DEV Community

Rodrigo Burgos
Sending GitHub Secrets to Docker Apps on VMs Using adnanh/webhooks

In this tutorial, you'll learn how to securely send GitHub secrets to a Docker application running on a virtual machine (VM) using the adnanh/webhook tool. We'll walk through setting up the GitHub Actions workflow, configuring the webhook, and writing the bash script that handles the incoming data and restarts the Docker container.

Prerequisites

  • A GitHub repository
  • A VM with Docker installed
  • adnanh/webhook installed on your VM
  • GitHub secrets configured for your project

Step 1: Set Up GitHub Actions Workflow

Create a GitHub Actions workflow file in your repository. This workflow will be triggered on every push to the main branch and will send secrets to the webhook on your VM.

name: Send Secrets to Webhook

on:
  push:
    branches:
      - main

jobs:
  send-secrets:
    runs-on: ubuntu-latest

    steps:
      - name: Checkout repository
        uses: actions/checkout@v2

      - name: Trigger Webhook
        env:
          YOUR_SECRET_1: ${{ secrets.YOUR_SECRET_1 }}
          YOUR_SECRET_2: ${{ secrets.YOUR_SECRET_2 }}
        run: |
          # Debugging only: GitHub masks registered secret values in the job log,
          # but remove these echoes once the hook is working.
          echo "YOUR_SECRET_1: $YOUR_SECRET_1"
          echo "YOUR_SECRET_2: $YOUR_SECRET_2"
          curl -X POST http://<YOUR_VM_IP>:9000/hooks/your-hook-id \
            -H 'Content-Type: application/json' \
            -d '{
                  "YOUR_SECRET_1": "'"$YOUR_SECRET_1"'",
                  "YOUR_SECRET_2": "'"$YOUR_SECRET_2"'"
                }'

Step 2: Configure Webhook on VM

On your VM, create a webhook configuration file. This file tells the webhook tool which script to run for incoming requests on this hook id and exposes the values from the JSON payload to that script as environment variables.

[
  {
    "id": "your-hook-id",
    "execute-command": "/path/to/your/script.sh",
    "pass-environment-to-command": [
      {
        "source": "payload",
        "name": "YOUR_SECRET_1",
        "envname": "YOUR_SECRET_1"
      },
      {
        "source": "payload",
        "name": "YOUR_SECRET_2",
        "envname": "YOUR_SECRET_2"
      }
    ]
  }
]
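As written, the hook in Step 2 runs for any POST that reaches port 9000 with the right hook id, and the payload it receives drives `docker run`. adnanh/webhook can require the caller to prove it holds a shared key: a `trigger-rule` of type `payload-hmac-sha256` makes webhook recompute an HMAC-SHA256 over the raw request body and run the command only when it matches a header value. The script below is an added example, not code from the post or the webhook project. It writes the Step 2 hook definition extended with such a rule, builds the JSON body from Step 1 without breaking on quotes in a secret, signs it the way the Actions step would, and checks the signature the way the rule does. It assumes adnanh/webhook 2.8 or newer (older releases call the same rule `payload-hash-sha256`); the header name `X-Hub-Signature-256`, the key name and all sample values are choices made here.

```shell
#!/bin/sh
# Added example (not from the original post): sign the webhook call with
# HMAC-SHA256 so that only a caller holding the shared key can trigger the hook.
# Assumes adnanh/webhook >= 2.8 ("payload-hmac-sha256" trigger rule; older
# releases name it "payload-hash-sha256"). Header name X-Hub-Signature-256 and
# the key values below are assumptions, not names from the post.
set -eu

# Receiver side: the post's hook definition plus a trigger-rule. webhook runs
# execute-command only when the HMAC it computes over the raw body with
# "secret" matches the value of the named header.
# $1 = output file, $2 = shared key
write_hook_config() {
  cat > "$1" <<EOF
[
  {
    "id": "your-hook-id",
    "execute-command": "/path/to/your/script.sh",
    "pass-environment-to-command": [
      { "source": "payload", "name": "YOUR_SECRET_1", "envname": "YOUR_SECRET_1" },
      { "source": "payload", "name": "YOUR_SECRET_2", "envname": "YOUR_SECRET_2" }
    ],
    "trigger-rule": {
      "match": {
        "type": "payload-hmac-sha256",
        "secret": "$2",
        "parameter": { "source": "header", "name": "X-Hub-Signature-256" }
      }
    }
  }
]
EOF
}

# JSON-escape a value so a secret containing a quote or backslash cannot break
# the body (the post's inline '"$VAR"' splice would produce invalid JSON).
json_escape() {
  printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Build the exact body bytes that are sent and signed. $1, $2 = secret values
build_payload() {
  printf '{"YOUR_SECRET_1":"%s","YOUR_SECRET_2":"%s"}' \
    "$(json_escape "$1")" "$(json_escape "$2")"
}

# Sender side (the GitHub Actions step): hex HMAC-SHA256 of the body.
# $1 = key, $2 = body
sign_payload() {
  printf '%s' "$2" | openssl dgst -sha256 -hmac "$1" | sed 's/^.* //'
}

# Receiver-side equivalent of the trigger-rule, so both halves can be exercised
# offline. Accepts the raw hex digest or the "sha256=" prefixed form GitHub uses.
# $1 = key, $2 = body, $3 = presented signature
verify_signature() {
  [ "$(sign_payload "$1" "$2")" = "${3#sha256=}" ]
}

# Demo with constructed values (the key would itself be stored as a GitHub secret).
KEY="constructed-shared-key"
BODY="$(build_payload 'value with "quotes"' 'plain-value')"
SIG="$(sign_payload "$KEY" "$BODY")"
echo "body:      $BODY"
echo "signature: sha256=$SIG"
# The Actions step would send both, for example:
#   curl -X POST http://<YOUR_VM_IP>:9000/hooks/your-hook-id \
#     -H 'Content-Type: application/json' \
#     -H "X-Hub-Signature-256: sha256=$SIG" --data-binary "$BODY"
if verify_signature "$KEY" "$BODY" "sha256=$SIG"; then echo "valid signature: hook would run"; fi
if ! verify_signature "other-key" "$BODY" "sha256=$SIG"; then echo "wrong key: request would be rejected"; fi
```

The body must be signed byte-for-byte as it is sent, which is why `build_payload` produces it once and `curl --data-binary` would send that same string. The signature only proves who sent the request; the secrets themselves still travel in the clear over `http://`, so pair this with TLS (webhook's `-secure`, `-cert` and `-key` flags, or a reverse proxy) if the VM is reachable from the internet.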

Step 3: Create the Bash Script

Create a bash script that will be executed by the webhook. This script will pull the latest changes from the repository, build the Docker image, and restart the Docker container with the new secrets.

#!/bin/bash

set -e

# Set the repository's directory
REPO_DIR="/path/to/your/repository"

# Set the Docker container and image names
CONTAINER_NAME="your_container_name"
IMAGE_NAME="your_image_name"

# Change to the repository directory
cd "$REPO_DIR" || { echo "Failed to change directory to $REPO_DIR"; exit 1; }

# Pull the latest changes from the main branch
git pull origin main || { echo "Failed to pull from the main branch"; exit 1; }

echo "Successfully pulled from the main branch."

# Build the Docker image
docker build -t "$IMAGE_NAME" . || { echo "Docker build failed"; exit 1; }

echo "Docker build successful."

# Stop the old container if it exists. The name filter is a substring match,
# so anchor it; otherwise "app" would also match a container named "app2".
if [ "$(docker ps -aq -f name="^${CONTAINER_NAME}$")" ]; then
    docker stop "$CONTAINER_NAME" || { echo "Failed to stop container"; exit 1; }
    docker rm "$CONTAINER_NAME" || { echo "Failed to remove container"; exit 1; }
fi

# Echoing ENV variables for debugging purposes. This writes the secret values
# into the webhook's stdout/log, so remove these lines once the hook works.
echo "START ECHOING"
echo "YOUR_SECRET_1: $YOUR_SECRET_1"
echo "YOUR_SECRET_2: $YOUR_SECRET_2"
echo "FINISHED ECHOING"

# Start a new container with the updated image and pass the environment variables
docker run -d \
  --name "$CONTAINER_NAME" \
  -e YOUR_SECRET_1="$YOUR_SECRET_1" \
  -e YOUR_SECRET_2="$YOUR_SECRET_2" \
  "$IMAGE_NAME" || { echo "Failed to restart the container"; exit 1; }

echo "Container restarted successfully."

Step 4: Start the Webhook on Your VM

Start the webhook tool with the configuration file you created.

webhook -hooks /path/to/your/webhook-config.json -verbose

Step 5: Push Changes to GitHub

Push any changes to your GitHub repository. This will trigger the GitHub Actions workflow, sending the secrets to your VM, where the webhook will handle them and restart your Docker container with the updated environment variables.

Final touch

1 - Run adnanh/webhook as a Linux system service rather than from an interactive shell.
2 - Make sure your script (pipeline.sh here, /path/to/your/script.sh in the hook configuration above) is executable: chmod +x pipeline.sh
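One way to do the first item is a systemd unit that runs the Step 4 command under a dedicated account and restarts it on failure. The script below is an added example, not from the post or the webhook project: it renders such a unit into a directory you choose (normally /etc/systemd/system) and prints the operator steps that go with it. The binary path, the config path /etc/webhook/hooks.json, the service user `webhook` and the unit name are assumptions made here; the `ExecStart` flags are the ones the post uses.

```shell
#!/bin/sh
# Added example (not from the original post): install adnanh/webhook as a
# systemd service, as the "Final touch" suggests. The paths, the "webhook"
# service user and the unit name are assumptions; ExecStart uses the post's
# own flags (-hooks, -verbose).
set -eu

WEBHOOK_BIN="/usr/local/bin/webhook"     # assumed install location
HOOKS_FILE="/etc/webhook/hooks.json"     # assumed config location
SERVICE_USER="webhook"                   # dedicated account, assumed

# Render the unit file into the given directory (normally /etc/systemd/system)
# and print the path written, so it can be inspected before enabling.
# $1 = target directory
write_webhook_unit() {
  unit_path="$1/webhook.service"
  cat > "$unit_path" <<EOF
[Unit]
Description=adnanh/webhook - runs hook scripts on incoming HTTP requests
After=network-online.target
Wants=network-online.target

[Service]
# Run as a dedicated user instead of root. Because the hook script calls docker
# and git, this user needs access to the Docker socket (or a rootless Docker
# setup) and to the repository directory.
User=$SERVICE_USER
Group=$SERVICE_USER
ExecStart=$WEBHOOK_BIN -hooks $HOOKS_FILE -verbose
Restart=on-failure
RestartSec=5
# Hook output (including the script's echoes) goes to the journal, not a terminal.
StandardOutput=journal
StandardError=journal
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target
EOF
  printf '%s\n' "$unit_path"
}

# The commands an operator would run on the VM once the unit is in place
# (printed here, not executed).
install_steps() {
  cat <<'EOF'
sudo useradd --system --no-create-home webhook
sudo install -d -m 0750 -o webhook -g webhook /etc/webhook
sudo install -m 0640 -o webhook -g webhook webhook-config.json /etc/webhook/hooks.json
sudo chmod +x /path/to/your/script.sh
sudo systemctl daemon-reload
sudo systemctl enable --now webhook.service
journalctl -u webhook.service -f
EOF
}

# Demo: write the unit into a temporary directory instead of /etc.
tmpdir="$(mktemp -d)"
unit="$(write_webhook_unit "$tmpdir")"
echo "wrote $unit:"
cat "$unit"
echo
install_steps
```

The hooks file is installed with mode 0640 because, if you add an HMAC `trigger-rule`, it carries the shared key. `NoNewPrivileges=yes` stops the hook script from gaining privileges through setuid binaries; it does not restrict the Docker socket, so the `webhook` account should be granted only what the hook script actually needs.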

Conclusion

By following these steps, you can securely send GitHub secrets to a Docker application running on a VM using adnanh/webhooks. This setup allows you to keep sensitive information out of your codebase while ensuring your applications have the necessary secrets to run correctly.
