Skip to content
NativeLink Docs

API Keys in CI

GitHub Actions

To run NativeLink cloud in your workflow, you will need to create a YAML in your .github/workflows folder with the following added to your jobs section:

jobs:
  build-test:
    runs-on: ubuntu-22.04
    environment: production
    steps:
    - name: Checkout
      uses: >- # v4.1.1
        actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
    - name: Setup Bazelisk
      uses: >- # v0.8.1
        bazel-contrib/setup-bazel@b388b84bb637e50cdae241d0f255670d4bd79f29
      with:
        bazelisk-cache: true
    - name: Run Bazel tests
      shell: bash
      run: |
        bazel test \
          --remote_cache=${{ vars.NATIVELINK_COM_REMOTE_CACHE_URL }} \
          --remote_header=${{ secrets.NATIVELINK_COM_API_HEADER }} \
          --bes_backend=${{ vars.NATIVELINK_COM_BES_URL }} \
          --bes_header=${{ secrets.NATIVELINK_COM_API_HEADER }} \
          --bes_results_url=${{ vars.NATIVELINK_COM_BES_RESULTS_URL }} \
          --remote_header=x-nativelink-project=nativelink-ci \
          //...

Configure Secrets in your GitHub Repository

GitHub Repository Secrets is the recommended way to store your NativeLink Cloud API keys for use with GitHub Actions.

The GitHub repository secrets tutorial will show you how to setup a repository secret. You can then access those variables from the secrets context in your GitHub actions:

Terminal window
${{ secrets.YourSecretKeyName }}

Repositories that use forks

If your repository is open source and uses forks for pull requests (PRs), the secrets and vars context aren’t accessible in the actions for PRs originating from the forks. To address this, we recommend using Read-Only keys.

These keys can be generated in the Settings > API Keys & Certs sections of the cloud dashboard.

Read-Only keys can be used for PRs and be hard-coded into your GitHub actions. For merge-to-main actions, use a Read/Write key stored in the secrets context. An example of this below:

Terminal window
bazel test \
  --remote_cache=grpcs://cas-account-id.build-faster.nativelink.net \
  --remote_header=x-nativelink-api-key=${{ secrets.NATIVELINK_COM_API_HEADER || 'HARD_CODED_READ_ONLY_KEY_HERE' }} \
  ${{ github.ref == 'refs/heads/main' && ' ' || '--nogenerate_json_trace_profile --remote_upload_local_results=false' }} \
  //...

Read Only keys

For Read Only API Keys you need to set these two flags:

Terminal window
--nogenerate_json_trace_profile
--remote_upload_local_results=false

BEP Disabled Keys

For keys where BEP is disabled, remove the following flags from your Config:

Terminal window
build --bes_backend=YOUR_BEP_URL
build --bes_header=x-nativelink-api-key=YOUR_KEY

Third-Party Secrets Management

If you need info on setting up API keys for different CI environments, ask in the Slack channel or open an issue on our GitHub.