In a project I’ve been working on we faced a problem. While using Github Actions to handle our CI/CD, we wanted to reuse our deployment scripts across all environments for each app. Thus giving us less code to maintain.

The plan was to set up identical secret keys (with different values though) in two different Github repo environments. The actions would trigger on changes to either the dev branch or the main branch. The source code from each branch would then be deployed to either the dev or production environment, using the dev or prod secrets accordingly.

But how do we make the action know when to get which secrets and where?

The following solution did the trick, but it’s a bit of a backyard hack. To follow along, you should have some basic knowledge of YAML and Github Actions.

Step 1

For this example I’ve added two environments in the repo from which I will build my app.

Two environments in a Github repo

They both contain a secret named MY_PRETTY_SECRET. Although they have the same name/key, they contain different values. This could for instance be an API key, a password, a URL or such. Depending on if I want to deploy this application to my dev environment or my production environment, I want to retrieve the corresponding value for that environment using only one script. Instead of having two identical scripts, each specific for each environment.

Click here to read more about environments in Github.

Step 2

Add a YAML file under the .github/workflows folder in your project

name: My pretty YAML script #presentation name of your script

  workflow_dispatch: #run this script on manual trigger in Github
  push:              #or on push to branches named main or dev
      - main
      - dev

jobs: #collection of jobs
  set-environment: #this is a job named 'set-environment'
    runs-on: ubuntu-latest #your preferred OS
    outputs: #the env value needs to be exposed as an output in order to be reached from other jobs
      current_env: ${{ steps.set_env.outputs.current_env }} #output variable to store the relevant environment
      - name: Check if prod
        if: endsWith(github.ref, '/main') #if the triggering branch is 'main'
        run: |
          echo "ENVIRONMENT_NAME=prod" >> $GITHUB_ENV #retrieve secrets from 'prod' environment in Github
      - name: Check if dev
        if: endsWith(github.ref, '/dev') #if the triggering branch is 'dev'
        run: |
          echo "ENVIRONMENT_NAME=dev" >> $GITHUB_ENV #retrieve secrets from 'dev' environment in Github
      - name: Set output
        id: set_env
        run: echo "::set-output name=current_env::${{ env.ENVIRONMENT_NAME }}" #assign the value of ENVIRONMENT_NAME to the output variable 'current_env' 

  build-and-deploy: #this is a job named 'build-and-deploy'
    runs-on: ubuntu-latest #your preferred OS
    needs: set-environment #this job won't be executed until the set-environment job is finished
    environment: ${{ needs.set-environment.outputs.current_env }} #this job will now retrieve secret values stored in either 'dev' or 'prod' repo environments, depending on the value set in previous job
      - name: Get secret from Github
      - uses: MyPrettyGithubAction #example action
          creds: ${{ secrets.MY_PRETTY_SECRET }} #gets the value of MY_PRETTY_SECRET from the current repo environment
      - run: echo "Deploying to ${{ needs.set-environment.outputs.current_env }} environment" #output: "Deploying to {environment name}"

In the example above I’ve separated the logic into multiple jobs. You can of course do this in a single job, eliminating the need for exposing the current_env value.

Happy coding!