inspect the output of the step we added (seeFigure 1.34). The secrets and variables are used from the repository and are only overridden if we set them inan environment:

Figure 1.34 – The production secret is only available to the production environment after approval

There’s more…

If you are setting secrets or variables for an environment using the GitHub CLI, then you can specify them using the--env (-e) argument. For organization secrets, you set the visibility (--visibility or-v) toall,private, orselected. Forselected, you must specify one or more repos using--repos (-r):

$ gh secret set secret-name--env environment-name$ gh secret set secret-name--org org-v private$ gh secret set secret-name --org org-v selected -r repo

Environments have more options than we have used in this recipe. You can also configure a wait timer that will pause the workflow forn minutes (with a maximum of 30 days) before executing the deployment job for thatparticular environment.

There is also a new feature calledcustom deployment protection rules that is still in beta. This feature allows the creation of GitHub apps that can pause your deployment and wait for a specific condition. There are already apps from Datadog, Honeycomb, Sentry, New Relic, and ServiceNow (seehttps://docs.github.com/en/actions/deployment/protecting-deployments/configuring-custom-deployment-protection-rules#using-existing-custom-deployment-protection-rules). We’ll have a closer look at custom deployment rules inChapter 7,Release Your Software withGitHub Actions.

The true power of environment protection rules lies in thedeployment branch or tag rules. This canrestrict code that does not apply to branch protection rules from deploying to certain environments. This can include all kinds of checks – Codeowners approvals, code reviewers, deployments to certain other environments, SonarQube quality gates, and many other automated code checks (seehttps://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches formore information).