[HN Gopher] GitHub Actions by Example ___________________________________________________________________ GitHub Actions by Example Author : macintoshpie Score : 211 points Date : 2022-01-24 17:23 UTC (5 hours ago) (HTM) web link (www.actionsbyexample.com) (TXT) w3m dump (www.actionsbyexample.com) | cstuder wrote: | Maybe this thread is the right place to ask a usage question: I | have a multiline GitHub Secret which I would like to print out to | a `.env` file in a GitHub Action. How can I do that? | | My current solution doesn't support spaces within the secret | content: - name: Write .env run: | | echo $ENV_FILE | tr ' ' '\n' > .env shell: bash | env: ENV_FILE: ${{secrets.DOTENV}} | | Writing a multiline secret string directly into a file replaces | all newlines with spaces. The `tr` command converts them back to | newlines. | xyzzy_plugh wrote: | You have to quote your variable expansion. | | Also using echo is bad form, instead try cat | <<<$ENV_FILE >.env | nagisa wrote: | `echo "$ENV_FILE"`, maybe? `echo $ENV_FILE` (without quotes) | will split the environment variable by separators in $IFS and | pass each chunk as separate argument. | pqb wrote: | Nice idea, worth mentioning other features: | | - Reusable workflows (note: matrix strategy doesn't work here): | https://docs.github.com/en/actions/using-workflows/reusing-w... | | - Creating an action: | https://docs.github.com/en/actions/creating-actions/metadata... | | - Composite actions: https://docs.github.com/en/actions/creating- | actions/creating... | | - Fact, the "uses" in step can be a relative path in the same | repository (obviously, you must checkout the code, when it uses a | relative path): https://docs.github.com/en/actions/using- | workflows/workflow-... | | - Script as an action: https://github.com/actions/github-script | | - Using GitHub Packages and artifacts: | https://docs.github.com/en/actions/publishing-packages/about... | | - Using docker-compose-like services that run alongside of the | container: https://docs.github.com/en/actions/using- | containerized-servi... | | - Using heredoc to share multi-line JSON in an environment | variable, also using fromJSON/toJSON functions: - | name: get-version id: get-version run: |- | echo 'JSON_RESPONSE<<EOF' >> $GITHUB_ENV cat | package.json >> $GITHUB_ENV echo 'EOF' >> $GITHUB_ENV | - name: print-version run: echo "${{ | fromJSON(env.JSON_RESPONSE).version }}" | | - The matrix/strategy of the dependent workflow can be created | dynamically, like in the following workflow: | https://github.com/googleapis/google-cloud-go/blob/83bbc2e7c... | | And many, many more :) | macintoshpie wrote: | Sick! I've been meaning to add more to this for a while, thanks | for the suggestions | keewee7 wrote: | >Inspired by Go by Example | | One of the best tutorials for people coming to Go from other | languages: | | https://gobyexample.com/ | synergy20 wrote: | I wish the UI has a left sidebar with scroll-able TOC, so I | don't need jump back to home page to pick a different subject. | I asked the same to gobyexample.com's author and was told they | have no intention to change. | systemvoltage wrote: | I disagree, I think the simplicity of this page is its | strength and its beauty. I wish more sites were designed this | way. | bilalq wrote: | I wish more people wrote docs in this fashion. I almost always | end up skipping official docs in favor of digging around for blog | posts going over code examples on things. | samhw wrote: | It's not unheard of. A few examples come to mind: | | - Go By Example: https://gobyexample.com/ | | - Rust By Example: https://doc.rust-lang.org/rust-by-example/ | | - V [a weird knockoff of Go] By Example: | https://v-community.gitbook.io/v-by-example/ | | There's also 'Learn X in Y Minutes' | (https://learnxinyminutes.com/), which covers a range of | different 'X'es. They make it ridiculously easy to get going | with a new tool/language, IMO. It's a superb paradigm in | general. | suyash wrote: | I loved the simplicity and directness of the UI too. Specially | like the feature where mouse cursor maps to code blocks, how | did you create this ? I'd like to use this framework if | possible for tech blogs. | macintoshpie wrote: | Thanks! The page itself is just simple HTML and tables. I | generated it from YAML files with a custom HTML generator, | see for example: https://github.com/macintoshpie/ghactionsbye | xample/blob/df6f... | nyanpasu64 wrote: | > Actions reduce workflow steps by providing reusabe[sic] "code" | for common tasks. To run an action, you include the uses keyword | pointing to a GitHub repo with the pattern {owner}/{repo}@{ref} | or {owner}/{repo}/{path}@{ref} if it's in a subdirectory. A ref | can be a branch, tag, or SHA. | | Aside from the typo, I wonder how many packages could be | backdoored at once, if an action maintainer went rogue, seeing as | there's no pinning for actions by default, and (according to | https://github.com/msys2/setup-msys2/blob/main/HACKING.md) moving | a tag is the default way to push updates to an action. | (Interestingly get-cmake/run-cmake/run-vcpkg are all operated by | the same person.) | macintoshpie wrote: | Oops thanks for the catch | fierro wrote: | the most bizarre thing about GH actions is the I/O mechanic where | you produce outputs by executing `echo ::set-output | name=<name>::<value>.