Github Action Workflow and environment variable

xinhash · June 19, 2022, 7:50am

Hi,

I’m building a phoenix application and use Pow and Pow Assent for authentication. Pow assent requires sensitive information like provider ID and SECRET for social auth. GitHub - pow-auth/pow_assent: Multi-provider authentication for your Pow enabled app

These values are set via environment variables.

My GitHub action:

name: Fly Deploy

on:
  push:
    branches:
      - main

env:
  FLY_API_TOKEN: ${{ secrets.FLY_API_TOKEN }}
  FACEBOOK_AUTH_ID: ${{ secrets.FACEBOOK_AUTH_ID }}
  FACEBOOK_AUTH_SECRET: ${{ secrets.FACEBOOK_AUTH_SECRET }}
  GOOGLE_AUTH_ID: ${{ secrets.GOOGLE_AUTH_ID }}
  GOOGLE_AUTH_SECRET: ${{ secrets.GOOGLE_AUTH_SECRET }}

jobs:
  dependencies:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        elixir: ["1.13.4"]
        otp: ["24.3"]
    steps:
      - name: Cancel previous runs
        uses: styfle/cancel-workflow-action@0.9.1
        with:
          access_token: ${{ github.token }}
      - name: Checkout Github repo
        uses: actions/checkout@v3
      - name: Sets up an Erlang/OTP environment
        uses: erlef/setup-beam@v1
        with:
          elixir-version: ${{ matrix.elixir }}
          otp-version: ${{ matrix.otp }}
      - name: Retrieve cached dependencies
        uses: actions/cache@v3
        id: mix-cache
        with:
          path: |
            deps
            _build
          key: ${{ runner.os }}-${{ matrix.otp }}-${{ matrix.elixir }}-${{ hashFiles('mix.lock') }}
      - name: Install dependencies
        if: steps.mix-cache.outputs.cache-hit != 'true'
        run: |
          mix local.rebar --force
          mix local.hex --force
          mix deps.get
          mix deps.compile
  test:
    needs: dependencies
    runs-on: ubuntu-latest
    strategy:
      matrix:
        elixir: ["1.13.4"]
        otp: ["24.3"]
    services:
      db:
        image: postgres:latest
        ports: ["5432:5432"]
        env:
          POSTGRES_PASSWORD: postgres
        options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
    steps:
      - name: Cancel previous runs
        uses: styfle/cancel-workflow-action@0.9.1
        with:
          access_token: ${{ github.token }}
      - name: Checkout Github repo
        uses: actions/checkout@v3
      - name: Sets up an Erlang/OTP environment
        uses: erlef/setup-beam@v1
        with:
          elixir-version: ${{ matrix.elixir }}
          otp-version: ${{ matrix.otp }}
      - name: Retrieve cached dependencies
        uses: actions/cache@v3
        id: mix-cache
        with:
          path: |
            deps
            _build
          key: ${{ runner.os }}-${{ matrix.otp }}-${{ matrix.elixir }}-${{ hashFiles('mix.lock') }}
      - run: mix test

  deploy:
    needs: test
    name: Deploy app
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: superfly/flyctl-actions/setup-flyctl@master
      - run: flyctl deploy --remote-only

and Dockerfile

# Find eligible builder and runner images on Docker Hub. We use Ubuntu/Debian instead of
# Alpine to avoid DNS resolution issues in production.
#
# https://hub.docker.com/r/hexpm/elixir/tags?page=1&name=ubuntu
# https://hub.docker.com/_/ubuntu?tab=tags
#
#
# This file is based on these images:
#
#   - https://hub.docker.com/r/hexpm/elixir/tags - for the build image
#   - https://hub.docker.com/_/debian?tab=tags&page=1&name=bullseye-20210902-slim - for the release image
#   - https://pkgs.org/ - resource for finding needed packages
#   - Ex: hexpm/elixir:1.13.4-erlang-25.0-debian-bullseye-20210902-slim
#
ARG ELIXIR_VERSION=1.13.4
ARG OTP_VERSION=25.0
ARG DEBIAN_VERSION=bullseye-20210902-slim

