Using environment
in github actions without creating Deployments
#36919
Replies: 86 comments 34 replies
-
what do you mean by accessing env variables? those are just there for your jobs to consume them, they are not triggering anything whatsoever, if you can share your yml would be nice |
Beta Was this translation helpful? Give feedback.
-
Hi there @connor-luna and welcome to our community 😄. Thanks so much for asking a great question! |
Beta Was this translation helpful? Give feedback.
-
I would also love it if we could use Environments for setting up repeatable workflows without every Job that references an I have a complex multi-job setup in a monorepo that utilizes matrices for concurrent steps. These matrix jobs reference an The problem is that I have, is my workflow creates 40+ jobs related to an Each update to a PR adds another set of 40+ messages into the PR history. This completely buries any conversion in PR because of the interface hiding messages for you. This is a public repo, so you can see the workflow here: Here's an example PR where Deployments noise, hides active important conversations. |
Beta Was this translation helpful? Give feedback.
-
We also find this frustrating. We run a number of environment-specific checks as part of pull request tests and they are shown in the UI as having deployed to environments where they have not truly been. It would be great to have the ability to distinguish "prepare deployment" or "verify deployment" or similar read-only operations from an actual "deploy to environment" update action. (worth noting that there's prior art here: GitLab supports this distinction: https://docs.gitlab.com/ee/ci/environments/#access-an-environment-for-preparation-or-verification-purposes) |
Beta Was this translation helpful? Give feedback.
-
Same frustration here. I need to access Environment secret for a Terraform Plan job, but of course nothing is being deployed at that stage. And to make it worse we have have enabled human approval for some environments so we have to manually approve Terraform plans, which is obviously a bit daft and a waste of time |
Beta Was this translation helpful? Give feedback.
-
Same issue here |
Beta Was this translation helpful? Give feedback.
-
Another thumbs up for this issue. It would be nice to get some feature that would let you specify if the workflow should create a "deploy" or not |
Beta Was this translation helpful? Give feedback.
-
Same issue! I just want to have access to the variables per env. |
Beta Was this translation helpful? Give feedback.
-
same issue, I have a workflow which deploys logic, and one which deploys infra using terraform - both use env secrets but now both look the same and cause "deployments" to be created. |
Beta Was this translation helpful? Give feedback.
-
Same issue, for us we have a docker image hosted in ECR but only in our prod account. We want to use it as a service container in our PR workflow test job but we need to login to ECR and get the docker password and secret in prod. So we have a job before the tests job that uses the "production" environment to get secrets for logging in to ECR. We haven't deployed anything just need the outputs but now all our PR's have marks saying they were deployed to prod even though they haven't been. 😞 Edit: Clean up wording |
Beta Was this translation helpful? Give feedback.
-
Same issue here, I'd like to decide when a successfully run action that references an environment creates or not a deployment. Mostly because I use environment over variables because they have approval. |
Beta Was this translation helpful? Give feedback.
-
same problem, anyone have a workaround? it's super annoying to have a terraform plan always trigger a "deployment" when nothing is being deployed at all. |
Beta Was this translation helpful? Give feedback.
-
Same here. I'm doing a dry run (Terraform) deploy into the target environment as part of a PR but then says it was deployed. It seems like a missing piece of the puzzle. |
Beta Was this translation helpful? Give feedback.
-
Same issue. |
Beta Was this translation helpful? Give feedback.
-
We have same issue here, |
Beta Was this translation helpful? Give feedback.
-
We've got around this by having 1 PR environment. Might not work for everyone, but fits our use and stops us getting an environment for each PR branch. e.g. |
Beta Was this translation helpful? Give feedback.
-
Functionally, |
Beta Was this translation helpful? Give feedback.
-
+1 |
Beta Was this translation helpful? Give feedback.
-
Everybody is saying the same things. Can we please agree to use a 👍 reaction so that everybody that is subscribed doesn't receive a constant barrage of replies that don't really add much to the discussion? |
Beta Was this translation helpful? Give feedback.
-
Hello... Any updates on this.. We spent a lot of time moving everything over to environments using git actions.. And now we have this massive mess with 15 deployment events being created from one deployment... We need the environment secrets in each of 15 different dependency actions... But now we have 15 staging/production deployments... when it should only be one.. This should only be triggered after our final run. Please Please help! I need to be able to specify in the first 14 actions to not create a deployment... deployment: false If one of these actions fail... we don't want Jira and other devops tools being notified that a deployment went through. |
Beta Was this translation helpful? Give feedback.
-
Interesting..... This problem confuse people almost 2 years, but still no fix from Github... I just need a variable from different env group, I don't want any deployment... |
Beta Was this translation helpful? Give feedback.
-
Had the same issue, also in a terraform plan step where I didn't want the "noise" of a deployment. Solved this with the
var_name=$(gh variable list -R ${{ github.repository }} -e ${{ inputs.environment_name }} --json name --jq '.[].name')
var_value=$(gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/${{ github.repository }}/environments/${{ inputs.environment_name }}/variables/${var_name} | jq -r '.value') |
Beta Was this translation helpful? Give feedback.
-
Jeez can it be just |
Beta Was this translation helpful? Give feedback.
-
I wonder if it is better to provide feature requests / feedback via account managers instead of piling on threads like this one here. Kinda feels stupid to beg for QoL improvements when your employer writes checks worth dozens of millions to Microsoft |
Beta Was this translation helpful? Give feedback.
-
What a great feature request. It certainly is annoying that all our PRs produce a deployment to production from needing to do a terraform plan. So far this isn't a problem but there is some automation via webhooks happening with our ITSM platform where we will track all Production environment deployments that is forcing us to have to look and exclude deployments initiated from pull requests. |
Beta Was this translation helpful? Give feedback.
-
I'd like to have a solution for this, too. I think Gitlab also solves this by allowing jobs to qualify their access to environment-specific secrets documented here: https://docs.gitlab.com/ee/ci/yaml/index.html#environmentaction
here the access property allows to qualify what is happening to the environment with this job. (gitlab has abstractions for: start, stop, verify, access and prepare). I think this would do it for github, too. right? |
Beta Was this translation helpful? Give feedback.
-
It would be great if you could also specify whether non deployment environment accessing needs a review or not. For example, when accessing the environment for a terraform plan, deployment could be set to false and no review required to progress the job. Then when running terraform apply, deployment would be true and a review would be required. In lower environments I'd allow the same developer to approve their own plan, but in prod this could be restricted. This would make GH Actions way more useable for terraform CICD. |
Beta Was this translation helpful? Give feedback.
-
I have environment-specific secrets defined which I'd like to reference from my Action. I think this requires me to set an
environment
for the job. The problem is that it seems like as soon as I set anenvironment
, there's no way for me to prevent an associated Deployment from being created, which I don't always want. Is there a way to access environment-specific secrets without having the job create a Deployment?Beta Was this translation helpful? Give feedback.
All reactions