` | donatj wrote: | Agreed, the whole inline-signaling aspect of that makes me a | little uncomfortable. | gfunk911 wrote: | I might love this. Last time I checked on the Actions docs, they | seemed to say a lot, while still leaving me confused somehow. | mrbuzzinfrog wrote: | It's pretty terrible if you compare it to CircleCI or GitLab | from 4 years ago. I'm a big fan of GitLab, seems like the only | company pushing things forward in an _elegant matter_, used it | heavily in the startup world. Using GitHub again these days. I | cry every time I need to do GHA stuff. Current setup of Github | + CircleCI is miles more elegant as it was 6 years ago. | yjftsjthsd-h wrote: | I like gitlab, but I'm not sure _elegant_ is the word I 'd | use for them; they have a severe case of wanting to check all | the boxes for features, but it can be a little clunky to see | how the parts work together. My pick for elegance would be | sourcehut. On the other hand, they all seem to work pretty | decently and the clunkiness isn't _that_ bad, so I keep using | it:) | jpthurman wrote: | This makes sense - the main reason GitLab took off is | vertical integration with CI/CD which Github is catching up | on. Github has the long game in mind and with it's size and | preponderance of OSS I see it taking over when they innovate | to a more useable level. | jonny_eh wrote: | > they seemed to say a lot, while still leaving me confused | somehow | | Saying a lot and causing confusion usually go hand-in-hand. | nefitty wrote: | Actions was my first experience with YAML and it made me want | to bark at my monitor. No, I'm not a dog. | phalangion wrote: | We can't know that https://en.wikipedia.org/wiki/On_the_Int | ernet,_nobody_knows_... | natrys wrote: | While dealing with an unfamiliar project recently, being able to | run actions locally with act[1] was a great time saver for me: | | [1] https://github.com/nektos/act | terhechte wrote: | Thanks! I searched for something like this recently and | couldn't find it! Should be linked in the Actions docs. | thinkafterbef wrote: | Incoming shameless plug; if you don't have to handle the | hosting runners, but still to reap the benefits of having | proper hardware (close to the metal). Check out BuildJet for | GitHub actions[1] - 2x the speed for half the price. Easy to | install and easy to revert. | | [1] https://buildjet.com/for-github-actions | Grimburger wrote: | staticassertion wrote: | https://docs.github.com/en/actions/security-guides/security-... | | Probably worth checking out this guide. GHA can be a pretty scary | thing. | jshier wrote: | None of that is scary. Pretty much all of that advice applies | to systems you run internally. I do wish GHA had a solution for | secure file injection, which solutions like Jenkins already | have, so we didn't need a janky workaround for JSON blobs. | ghotli wrote: | I too love "Go by Example" and refer to it often. Makes me want | it for all the things. | | Shot in the dark, anyone know of one for hot-off-the-presses | modern Python (3.10) with typing akin to Golang? All the modern | additions really need a comprehensive overview like Go by Example | somehow manages to do in a very lightweight style | erwincoumans wrote: | Nice and simple explanation. Never looked at the docs, I used the | Github 'workflow' to automatically create an action for CMake and | CTest (C++ code) and just followed the steps without customizing. | It just worked out-of-the-box, the autogenerated yaml file is | here: https://github.com/google-research/tiny-differentiable- | simul... | 0xbadcafebee wrote: | Every CI system in existence is reinventing the exact same wheel: | "I want to run some random task" + event hooks + secrets + logs + | plugins + integrations. It's so ridiculous that more of them keep | being created - and are _losing functionality_. GHA has all these | configs in YAML (there 's a user-friendly config file...) but | doesn't let you run paramaterized builds in their web UI? ..... | _why?_ | | We shouldn't be writing all these jobs in a format that only | works for one CI system. You spend months writing Jenkinsfiles, | and then you move to CircleCI and have to rewrite all of them, | and then move to Drone and have to rewrite all of them, and then | move to CodeBuild/CodePipeline and have to rewrite all of them, | and then move to GitHub Actions and have to rewrite all of them. | Eventually we'll rewrite them all for something else. And why? To | run the same exact tests on a slightly different system. | yebyen wrote: | > doesn't let you run paramaterized builds in their web UI? | | It doesn't? https://github.blog/changelog/2021-11-10-github- | actions-inpu... | | Maybe it didn't 6 months ago, but it seems this is an option | now, and well-documented. | | This is a topic of interest for me, I presented on Jenkins and | GitOps to an audience at KubeCon who I suspect are almost all | interested in moving away from Jenkins, or have been told to be | interested in switching from Jenkins to