-
Hi there, I am currently working with colleagues on a small webapp that is based on PHP and a database. We have set up a workflow where every push to the master branch copies the repository to our test webserver. Until now we have always worked with ZIP files and email - now that is automated and simplified, but now we fail because the secrets do not work as we want them to. We don’t want to store the real database accesses, but rather a variable that is replaced by the real credential when it is delivered to the web server, so that the web server gets a running webapp while there is no critical data in the repository. Is there a way to automate this or do we have to upload manually again? Thank you very much in advance!
Replies: 20 comments
-
That’s what GitHub secrets are, aren’t they? docs.github.com: Encrypted secrets - GitHub Docs
-
Yes, exactly. I always use them for the Action / Deploy process to store my FTP credentials. But now I have a repository containing a PHP file with credentials for my database and I don’t want to expose them. I hoped that there is a way to hide them with secrets.
-
idea; can I create a file via
-
I haven’t tested it personally, but the documentation describes how to commit an encrypted file and decrypt it using a secret. Maybe that would help?
-
Having any sort of credentials hardcoded in a PHP file sounds like a bad idea. Why don’t you let PHP read the credentials from environment variables, for instance?
-
Can you be more specific? I know there is such a thing, but I don’t think I’ve really worked with it.
-
Something along the following, with the database password stored as GitHub secret with name SCRIPT_CREDENTIALS:
script.php:
php.net: PHP: getenv - Manual
-
Sorry, I was on the road for a few days and could not test nor answer anything. Your solution looks good, would do that. In the converted file on the server you will only find the variables but not the modified data (the content of the variables).
The folder is in the correct path on the server, it just seems like the php command doesn’t work. Does that need a special package?
-
Can you check what the working directory is with Looks like it cannot find
-
Thanks a lot for this! I want to do the same using Python and email credentials, instead. In Python I’m using
-
To quote from your Stackoverflow post:
The problem is that you’re turning setting a text block for
I also highly recommend moving the pip install to a separate, previous step so it doesn’t have access to the secrets. Principle of least privilege and all that.
-
Thank you, it worked! And thank you for the recommendation to move
-
.py file
.yml file
ERROR Please help me solve this problem
-
Are you using Python 2?
-
There was an issue with the GitHub secrets: I was setting secrets in the environment instead of the repo.
-
I am trying to use the above approach in a Flutter web app with no success,
can I replace it with
-
maheshmnj:
No, because your code isn’t processed by the workflow parser. In general it’s better to read the secret value from an environment variable or configuration file at runtime. Your workflow can then set that environment variable from a secret, or write the configuration file before calling your application.
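One way to do the "write the configuration file before calling your application" step from the reply above, for the PHP webapp in the original question. This is an added example, not code from any participant in this thread: `DB_HOST`, `DB_USER`, `DB_PASSWORD` and the output path are assumed names, mapped from secrets in the workflow step's `env:` block (for example `DB_PASSWORD: ${{ secrets.DB_PASSWORD }}`).

```shell
#!/bin/sh
# Added example: render a PHP config file from environment variables at deploy time,
# so the repository holds no credentials. All names here are assumptions.

# Quote a value as a PHP single-quoted string literal. Only backslash and
# single quote are special there; backslashes must be escaped first.
php_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g")"
}

# Fail on an empty value. A secret that is not defined where the workflow
# looks for it expands to an empty string instead of raising an error.
require_var() {  # $1 = variable name, $2 = its value
  if [ -z "$2" ]; then
    echo "missing required variable: $1" >&2   # log the name, never the value
    return 1
  fi
}

render_db_config() {  # $1 = output file, e.g. deploy/config/db.php (assumed path)
  require_var DB_HOST "${DB_HOST:-}" || return 1
  require_var DB_USER "${DB_USER:-}" || return 1
  require_var DB_PASSWORD "${DB_PASSWORD:-}" || return 1
  (
    umask 077   # file is created owner-only before any secret is written
    {
      printf '<?php\n'
      printf '// Generated at deploy time. Do not commit.\n'
      printf 'return [\n'
      printf "    'host' => %s,\n" "$(php_quote "$DB_HOST")"
      printf "    'user' => %s,\n" "$(php_quote "$DB_USER")"
      printf "    'password' => %s,\n" "$(php_quote "$DB_PASSWORD")"
      printf '];\n'
    } > "$1"
  )
}

# In the workflow's run step, before the upload:
#   render_db_config deploy/config/db.php
```

The application would load the result with `$db = require 'config/db.php';`, and the generated file belongs in `.gitignore` so it can never be committed by accident.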
-
Thanks for the reply
Does the env file have to be already present, or will it get created with the content? And what should the run key do? I did not specify the run key and the test failed with an error
-
The
What you define in
-
Hi from 2023,
Something along the following, with the database password stored as GitHub secret with name SCRIPT_CREDENTIALS:
script.php:
php.net: PHP: getenv - Manual