ARG BUILDER_IMAGE="hexpm/elixir:${ELIXIR_VERSION}-erlang-${OTP_VERSION}-debian-${DEBIAN_VERSION}"
ARG RUNNER_IMAGE="debian:${DEBIAN_VERSION}"

FROM ${BUILDER_IMAGE} as builder

# install build dependencies
RUN apt-get update -y && apt-get install -y build-essential git \
    && apt-get clean && rm -f /var/lib/apt/lists/*_*

# prepare build dir
WORKDIR /app

# install hex + rebar
RUN mix local.hex --force && \
    mix local.rebar --force

# set build ENV
ENV MIX_ENV="prod"
ENV FACEBOOK_AUTH_ID=${FACEBOOK_AUTH_ID}
ENV FACEBOOK_AUTH_SECRET=${FACEBOOK_AUTH_SECRET}
ENV GOOGLE_AUTH_ID=${GOOGLE_AUTH_ID}
ENV GOOGLE_AUTH_SECRET=${GOOGLE_AUTH_SECRET}

# install mix dependencies
COPY mix.exs mix.lock ./
RUN mix deps.get --only $MIX_ENV
RUN mkdir config

# copy compile-time config files before we compile dependencies
# to ensure any relevant config change will trigger the dependencies
# to be re-compiled.
COPY config/config.exs config/${MIX_ENV}.exs config/
RUN mix deps.compile $FACEBOOK_AUTH_ID $FACEBOOK_AUTH_SECRETFACEBOOK_AUTH_SECRET $GOOGLE_AUTH_ID $GOOGLE_AUTH_SECRET

COPY priv priv

COPY lib lib

COPY assets assets

# compile assets
RUN mix assets.deploy

# Compile the release
RUN mix compile

# Changes to config/runtime.exs don't require recompiling the code
COPY config/runtime.exs config/

COPY rel rel
RUN mix release

# start a new build stage so that the final image will only contain
# the compiled release and other runtime necessities
FROM ${RUNNER_IMAGE}

RUN apt-get update -y && apt-get install -y libstdc++6 openssl libncurses5 locales \
  && apt-get clean && rm -f /var/lib/apt/lists/*_*

# Set the locale
RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && locale-gen

ENV LANG en_US.UTF-8
ENV LANGUAGE en_US:en
ENV LC_ALL en_US.UTF-8

WORKDIR "/app"
RUN chown nobody /app

# set runner ENV
ENV MIX_ENV="prod"
ENV FACEBOOK_AUTH_ID=${FACEBOOK_AUTH_ID}
ENV FACEBOOK_AUTH_SECRET=${FACEBOOK_AUTH_SECRET}
ENV GOOGLE_AUTH_ID=${GOOGLE_AUTH_ID}
ENV GOOGLE_AUTH_SECRET=${GOOGLE_AUTH_SECRET}

# Only copy the final release from the build stage
COPY --from=builder --chown=nobody:root /app/_build/${MIX_ENV}/rel/handsomegig ./

USER nobody

CMD ["/app/bin/server"]
# Appended by flyctl
ENV ECTO_IPV6 true
ENV ERL_AFLAGS "-proto_dist inet6_tcp"

I have added these env variables in GitHub secrets

In prod my application is unable to access these secrets. Can anybody cross check

msimonborg · June 19, 2022, 8:12am

If you do not want to hardcode the values into the Dockerfile but instead want to set them from your environment, then to make them available to the builder try setting the build args at the command line with the --build-arg option and declaring them in the Dockerfile with ARG:

# in Dockerfile
ARG ENV_VAR1
ARG ENV_VAR2
ENV ENV_VAR1=${ENV_VAR1}
ENV ENV_VAR2=${ENV_VAR2}

# in terminal
$ docker build --build-arg ENV_VAR1=${ENV_VAR1} --build-arg ENV_VAR2=${ENV_VAR2} .

msimonborg · June 19, 2022, 8:15am

I just noticed that you’re deploying to Fly, you can pass --build-arg options to fly deploy. If I want to deploy from my local machine, I’ve created a deploy shell script that does this for me so I just have to call ./deploy. Otherwise Github actions takes care of the rest. Here’s my Github actions, Dockerfile, and deploy script

