feat: added support for environment variable injection

davidB · davidB · commit 0633374907df · 2025-08-28T18:00:10.000+02:00
Here's what I implemented:

  Key Features:
  1. Automatic env var passing: The action scans all environment variables and passes any that start with CDVIZ_COLLECTOR__ to the container
  2. No additional inputs needed: Uses GitHub Actions' native env support
  3. Secure secret injection: Allows injecting secrets via environment variables without exposing them in config files

  Usage patterns:
  - Step-level env vars: Set environment variables for specific action steps
  - Job-level env vars: Set environment variables for entire job
  - Workflow-level env vars: Set environment variables for entire workflow
  - Repository secrets: Use ${{ secrets.SECRET_NAME }} in environment variables

  Security benefits:
  - ✅ Secrets never appear in config files
  - ✅ Secrets never appear in logs (GitHub automatically masks them)
  - ✅ Environment variables are only passed to the container, not stored on disk
  - ✅ Follows cdviz-collector's own environment variable convention

  This provides a much more secure way to handle sensitive configuration values like API keys, tokens, and webhook secrets compared to putting them in configuration
   files.
diff --git a/README.md b/README.md
@@ -70,6 +70,32 @@ jobs:
             prefix = "sha256="
 ```
 
+### Using Environment Variables for Secrets
+
+```yaml
+name: Send CDEvent with Environment Variables
+on:
+  push:
+    branches: [main]
+
+jobs:
+  send-event:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Send CDEvent with env vars
+        uses: cdviz-dev/send-cdevents@v1
+        env:
+          CDVIZ_COLLECTOR__SINKS__HTTP__HEADERS__X_SIGNATURE_256__TOKEN: ${{ secrets.WEBHOOK_SECRET }}
+        with:
+          data: '{"type": "dev.cdevents.build.started.0.1.1", "source": "github-action"}'
+          url: "https://your-webhook-endpoint.com/cdevents"
+          config: |
+            [sinks.http.headers.x-signature-256]
+            type = "signature"
+            algorithm = "sha256"
+            prefix = "sha256="
+```
+
 ### Reading from File
 
 ```yaml
@@ -104,6 +130,19 @@ jobs:
 | `additional-args` | Additional arguments to pass to the cdviz-collector send command | No | - |
 | `version` | Version/tag of the cdviz-collector container to use | No | `latest` |
 
+## Environment Variables
+
+The action automatically passes all environment variables starting with `CDVIZ_COLLECTOR__` to the cdviz-collector container. This allows you to override configuration values securely using GitHub secrets without exposing them in config files.
+
+### Environment Variable Naming Convention
+
+Environment variables should follow the pattern: `CDVIZ_COLLECTOR__<SECTION>__<SUBSECTION>__<KEY>`
+
+Examples:
+- `CDVIZ_COLLECTOR__SINKS__HTTP__HEADERS__X_API_KEY__VALUE` → `sinks.http.headers.x-api-key.value`
+- `CDVIZ_COLLECTOR__SINKS__HTTP__HEADERS__X_SIGNATURE__TOKEN` → `sinks.http.headers.x-signature.token`
+- `CDVIZ_COLLECTOR__SINKS__HTTP__DESTINATION` → `sinks.http.destination`
+
 ## Data Input Formats
 
 ### Direct JSON String
diff --git a/action.yml b/action.yml
@@ -79,9 +79,18 @@ runs:
     - name: 'Run cdviz-collector'
       shell: bash
       run: |
+        # Build environment variable arguments for CDVIZ_COLLECTOR__ prefixed variables
+        ENV_ARGS=""
+        while IFS='=' read -r name value; do
+          if [[ "$name" == CDVIZ_COLLECTOR__* ]]; then
+            ENV_ARGS="$ENV_ARGS -e $name=$value"
+          fi
+        done < <(env)
+        
         docker run --rm \
           -v "$PWD:/workspace" \
           -w /workspace \
+          $ENV_ARGS \
           ghcr.io/cdviz-dev/cdviz-collector:${{ inputs.version }} \
           ${{ steps.args.outputs.args }}
     
