Running Trace-Based Tests with GitHub Actions and Secrets

When creating CI test scripts in GitHub, you sometimes need to use sensitive information like passwords and API Keys. To keep this information safe, GitHub provides a feature called [Secrets](https://docs.github.com/en/actions/reference/encrypted-secrets). Secrets are encrypted environment variables you create in a repository and are available in your workflows.

In this article, you will see how to configure a repository to use Tracetest and GitHub Actions with Secrets to run trace-based tests, keeping your sensitive information safe.

## Scenario: Payment Ecosystem

We have a mini Payment ecosystem with 4 APIs to emulate a Payment system, and we want to test it with Tracetest. This system is composed by:

• Gateway API: User-facing API that receives payment orders, protected with Basic Auth.
• Payment Executor API: Executes a payment order after analyzing the customer profile.
• Risk Analysis API: Analyzes a user profile to understand its score.
• Wallet API: Retains data about each user's wallet balance.
  

These APIs are instrumented with [OpenTelemetry SDKs](https://opentelemetry.io/docs/languages/) and send data to [Jaeger](https://www.jaegertracing.io/) via the [OpenTelemetry Collector](https://opentelemetry.io/docs/collector/).


Each one of these APIs has their code specified inside our source code on GitHub ([here](https://github.com/kubeshop/tracetest/tree/main/examples/tracetest-with-github-action-and-secrets)) inside the `services` folder. You can run them together using Docker Compose along with a Tracetest Agent, which we will use to test these services with the following command:

```bash

git clone git@github.com:kubeshop/tracetest.git
cd ./tracetest/examples/tracetest-with-github-action-and-secrets
TRACETEST_API_KEY=<your-agent-key> docker compose up

```

However, to run a test, you need to execute an API call against the Gateway API, which is protected with Basic Auth. This could be troublesome with Tracetest and GitHub Actions, since you don't have this Basic Auth password logged into the test definition and also on GitHub Action execution.

To solve that, you will use a Github Secret to store the Basic Auth credentials, which you can use in our Github Action workflow by adding it to a [VariableSet](https://docs.tracetest.io/concepts/variable-sets) as a secret.

## Creating a GitHub Actions Workflow[​](https://docs.tracetest.io/ci-cd-automation/github-actions-pipeline-with-secrets#creating-a-github-actions-workflow)

First you will create a repository in your machine and add it to GitHub. After that you will structure a Github Action Workflow file that will start the API and run the trace-based tests for it.

### Creating the API Services GitHub Repo[​](https://docs.tracetest.io/ci-cd-automation/github-actions-pipeline-with-secrets#creating-the-api-services-github-repo)

You need to create a new folder on your machine to store the service code and the repository code. Do this by running the following commands:

```bash

# sandbox folder to store our files
mkdir github-actions-test
cd ./github-actions-test
‍
mkdir my-repository
cd ./my-repository

```

Now, copy the code of the Payment Ecosystem to this repository. Do this by running the following commands:

```bash
cd ..
‍
git clone git@github.com:kubeshop/tracetest.git
cp -r ./tracetest/examples/tracetest-with-github-action-and-secrets/services ./my-repository

cd ./my-repository
‍
# remove the .git folder to start a new repository
rm -rf .git
git init
‍
git add .
git commit -m "Initial commit"
```

Then, [create a new repository](https://docs.github.com/en/repositories/creating-and-managing-repositories/quickstart-for-repositories#create-a-repository) on GitHub and perform the commands below:

```bash

git remote add origin https://github.com/<your-github-user>/<your-github-name>.git
git push origin main

```

After that, you need to configure a new environment on [Tracetest](http://app.tracetest.io/) with [these instructions](https://docs.tracetest.io/concepts/environments) and generate an environment token for it ([here](https://docs.tracetest.io/concepts/environment-tokens)). Remember to store the API Key generated for the Tracetest Agent and the environment token, as they will be used in the next step.

You need to register three secrets in your GitHub repository using [these instructions](https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#creating-secrets-for-a-repository):

- `TRACETEST_API_KEY`: The API key used by your [agent](https://docs.tracetest.io/concepts/agent) to connect to Tracetest.

- `TRACETEST_CLI_TOKEN`: An [environment token](https://docs.tracetest.io/concepts/environment-tokens) used by the CI to run a test.

- `API_SECRET_PASSWORD`: The password used to authenticate on the Gateway API. For demo purposes, its value is `supersecret`.

