The DfE technical guidance and its content is intended for internal use by the DfE community.

GitHub Actions

GitHub Actions is a powerful workflow system entirely defined in code. See the original documentation.

Working with Azure

To run GitHub Actions against Microsoft Azure, use the Azure Login action. The default policy is to create an environment secret in the repository and supply it with a JSON credential in the format:

{
   "clientId": "<GUID>",
   "clientSecret": "<STRING>",
   "subscriptionId": "<GUID>",
   "tenantId": "<GUID>",
   "resourceManagerEndpointUrl": "https://management.azure.com/"
}

These credentials are created through an Azure service principal.

Re-use existing work

Our central repository of tested GitHub Actions enables teams to set up their environments quickly and without needing to re-write existing actions. If you build something new, please consider adding it to the repo for everyone else to use.

Environment variables

Variables can be declared at the workflow level, or at the job and step level. Avoid declaring secrets at a global level if it can be done at a more local level. Environment variables are available as:

  • Workflow variable: ${{ env.MY_VAR }}
  • Shell variable inside run: run: echo "$MY_VAR"

Use the second form in run when possible, but be careful: a shell variable contained in the value (such as $HOME in the example below) won't be expanded.

env:
  TEST_DIR: $HOME/app/tests         # Contains a variable which should be expanded
...
    steps:
    - name: Check test directory
      run: |
        echo "$TEST_DIR"            # $HOME is not expanded
        echo "${{ env.TEST_DIR }}"  # $HOME is expanded
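
The difference between the two forms can be reproduced locally with the added example below, which is not part of the original guidance. The sed substitution is an assumed stand-in for the runner's expression step, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: emulates how a `run:` step receives TEST_DIR in each form.
# The sed call stands in for the runner's expression substitution (an
# assumption made for this demo, not the runner's actual code).

# Value exactly as declared under `env:` in the workflow (constructed sample).
TEST_DIR='$HOME/app/tests'
export TEST_DIR

# Shell form: the shell reads the value from the environment at run time and
# does not re-scan it, so the text "$HOME" stays literal.
shell_form() {
    sh -c 'printf "%s\n" "$TEST_DIR"'
}

# Expression form: the value is pasted into the script text first, and only
# then does the shell parse the result, so "$HOME" is expanded as shell syntax.
expression_form() {
    template='printf "%s\n" "${{ env.TEST_DIR }}"'
    script=$(printf '%s\n' "$template" | sed "s|\${{ env.TEST_DIR }}|$TEST_DIR|")
    sh -c "$script"
}

echo "shell form:      $(shell_form)"
echo "expression form: $(expression_form)"
```

Because the expression form is parsed as shell source, reserve it for values the workflow author controls and pass anything else through the shell form.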

ACT

ACT is a useful tool that lets you run GitHub Actions from your command line before checking them into GitHub and running them on the server.

Installation

To install, follow the instructions.

Tips

Secrets

To use secrets, use the shell export command to create environment variables, for example:

export GOVUKPAAS_USERNAME=<GOVUKPAAS_USERNAME>
export GOVUKPAAS_PASSWORD=<GOVUKPAAS_PASSWORD>

Then run the act command line from the root of the cloned repository:

act -s GOVUKPAAS_USERNAME -s GOVUKPAAS_PASSWORD

Commit SHA

If your action refers to the commit SHA, you will need to supply this as an environment variable. It should be added to an env file. Example with test.env:

GITHUB_SHA=ad46c15da83d85b9f97d7bbcbac6f2fc3e24efa7

Then run the act command:

act --env-file test.env -s GOVUKPAAS_PASSWORD ...

Dependabot

GitHub Actions are generally supplied by the Marketplace and can occasionally become out of date. To help prevent this, you can use the GitHub Dependabot tool.

Follow the Dependabot documentation to configure it for GitHub Actions.