something else, and I | tried to get the idea across that they probably don't really | need to switch the workflow tool even if it's ancient, ... | | But maybe should consider subbing out some of the important | fiddly bits underneath it (like, I assume the vast majority of | Jenkins users are building images with Docker, and if they're | running on Kubernetes, they're many of them wondering what they | will do, or how long they really have before they have to start | worrying about the deprecation of dockershim and how their | lives are going to change when their clusters won't be running | Docker under the hood anymore?) | | I was actually arguing for a tool like Porter.sh to come in and | make the boundaries of "what's in a build" super neat and tidy, | organized, but also limited so the next time they feel | compelled to switch workflow tooling, it will be a non-issue | and can be over and finished inside of a single day's work. The | problem isn't that your workflow tool is too old, it's that | you've jammed too much arbitrary complexity inside of it, | probably because the right abstraction was not made available | to you at the time. "Switching off of Jenkins" just means | building a second system and it comes with all the baggage of | "second system syndrome" to do so. | | Sure it's difficult switching from Jenkins, when you've built | this gigantic pipeline with 18 branches and 12 of them run in | parallel, half of them are configured with different options | passed to the docker build tool, half of them must use buildx, | and the third half of them are unmaintained so we don't go in | there... so put some guard rails up around the hard parts! And | get somebody in there to take care of those cobwebs. | 0xbadcafebee wrote: | I'm glad it's an option now! That was crazy that it took 3 | years for this feature to show up, though. | | I think we need a few more "12 Factor App"-style guidelines | for modern systems. 12 Factor goes a long way to abstract | away the tendency for implementation lock-in. But we can | probably create a few more guidelines specific to CI so it's | portable. Use OAuth, use the same authorization layer as your | VCS, tie secrets and artifacts to the VCS repo, make every | plugin a Docker container. (I'm stealing these concepts from | Drone because it has the best cloud-native design I've ever | seen) | | The final unsolved bit is how to manage a DAG of jobs and | hooks around every event in a portable way. We probably need | a universal CI spec and API, but maybe that's too specific. | | Also: holy crap, I don't think I've seen Porter.sh before, I | love the idea! Definitely going to look into that | qbasic_forever wrote: | It's why I like tekton, it's a CI system for kubernetes so | you're letting kubernetes solve all those problems. I have far | more faith that k8s will be alive and kicking and not breaking | core things like secrets, logs, container execution, etc. in | painful ways in the future than anything else. | | In general though I try to put all the CI work into a simple | shell or similar script and then just configure whatever CI | system is in use to call it in the appropriate environment (in | a container, bespoke VM, etc.). I agree putting all kinds of | complexity in a unique CI system is just asking for trouble | down the road as it's now basically a hard dependency for your | code to be shippable. | asciiii wrote: | I really like the format and layout of this. | Kreotiko wrote: | Word of advice, if you are thinking of running self hosted | runners and use Actions for your organisation, do yourself a | favour and check them out in a year or two and use something like | Argo Workflows or Tekton instead. | | GHA isn't a product thought for GH private organisations, you | will find that every much needed feature for this use is very low | in GH roadmap. | longcommonname wrote: | Could you provide more details? | Kreotiko wrote: | Sure, the main things for me are: | | It doesn't matter how smart you are with reusable workflows | you will never get to a truly DRY setup that scales for | dozens of repositories. | | Another major pain is that we still haven't private actions. | It was due end of 2021 (maybe it is out now but I checked a | couple of days ago). | | Setting up runners to look after a pool of repositories needs | elevated permissions. | | GH offers a way to enforce a list of enabled actions but this | does not work with private binary registries hosting pre | built Docker actions. The only thing that could prevent you | to pull software at runtime from the internet, which means, | if you want to have a decent security posture all you are | left with is referencing actions using the full git sha | version. | | Many common use case require hacks, which is fun for a | weekend project but isn't great for a large scale operation. | An example is simply running a workflow dynamically targeting | the folders containing changes. At the moment you have to | create a job, generate a build matrix on the fly and pass it | in input as the matrix to the actual job. ___________________________________________________________________ (page generated 2022-01-24 23:02 UTC)