I love GitHub Actions and I am keen to migrate my employer’s CI/CD processes to it. Right now there are a couple of unfortunate blockers stopping that. I thought it would be worth making a feature request here for a) visibility and b) to see if anyone else is in this situation.
As far as I can see, it is only possible to set secrets at a per-repo level. Ideally this would be at a per-org level as we have 1000+ repos and repo-level management becomes unwieldy/impossible at that level. EDIT: I see a request for this already.
Right now, the only way to authenticate to our AWS environments is to create an IAM user and store its access key ID and secret access key as secrets in GitHub. This is a blocker for us as we don’t use IAM users at all. We want to have granular roles and different repos should have different levels of access - creating a huge number of IAM users to cater to this won’t work.
Ideally GitHub Actions would provide an environment variable with a JWT that identifies a handful of properties about the job. Things like repo name, org name, etc - basically the event.json signed by GitHub. We would then be able to use this JWT to retrieve AWS credentials through the AssumeRoleWithWebIdentity API. We’d then be able to create policies limiting access, etc - and not need to store any secrets in the repo.
Interestingly, there is already a JWT in the Actions runtime environment named ACTIONS_RUNTIME_TOKEN. However, this doesn’t seem to have many useful fields and is primarily used for authentication to the internal cache?
Additionally, self-hosted runners are something we are keen to avoid - and don’t _really_ solve the problem. While they would give us an instance profile to start with, we still wouldn’t have a GitHub-signed copy of the event.json – so we’d have to trust developers not to play funny games with that file. And as a cheeky developer, I know that can’t be relied upon. Also, GitHub-hosted runners are a big part of the appeal of GitHub Actions.
Is anyone else in this situation? Is this a use case GitHub Actions aims to support?
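The AWS side of the flow the post asks for, as an added example that is not from the original poster: an IAM role trust policy for AssumeRoleWithWebIdentity that only admits a signed job token from one repo and branch, plus a local stand-in for the STS condition check. The provider host name, the `aud` value and the `repo:<org>/<repo>:ref:refs/heads/<branch>` shape of the `sub` claim are assumptions, not anything the post specifies.

```python
"""Added example (not from the original post): an IAM role trust policy for
AssumeRoleWithWebIdentity that admits only tokens minted for one repository
and branch, plus an evaluator that mimics how STS checks the Condition block.
Assumed, not from the post: the provider host, the ``aud`` value and a ``sub``
claim shaped ``repo:<org>/<repo>:ref:refs/heads/<branch>``."""
import fnmatch

PROVIDER = "oidc.example-ci.invalid"   # hypothetical OIDC issuer host
ACCOUNT_ID = "123456789012"            # constructed sample AWS account id


def trust_policy(org: str, repo: str, branch: str = "main") -> dict:
    """Trust policy letting only jobs from org/repo on `branch` assume the
    role, so no long-lived IAM user keys have to be stored as repo secrets."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{PROVIDER}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                # aud pins the token to AWS STS; sub pins it to one repo/branch.
                "StringEquals": {f"{PROVIDER}:aud": "sts.amazonaws.com"},
                "StringLike": {f"{PROVIDER}:sub": f"repo:{org}/{repo}:ref:refs/heads/{branch}"},
            },
        }],
    }


def token_allowed(policy: dict, claims: dict) -> bool:
    """Local stand-in for the STS condition check: a statement matches only if
    every key under every operator agrees with the token claim of that name."""
    for stmt in policy["Statement"]:
        ok = True
        for op, pairs in stmt.get("Condition", {}).items():
            for key, want in pairs.items():
                have = claims.get(key.split(":", 1)[1])  # strip "provider:" prefix
                if op == "StringEquals":
                    ok &= have == want
                elif op == "StringLike":   # IAM wildcards * and ? map onto fnmatch
                    ok &= have is not None and fnmatch.fnmatchcase(have, want)
                else:
                    ok = False             # unknown operator: deny by default
        if ok:
            return True
    return False
```

Passing `branch="*"` widens the `sub` match to every branch of that repo, which is the trade-off to weigh against the per-repo granularity the post wants.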