Connect GitHub as an Artifact Source in Spinnaker

Configure a GitHub trigger in Spinnaker

Spinnaker^TM pipelines can be configured to trigger when a change is committed to a GitHub repository. This doesn’t require any configuration of Spinnaker other than adding a GitHub trigger but does require administration of the GitHub repositories to configure the webhook.

The open source Spinnaker documentation has concise instructions for configuring GitHub webhooks.

Configure GitHub as an artifact source

If you actually want to use a file from the GitHub commit in your pipeline, you’ll need to configure GitHub as an artifact source in Spinnaker.

Many of the commands below have additional options that may be useful (or possibly required). If you need more detailed help, take a look at the Halyard command reference if you’re deploying Spinnaker with Halyard.

Enable GitHub artifacts

If you haven’t done this yet (for example, if you’ve just installed Armory Spinnaker fresh), you’ll need to enable GitHub as an artifact source:

• Operator
• Halyard

apiVersion: spinnaker.armory.io/v1alpha2
kind: SpinnakerService
metadata:
  name: spinnaker
spec:
  spinnakerConfig:  
    config:
      features:
        artifacts: true
      artifacts:
        github:
          enabled: true

hal config features edit --artifacts true
hal config artifact github enable

Add a GitHub credential

To access private GitHub repositories, you need a GitHub “Personal Access Token”. This can be generated by going to the “Settings” page in GitHub, then clicking on “Developer Settings” and then “Personal Access Token”. The token will need the repo scope.

Once you have a token, you should provide that token for Spinnaker’s Igor service as a credential to use to access GitHub. This can be done with a command like this:

Replace the account name github_user with the string you want to use to identify this GitHub credential.

• Operator
• Halyard

apiVersion: spinnaker.armory.io/v1alpha2
kind: SpinnakerService
metadata:
  name: spinnaker
spec:
  spinnakerConfig:  
    config:
      features:
        artifacts: true
      artifacts:
        github:
          enabled: true
          accounts:
          - name: github_user
            token: abc  # GitHub's personal access token. This fields supports `encrypted` references to secrets.
            # username: abc # GitHub username
            # password: abc # GitHub password. This fields supports `encryptedreferences` to secrets.
            # usernamePasswordFile: creds.txt # File containing "username:password" to use for GitHub authentication. This fields supports `encryptedFilereferences` to secrets.
            # tokenFile: token.txt # File containing a GitHub authentication token. This fields supports `encryptedFile` references to secrets.

kubectl -n >spinnaker namespace> apply -f <SpinnakerService manifest>

GITHUB_ACCOUNT_NAME=github_user
hal config artifact github account add ${GITHUB_ACCOUNT_NAME} \
    --token # you'll be prompted for this interactively

Using the GitHub credential

You may note that the above GitHub “account” doesn’t actually have a endpoint for your GitHub; this account is basically just the credential used by Spinnaker artifacts to access GitHub. The actual GitHub API endpoint is specified in the artifact reference. There are a couple ways to use this credential, one example of which is detailed here:

Troubleshooting credentials and URIs

To verify that your token and URI are correct, you can run a curl command to test authentication (the user field doesn’t matter):

curl https://api.github.com/repos/armory/demo/contents/manifests/deployment.yml \
  -u nobody:abcdef0123456789abcdef0123456789abcdef01

If you receive metadata about your file, the credential and URI are correct.