
Integration With GitHub Actions

How to integrate Plural with GitHub Actions and other CI providers

Plural is generally meant to implement a GitOps-based workflow, which is somewhat tangential to general CI strategies. The main point of friction is that CI usually runs against commits to application code, typically ending in a complete Docker image build, while GitOps workflows require a follow-on commit in a secondary infrastructure config repo (or a subsection of a monorepo).

That follow-on step is typically not automated, leaving teams to manage config files by hand and execute tedious processes. You also don't want to compromise the security of your GitOps controller by exposing its credentials to a public CI solution like GitHub Actions. Plural takes the following approach:

  1. You can delegate federated credentials that issue temporary JWTs against your Plural instance for authentication, with scopes usually limited to minimal changes (e.g. creating a PR).
  2. We provide decent prebuilt actions to make integration as simple as possible.

Let's show how it's done.

Create a federated credential

The first step is creating a federated credential to allow a token exchange between GitHub's OIDC provider and Plural:

```yaml
apiVersion: deployments.plural.sh/v1alpha1
kind: FederatedCredential
metadata:
  name: gh-actions
spec:
  issuer: https://token.actions.githubusercontent.com # the oidc issuer url for gh actions, can be swapped for any other platform with oidc federation support
  user: someone@example.com # should point to the user email you want the federated credential to auth as
  scopes:
    - createPullRequest
  claimsLike:
    sub: "repo:pluralsh/console:ref:refs/heads/master" # any regex is supported
```

Info:

You can actually use Plural AI to generate these with its built-in Kubernetes API discovery integration! Just be sure to select your management cluster in the chat context.
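
Because `claimsLike` accepts any regex, it is worth checking which GitHub `sub` claims a pattern admits before applying the credential. The following is an added example, not Plural's code: it evaluates patterns against constructed subject strings under both whole-value and substring regex semantics. Which of the two Plural applies is not stated on this page and is treated as an assumption; `claims_match` and `accepted_subs` are hypothetical helper names.

```python
import re

# Constructed sample `sub` claims in the shapes GitHub Actions issues for a repo.
SAMPLE_SUBS = [
    "repo:pluralsh/console:ref:refs/heads/master",          # the intended caller
    "repo:pluralsh/console:ref:refs/heads/master-scratch",  # other branch, same prefix
    "repo:pluralsh/console:ref:refs/heads/feature",
    "repo:pluralsh/console:pull_request",
    "repo:pluralsh/console-tools:ref:refs/heads/master",    # another repo, same org
    "repo:someone/pluralsh-console:ref:refs/heads/master",  # different owner
]

def claims_match(claims_like, claims, anchored):
    """Return True when every pattern in claims_like matches the same-named claim.

    anchored=True  -> re.fullmatch: the whole claim value must match.
    anchored=False -> re.search: the pattern may match any substring.
    Which behaviour Plural uses is an assumption, so both are modelled.
    """
    matcher = re.fullmatch if anchored else re.search
    for name, pattern in claims_like.items():
        value = claims.get(name)
        # A missing or non-string claim never satisfies a pattern.
        if not isinstance(value, str) or matcher(pattern, value) is None:
            return False
    return True

def accepted_subs(pattern, anchored):
    """List the sample subjects that a given `sub` pattern would admit."""
    return [s for s in SAMPLE_SUBS
            if claims_match({"sub": pattern}, {"sub": s}, anchored)]

PAGE_PATTERN = "repo:pluralsh/console:ref:refs/heads/master"      # from the spec above
STRICT_PATTERN = r"^repo:pluralsh/console:ref:refs/heads/master$"  # explicit anchors
WIDE_PATTERN = "repo:pluralsh/.*"  # constructed example of an over-broad pattern

if __name__ == "__main__":
    for label, pat in [("page", PAGE_PATTERN), ("strict", STRICT_PATTERN),
                       ("wide", WIDE_PATTERN)]:
        for anchored in (True, False):
            mode = "fullmatch" if anchored else "search"
            print(f"{label:6} {mode:9} -> {accepted_subs(pat, anchored)}")
```

Writing the anchors `^` and `$` into the pattern makes the result the same under either matching mode, so the credential does not depend on how the regex is evaluated.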

Define the PR Automation

In this case we're going to have GitHub Actions trigger a PR automation; it can also perform other API actions, like kicking off a Plural Pipeline. Just to show how it would work, here's an example PR automation spec: