Checking environment variables
Environment variables are essential to building flexible, maintainable GitHub Actions workflows. They let you configure behaviour, pass data between steps, and adapt a workflow to different environments without hard-coding values.
Understanding environment variables in GitHub Actions
Environment variables are the mechanism for storing and reading configuration data inside a workflow. They can be set at several scopes and used throughout the pipeline, which keeps configuration management consistent and secure.
Variable scope and hierarchy
GitHub Actions supports environment variables at several levels:
- Workflow level: available to every job in the workflow
- Job level: available to every step in a specific job
- Step level: available only to that specific step
When the same name is defined at more than one level, the most specific definition wins: a step-level value overrides a job-level value, which overrides a workflow-level value. Anything declared at workflow level is visible to every job, so keep values that only one job needs at job or step level.
```yaml
name: Multi-level Environment Variables

on: push

# Workflow-level variables: visible to every job
env:
  NODE_VERSION: "20"
  BUILD_CONFIGURATION: "Release"

jobs:
  build:
    runs-on: ubuntu-latest
    # Job-level variables: visible to every step of this job
    env:
      DATABASE_NAME: "production_db"
      API_TIMEOUT: "30000"
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          # The env context is available in "with", so a workflow-level
          # value can drive an action input
          node-version: ${{ env.NODE_VERSION }}

      - name: Run tests with custom config
        run: npm test
        # Step-level variables: visible only to this step
        env:
          TEST_ENVIRONMENT: "ci"
          LOG_LEVEL: "debug"
```
Built-in GitHub environment variables
GitHub automatically sets a number of environment variables that describe the context of the run. Some of them (the actor, and for pull requests the head branch) describe whoever triggered the run rather than anything you control, so do not base trust decisions on them in workflows that run on external pull requests.
Basic built-in variables
| Variable | Description | Example value |
|---|---|---|
| GITHUB_WORKFLOW | Name of the workflow | "CI Pipeline" |
| GITHUB_ACTION | Unique identifier of the running action | "__actions_checkout" |
| GITHUB_REPOSITORY | Repository name (owner/repo) | "microsoft/vscode" |
| GITHUB_REF | Branch or tag reference | "refs/heads/main" |
| GITHUB_SHA | Commit SHA that triggered the workflow | "ffac537e6cbb..." |
| GITHUB_ACTOR | Username of the user who triggered the workflow | "octocat" |
| GITHUB_EVENT_NAME | Event that triggered the workflow | "push" |
| RUNNER_OS | Operating system of the runner | "Linux" |
Reading the built-in variables in a step
```yaml
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Display workflow context
        run: |
          echo "Workflow: $GITHUB_WORKFLOW"
          echo "Repository: $GITHUB_REPOSITORY"
          # Strips the refs/heads/ prefix; this only works for branches.
          # $GITHUB_REF_NAME already holds the short branch or tag name.
          echo "Branch: ${GITHUB_REF#refs/heads/}"
          echo "Commit: $GITHUB_SHA"
          echo "Actor: $GITHUB_ACTOR"
          echo "Event: $GITHUB_EVENT_NAME"
          echo "Runner OS: $RUNNER_OS"
```
Important naming rules:
- Built-in variables use the GITHUB_ prefix
- You cannot create custom variables (or secrets) whose name starts with GITHUB_
- Variable names are case-sensitive in most contexts: the shell on Linux and macOS runners distinguishes case, while Windows environment variables are case-insensitive
Practical environment variable patterns
Configuration management
```yaml
name: Environment-specific Deployment

on:
  push:
    branches: [main, develop]

env:
  # Global configuration
  APP_NAME: "my-awesome-app"
  DOCKER_REGISTRY: "ghcr.io"

jobs:
  deploy-staging:
    if: github.ref == 'refs/heads/develop'
    runs-on: ubuntu-latest
    env:
      ENVIRONMENT: "staging"
      API_URL: "https://api.staging.example.com"
      DATABASE_TIER: "basic"
    steps:
      - uses: actions/checkout@v4
      - name: Deploy to staging
        run: |
          echo "Deploying $APP_NAME to $ENVIRONMENT"
          echo "API URL: $API_URL"
          docker build -t "$DOCKER_REGISTRY/$APP_NAME:$GITHUB_SHA" .

  deploy-production:
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    # Consider binding this job to a GitHub environment (environment: production)
    # so that required reviewers and environment-scoped secrets apply to it
    env:
      ENVIRONMENT: "production"
      API_URL: "https://api.example.com"
      DATABASE_TIER: "premium"
    steps:
      - uses: actions/checkout@v4
      - name: Deploy to production
        run: |
          echo "Deploying $APP_NAME to $ENVIRONMENT"
          echo "API URL: $API_URL"
          # "latest" is a moving tag; tag with $GITHUB_SHA as well if you need
          # an immutable reference to what was deployed
          docker build -t "$DOCKER_REGISTRY/$APP_NAME:latest" .
```
Dynamic variable creation
```yaml
steps:
  - name: Generate build metadata
    id: metadata
    run: |
      BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')
      BUILD_NUMBER=$GITHUB_RUN_NUMBER
      # Only meaningful on tag pushes; for any other ref the full ref
      # (for example refs/heads/main) is left unchanged
      VERSION_TAG=${GITHUB_REF#refs/tags/}
      # Lines appended to $GITHUB_ENV are exported to the later steps of
      # this job, not to the current step
      echo "BUILD_DATE=$BUILD_DATE" >> "$GITHUB_ENV"
      echo "BUILD_NUMBER=$BUILD_NUMBER" >> "$GITHUB_ENV"
      echo "VERSION_TAG=$VERSION_TAG" >> "$GITHUB_ENV"

  - name: Use generated variables
    run: |
      echo "Build Date: $BUILD_DATE"
      echo "Build Number: $BUILD_NUMBER"
      echo "Version: $VERSION_TAG"
```
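The pattern above appends NAME=VALUE lines to $GITHUB_ENV. The runner parses that file line by line at the end of the step, so a value that contains a newline (a pull-request title, a commit message, an issue body) becomes an extra NAME=VALUE line, and whoever controls the value can define variables such as LD_PRELOAD or NODE_OPTIONS for every later step of the job. The following shell example is added here and is not from the original page or from GitHub. It contrasts the naive writer with one that validates the name and uses the multi-line heredoc form GitHub documents for $GITHUB_ENV, and it includes a small parser that approximates how the runner reads the file so the difference is visible. The function names (set_env_naive, set_env, exported_names), the fallback to a temporary file when GITHUB_ENV is unset, and the refusal of the RUNNER_ prefix are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example: writing to $GITHUB_ENV without letting a value inject extra
# variables. Outside a runner GITHUB_ENV is unset, so fall back to a temp file
# (an assumption of this example) to make the script runnable locally.
: "${GITHUB_ENV:=$(mktemp)}"
export GITHUB_ENV

# The pattern from the page. Each line of the env file is parsed as NAME=VALUE,
# so a value containing a newline smuggles in a second assignment.
set_env_naive() {
  echo "$1=$2" >> "$GITHUB_ENV"
}

# Hardened writer (names and policy are this example's own):
#  - rejects names that are empty, start with a digit, contain characters other
#    than [A-Za-z0-9_], or use the GITHUB_ prefix reserved by GitHub; RUNNER_
#    is refused as well as a precaution
#  - writes the heredoc form  NAME<<DELIM / value / DELIM  that GitHub documents
#    for multi-line values, with a random delimiter checked not to occur in
#    the value
set_env() {
  name=$1
  value=$2
  case "$name" in
    ''|[0-9]*|*[!A-Za-z0-9_]*|GITHUB_*|RUNNER_*)
      echo "set_env: refusing invalid or reserved name '$name'" >&2
      return 1 ;;
  esac
  while :; do
    delim="ghadelim_$(head -c 12 /dev/urandom | od -An -tx1 | tr -d ' \n')"
    case "$value" in *"$delim"*) continue ;; esac
    break
  done
  printf '%s<<%s\n%s\n%s\n' "$name" "$delim" "$value" "$delim" >> "$GITHUB_ENV"
}

# Approximates the runner's parse of $GITHUB_ENV: a line is a heredoc header
# when "<<" appears before any "=", its body runs until the delimiter line;
# otherwise NAME=VALUE exports NAME. Prints the exported names, one per line.
exported_names() {
  delim=''
  while IFS= read -r line || [ -n "$line" ]; do
    if [ -n "$delim" ]; then
      if [ "$line" = "$delim" ]; then delim=''; fi
      continue
    fi
    hd=${line%%<<*}
    eq=${line%%=*}
    if [ "$hd" != "$line" ] && { [ "$eq" = "$line" ] || [ "${#hd}" -lt "${#eq}" ]; }; then
      printf '%s\n' "$hd"
      delim=${line#*<<}
    elif [ "$eq" != "$line" ]; then
      printf '%s\n' "$eq"
    fi
  done < "$GITHUB_ENV"
}

# Constructed attacker-controlled value, e.g. a pull-request title.
EVIL_TITLE='Fix typo
LD_PRELOAD=/tmp/evil.so'

demo() {
  GITHUB_ENV=$(mktemp)
  set_env_naive PR_TITLE "$EVIL_TITLE"
  echo "naive writer exports:    $(exported_names | tr '\n' ' ')"
  GITHUB_ENV=$(mktemp)
  set_env PR_TITLE "$EVIL_TITLE"
  echo "hardened writer exports: $(exported_names | tr '\n' ' ')"
}
demo
```

The naive writer exports both PR_TITLE and LD_PRELOAD; the hardened writer exports only PR_TITLE, with the second line kept inside the value. The same rule applies to $GITHUB_OUTPUT and $GITHUB_PATH: never build their contents with echo from input you do not control.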
Multi-platform configuration
```yaml
jobs:
  build:
    strategy:
      matrix:
        os: [ubuntu-latest, windows-latest, macos-latest]
        include:
          - os: ubuntu-latest
            BUILD_COMMAND: "make build-linux"
            PACKAGE_EXT: ".deb"
          - os: windows-latest
            BUILD_COMMAND: "msbuild /p:Configuration=Release"
            PACKAGE_EXT: ".msi"
          - os: macos-latest
            BUILD_COMMAND: "xcodebuild -configuration Release"
            PACKAGE_EXT: ".dmg"
    runs-on: ${{ matrix.os }}
    env:
      BUILD_COMMAND: ${{ matrix.BUILD_COMMAND }}
      PACKAGE_EXT: ${{ matrix.PACKAGE_EXT }}
    steps:
      - uses: actions/checkout@v4
      - name: Build application
        # Interpolating an expression into "run" is acceptable here only because
        # the value is defined in this workflow file. Never do this with
        # attacker-influenced input such as github.event.* fields.
        run: ${{ env.BUILD_COMMAND }}
```
Security best practices for environment variables
Handling sensitive data
A value written in env: is committed to the repository in clear text and readable by anyone with read access. A secret is stored encrypted, injected only at run time, and masked if it is printed to the log. Declare a secret in the env: of the one step or job that needs it rather than at workflow level, so that an unrelated or untrusted step elsewhere in the workflow cannot read it.
```yaml
# DON'T: Store secrets in plain environment variables
env:
  DATABASE_PASSWORD: 'super-secret-password'   # Committed to the repo and not masked in logs!

# DO: Use GitHub Secrets for sensitive data
env:
  DATABASE_HOST: 'db.example.com'
  DATABASE_PORT: '5432'
  DATABASE_USER: 'app_user'
  DATABASE_PASSWORD: ${{ secrets.DATABASE_PASSWORD }}   # Encrypted at rest, masked in logs
```
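A cheap guard against the DON'T case is a lint that runs in CI or as a pre-commit hook: it flags mapping keys whose name suggests a credential but whose value is a literal rather than an expression. The shell example below is added here and is not part of the original page. The function name lint_env_secrets, the list of credential-like key names, and the sample workflow it constructs are this example's own assumptions; it accepts any value that contains a ${{ ... }} expression or that is empty (the key opens a nested mapping), and reports everything else, so placeholder values will be over-reported and need an allowlist in real use.

```shell
#!/usr/bin/env bash
# Added example: flag credential-looking keys in a workflow file that carry a
# literal value instead of an expression such as ${{ secrets.NAME }}.

# Key names that usually carry a credential (this list is an assumption of
# the example; extend it for your organisation). Matched case-insensitively
# so that "password:" under "with:" is covered as well as "DB_PASSWORD:".
SECRET_KEY_RE='^[[:space:]]*-?[[:space:]]*[A-Za-z0-9_-]*(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY|CREDENTIAL)[A-Za-z0-9_-]*[[:space:]]*:'

# Prints "LINE:TEXT" for each suspicious entry in the file $1 and returns 1
# if any were found, 0 if the file is clean.
lint_env_secrets() {
  findings=$(grep -niE "$SECRET_KEY_RE" "$1" \
    | grep -vF '${{' \
    | grep -vE 'secrets:[[:space:]]*inherit[[:space:]]*$' \
    | grep -vE ':[[:space:]]*("")?[[:space:]]*(#.*)?$' || true)
  if [ -n "$findings" ]; then
    printf '%s\n' "$findings"
    return 1
  fi
  return 0
}

# Constructed sample workflow with two hard-coded credentials (lines 5 and 11)
# and two correct secret references. Prints the path of the temp file.
write_sample_workflow() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
name: sample
on: push
env:
  DATABASE_HOST: 'db.example.com'
  DATABASE_PASSWORD: 'super-secret-password'
jobs:
  build:
    runs-on: ubuntu-latest
    env:
      API_TOKEN: ${{ secrets.API_TOKEN }}
      SLACK_WEBHOOK_SECRET: "https://hooks.example.com/T000/B000/xyz"
    steps:
      - uses: docker/login-action@v3
        with:
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
EOF
  printf '%s\n' "$f"
}

demo() {
  wf=$(write_sample_workflow)
  if lint_env_secrets "$wf"; then
    echo "clean"
  else
    echo "hard-coded credentials found in $wf"
  fi
}
demo
```

Run it over every file under .github/workflows and fail the job on a non-zero exit; a grep-based lint like this is deliberately simple, so pair it with a proper secret scanner if one is available.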
Environment variable validation
```yaml
steps:
  - name: Validate required environment variables
    # ${!var} is bash indirect expansion, so pin the shell instead of relying
    # on the runner default (pwsh on Windows)
    shell: bash
    run: |
      required_vars=("API_URL" "DATABASE_HOST" "ENVIRONMENT")
      for var in "${required_vars[@]}"; do
        if [ -z "${!var}" ]; then
          echo "ERROR: Required environment variable $var is not set"
          exit 1
        else
          # Print only the name: echoing the value would put it in the log
          echo "OK: $var is set"
        fi
      done
```
Advanced techniques
Conditional environment variables
```yaml
steps:
  - name: Set environment-specific variables
    run: |
      # Values written here are available to the following steps of this job
      if [ "$GITHUB_REF" = "refs/heads/main" ]; then
        echo "LOG_LEVEL=info" >> "$GITHUB_ENV"
        echo "CACHE_TTL=3600" >> "$GITHUB_ENV"
      elif [ "$GITHUB_REF" = "refs/heads/develop" ]; then
        echo "LOG_LEVEL=debug" >> "$GITHUB_ENV"
        echo "CACHE_TTL=300" >> "$GITHUB_ENV"
      else
        echo "LOG_LEVEL=warn" >> "$GITHUB_ENV"
        echo "CACHE_TTL=60" >> "$GITHUB_ENV"
      fi
```
Environment variable templating
```yaml
env:
  # Binding user-chosen text such as a branch name to a variable and reading
  # $APP_VERSION inside "run" keeps it out of the shell's parse step; do not
  # interpolate ${{ github.ref_name }} or ${{ github.head_ref }} into "run" directly
  APP_VERSION: ${{ github.ref_name }}
  BUILD_ID: ${{ github.run_number }}
  FULL_VERSION: ${{ github.ref_name }}-build.${{ github.run_number }}
  # Not always a valid image reference: a branch such as feature/x puts a
  # slash into the tag, and the repository owner may be capitalised
  CONTAINER_TAG: ${{ github.repository }}:${{ github.ref_name }}
```
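CONTAINER_TAG as templated above is not always something a registry will accept: a branch such as feature/login-fix puts a slash into the tag, a ref name may start with a character a tag may not start with, and github.repository keeps the owner's capitalisation while registry repository names must be lowercase. The shell example below is added here and is not from the page; docker_image_ref and is_valid_docker_tag are this example's own names. It applies the Docker/OCI tag grammar ([A-Za-z0-9_][A-Za-z0-9_.-]{0,127}), lowercases the repository part, and is the kind of step you would run before a docker build rather than trusting the templated string. Branch names are user-chosen text, and for pull_request events github.head_ref is chosen by the PR author, so the sanitised value should also be passed to later commands through an environment variable rather than interpolated into the script.

```shell
#!/usr/bin/env bash
# Added example: turn a repository name and a git ref name into an image
# reference that a registry will accept. Function names are this example's own.

# Docker/OCI tag grammar: first character [A-Za-z0-9_], then up to 127
# characters from [A-Za-z0-9_.-]. Returns 0 when $1 is a valid tag.
is_valid_docker_tag() {
  printf '%s\n' "$1" | grep -qE '^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$'
}

# Builds "repo:tag": lowercases the repository (registry names must be
# lowercase), replaces characters a tag may not contain with '-', strips
# leading '.' or '-', and truncates the tag to 128 characters. An empty
# result falls back to the constant "unnamed" (an assumption of this example).
docker_image_ref() {
  repo=$(printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]')
  tag=$(printf '%s\n' "$2" | sed -e 's/[^A-Za-z0-9_.-]/-/g' -e 's/^[.-]*//' | cut -c1-128)
  [ -n "$tag" ] || tag=unnamed
  printf '%s:%s\n' "$repo" "$tag"
}

# Constructed inputs: a capitalised owner and ref names that do and do not
# form valid tags on their own.
demo() {
  for ref in main v1.2.3 feature/login-fix -dirty; do
    if is_valid_docker_tag "$ref"; then status=valid; else status=invalid; fi
    echo "$ref: $status as a tag -> $(docker_image_ref 'Octocat/Hello-World' "$ref")"
  done
}
demo
```

In a workflow, write the result to $GITHUB_ENV (using the multi-line-safe form if the input might contain newlines) and reference it as "$IMAGE_REF" in the docker build step.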
Environment variables are a powerful tool for building flexible, maintainable and secure GitHub Actions workflows. Used deliberately, they remove hard-coded values and make configuration easy to manage across environments.
For the complete documentation on environment variables, see Environment variables in GitHub Actions.