In this tutorial, you'll learn how to securely send GitHub secrets to a Docker application running on a virtual machine (VM) using the adnanh/webhook tool. We'll walk through setting up the GitHub Actions workflow, configuring the webhook, and writing the bash script that handles the incoming data and restarts the Docker container.
Prerequisites
- A GitHub repository
- A VM with Docker installed
- adnanh/webhook installed on your VM
- GitHub secrets configured for your project
Step 1: Set Up GitHub Actions Workflow
Create a GitHub Actions workflow file in your repository (for example .github/workflows/send-secrets.yml). It runs on every push to the main branch and POSTs the secrets to the webhook on your VM. Two details matter for security. First, the JSON body is built with jq (preinstalled on GitHub-hosted runners), so a secret containing a double quote or backslash cannot break, or escape from, the payload; splicing the values straight into a curl -d string would. Second, the body is signed with HMAC-SHA256 using a shared secret, WEBHOOK_SECRET, that you also store as a repository secret; the VM only runs your script when that signature checks out. Use https for the webhook URL, and do not echo the secret values in the step: GitHub masks registered secrets in the job log, but the masking is best effort and there is no reason to print them.
name: Send Secrets to Webhook
on:
  push:
    branches:
      - main
jobs:
  send-secrets:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
      - name: Trigger Webhook
        env:
          YOUR_SECRET_1: ${{ secrets.YOUR_SECRET_1 }}
          YOUR_SECRET_2: ${{ secrets.YOUR_SECRET_2 }}
          WEBHOOK_SECRET: ${{ secrets.WEBHOOK_SECRET }}
        run: |
          # Build the JSON with jq so quotes/backslashes in a secret are escaped, not spliced in raw
          payload=$(jq -cn --arg s1 "$YOUR_SECRET_1" --arg s2 "$YOUR_SECRET_2" \
            '{YOUR_SECRET_1: $s1, YOUR_SECRET_2: $s2}')
          # Sign exactly the bytes that are sent; the hook's trigger-rule recomputes this MAC
          signature=$(printf '%s' "$payload" | openssl dgst -sha256 -hmac "$WEBHOOK_SECRET" | awk '{print $NF}')
          curl --fail --silent --show-error -X POST https://<YOUR_VM_HOST>:9000/hooks/your-hook-id \
            -H 'Content-Type: application/json' \
            -H "X-Hub-Signature-256: sha256=$signature" \
            --data-binary "$payload"
Step 2: Configure Webhook on VM
On your VM, create a webhook configuration file. It tells webhook which script to run for the hook id and which payload fields to pass into the script's environment. Add a trigger-rule as well: without one, anyone who can reach port 9000 can POST to /hooks/your-hook-id and run your script with values of their choosing. The payload-hmac-sha256 rule (named payload-hash-sha256 in older webhook releases) recomputes the HMAC over the raw request body with the shared secret and rejects requests whose X-Hub-Signature-256 header does not match. The file now contains that secret, so make it readable only by the user that runs webhook (chmod 600).
[
  {
    "id": "your-hook-id",
    "execute-command": "/path/to/your/script.sh",
    "command-working-directory": "/path/to/your/repository",
    "http-methods": ["POST"],
    "pass-environment-to-command": [
      {
        "source": "payload",
        "name": "YOUR_SECRET_1",
        "envname": "YOUR_SECRET_1"
      },
      {
        "source": "payload",
        "name": "YOUR_SECRET_2",
        "envname": "YOUR_SECRET_2"
      }
    ],
    "trigger-rule": {
      "match": {
        "type": "payload-hmac-sha256",
        "secret": "<the same value as the WEBHOOK_SECRET repository secret>",
        "parameter": {
          "source": "header",
          "name": "X-Hub-Signature-256"
        }
      }
    }
  }
]
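The two halves of Steps 1 and 2, the signing the workflow step performs and the check the webhook trigger-rule performs, reproduced as an added example in Python so both can be run and inspected offline. This is not code from the post or from adnanh/webhook; the sample secret values, the shared secret and the function names are made up for the example. It also shows why the body is built with jq rather than spliced into curl -d: a secret containing a double quote turns the naively built payload into invalid JSON.

```python
"""Added example: HMAC-SHA256 signing of the webhook payload (sender side) and
verification modelled on webhook's payload-hmac-sha256 rule (receiver side).
All values below are constructed for the example."""
import hashlib
import hmac
import json

# Constructed stand-ins for the repository secrets; the first one contains
# a double quote and a backslash on purpose.
SECRETS = {"YOUR_SECRET_1": 'pa"ss\\word', "YOUR_SECRET_2": "s3cr3t"}
# Stand-in for WEBHOOK_SECRET / the trigger-rule "secret" value.
SHARED_SECRET = b"change-me-webhook-secret"


def naive_payload(secrets):
    """What curl -d '{"K": "'"$V"'"}' produces: raw values spliced into the
    string. Any quote or backslash in a value yields invalid JSON."""
    parts = ['"%s": "%s"' % (k, v) for k, v in secrets.items()]
    return "{" + ", ".join(parts) + "}"


def json_payload(secrets):
    """What jq -cn --arg produces: every value is properly JSON-escaped."""
    return json.dumps(secrets, separators=(",", ":")).encode()


def sign(payload, secret):
    """Sender side: the X-Hub-Signature-256 header value, using GitHub's
    sha256=<hex> convention, over the exact bytes that will be sent."""
    return "sha256=" + hmac.new(secret, payload, hashlib.sha256).hexdigest()


def verify(header, payload, secret):
    """Receiver side: recompute the MAC over the raw body and compare in
    constant time. A header may carry several comma-separated signatures;
    the request is accepted if any one of them matches."""
    if not header:
        return False
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest().encode()
    for candidate in header.split(","):
        candidate = candidate.strip()
        if candidate.startswith("sha256="):
            candidate = candidate[len("sha256="):]
        if hmac.compare_digest(candidate.encode(), expected):
            return True
    return False


def payload_is_valid_json(text):
    """True if the body parses as JSON (what webhook needs to read payload fields)."""
    try:
        json.loads(text)
        return True
    except ValueError:
        return False


def extract_env(payload):
    """What pass-environment-to-command with source=payload hands the script."""
    data = json.loads(payload)
    return {k: data[k] for k in ("YOUR_SECRET_1", "YOUR_SECRET_2")}


if __name__ == "__main__":
    body = json_payload(SECRETS)
    sig = sign(body, SHARED_SECRET)
    print("naive payload parses as JSON:", payload_is_valid_json(naive_payload(SECRETS)))
    print("jq-style payload parses as JSON:", payload_is_valid_json(body))
    print("genuine request accepted:", verify(sig, body, SHARED_SECRET))
    print("tampered body accepted:", verify(sig, body + b" ", SHARED_SECRET))
    print("wrong shared secret accepted:", verify(sig, body, b"other"))
    print("environment handed to the script:", extract_env(body))
```

The MAC is computed over the raw bytes, so anything that re-serialises the body between signer and verifier (a proxy that pretty-prints JSON, a shell that strips a trailing newline) breaks the signature; that is why the workflow sends the jq output unchanged with --data-binary.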
Step 3: Create the Bash Script
Create the bash script that webhook executes. It pulls the latest changes from the repository, builds the Docker image, and restarts the container with the new secrets, which arrive as environment variables populated from the payload. Do not echo the secret values for debugging: webhook captures the command's output and, in verbose mode, writes it to its log. Note also that values passed with -e are visible through docker inspect to anyone with access to the Docker socket, so treat socket access as root-equivalent on this VM.
#!/bin/bash
# Executed by webhook as the user that started it; YOUR_SECRET_1 and
# YOUR_SECRET_2 are set from the JSON payload by pass-environment-to-command.
set -euo pipefail
# Set the repository's directory
REPO_DIR="/path/to/your/repository"
# Set the Docker container and image names
CONTAINER_NAME="your_container_name"
IMAGE_NAME="your_image_name"
# Refuse to run with missing secrets rather than start a container with empty values
: "${YOUR_SECRET_1:?YOUR_SECRET_1 was not provided by webhook}"
: "${YOUR_SECRET_2:?YOUR_SECRET_2 was not provided by webhook}"
# Change to the repository directory
cd "$REPO_DIR" || { echo "Failed to change directory to $REPO_DIR"; exit 1; }
# Pull the latest changes from the main branch (fast-forward only, so a diverged
# checkout fails loudly instead of creating a merge commit on the server)
git pull --ff-only origin main || { echo "Failed to pull from the main branch"; exit 1; }
echo "Successfully pulled from the main branch."
# Build the Docker image
docker build -t "$IMAGE_NAME" . || { echo "Docker build failed"; exit 1; }
echo "Docker build successful."
# Stop and remove the old container if it exists. docker container inspect is an
# exact-name check; the name filter of docker ps is a substring match.
if docker container inspect "$CONTAINER_NAME" >/dev/null 2>&1; then
  docker stop "$CONTAINER_NAME" || { echo "Failed to stop container"; exit 1; }
  docker rm "$CONTAINER_NAME" || { echo "Failed to remove container"; exit 1; }
fi
# Start a new container with the updated image and pass the secrets as environment variables
docker run -d \
  --name "$CONTAINER_NAME" \
  -e YOUR_SECRET_1="$YOUR_SECRET_1" \
  -e YOUR_SECRET_2="$YOUR_SECRET_2" \
  "$IMAGE_NAME" || { echo "Failed to restart the container"; exit 1; }
echo "Container restarted successfully."
Step 4: Start the Webhook on Your VM
Start the webhook tool with the configuration file you created. Because the payload carries your secrets, serve it over TLS: webhook supports the -secure, -cert and -key flags, or you can put it behind a reverse proxy that terminates TLS with a proper certificate and forwards to it on localhost. The -verbose flag is useful while you set things up, but it logs request and command details, so drop it once the pipeline works.
webhook -hooks /path/to/your/webhook-config.json -secure -cert /path/to/cert.pem -key /path/to/key.pem -verbose
Step 5: Push Changes to GitHub
Push any changes to your GitHub repository. This will trigger the GitHub Actions workflow, sending the secrets to your VM, where the webhook will handle them and restart your Docker container with the updated environment variables.
Final touch
1 - Run adnanh/webhook as a Linux system service (for example a systemd unit) so it starts on boot and runs as a dedicated user rather than from an interactive shell.
2 - Make sure the script referenced in execute-command is executable: chmod +x /path/to/your/script.sh
Conclusion
By following these steps, you can securely send GitHub secrets to a Docker application running on a VM using adnanh/webhook. This setup keeps sensitive information out of your codebase, lets the VM verify that a request really came from your workflow, and still gives your application the secrets it needs to run.