Some ideas on passing credentials in GitHub workflow

toptal · Aug 17, 2024 · 1bd1440 · 1bd1440
1 parent 0539aa9
commit 1bd1440
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/.github/workflows/ruby.yml b/.github/workflows/ruby.yml
@@ -46,8 +46,15 @@ jobs:
           docker compose up elasticsearch_test -d
           sleep 10
 
+      - name: Extract credentials
+        run: docker compose cp elasticsearch_test:/usr/share/elasticsearch/config/certs/http_ca.crt {{ runner.temp }}
+        run: docker compose exec elasticsearch_test "/usr/share/elasticsearch/bin/elasticsearch-reset-password" -u elastic -b | grep New | awk '{print "es_password="$3}' >> "$GITHUB_OUTPUT"
+
       - name: Tests
         run: bundle exec rspec
+        env:
+          ES_PASSWORD: ${{ steps.vars.outputs.es_password }}
+          ES_CA_CERT: ${{ runner.temp }}/http_ca.crt
 
   rubocop:
     runs-on: ubuntu-latest

diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb
@@ -20,6 +20,7 @@
 port = ENV['ES_PORT'] || 9250
 user = ENV['ES_USER'] || 'elastic'
 password = ENV.fetch('ES_PASSWORD')
+ca_cert = ENV['ES_CA_CERT'] || './tmp/http_ca.crt'
 
 Chewy.settings = {
   host: "https://#{host}:#{port}",
@@ -32,7 +33,7 @@
   },
   transport_options: {
     ssl: {
-      ca_file: './tmp/http_ca.crt'
+      ca_file: ca_cert
     }
   },
   delete_all_enabled: false