[HN Gopher] GitHub Actions by Example
___________________________________________________________________
GitHub Actions by Example
Author : macintoshpie
Score : 211 points
Date : 2022-01-24 17:23 UTC (5 hours ago)
(HTM) web link (www.actionsbyexample.com)
(TXT) w3m dump (www.actionsbyexample.com)
| cstuder wrote:
| Maybe this thread is the right place to ask a usage question: I
| have a multiline GitHub Secret which I would like to print out to
| a `.env` file in a GitHub Action. How can I do that?
|
| My current solution doesn't support spaces within the secret
| content:
|
|     - name: Write .env
|       run: |
|         echo $ENV_FILE | tr ' ' '\n' > .env
|       shell: bash
|       env:
|         ENV_FILE: ${{secrets.DOTENV}}
|
| Writing a multiline secret string directly into a file replaces
| all newlines with spaces. The `tr` command converts them back to
| newlines.
| xyzzy_plugh wrote:
| You have to quote your variable expansion.
|
| Also using echo is bad form; instead try `cat <<<$ENV_FILE >.env`
| nagisa wrote:
| `echo "$ENV_FILE"`, maybe? `echo $ENV_FILE` (without quotes)
| will split the environment variable by separators in $IFS and
| pass each chunk as separate argument.
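An added example (not from the thread, not from the site) that runs the two variants side by side: the unquoted `echo $ENV_FILE` from the question, and a quoted `printf '%s\n' "$ENV_FILE"` that keeps the secret byte-for-byte. The secret value is a constructed sample standing in for `${{ secrets.DOTENV }}`; in a real step it would arrive through the step's `env:` block.

```shell
#!/usr/bin/env bash
# Added example: writing a multi-line secret to a .env file without losing
# newlines. SAMPLE_SECRET is a constructed stand-in for ${{ secrets.DOTENV }}.

# Constructed sample secret: two lines, one of which contains a space.
SAMPLE_SECRET='API_KEY=abc123
GREETING=hello world'

# Variant from the question: the unquoted expansion is word-split on $IFS
# (spaces and newlines alike), echo joins the words with single spaces, and
# tr then puts every token, including "hello" and "world", on its own line.
write_env_unquoted() {
  local target=$1
  local ENV_FILE=$2
  echo $ENV_FILE | tr ' ' '\n' > "$target"
}

# Fixed variant: the quoted expansion is passed as one argument, so newlines
# survive. printf is used instead of echo so a value starting with "-" or
# containing backslashes is not interpreted as options or escapes. The
# subshell keeps the umask change local: the file holds a secret, so it is
# created readable only by the runner user.
write_env_quoted() {
  local target=$1
  local ENV_FILE=$2
  ( umask 077; printf '%s\n' "$ENV_FILE" > "$target" )
}

# Helper: number of lines in a file, printed without padding.
line_count() { wc -l < "$1" | tr -d ' '; }
```

Run with `write_env_quoted .env "$ENV_FILE"` inside the step; the unquoted variant is kept only to show the failure mode the question describes.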
| pqb wrote:
| Nice idea, worth mentioning other features:
|
| - Reusable workflows (note: matrix strategy doesn't work here):
| https://docs.github.com/en/actions/using-workflows/reusing-w...
|
| - Creating an action:
| https://docs.github.com/en/actions/creating-actions/metadata...
|
| - Composite actions: https://docs.github.com/en/actions/creating-
| actions/creating...
|
| - Fact, the "uses" in step can be a relative path in the same
| repository (obviously, you must checkout the code, when it uses a
| relative path): https://docs.github.com/en/actions/using-
| workflows/workflow-...
|
| - Script as an action: https://github.com/actions/github-script
|
| - Using GitHub Packages and artifacts:
| https://docs.github.com/en/actions/publishing-packages/about...
|
| - Using docker-compose-like services that run alongside of the
| container: https://docs.github.com/en/actions/using-
| containerized-servi...
|
| - Using heredoc to share multi-line JSON in an environment
| variable, also using fromJSON/toJSON functions:
|
|     - name: get-version
|       id: get-version
|       run: |-
|         echo 'JSON_RESPONSE<<EOF' >> $GITHUB_ENV
|         cat package.json >> $GITHUB_ENV
|         echo 'EOF' >> $GITHUB_ENV
|     - name: print-version
|       run: echo "${{ fromJSON(env.JSON_RESPONSE).version }}"
|
| - The matrix/strategy of the dependent workflow can be created
| dynamically, like in the following workflow:
| https://github.com/googleapis/google-cloud-go/blob/83bbc2e7c...
|
| And many, many more :)
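An added example (not from the thread or from any GitHub project) for the heredoc item above. It writes a multi-line value into the `$GITHUB_ENV` file in the `NAME<<DELIMITER` form the runner reads, but picks a delimiter that does not occur on its own line inside the value. With a fixed `EOF`, a value containing a line `EOF` ends the block early and the rest of the value is parsed as further environment definitions, which matters when the value is a file you did not author. The JSON is a constructed stand-in for `package.json`; the `ghadelim` base name is an arbitrary choice.

```shell
#!/usr/bin/env bash
# Added example: append NAME=<multi-line value> to the env file in heredoc
# form, with a delimiter guaranteed not to collide with a line of the value.

# Constructed stand-in for the contents of package.json.
SAMPLE_JSON='{
  "name": "demo",
  "version": "1.2.3"
}'

# Choose a delimiter that does not appear as a whole line in the value.
# The base name and the deterministic _1, _2, ... suffixes are assumptions;
# a real step could just as well append $RANDOM or a UUID.
pick_delimiter() {
  local value=$1 base=ghadelim n=0 d
  d=$base
  while printf '%s\n' "$value" | grep -qx -- "$d"; do
    n=$((n + 1))
    d="${base}_$n"
  done
  printf '%s' "$d"
}

# Append the heredoc block to the env file (pass "$GITHUB_ENV" in a step).
append_multiline_env() {
  local name=$1 value=$2 envfile=$3 delim
  delim=$(pick_delimiter "$value")
  {
    printf '%s<<%s\n' "$name" "$delim"
    printf '%s\n' "$value"
    printf '%s\n' "$delim"
  } >> "$envfile"
}
```

In a workflow the call is `append_multiline_env JSON_RESPONSE "$(cat package.json)" "$GITHUB_ENV"`; later steps then read `env.JSON_RESPONSE` exactly as in the snippet above.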
| macintoshpie wrote:
| Sick! I've been meaning to add more to this for a while, thanks
| for the suggestions
| keewee7 wrote:
| >Inspired by Go by Example
|
| One of the best tutorials for people coming to Go from other
| languages:
|
| https://gobyexample.com/
| synergy20 wrote:
| I wish the UI had a left sidebar with a scrollable TOC, so I
| don't need to jump back to the home page to pick a different subject.
| I asked the same to gobyexample.com's author and was told they
| have no intention to change.
| systemvoltage wrote:
| I disagree, I think the simplicity of this page is its
| strength and its beauty. I wish more sites were designed this
| way.
| bilalq wrote:
| I wish more people wrote docs in this fashion. I almost always
| end up skipping official docs in favor of digging around for blog
| posts going over code examples on things.
| samhw wrote:
| It's not unheard of. A few examples come to mind:
|
| - Go By Example: https://gobyexample.com/
|
| - Rust By Example: https://doc.rust-lang.org/rust-by-example/
|
| - V [a weird knockoff of Go] By Example:
| https://v-community.gitbook.io/v-by-example/
|
| There's also 'Learn X in Y Minutes'
| (https://learnxinyminutes.com/), which covers a range of
| different 'X'es. They make it ridiculously easy to get going
| with a new tool/language, IMO. It's a superb paradigm in
| general.
| suyash wrote:
| I loved the simplicity and directness of the UI too. Especially
| like the feature where the mouse cursor maps to code blocks; how
| did you create this? I'd like to use this framework if
| possible for tech blogs.
| macintoshpie wrote:
| Thanks! The page itself is just simple HTML and tables. I
| generated it from YAML files with a custom HTML generator,
| see for example: https://github.com/macintoshpie/ghactionsbye
| xample/blob/df6f...
| nyanpasu64 wrote:
| > Actions reduce workflow steps by providing reusabe[sic] "code"
| for common tasks. To run an action, you include the uses keyword
| pointing to a GitHub repo with the pattern {owner}/{repo}@{ref}
| or {owner}/{repo}/{path}@{ref} if it's in a subdirectory. A ref
| can be a branch, tag, or SHA.
|
| Aside from the typo, I wonder how many packages could be
| backdoored at once, if an action maintainer went rogue, seeing as
| there's no pinning for actions by default, and (according to
| https://github.com/msys2/setup-msys2/blob/main/HACKING.md) moving
| a tag is the default way to push updates to an action.
| (Interestingly get-cmake/run-cmake/run-vcpkg are all operated by
| the same person.)
| macintoshpie wrote:
| Oops thanks for the catch
| fierro wrote:
| the most bizarre thing about GH actions is the I/O mechanic where
| you produce outputs by executing `echo ::set-output
| name=<name>::<value>`.
| donatj wrote:
| Agreed, the whole inline-signaling aspect of that makes me a
| little uncomfortable.
| gfunk911 wrote:
| I might love this. Last time I checked on the Actions docs, they
| seemed to say a lot, while still leaving me confused somehow.
| mrbuzzinfrog wrote:
| It's pretty terrible if you compare it to CircleCI or GitLab
| from 4 years ago. I'm a big fan of GitLab, seems like the only
| company pushing things forward in an _elegant manner_, used it
| heavily in the startup world. Using GitHub again these days. I
| cry every time I need to do GHA stuff. Current setup of Github
| + CircleCI is miles more elegant as it was 6 years ago.
| yjftsjthsd-h wrote:
| I like gitlab, but I'm not sure _elegant_ is the word I'd
| use for them; they have a severe case of wanting to check all
| the boxes for features, but it can be a little clunky to see
| how the parts work together. My pick for elegance would be
| sourcehut. On the other hand, they all seem to work pretty
| decently and the clunkiness isn't _that_ bad, so I keep using
| it:)
| jpthurman wrote:
| This makes sense - the main reason GitLab took off is
| vertical integration with CI/CD which Github is catching up
| on. Github has the long game in mind and with its size and
| preponderance of OSS I see it taking over when they innovate
| to a more usable level.
| jonny_eh wrote:
| > they seemed to say a lot, while still leaving me confused
| somehow
|
| Saying a lot and causing confusion usually go hand-in-hand.
| nefitty wrote:
| Actions was my first experience with YAML and it made me want
| to bark at my monitor. No, I'm not a dog.
| phalangion wrote:
| We can't know that https://en.wikipedia.org/wiki/On_the_Int
| ernet,_nobody_knows_...
| natrys wrote:
| While dealing with an unfamiliar project recently, being able to
| run actions locally with act[1] was a great time saver for me:
|
| [1] https://github.com/nektos/act
| terhechte wrote:
| Thanks! I searched for something like this recently and
| couldn't find it! Should be linked in the Actions docs.
| thinkafterbef wrote:
| Incoming shameless plug: if you don't want to have to handle
| hosting runners, but still want to reap the benefits of having
| proper hardware (close to the metal), check out BuildJet for
| GitHub actions[1] - 2x the speed for half the price. Easy to
| install and easy to revert.
|
| [1] https://buildjet.com/for-github-actions
| Grimburger wrote:
| staticassertion wrote:
| https://docs.github.com/en/actions/security-guides/security-...
|
| Probably worth checking out this guide. GHA can be a pretty scary
| thing.
| jshier wrote:
| None of that is scary. Pretty much all of that advice applies
| to systems you run internally. I do wish GHA had a solution for
| secure file injection, which solutions like Jenkins already
| have, so we didn't need a janky workaround for JSON blobs.
| ghotli wrote:
| I too love "Go by Example" and refer to it often. Makes me want
| it for all the things.
|
| Shot in the dark, anyone know of one for hot-off-the-presses
| modern Python (3.10) with typing akin to Golang? All the modern
| additions really need a comprehensive overview like Go by Example
| somehow manages to do in a very lightweight style.
| erwincoumans wrote:
| Nice and simple explanation. Never looked at the docs, I used the
| Github 'workflow' to automatically create an action for CMake and
| CTest (C++ code) and just followed the steps without customizing.
| It just worked out-of-the-box, the autogenerated yaml file is
| here: https://github.com/google-research/tiny-differentiable-
| simul...
| 0xbadcafebee wrote:
| Every CI system in existence is reinventing the exact same wheel:
| "I want to run some random task" + event hooks + secrets + logs +
| plugins + integrations. It's so ridiculous that more of them keep
| being created - and are _losing functionality_. GHA has all these
| configs in YAML (there's a user-friendly config file...) but
| doesn't let you run parameterized builds in their web UI? .....
| _why?_
|
| We shouldn't be writing all these jobs in a format that only
| works for one CI system. You spend months writing Jenkinsfiles,
| and then you move to CircleCI and have to rewrite all of them,
| and then move to Drone and have to rewrite all of them, and then
| move to CodeBuild/CodePipeline and have to rewrite all of them,
| and then move to GitHub Actions and have to rewrite all of them.
| Eventually we'll rewrite them all for something else. And why? To
| run the same exact tests on a slightly different system.
| yebyen wrote:
| > doesn't let you run parameterized builds in their web UI?
|
| It doesn't? https://github.blog/changelog/2021-11-10-github-
| actions-inpu...
|
| Maybe it didn't 6 months ago, but it seems this is an option
| now, and well-documented.
|
| This is a topic of interest for me, I presented on Jenkins and
| GitOps to an audience at KubeCon who I suspect are almost all
| interested in moving away from Jenkins, or have been told to be
| interested in switching from Jenkins to something else, and I
| tried to get the idea across that they probably don't really
| need to switch the workflow tool even if it's ancient, ...
|
| But maybe should consider subbing out some of the important
| fiddly bits underneath it (like, I assume the vast majority of
| Jenkins users are building images with Docker, and if they're
| running on Kubernetes, they're many of them wondering what they
| will do, or how long they really have before they have to start
| worrying about the deprecation of dockershim and how their
| lives are going to change when their clusters won't be running
| Docker under the hood anymore?)
|
| I was actually arguing for a tool like Porter.sh to come in and
| make the boundaries of "what's in a build" super neat and tidy,
| organized, but also limited so the next time they feel
| compelled to switch workflow tooling, it will be a non-issue
| and can be over and finished inside of a single day's work. The
| problem isn't that your workflow tool is too old, it's that
| you've jammed too much arbitrary complexity inside of it,
| probably because the right abstraction was not made available
| to you at the time. "Switching off of Jenkins" just means
| building a second system and it comes with all the baggage of
| "second system syndrome" to do so.
|
| Sure it's difficult switching from Jenkins, when you've built
| this gigantic pipeline with 18 branches and 12 of them run in
| parallel, half of them are configured with different options
| passed to the docker build tool, half of them must use buildx,
| and the third half of them are unmaintained so we don't go in
| there... so put some guard rails up around the hard parts! And
| get somebody in there to take care of those cobwebs.
| 0xbadcafebee wrote:
| I'm glad it's an option now! That was crazy that it took 3
| years for this feature to show up, though.
|
| I think we need a few more "12 Factor App"-style guidelines
| for modern systems. 12 Factor goes a long way to abstract
| away the tendency for implementation lock-in. But we can
| probably create a few more guidelines specific to CI so it's
| portable. Use OAuth, use the same authorization layer as your
| VCS, tie secrets and artifacts to the VCS repo, make every
| plugin a Docker container. (I'm stealing these concepts from
| Drone because it has the best cloud-native design I've ever
| seen)
|
| The final unsolved bit is how to manage a DAG of jobs and
| hooks around every event in a portable way. We probably need
| a universal CI spec and API, but maybe that's too specific.
|
| Also: holy crap, I don't think I've seen Porter.sh before, I
| love the idea! Definitely going to look into that
| qbasic_forever wrote:
| It's why I like tekton, it's a CI system for kubernetes so
| you're letting kubernetes solve all those problems. I have far
| more faith that k8s will be alive and kicking and not breaking
| core things like secrets, logs, container execution, etc. in
| painful ways in the future than anything else.
|
| In general though I try to put all the CI work into a simple
| shell or similar script and then just configure whatever CI
| system is in use to call it in the appropriate environment (in
| a container, bespoke VM, etc.). I agree putting all kinds of
| complexity in a unique CI system is just asking for trouble
| down the road as it's now basically a hard dependency for your
| code to be shippable.
| asciiii wrote:
| I really like the format and layout of this.
| Kreotiko wrote:
| Word of advice, if you are thinking of running self hosted
| runners and use Actions for your organisation, do yourself a
| favour and check them out in a year or two and use something like
| Argo Workflows or Tekton instead.
|
| GHA isn't a product designed for GH private organisations; you
| will find that every much-needed feature for this use case is very
| low on GH's roadmap.
| longcommonname wrote:
| Could you provide more details?
| Kreotiko wrote:
| Sure, the main things for me are:
|
| It doesn't matter how smart you are with reusable workflows
| you will never get to a truly DRY setup that scales for
| dozens of repositories.
|
| Another major pain is that we still don't have private actions.
| It was due end of 2021 (maybe it is out now but I checked a
| couple of days ago).
|
| Setting up runners to look after a pool of repositories needs
| elevated permissions.
|
| GH offers a way to enforce a list of enabled actions but this
| does not work with private binary registries hosting prebuilt
| Docker actions. The only thing that could prevent you from
| pulling software at runtime from the internet, which means,
| if you want to have a decent security posture all you are
| left with is referencing actions using the full git sha
| version.
|
| Many common use cases require hacks, which is fun for a
| weekend project but isn't great for a large scale operation.
| An example is simply running a workflow dynamically targeting
| the folders containing changes. At the moment you have to
| create a job, generate a build matrix on the fly and pass it
| in input as the matrix to the actual job.
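An added example (not from the thread, not a GitHub tool) for two points raised above: nyanpasu64's observation that a moved tag changes what an action runs with no change to your own repository, and Kreotiko's fallback of referencing actions by full git SHA. It is a small audit that lists every remote `uses:` reference in a workflow file whose ref is not a 40-hex-character commit SHA. Local actions (`./path`) and `docker://` references are skipped because SHA pinning does not apply to them in the same way. The workflow text and the 40-character SHA in it are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example: list `uses:` references that are not pinned to a commit SHA.
# A branch or tag can be moved by the action's maintainer; a full SHA cannot.

# Constructed workflow text. The SHA below is a made-up 40-hex placeholder.
SAMPLE_WORKFLOW='name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-thing
      - uses: owner/repo/subdir@main
      - run: make test'

# Print each remote `uses:` reference whose ref is not a 40-hex SHA, one per
# line. Takes the workflow text as its argument. Trailing comments and
# surrounding quotes are stripped before checking; local and docker://
# references are excluded. Prints nothing when everything is pinned.
unpinned_uses() {
  printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*-\{0,1\}[[:space:]]*uses:[[:space:]]*//p' |
    sed 's/[[:space:]]*#.*$//' |
    tr -d "\"'" |
    grep -v -e '^\./' -e '^docker://' |
    grep -v -E '@[0-9a-f]{40}$' || true
}

# Number of unpinned references, for use as a gate in a script (0 = clean).
unpinned_count() {
  unpinned_uses "$1" | grep -c . || true
}
```

Run it over a real file with `unpinned_uses "$(cat .github/workflows/ci.yml)"`; a non-zero `unpinned_count` is the signal that a tag or branch reference is still in use. Pinning to a SHA only fixes the reference, so the usual companion is a dependency-update bot or a periodic review to move the pins forward deliberately.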
___________________________________________________________________
(page generated 2022-01-24 23:02 UTC)