Intro

Goal: The goal of this article is to walk through how to store encrypted secrets in GitHub Actions so they can be used in NBDev's CI. From this post you will see how to add secrets to any GitHub Action, but the focus is on NBDev Continuous Integration.

What's Included in this post: The minimum needed to get secrets stored in a specific repository's GitHub Action.

Where can I find something more detailed on this topic? GitHub Docs. This guide is mostly a subset of the information that is on that page.

Background

What is NBDev? NBDev is a development environment for Python. It allows for "real" development in Jupyter notebooks that will automatically build documentation, run tests, and build the library based on those notebooks. All code, tests, and documentation are written in Jupyter Notebooks and the rest is automated to convert them into the appropriate formats.

What is a GitHub Action? A GitHub Action is a piece of code that runs on a specific trigger. For example, when updates are committed to GitHub, NBDev runs all the notebooks (which includes tests) to ensure that all tests still pass.

How to

Follow instructions for either the "Create Encrypted Secrets for Repo" section for individual permissions or "Create Encrypted Secrets for Organization" for organization level secrets. Further sections are the same regardless of which approach you take.

Note: A primary reason to use organization level secrets is that they can be used across the organization in multiple different repositories. This is convenient for minimizing redundancy.

Create Encrypted Secrets for Repo

In your repository go to Settings -> Secrets -> Add New Secret and add your secret.

Create Encrypted Secrets for Organization

Note: You must be an admin in your organization for this section.

Go to Settings -> Secrets -> Add New Secret and add your secret.

Note: For organization secrets there is an extra drop-down for you to manage permissions. This is the main difference between "Repository" secrets and "Organization" secrets. You need to select whether you want secrets to be for public repos, private repos, or specific repositories.

You can update which repositories have access to the secret by visiting the Settings -> Secrets page (the same place where you created the secret above) and selecting "Update".

Adding to Github Action

Note: I am demonstrating how to add a secret to the NBDev CI action, though the same thing can be done in any GitHub Action.

In your repository go to Actions -> CI -> Select most recent result.

Select "Workflow File" and then the edit symbol. This will give us the main workflow file in our repository for this action and allow us to edit it.

Add our "SUPERSECRET" to the environment in the "Run Tests" section. We do this by adding a little bit of code that takes the secret "SUPERSECRET" that we created in the repo earlier and exposes it as the environment variable "SUPER_SECRET".

Note: I could add multiple secrets here instead of just one, with one secret per line.

Here is what it looks like in the full workflow file.

Then you can commit this change right in your browser.

Accessing in Python

Now we can access this environment variable in the normal way in Python.

import os
superSecretKey = os.environ['SUPER_SECRET']
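
A fail-closed way to read the variable, as an added example that is not part of the original post: GitHub Actions expands a secret that is not available to the run (for example on a pull request from a fork) to an empty string, so an empty value is treated the same as a missing one. The helper names load_secret, secret_status and MissingSecretError are hypothetical, and the workflow step layout shown in the comment is an assumption; only "Run Tests", SUPERSECRET and SUPER_SECRET come from the post.

```python
import os

# Workflow side, for reference. The step layout is an assumption; the names
# "Run Tests", SUPERSECRET and SUPER_SECRET are the ones used in the post:
#   - name: Run Tests
#     env:
#       SUPER_SECRET: ${{ secrets.SUPERSECRET }}


class MissingSecretError(RuntimeError):
    """A required secret is absent or empty (hypothetical helper type)."""


def load_secret(name, environ=None):
    """Return the value of environment variable `name`, or fail closed.

    An unset secret reaches the job as an empty string, so empty and
    whitespace-only values are rejected along with a missing variable.
    """
    env = os.environ if environ is None else environ
    value = env.get(name, "")
    if not value.strip():
        # The message names the variable only; it never echoes a value.
        raise MissingSecretError(f"{name} is not available to this run")
    return value


def secret_status(name, environ=None):
    """Log-safe status line: says whether the secret is set, never what it is."""
    try:
        load_secret(name, environ)
    except MissingSecretError:
        return f"{name}: missing"
    return f"{name}: set"


if __name__ == "__main__":
    # Constructed environments standing in for three kinds of CI run.
    samples = {
        "push to the repo": {"SUPER_SECRET": "constructed-example-value"},
        "secret not granted": {"SUPER_SECRET": ""},
        "variable never mapped": {},
    }
    for label, env in samples.items():
        print(f"{label}: {secret_status('SUPER_SECRET', env)}")
```

Calling secret_status at the start of a test notebook gives a line that is safe to leave in the CI log, while load_secret stops the run early instead of letting an empty credential reach the code under test.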