# CI/CD
deploy:
  if: github.event.pull_request.merged || github.event_name == 'push'
  name: Deploy app
  needs: build
  env:
    FLY_API_TOKEN: ${{ secrets.FLY_API_TOKEN }}
    RELEASE_COOKIE: ${{ secrets.RELEASE_COOKIE }}
  runs-on: ubuntu-latest
  steps:
    - uses: actions/checkout@v2
    - uses: superfly/flyctl-actions/setup-flyctl@master
    - run: flyctl deploy --remote-only --build-arg RELEASE_COOKIE=${RELEASE_COOKIE}

# Dockerfile
ARG RELEASE_COOKIE
ENV RELEASE_COOKIE=${RELEASE_COOKIE}
COPY rel rel
RUN mix release

# ./deploy
#!/bin/bash

if [ -z "$RELEASE_COOKIE" ]; then
    echo "Set the RELEASE_COOKIE your project uses in the RELEASE_COOKIE ENV value before running this script"
    exit 1
fi

fly deploy --build-arg RELEASE_COOKIE=${RELEASE_COOKIE}

swarmcommerce · June 19, 2022, 9:00am

@xinhash As a side note, is there a specific reason that you are testing with OTP 24.3 and deploying to prod on OTP 25?

xinhash · June 20, 2022, 6:20am

Thanks for pointing that you. Just have been hacking things using elixir and phoenix. Might have forgotten to update while copying

xinhash · June 20, 2022, 7:48am

Thanks for nudging me in right direction. But I found out following things:

You shouldn’t pass sensitive info via –build-arg link
Use secrets instead
If you have to pass env variables in flyctl deploy. Do it via –env or -e link

To check if secrets or env is being set correctly use flyctl config env

So my final GitHub Action script is

name: Fly Deploy

on:
  push:
    branches:
      - main

env:
  FLY_API_TOKEN: ${{ secrets.FLY_API_TOKEN }}
  FACEBOOK_AUTH_ID: ${{ secrets.FACEBOOK_AUTH_ID }}
  FACEBOOK_AUTH_SECRET: ${{ secrets.FACEBOOK_AUTH_SECRET }}
  GOOGLE_AUTH_ID: ${{ secrets.GOOGLE_AUTH_ID }}
  GOOGLE_AUTH_SECRET: ${{ secrets.GOOGLE_AUTH_SECRET }}

jobs:
  dependencies:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        elixir: ["1.13.4"]
        otp: ["25.0.1"]
    steps:
      - name: Cancel previous runs
        uses: styfle/cancel-workflow-action@0.9.1
        with:
          access_token: ${{ github.token }}
      - name: Checkout Github repo
        uses: actions/checkout@v3
      - name: Sets up an Erlang/OTP environment
        uses: erlef/setup-beam@v1
        with:
          elixir-version: ${{ matrix.elixir }}
          otp-version: ${{ matrix.otp }}
      - name: Retrieve cached dependencies
        uses: actions/cache@v3
        id: mix-cache
        with:
          path: |
            deps
            _build
          key: ${{ runner.os }}-${{ matrix.otp }}-${{ matrix.elixir }}-${{ hashFiles('mix.lock') }}
      - name: Install dependencies
        if: steps.mix-cache.outputs.cache-hit != 'true'
        run: |
          mix local.rebar --force
          mix local.hex --force
          mix deps.get
          mix deps.compile
  test:
    needs: dependencies
    runs-on: ubuntu-latest
    strategy:
      matrix:
        elixir: ["1.13.4"]
        otp: ["25.0.1"]
    services:
      db:
        image: postgres:latest
        ports: ["5432:5432"]
        env:
          POSTGRES_PASSWORD: postgres
        options: --health-cmd pg_isready --health-interval 10s --health-timeout 5s --health-retries 5
    steps:
      - name: Cancel previous runs
        uses: styfle/cancel-workflow-action@0.9.1
        with:
          access_token: ${{ github.token }}
      - name: Checkout Github repo
        uses: actions/checkout@v3
      - name: Sets up an Erlang/OTP environment
        uses: erlef/setup-beam@v1
        with:
          elixir-version: ${{ matrix.elixir }}
          otp-version: ${{ matrix.otp }}
      - name: Retrieve cached dependencies
        uses: actions/cache@v3
        id: mix-cache
        with:
          path: |
            deps
            _build
          key: ${{ runner.os }}-${{ matrix.otp }}-${{ matrix.elixir }}-${{ hashFiles('mix.lock') }}
      - run: mix test

