
Securely Handle Secrets in CI/CD with the Zero GitHub Action

Exchange your Zero token for secrets right from your GitHub Actions YAML.

Sam Magura

CI/CD platforms allow you to streamline the build and deployment of your software project. CI/CD provides much greater build and deployment reliability compared to running tasks manually on developer computers.

Deployment jobs in CI/CD typically need a secret variable to deploy your code to your hosting provider, such as AWS. In our previous post, we announced Zero's integrations with GitHub Actions, GitLab CI/CD, and Bitbucket pipelines. These integrations sync your secrets from Zero to environment variables in your CI/CD system.

For GitHub Actions, there is another way to retrieve your secrets from Zero, which we'll be covering in this post: the Zero GitHub Action, which is invoked just like any other GitHub Action.


Basic Usage of the Zero GitHub Action

Using the Zero GitHub Action does not require you to create an integration from the Zero web app. The GitHub Action works similarly to the Zero TypeScript SDK, in that it allows you to exchange a Zero token for your secrets. Internally, the GitHub Action is calling the Zero GraphQL API, just like the TypeScript SDK does.

The following sample code shows the basic usage of the Zero GitHub Action in a YAML workflow file:

.github/workflows/main.yml

steps:
  - uses: zerosecrets/github-actions/token-to-secrets@main
    id: zero
    with:
      zero-token: ${{ secrets.ZERO_TOKEN }}
      apis: aws-production,stripe-production
      caller-name: CI/CD
  - name: echo secrets
    run: |
      echo "${{ steps.zero.outputs.zero-secrets }}"
      env | grep ZERO_SECRET

You can see that there are two ways to access the secrets returned by the action. You can either access the output of the step directly via ${{ steps.zero.outputs.zero-secrets }}, or use the environment variables, which are prefixed by ZERO_SECRET.
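When the ZERO_SECRET environment variables are consumed by a shell step, GitHub's ::add-mask:: workflow command keeps their values out of the job log. The helper below is an added example, not code from Zero or its action; it assumes only the ZERO_SECRET prefix described above, and the env listing it parses is constructed.

```shell
#!/bin/sh
# Added example (not Zero's own code). Reads NAME=VALUE lines on stdin, in the
# form `env` prints them, and emits a GitHub Actions ::add-mask:: workflow
# command for every variable whose name starts with the ZERO_SECRET prefix, so
# that later `echo`/`env` output in the same job has those values redacted.
# Assumes single-line values (as `env` prints them one per line).
mask_zero_secrets() {
  prefix="${1:-ZERO_SECRET}"
  while IFS= read -r line; do
    name="${line%%=*}"   # text before the first '='
    value="${line#*=}"   # everything after the first '=' (may itself contain '=')
    case "$name" in
      "$prefix"*)
        if [ -n "$value" ]; then
          printf '::add-mask::%s\n' "$value"
        fi
        ;;
    esac
  done
}

# Constructed sample of what `env` might print after the token-to-secrets step.
sample_env='ZERO_SECRET_AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY
PATH=/usr/bin:/bin
ZERO_SECRET_STRIPE_KEY=sk_test_example
HOME=/home/runner'

# In a workflow `run:` step this would be:  env | mask_zero_secrets
printf '%s\n' "$sample_env" | mask_zero_secrets
```

Run it as the first line of the step that uses the secrets; masking applies to log lines written after the command is emitted, not to lines already printed.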

Deploying to Vercel with Zero

The most common use case for the Zero GitHub Action is to deploy your code to a cloud provider, like AWS, Vercel, or Netlify. This section will showcase a deployment to Vercel, based on Vercel's guide to deployment using GitHub Actions.

This workflow code can be used to deploy any application supported by the Vercel CLI, such as a Next.js app or a SvelteKit app.

.github/workflows/main.yml

on:
  push:
    branches:
      - main

jobs:
  Deploy-Production:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: zerosecrets/github-actions/token-to-secrets@main
        id: zero
        with:
          zero-token: ${{ secrets.ZERO_TOKEN }}
          apis: vercel-production
          caller-name: Vercel Deployment
      - name: Install Vercel CLI
        run: npm install --global vercel@latest
      - name: Pull Vercel Environment Information
        env:
          VERCEL_ORG_ID: ${{ steps.zero.outputs.zero-secrets.VERCEL_ORG_ID }}
          VERCEL_PROJECT_ID: ${{ steps.zero.outputs.zero-secrets.VERCEL_PROJECT_ID }}
        run: vercel pull --yes --environment=production --token=${{ steps.zero.outputs.zero-secrets.VERCEL_TOKEN }}
      - name: Build Project Artifacts
        run: vercel build --prod --token=${{ steps.zero.outputs.zero-secrets.VERCEL_TOKEN }}
      - name: Deploy Project Artifacts to Vercel
        run: vercel deploy --prebuilt --prod --token=${{ steps.zero.outputs.zero-secrets.VERCEL_TOKEN }}

Let's break down the above code sample. First, we invoke the Zero GitHub Action to exchange the Zero token for the VERCEL_TOKEN secret. (You'll need to paste the Vercel token into your project in the Zero web app for this to work.)

Then, we go through the normal steps to deploy to Vercel: vercel pull, vercel build, then vercel deploy. The only Zero-specific part of these steps is that the outputs of the Zero GitHub Action supply the VERCEL_ORG_ID and VERCEL_PROJECT_ID environment variables for the vercel pull step and the --token argument for each Vercel command.

Sending Slack Notifications from GitHub Actions

Another use case for GitHub Actions is sending a notification when a release is published. This is straightforward to accomplish with the Zero GitHub Action paired with this open source Slack action.

.github/workflows/main.yml

on:
  release:
    types:
      - published

jobs:
  notify-slack:
    name: Notify Slack
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2
      - uses: zerosecrets/github-actions/token-to-secrets@main
        id: zero
        with:
          zero-token: ${{ secrets.ZERO_TOKEN }}
          apis: slack-webhook
          caller-name: Slack Notification
      - name: Notify Slack
        uses: 8398a7/action-slack@v3
        env:
          SLACK_WEBHOOK_URL: ${{ steps.zero.outputs.zero-secrets.SLACK_WEBHOOK_URL }}
        with:
          status: success
          fields: workflow,author
          mention: here
          text: |-
            A new release has been published.
            *Release:* [${{ github.event.release.name }}](${{ github.event.release.html_url }})
            *Tag:* ${{ github.event.release.tag_name }}
            *Description:* ${{ github.event.release.body }}

Retrieve the Slack webhook URL with the Zero action, then invoke the Slack action with the webhook URL and message content. For this to work, you'll need to have set up a Slack application and webhook URL already. Check out my post on sending Slack messages with Zero to learn more about that.

Conclusion

This post showed how you can implement a variety of CI/CD workflows with the Zero GitHub Action. Using our GitHub Action simplifies the management of secret credentials in workflows that need to access third-party services. This pattern is especially convenient when multiple pieces of your infrastructure need to access the same secrets, because you can use Zero as the single source of truth for your secrets.
