Secrets, Variables, Keys, and Environment Vars

Secrets, Variables, and Keys demo

This page walks through the .allspice/workflows/04-Secrets-variables-keys.yml workflow in the AllSpice Actions demo repo. The workflow demonstrates how secrets and variables are used, and how they improve security and functionality in continuous integration and deployment processes.

Debug actions commit.

.allspice/workflows/04-Secrets-variables-keys.yml

# Secrets, Variables, and Keys demo
# This workflow demonstrates how to use secrets, variables, and keys in the workflow
# AllSpice Actions documentation: https://learn.allspice.io/docs/actions-cicd
name: Secrets-Variables-Keys-Demo
on: 
  push:
  issues:
    types: [opened, closed, reopened]

jobs:
  py-allspice-test:
    runs-on: ubuntu-latest
    steps:
      # Check out repository code
      - name: "[📚->🖥️] Check out repository code"
        uses: actions/checkout@v3

      # Print repository action variable VARIABLE_NAME and value
      - name: Print repository Action variable 🔎
        run: |
          echo "Repository variable VARIABLE_NAME = ${{ vars.VARIABLE_NAME }}"
          echo "Repository variables are stored in ${{ allspice.server_url }}/${{ allspice.repository }}/settings/actions/variables"
      
      - name: Use Secret 🔎
        # Store the secret in an environment variable ENV_SECRET
        env:
          ENV_SECRET: ${{ secrets.YOUR_SECRET }}

        # Demonstrate how to use secrets in the workflow
        run: |
          echo "Secrets are stored in ${{ allspice.server_url }}/${{ allspice.repository }}/settings/actions/secrets"
          echo "Secrets are only available to the repository admins and the workflow"
          echo "Store API Tokens in secrets and use them in the workflow without exposing them"
          echo "Secrets are not printed to the terminal for security reasons and will be replaced with ***"
          echo "Using secret from /settings/actions/secrets YOUR_SECRET=${{ secrets.YOUR_SECRET }}"
          echo "Using secret from stored environment variable ENV_SECRET=$ENV_SECRET"

Actions variables

Variables allow you to configure text-based values that can change independently of the workflow files. Variables are for non-secret values.

To add a variable, visit Repository→Settings→Actions→Variables→Add

In this example, the variable name is VARIABLE_NAME and the value stored for the variable is variable-value

Actions demo settings in variables management.

The workflow file prints the name of the variable and the value stored in the variable using ${{ vars.VARIABLE_NAME }}

Additionally, this workflow will print the location of your repository actions variables.

echo "Repository variable VARIABLE_NAME = ${{ vars.VARIABLE_NAME }}"
echo "Repository variables are stored in ${{ allspice.server_url }}/${{ allspice.repository }}/settings/actions/variables"

Actions secrets

Secrets are very similar to variables, except that once you store a value in a secret, you can’t read it back using the web app or in Actions. You can use the secret in your workflow and code, but the system will obscure any secret values. This allows you to store things like API tokens, passwords, and other sensitive information without exposing them to other users.

Access to secrets is restricted to repository admins.

To add a secret, visit your repository→Settings→Actions→Secrets→Add secret

Actions demo repository settings. Under Actions, Secrets is selected. The page is titled Secrets management, with Add secret to the right.

Here is a snippet showing the secret used in two ways. The first method reads the secret directly with ${{ secrets.YOUR_SECRET }}. The second method stores the secret in an environment variable and reads it from that variable.

      - name: Use Secret 🔎
        # Store the secret in an environment variable ENV_SECRET
        env:
          ENV_SECRET: ${{ secrets.YOUR_SECRET }}

        # Demonstrate how to use secrets in the workflow
        run: |
          echo "Secrets are stored in ${{ allspice.server_url }}/${{ allspice.repository }}/settings/actions/secrets"
          echo "Secrets are only available to the repository admins and the workflow"
          echo "Store API Tokens in secrets and use them in the workflow without exposing them"
          echo "Secrets are not printed to the terminal for security reasons and will be replaced with ***"
          echo "Using secret from /settings/actions/secrets YOUR_SECRET=${{ secrets.YOUR_SECRET }}"
          echo "Using secret from stored environment variable ENV_SECRET=$ENV_SECRET"
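
A step that reads a secret through its env: mapping sees only the mapped name (ENV_SECRET here), so a script that reads the wrong name silently gets an empty string. The following is an added example, not code from the AllSpice demo repo: a POSIX shell pre-flight check that fails the step when a required variable is missing and logs names only. require_env is a hypothetical helper name and the sample token is constructed.

```sh
#!/bin/sh
# Added example (not from the AllSpice demo repo): pre-flight check for a step
# that receives a secret through its env: mapping, as ENV_SECRET does above.
# require_env is a hypothetical helper name.

# require_env NAME...
#   returns 0 if every named variable is set and non-empty,
#   1 if at least one is unset or empty, 2 if a name is not a valid identifier.
#   Only variable names are written to the log, never values.
require_env() {
    missing=0
    for name in "$@"; do
        # Accept plain identifiers only, so the eval below never sees shell syntax.
        case "$name" in
            ''|[0-9]*|*[!A-Za-z0-9_]*)
                echo "invalid variable name" >&2
                return 2 ;;
        esac
        eval "value=\${$name-}"   # indirect lookup; expands to empty when unset
        if [ -z "$value" ]; then
            echo "missing required environment variable: $name" >&2
            missing=1
        fi
    done
    unset value
    return "$missing"
}

# Constructed sample value so the block runs outside a workflow; in a real step
# the value comes from the step's env: mapping of secrets.YOUR_SECRET.
ENV_SECRET="${ENV_SECRET:-constructed-sample-token}"

# ENV_SECRET is mapped, so this check passes.
if require_env ENV_SECRET; then
    echo "ENV_SECRET is set (value not printed)"
fi

# YOUR_SECRET is the secret's name in the repository settings, not an
# environment variable in the step, so reading $YOUR_SECRET yields nothing.
unset YOUR_SECRET
if ! require_env YOUR_SECRET 2>/dev/null; then
    echo "YOUR_SECRET is not in the environment; read ENV_SECRET instead"
fi
```

In a workflow, call `require_env ENV_SECRET || exit 1` as the first line of the step's run script so a missing or misnamed secret stops the job before any tool uses an empty credential.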

Using Environment Variables

Environment variables can be defined at different levels: workflow-wide, job-specific, or step-specific.

Workflow-Wide Environment Variables:

env:
  Parts_lib: '/your-organization/Component-library.git'

Job-Specific Environment Variables:

jobs:
  Design-Review:
    env:
      REVIEW_ENV: 'Schematic'

Step-Specific Environment Variables:

steps:
  - name: Check PCB design environment
    run: kicad-cli check
    env:
      PCB_DESIGN_DEBUG: 'true'

  - name: Run hardware simulation
    run: ./simulate_hardware.sh
    env:
      SIMULATION_MODE: 'test'

  - name: Build firmware
    run: ./build_firmware.sh
    env:
      FIRMWARE_DEBUG: 'true'

Debugging

Visit our Actions debugging repository to learn more about debugging secrets and Actions.

