Securing API Keys for AI Services with GitHub Actions Secrets
PythonWhen working with GitHub Actions for your Continuous Integration/Continuous Deployment (CI/CD) workflows, it's essential to secure sensitive information such as API keys for AI services or any other external services. One way to do that is by using GitHub Actions Secrets, which are encrypted environment variables that you create in a repository or organization and can be used in GitHub Actions workflows.
GitHub Actions Secrets provide a secure mechanism to store sensitive data, and they help in maintaining the security and integrity of your application's operational environment. They are not exposed to the public, and only GitHub Actions Workflow has access to them during execution time. This ensures that sensitive credentials like API keys are not hardcoded into your workflow files or source code.
To set up and use secrets with GitHub Actions, you can declare them in your GitHub repository's settings, and then reference them in your workflow files using the secrets context. Pulumi provides a GitHub provider that can manage resources on GitHub, including actions, workflows, and secrets.
Here's a Pulumi Python program that demonstrates how to create a GitHub Actions secret. The program uses the
github.ActionsSecretresource to create a secret calledAI_SERVICE_API_KEYin a repository. The secret's value is a placeholder in this example, and you should replace it with the actual API key value or a secure way to retrieve it.import pulumi import pulumi_github as github # Replace these with your GitHub organization and repository names. github_organization = "my-organization" github_repository = "my-repository" api_key_value = "your-actual-api-key" # Replace with your actual API key, or securely fetch it. # Create a GitHub Actions secret in the specified repository. ai_service_api_key_secret = github.ActionsSecret("AI_SERVICE_API_KEY", repository=github_repository, secret_name="AI_SERVICE_API_KEY", plaintext_value=api_key_value ) # Export the name of the secret to confirm that the secret was created. pulumi.export("github_secret_name", ai_service_api_key_secret.secret_name)In this program, we first import the required Pulumi packages for Python. We define the organization and repository name variables, and we include the API key value (this should be replaced with a secure retrieval mechanism or the actual API key for your AI service).
We then create a
github.ActionsSecretresource which represents the GitHub Actions secret we want to create. We pass therepositoryandsecret_name(which should be the same as the key we'll use in our GitHub workflow), andplaintext_value, which is the actual value of the API key.Finally, we use
pulumi.exportto output the name of the created secret. This output confirms that the secret has been created successfully.Please note that you should not hardcode sensitive information like API keys in your code. The
api_key_valueshould be obtained from a secure source or environment variable when running the Pulumi program. The way of handlingapi_key_valuein this code is for illustrative purposes only.When running this Pulumi program, it will communicate with GitHub and create the secret in the specified repository. The secret can then be used in a GitHub Actions workflow like so:
jobs: sample_job: runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v2 - name: Use Secret run: | do_something_with_secret ${{ secrets.AI_SERVICE_API_KEY }}In the GitHub Actions workflow example, the secret is accessed using the
${{ secrets.<SECRET_NAME> }}syntax inside the job definition. This allows the workflow to use the API key without exposing it in the workflow file.Remember to keep your
pulumiprogram and actual API keys secure and safely manage access and permissions to the Pulumi stack and the GitHub environment accordingly.