- create an empty private or internal repository
domain-protect-gcp-deployin your organisation
git clone git@github.com:domain-protect/domain-protect-gcp-deploy.git
cd domain-protect-gcp-deploy
git remote set-url origin git@github.com:YOUR_ORG_NAME/domain-protect-gcp-deploy.git
git push
- GitHub Actions environment is needed for manual approval steps
- within GitHub repository web console, select Settings, Code and automation, Environments
- create new environment
devwith no protection rules - create new environment
prd - configure Environment protection rules for
prd - select Required reviewers
- enter an appropriate team
- save protection rules
- Settings, Security, Secrets, Actions, enter Repository secrets:
| REPOSITORY SECRETS | EXAMPLE VALUE / COMMENT |
|---|---|
| GCP_WORKLOAD_IDENTITY_PROVIDER | projects/123456789/locations/global/workloadIdentityPools/github-actions/providers/domain-protect-gcp-github |
| GCP_SERVICE_ACCOUNT | domain-protect-gcp-deploy@mygcpprojectid.iam.gserviceaccount.com |
| TERRAFORM_STATE_BUCKET | tfstate48903 |
| TERRAFORM_STATE_PREFIX | terraform/state/domain-protect-gcp |
| SLACK_CHANNELS | ["security-alerts"] |
| SLACK_CHANNELS_DEV | ["security-alerts-dev"] |
| SLACK_WEBHOOK_URLS | ["https://hooks.slack.com/services/XXX/XXX/XXX"] |
| PROJECT | mygcpprojectid |
| APP_SERVICE_REGION | europe-west1 |
Environment variables should be created as secrets where:
- the information is sensitive, e.g. an API key
- the variable would otherwise require double quotes, e.g. a list with string elements
- enter additional environment variables to turn on other optional features
- enter additional environment variables to customise settings
- ensure each secret has a corresponding definition in the
envblock at the start of workflow
git commit -am "environment variable update"
git push