Secrets and Access Control
This section describes the organization-level secrets used across CI/CD workflows in Netcracker/* GitHub repositories.
These secrets are centrally managed and shared across all standard workflows (build, test, release, publish, etc.). If you're using common reusable workflows from qubership-workflow-hub, you do not need to configure these secrets manually.
All CI/CD workflows within our GitHub organization are powered by a consistent set of secrets that manage authentication, artifact signing, and access control. These secrets are pre-configured and do not require manual setup in individual repositories unless explicitly stated.
| Secret/Variable | Purpose |
|---|---|
| `GITHUB_TOKEN` | Used by GitHub Actions for basic authentication. |
| `CLA_ACCESS_TOKEN` | Grants access to centralized Contributor License Agreement storage. |
| `MAVEN_USER` | Username used to publish to the Maven Central repository. |
| `MAVEN_PASSWORD` | Corresponding password or token for `MAVEN_USER`. |
| `MAVEN_GPG_PRIVATE_KEY` | Private GPG key to sign Maven artifacts (e.g., .jar, .pom). |
| `MAVEN_GPG_PASSPHRASE` | Passphrase used to unlock the GPG key during the signing process. |
| `PYPI_API_TOKEN` | Authentication token for publishing packages to PyPI. |
| `GH_ACCESS_TOKEN` | Personal access token for a “tech user” with elevated repository access. |
| `WORKFLOWS_TOKEN` | A scoped GitHub token for triggering or managing workflows. |
| `SONAR_TOKEN` | Token used for authenticating with SonarQube during static analysis. |
| `GH_RWD_PACKAGE_TOKEN` | Grants full access (Read/Write/Delete) to GitHub Packages. |
| `GH_BUMP_VERSION_APP_ID` | GitHub Application ID used to bypass branch protection rules in CI. |
| `GH_BUMP_VERSION_APP_KEY` | GitHub Application key used to bypass branch protection rules in CI. |
These secrets are used in shared CI/CD workflows defined in the Netcracker CI/CD Template Hub.
They are automatically picked up by workflows such as:
- Build & test pipelines
- Release & publish to Maven Central or PyPI
- GitHub Packages publishing
- SonarQube code quality checks
- Contributor License Agreement (CLA) automation
- etc...
You don’t need to configure them manually — they’re already available in all Netcracker/* repositories.
- For local testing of these workflows (e.g., via `act` or PR previews), you may override any of these secrets by redefining them in the consuming repository.
- Never expose these secrets directly in workflow logs or through `echo`.
- GitHub masks secret values in logs by default.
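A small lint for the logging rule above, added here as an illustration and not part of qubership-workflow-hub: it flags workflow lines that print a secret, either through a `${{ secrets.* }}` expression or through an environment variable mapped from one. The sample workflow, the `PYPI_TOKEN` variable and the function name `find_secret_prints` are constructed for this example.

```python
import re

# Constructed sample workflow; secret names come from the table on this page.
SAMPLE_WORKFLOW = """\
jobs:
  publish:
    runs-on: ubuntu-latest
    env:
      PYPI_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
    steps:
      - run: echo "token is ${{ secrets.SONAR_TOKEN }}"
      - run: echo "$PYPI_TOKEN" | base64
      - run: twine upload -u __token__ -p "$PYPI_TOKEN" dist/*
      - run: echo "publishing done"
"""

SECRET_EXPR = re.compile(r"\$\{\{\s*secrets\.(\w+)\s*\}\}")
ENV_MAP = re.compile(r"^\s*(\w+)\s*:\s*\$\{\{\s*secrets\.(\w+)\s*\}\}")
PRINT_CMD = re.compile(r"\b(?:echo|printf|printenv)\b")


def find_secret_prints(workflow_text):
    """Return (line_number, secret_name) for each line that prints a secret."""
    lines = workflow_text.splitlines()
    # Pass 1: variables populated from secrets, e.g. `PYPI_TOKEN: ${{ secrets.X }}`.
    env_vars = {}
    for line in lines:
        m = ENV_MAP.match(line)
        if m:
            env_vars[m.group(1)] = m.group(2)
    # Pass 2: print commands that reference a secret directly or via such a variable.
    # Piped output is flagged too: an encoded copy of the value (base64 here)
    # no longer matches the string that log masking looks for.
    findings = []
    for number, line in enumerate(lines, 1):
        if not PRINT_CMD.search(line):
            continue
        findings += [(number, name) for name in SECRET_EXPR.findall(line)]
        for var, name in env_vars.items():
            if re.search(r"\$\{?" + re.escape(var) + r"\b", line):
                findings.append((number, name))
    return findings


if __name__ == "__main__":
    for number, name in find_secret_prints(SAMPLE_WORKFLOW):
        print(f"line {number}: prints secret {name}")
```

The check is line-based and conservative, so a hit is a prompt for review rather than proof of a leak.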