The GitHub Actions plugin enables you to automate workflows for your GitHub-hosted repositories. With this plugin, you can pull secrets from the Akeyless Vault Platform directly into your workflows.

To work with the GitHub Actions plugin:

Create a GitHub Repository

Create a new directory and initialize it as a git repository by running:

git init

Stage all the files in the directory by running:

git add .

Commit all the staged files by running:

git commit -m "Initial Commit"

On GitHub, create a new repository. In this example, it's called Akeyless-vault-example.

Perform an initial commit to the new repository by running:

git remote add origin https://github.com/<your_account>/<your_repository>.git
git branch -M main
git push -u origin main

Set Up Akeyless Authentication Credentials for the Repository

On GitHub, navigate to the main page of the repository, and select Settings > Secrets > New repository secret.
Name the secret VAULT_TOKEN.
Set the secret value in the following format : <access_id>..<access_key>. For example:

Select Add secret.

The GitHub repository is now configured with an access token for the Akeyless Vault Platform.

Set Up a GitHub Self-Hosted Runner

The GitHub self-hosted runner enables you to start a runner instance on an instance that you manage. Your workstation can be used if it is supported.

On GitHub, navigate to the main page of the repository, and select Settings > Actions > Runners > Add runner.
Select the operating system and architecture of your self-hosted runner machine.
Follow the instructions in the Download section to prepare a directory for the GitHub runner and then download the runner.
Follow the instructions in the Configure section to configure the runner to connect to GitHub with a token GitHub generates for the runner.

Define a Workflow for the GitHub Action

In a terminal, within the repository directory, create the directory .github/workflows.
In the new directory, create a workflow file named image-builder.yml with the following content, to define the name of the workflow and the frequency at which it triggers.

name: ImageBuilder
# Run this workflow every time a new commit pushed to your repository.
on: push
jobs:
  build:
    runs-on: self-hosted
    steps:
      - uses: actions/[email protected]
      - name: Import Secrets
        uses: hashicorp/[email protected]
        env:
            ACTIONS_ALLOW_UNSECURE_COMMANDS: 'true'
        with:
          url: https://hvp.akeyless.io
          tlsSkipVerify: true
          token: ${{ secrets.VAULT_TOKEN }}
          secrets: |
            secret/data/ci app_secret | app_secret ;
      - name: Secret from Akeyless
        run: echo "${{ env.app_secret }}"

📘
If you are working with your own Akeyless Gateway, set the value of the url field as your Akeyless Gateway URL on port 8200. For example, https://akeyless-gw:8200.

Note that the token used to authenticate is set to the VAULT_TOKEN secret you defined in the GitHub repository.

The format required by GitHub Actions for secrets is:

secrets: |
  secret/data/ci app_secret | app_secret ;

where secret/data is a required prefix, followed by the secret path. In this example, the secret app_secret in the Akeyless Vault Plaform is stored in the ci folder. Therefore, the secret path is /ci/app_secret.

app_secret is the key name and | app_secret specifies the secret value which will be set into the app_secret variable.

Trigger the GitHub Runner

The workflow is triggered on every push to any branch of the repository.

Add the unstated files to be committed by running:

git add .
git commit -m "adds workflow to repo"
git push origin main

The GitHub self-hosted runner polls GitHub for changes. When a change is detected, the runner begins execution on the workflow. The build result can be seen in GitHub, in the Actions section.