The production build workflow now uses environment secrets for better security and control. This guide walks you through the one-time setup.
-
Token name:
OpenTelemetry Demo GHCR Access -
Expiration: Choose your preference (90 days, 1 year, or no expiration)
-
Select scopes:
-
write:packages- Upload packages to GitHub Package Registry -
read:packages- Download packages from GitHub Package Registry -
delete:packages- Delete packages from GitHub Package Registry (optional)
-
-
Click Generate token
-
IMPORTANT: Copy the token immediately - you won't see it again!
Example token format: ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
In the splunk/opentelemetry-demo repository:
Settings -> Environments -> New environment
Or direct link: https://github.com/splunk/opentelemetry-demo/settings/environments/new
Environment name: production
Protection rules (recommended):
- Add yourself and/or team members who should approve production deployments
- When enabled, workflow will pause and wait for approval before building images
- Provides audit trail of who approved each build
- Select: Selected branches
- Add rule:
main - This ensures only builds from the main branch can use production secrets
- Add a delay (e.g., 5 minutes) before deployment starts
- Gives time to cancel if needed
In the production environment you just created:
- Scroll to Environment secrets
- Click Add secret
- Name:
GHCR_TOKEN - Value: Paste your PAT from Step 1
- Click Add secret
Your environment should now show:
- Name: production
- Secrets: 1 secret (GHCR_TOKEN)
- Protection rules: Your configured rules
- Go to:
Actions -> Build Images - PRODUCTION - Click Run workflow
- Configure:
- Version bump:
patch(or your choice) - Services:
allor specific service
- Version bump:
- Click Run workflow
If you enabled Required reviewers:
- Workflow starts
determine-versionandprepare-matrixjobs completebuild-imagesjob shows: "Waiting for approval"- You receive notification to review deployment
- After approval, build proceeds with GHCR_TOKEN
If no reviewers required:
- Workflow runs automatically with environment secret
- Check that you're running from the
mainbranch - Verify deployment branch rules in environment settings
- Verify secret name is exactly
GHCR_TOKEN(case-sensitive) - Check it's added to the
productionenvironment, not repository secrets
- Verify PAT has
write:packagesscope - Check PAT hasn't expired
- Ensure PAT is from a user with write access to splunk org
- Add yourself as a required reviewer in environment settings
- Or remove the required reviewers protection rule
[x] Token not in repository code - Stored separately in environment [x] Scoped access - Only production builds can use it [x] Manual approval - Optional review before each deployment [x] Audit trail - GitHub logs who approved deployments [x] Easy rotation - Update token in environment settings [x] Branch protection - Only runs from approved branches
When you need to rotate the PAT:
- Generate new PAT (Step 1)
- Go to environment secrets:
https://github.com/splunk/opentelemetry-demo/settings/environments/production/edit - Update
GHCR_TOKENsecret value - Old token can be deleted from GitHub settings
No code changes needed!
For multiple repositories needing the same token:
- Go to:
https://github.com/organizations/splunk/settings/secrets/actions - Create organization secret:
GHCR_TOKEN - Select repository access:
splunk/opentelemetry-demo - Update workflow to use organization secret
You've now configured:
- Personal Access Token with package write permissions
- Production environment with protection rules
- Environment secret (GHCR_TOKEN)
- Workflow configured to use environment
Next build will require approval and use your secure token!