Examining environment variables in GitHub CI workflows

Written by

Rajnish Kumar Jha

Under the topic

Azure DevOps

Dated:

November 27, 2024

Table Of Content

Examining environment variables in GitHub CI workflows

Environment variables in GitHub Actions provide a way to store and access sensitive information, configuration values, or temporary data across jobs and steps in CI/CD workflows. These variables are critical for managing secrets, configuring build environments, and ensuring secure handling of sensitive data.

Types of Environment Variables

GitHub-Defined Variables: Automatically available in workflows (e.g., GITHUB_TOKEN, GITHUB_REPOSITORY, GITHUB_SHA).
Custom Environment Variables: Defined and managed within the workflow (env key in jobs or steps).
Secrets: Encrypted environment variables that are defined and stored in GitHub Secrets (e.g., API keys, database credentials).

1. GitHub-Defined Environment Variables

GitHub provides built-in environment variables that are useful for workflow metadata and GitHub-specific actions:

Variable	Description
`GITHUB_WORKFLOW`	Name of the current workflow.
`GITHUB_RUN_ID`	Unique ID of the current workflow run.
`GITHUB_REPOSITORY`	Full name of the repository (`owner/repo`).
`GITHUB_SHA`	SHA of the current commit.
`GITHUB_REF`	The reference (branch or tag) for the current run.
`GITHUB_TOKEN`	A GitHub token with permissions to perform actions on the repository.
`RUNNER_OS`	Operating system on the runner.

2. Custom Environment Variables

Custom environment variables are defined within the workflow using the env key at the job level or step level:

Example Workflow with Custom Environment Variables:


xxxxxxxxxx
22
1
name: CI Workflow
2
on:
3
  push:
4
    branches:
5
     - main
6
jobs:
7
  build:
8
    runs-on: ubuntu-latest
9
    env:
10
      NODE_ENV: production
11
      API_URL: https://api.example.com
12
    steps:
13
     - name: Checkout Repository
14
        uses: actions/checkout@v3
15
     - name: Setup Node.js
16
        uses: actions/setup-node@v3
17
        with:
18
          node-version: 16
19
     - name: Install Dependencies
20
        run: npm install
21
     - name: Run Tests
22
        run: npm test

In this example:

NODE_ENV and API_URL are custom environment variables.

3. Using Secrets as Environment Variables

GitHub Secrets are encrypted environment variables that are useful for storing sensitive information like API keys, tokens, or credentials.

Defining a Secret:

Navigate to the Settings tab of your repository.
Go to Secrets.
Add a new secret (e.g., MY_API_KEY).

Example Using Secrets:


xxxxxxxxxx
15
1
name: Deploy Workflow
2
on:
3
  push:
4
    branches:
5
     - main
6
jobs:
7
  deploy:
8
    runs-on: ubuntu-latest
9
    env:
10
      API_KEY: ${{ secrets.MY_API_KEY }}
11
    steps:
12
     - name: Checkout Repository
13
        uses: actions/checkout@v3
14
     - name: Deploy to Production
15
        run: ./deploy.sh --api-key ${{ env.API_KEY }}

In this case, MY_API_KEY is securely accessed via the GitHub Secrets system.

4. Accessing Environment Variables in Steps

You can access both custom environment variables and secrets within different steps of a workflow.

Example Access in a Step:


xxxxxxxxxx
5
1
steps:
2
   - name: Print Environment Variables
3
    run: |
4
      echo "NODE_ENV: $NODE_ENV"
5
      echo "API_URL: $API_URL"


xxxxxxxxxx
3
1
steps:
2
   - name: Print Secret
3
    run: echo "My API Key is: $MY_API_KEY"

5. Conditional Logic with Environment Variables

You can define conditional logic based on the value of environment variables.

Example: Conditional Step Execution


xxxxxxxxxx
13
1
jobs:
2
  deploy:
3
    runs-on: ubuntu-latest
4
    env:
5
      DEPLOY_ENV: production
6
    steps:
7
     - name: Check Deployment Environment
8
        run: |
9
          if [ "$DEPLOY_ENV" == "production" ]; then
10
            echo "Deploying to production"
11
          else
12
            echo "Not deploying to production"
13
          fi

Best Practices for Using Environment Variables

Use Secrets for Sensitive Data: Never hard-code sensitive information into workflows. Use encrypted secrets for storing API keys, tokens, or credentials.
Limit Access: Use permissions in workflows to restrict which environment variables are exposed to specific steps or jobs.
Environment Variables in Matrix Testing: Use dynamic values in environment variables to handle different configurations or matrix testing scenarios.
Avoid Hardcoding: Always define environment variables declaratively within the workflow YAML file for maintainability.
Debugging with Debug Logs: Enable debugging (ACTIONS_STEP_DEBUG) for detailed information on environment variables in use.

Summary

By leveraging environment variables effectively, GitHub Actions ensure secure, flexible, and dynamic CI workflows.

Course Navigation Learn Azure DevOps from scratch

Hand-on Demo – GitHub Flow for Continuous…

Hand-on Demo – GitHub Flow for Continuous Deliver…

A Guide to Azure Automation

A Guide to Azure Automation Azure Automation is a cloud…

Exploring Continuous Security Validation in DevOps

Exploring Continuous Security Validation in DevOps Cont…

Learn how to measure and manage Technical Debt

Learn how to measure and manage Technical Debt Technica…

Tags attached to this Post

About the Author

Rajnish Kumar Jha

MCT, MCSA, MCSE, MCAD, MCPD, MCTS, MCSD

My name is Rajnish Kumar Jha. I am Technical architect on Azure Cloud and .NET since 21+ years. I’ve worked for pioneer companies and as freelance trainer/consultant helping my clients to achieve their IT goals.

I find blogging, a great way to share back what I’ve learned all through my professional journey. You are welcome to connect or share feedback/suggestion here or through an email.