### Creating the GitHub Actions Workflow[​](https://docs.tracetest.io/ci-cd-automation/github-actions-pipeline-with-secrets#creating-the-github-actions-workflow)

Now that you have the repository set, let's create a new Github Actions workflow file in your repository. First, create a new file in the `.github/workflows` folder with the following content:

```yaml

name: Run trace-based tests
‍
on:
 # runs on every push to main
 push:
   branches: [main]
 # allows run manually via Actions tab on Github
 workflow_dispatch:
‍
env:
 TRACETEST_API_KEY: ${{secrets.TRACETEST_API_KEY}}
‍
jobs:
 run-trace-based-tests:
   name: Run trace based tests for Payment Ecosystem
   runs-on: ubuntu-latest
   steps:
     - name: Checkout
       uses: actions/checkout@v3
     # more steps to add

```

This file defines a workflow that runs on every push to the `main` branch and can be manually triggered via the Actions tab on GitHub. It also establishes an environment variable `TRACETEST_API_KEY` that is set to the value of the secret `TRACETEST_API_KEY`. The Tracetest Agent defined inside our `docker-compose.yml` file will use this value. The file also adds the first step that checks out the repository code into the CI container.

The next step is to install the Tracetest CLI in the CI container with the [Tracetest Github Action](https://github.com/kubeshop/tracetest-github-action) and configure the CLI. You can do this by adding the following step:

```yaml
   # ...
   steps:
     # previous steps ...
‍
     - name: Configure Tracetest CLI
       uses: kubeshop/tracetest-github-action@v1
       with:
         token: ${{secrets.TRACETEST_CLI_TOKEN}}
     # more steps to add

```

Then, the two following steps will start the APIs locally using Docker Compose and configure the Tracetest Agent to read traces from the Jaeger instance running inside of the Docker Compose network:

```yaml
   # ...
   steps:
     # previous steps ...
     - name: Run APIs locally with docker compose
       run: |
         docker-compose up -d
         docker compose logs -f > /tmp/docker-log &
‍
     - name: Configure Tracing Backend
       run: |
         tracetest datastore apply --file ./tracing-backend.yaml
     # more steps to add

```

Now, you will set up a [VariableSet](https://docs.tracetest.io/concepts/variable-sets) with the id `tracetesting-vars` with all variables used in your test context, including the `API_SECRET_PASSWORD` secret. This will help Tracetest understand that this variable is a secret and should not be presented in the UI and CLI outputs. You can do this by adding the following step to the workflow file:

```yaml
   # ...
   steps:
     # previous steps ...
‍
     - name: Inject secrets as a variable set in Tracetest
       run: |
         cat << EOF > vars.yaml
         type: VariableSet
         spec:
           id: tracetesting-vars
           name: AuthKeys for test
           description: Variables used in basic auth for my API
           values:
           - key: USER
             value: admin
           - key: PASSWORD
             value: ${{secrets.API_SECRET_PASSWORD}}
             type: secret
         EOF
‍
         tracetest apply variableset --file ./vars.yaml
‍
     # more steps to add

```

Finally, you will run the test using the Tracetest CLI, passing the `tracetesting-vars` Variable Set with the `--vars` argument and the test file `trace-based-test.yaml` that contains the test definition. You can do this by adding the following step to the workflow file:

```yaml

   # ...
   steps:
‍
     # previous steps ...
‍
     - name: Run trace-based tests
       run: |
         tracetest run test --vars tracetesting-vars --file ./trace-based-test.yaml
‍
     # more steps to add

```

You can run the test by pushing a new commit to the `main` branch with:

```bash

# assuming that you are on "my-repository" folder
git add .
git commit -m "Add Tracetest Github Action workflow"
git push origin main

```

After a while, you can go to the "Actions" on GitHub and see the workflow running, as shown below.

Drill down to see the jobs contained in this workflow.

You can also see the execution of this workflow.

Once it's finished, you can see the test results in the Tracetest Web UI by going to your environment on [app.tracetest.io](https://app.tracetest.io/) and clicking on "Runs.”

## Final Remarks

In conclusion, running trace-based tests with GitHub Actions and Secrets offers a secure and efficient way to manage sensitive information while ensuring the reliability of your systems. By following the steps outlined in this article, you can configure your GitHub repository to securely store and use secrets, set up your APIs, and run comprehensive tests with Tracetest.

Would you like to learn more about Tracetest and what it brings to the table? Visit the Tracetest [docs](https://docs.tracetest.io/getting-started/installation) and try it out by signing up today!

Also, please feel free to join our [Slack Community](https://dub.sh/tracetest-community), give [Tracetest a star on GitHub](https://github.com/kubeshop/tracetest), or schedule a [time to chat 1:1](https://calendly.com/ken-kubeshop/45min).