Protect External Secrets in GitHub Actions

Matt Conway

Co-founder & CTO

GitHub Actions and CloudTruth

Protecting sensitive configuration items like passwords, API keys, and encryption keys has always been a challenge. Because this data is needed at nearly every stage of a software deployment workflow (build, deploy, and run time), many organizations take the easy route: they forgo more secure methods and rely on homegrown schemes to inject secrets into CI/CD pipelines. Those schemes lead to misconfigurations and potential security flaws, which is why it is important to protect external secrets in GitHub Actions.

With CloudTruth and GitHub Actions, there is no longer any excuse for handling secrets insecurely.
In this blog post, you will learn how CloudTruth solves the problem of configuration scattered across tools and protects your sensitive information when working with GitHub Actions. You will see how CloudTruth makes it easier to manage configuration by environment (Dev/Test/Prod) in GitHub Actions, so a workflow can securely fetch exactly the configuration it needs at each stage of the deployment process.

Protecting External Secrets in GitHub Actions Workflows

GitHub Actions workflows can shave critical time off deployments and, through automation, ensure a more standardized, tested deployment process. Complementing workflows is GitHub Secrets, GitHub's built-in way for organizations to store sensitive values and reference them from workflows without committing them to the repository.

GitHub Secrets are widely used and do serve their purpose: sensitive configuration stored in GitHub and readable by workflows. But they have drawbacks. They are a general-purpose store scoped to a repository, an organization, or a GitHub Environment, and they were not designed to be the source of truth for the other tools in your deployment pipeline. Nothing outside a GitHub workflow can read them, so the same secret tends to be copied by hand into every other system that needs it, and each copy is one more place it can leak or drift.

Working with CloudTruth Secrets in GitHub Actions

CloudTruth Secrets take GitHub Secrets a step further. Imagine a single place to store and retrieve all sensitive information, not just the values used by GitHub workflows. By integrating GitHub workflows with CloudTruth Secrets, a workflow can retrieve sensitive information not only from GitHub Secrets but from any secret created in CloudTruth.

Organizations access CloudTruth Secrets from a workflow through the cloudtruth/configure-action GitHub Action. Calling this action gives the job access to all of the configuration in a CloudTruth project, scoped to the environment you name.
You set the action up by storing a CloudTruth API key as a GitHub Actions secret; the action reads that one secret to authenticate to CloudTruth and fetch the project's parameters for the requested environment. It then exports those values into the job's environment, where later steps read them as ordinary environment variables. Two cautions follow from that design. First, treat the API key as the high-value secret it is: it is the single credential through which the workflow reaches every CloudTruth secret it can use, so grant it no more access than the workflow needs and rotate it like any other credential. Second, anything in the job environment is readable by every later step and every third-party action in that job, so never add a debugging step that dumps the environment, and pin the actions you run alongside it.

The configure-action snippet below shows how little is needed: a single GitHub secret holding the API key, after which later steps can read configuration values scoped to a specific environment.

# Fetch the project's configuration for one environment from CloudTruth
- name: Set environment from cloudtruth
  uses: cloudtruth/configure-action@v2
  with:
    # The only GitHub secret this needs: the CloudTruth API key
    apikey: "${{ secrets.CLOUDTRUTH_API_KEY }}"
    project: "project name"
    environment: "env name"

# Values fetched above are now available to later steps as environment variables
- name: Login to Docker Hub
  uses: docker/login-action@v1
  with:
    username: ${{ env.DOCKERHUB_USERNAME }}
    password: ${{ env.DOCKERHUB_PASSWORD }}

💡 You can find a great example of using the configure-action GitHub action in CloudTruth’s configure-action GitHub repo.
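A complete workflow that puts the pieces together, as an added example rather than code from the original post or from CloudTruth: the operator picks Dev/Test/Prod at dispatch time, the same name selects both the GitHub Environment (so production can be gated by required reviewers) and the CloudTruth environment, and the job's GITHUB_TOKEN is restricted to read-only. The project name `my-service`, the environment names, the image name, the parameter names DOCKERHUB_USERNAME and DOCKERHUB_PASSWORD, and the use of docker/login-action@v3 are assumptions, not taken from the post.

```yaml
name: Build and publish

on:
  workflow_dispatch:
    inputs:
      environment:
        description: "Target environment (assumed CloudTruth environment names)"
        type: choice
        options: [development, staging, production]

# Least privilege for the job's GITHUB_TOKEN: this workflow only reads the repo.
permissions:
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    # Reusing the chosen name as the GitHub Environment lets protection rules
    # (required reviewers, branch restrictions) gate production runs.
    environment: ${{ inputs.environment }}
    steps:
      - uses: actions/checkout@v4

      # The only GitHub secret this workflow needs is the CloudTruth API key.
      # The action exports the project's parameters for the chosen environment
      # into the job environment for later steps.
      - name: Set environment from CloudTruth
        uses: cloudtruth/configure-action@v2
        with:
          apikey: ${{ secrets.CLOUDTRUTH_API_KEY }}
          project: my-service            # assumed project name
          environment: ${{ inputs.environment }}

      # Values fetched above are consumed as ordinary environment variables;
      # DOCKERHUB_USERNAME / DOCKERHUB_PASSWORD are assumed parameter names.
      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ env.DOCKERHUB_USERNAME }}
          password: ${{ env.DOCKERHUB_PASSWORD }}

      - name: Build and push image
        env:
          # assumed image name; the tag ties the artifact to environment and commit
          IMAGE: example/my-service:${{ inputs.environment }}-${{ github.sha }}
        run: |
          docker build -t "$IMAGE" .
          docker push "$IMAGE"
      # Do not add steps such as `run: env` or `printenv` to this job: everything
      # the CloudTruth action exported is readable by every step that follows it.
```

Run it from the Actions tab or with `gh workflow run` and pick an environment. If you store CLOUDTRUTH_API_KEY as a GitHub Environment secret rather than a repository secret, the job does not receive it until that environment's protection rules pass, and you can issue a separate, narrower CloudTruth API key per environment. Because every action in the job can read the exported variables, pin third-party actions to a commit SHA rather than a moving tag in production workflows.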

Conclusion

If you’re ready to start designing a vendor-agnostic secrets management system with all the security of GitHub Secrets, then it’s time to look into CloudTruth’s GitHub Actions integration.

With a single GitHub action, you can securely and efficiently access any secret you manage in CloudTruth, for whatever environment the job targets, right within a GitHub Actions workflow.