  deploy:
    needs: test
    name: Deploy app
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: superfly/flyctl-actions/setup-flyctl@master
      - run: flyctl deploy --remote-only

Dockerfile

# Find eligible builder and runner images on Docker Hub. We use Ubuntu/Debian instead of
# Alpine to avoid DNS resolution issues in production.
#
# https://hub.docker.com/r/hexpm/elixir/tags?page=1&name=ubuntu
# https://hub.docker.com/_/ubuntu?tab=tags
#
#
# This file is based on these images:
#
#   - https://hub.docker.com/r/hexpm/elixir/tags - for the build image
#   - https://hub.docker.com/_/debian?tab=tags&page=1&name=bullseye-20210902-slim - for the release image
#   - https://pkgs.org/ - resource for finding needed packages
#   - Ex: hexpm/elixir:1.13.4-erlang-25.0-debian-bullseye-20210902-slim
#
ARG ELIXIR_VERSION=1.13.4
ARG OTP_VERSION=25.0.1
ARG DEBIAN_VERSION=bullseye-20210902-slim

ARG BUILDER_IMAGE="hexpm/elixir:${ELIXIR_VERSION}-erlang-${OTP_VERSION}-debian-${DEBIAN_VERSION}"
ARG RUNNER_IMAGE="debian:${DEBIAN_VERSION}"

FROM ${BUILDER_IMAGE} as builder

# install build dependencies
RUN apt-get update -y && apt-get install -y build-essential git \
    && apt-get clean && rm -f /var/lib/apt/lists/*_*

# prepare build dir
WORKDIR /app

# install hex + rebar
RUN mix local.hex --force && \
    mix local.rebar --force

# set build ENV
ENV MIX_ENV="prod"

# install mix dependencies
COPY mix.exs mix.lock ./
RUN mix deps.get --only $MIX_ENV
RUN mkdir config

# copy compile-time config files before we compile dependencies
# to ensure any relevant config change will trigger the dependencies
# to be re-compiled.
COPY config/config.exs config/${MIX_ENV}.exs config/
RUN mix deps.compile

COPY priv priv

COPY lib lib

COPY assets assets

# compile assets
RUN mix assets.deploy

# Compile the release
RUN mix compile

# Changes to config/runtime.exs don't require recompiling the code
COPY config/runtime.exs config/

COPY rel rel
RUN mix release

# start a new build stage so that the final image will only contain
# the compiled release and other runtime necessities
FROM ${RUNNER_IMAGE}

RUN apt-get update -y && apt-get install -y libstdc++6 openssl libncurses5 locales \
  && apt-get clean && rm -f /var/lib/apt/lists/*_*

# Set the locale
RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && locale-gen

ENV LANG en_US.UTF-8
ENV LANGUAGE en_US:en
ENV LC_ALL en_US.UTF-8

WORKDIR "/app"
RUN chown nobody /app

# set runner ENV
ENV MIX_ENV="prod"

# Only copy the final release from the build stage
COPY --from=builder --chown=nobody:root /app/_build/${MIX_ENV}/rel/handsomegig ./

USER nobody

CMD ["/app/bin/server"]
# Appended by flyctl
ENV ECTO_IPV6 true
ENV ERL_AFLAGS "-proto_dist inet6_tcp"