Environment Variables and Secrets

CI/CD for Machine Learning

Ravi Bhadauria

Machine Learning Engineer

Contexts

Access information about predefined variables and data
- workflow runs
- variables
- runner environments
- jobs and steps
Access contexts using the expression syntax ${{ context.XXX }}

Contexts used in this course
- github: information about the workflow run
- env: variables set in the workflow
- secrets: names and values that are available to workflow
- job: info about the current job
- runner: info about the machine

¹ https://docs.github.com/en/actions/learn-github-actions/contexts

Variables

Store non-sensitive information in plain text
- compiler flags, usernames, file paths
Declared as value for env key
Global/local scope is controlled by the level where defined
Accessed from the env context as ${{ env.ENV_VAR }}

name: Greeting on variable day
# Global env
env:
  Greeting: Hello

jobs:
  greeting_job:
    runs-on: ubuntu-latest
    # Local env: scoped to greeting_job
    env:
      First_Name: Ravi

    steps:
      - run: | 
          echo "${{ env.Greeting }} \
          ${{ env.First_Name }}."

Secrets

Store sensitive information in encrypted manner
- passwords, API keys
Access values via secrets context
- ${{ secrets.SuperSecret }}
Can store them as input or environment variable

steps:
  - name: Hello world action
    env: # Set the secret as an env var
      super_secret: ${{ secrets.SuperSecret }}

    with: # Or as an input
      super_secret: ${{ secrets.SuperSecret }}

Printing secret

steps:
- name: Print secret
  run: |
    echo "my secret is \
    ${{ secrets.SuperSecret }}"

Output

Image of workflow log showing that *** is printed instead of actual value of secret

Setting secrets

Image showing the settings tab on a repository landing page

Go to Security > Secrets and Variables > Actions

Image displaying how to select secret tab

Setting secrets

Image displaying how to set the secret name and value

GITHUB_TOKEN secret

Built in secret provided by GitHub Actions
Used to perform workflow actions
- Cloning the repository and fetching code
- Opening and closing issues and pull requests
- Commenting on issues and pull requests
Automatically available in every GitHub Actions workflow
- Accessed via ${{ secrets.GITHUB_TOKEN }}
Permissions can be tuned to the right degree

Example: commenting on a pull request

Grant permissions to write comments in PR

permissions: 
  pull-requests: write

Use GITHUB_TOKEN to authorize

permissions: 
  pull-requests: write 
steps:
  - name: Comment PR
    uses: thollander/actions-comment-pull-request@v2
    with:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      message: |
        Hello world ! :wave:

Snippet from pull request page showing automatic comment by the github-actions bot

¹ https://gist.github.com/rbhadauria29/6d7fc51944b4fb48425c3c307fec77c6

Let's practice!

CI/CD for Machine Learning