This guide shows you how to set up a GitHub Actions workflow to automatically upload your Cerbos policies to a Cerbos Hub store whenever you push changes to the main branch of your repository.
You need the CERBOS_HUB_CLIENT_ID and CERBOS_HUB_CLIENT_SECRET values generated in the Client credentials section of the Cerbos Hub store. Make sure to select the Read & Write option when creating the credentials to allow uploading policies.

- In your repository, create the directory .github/workflows.
- In .github/workflows, create a new file named upload-policies.yml.
- Add the workflow below to the upload-policies.yml file.
- Replace [STORE_ID] with the ID of your Cerbos Hub store. You can find this in the Cerbos Hub UI under the store settings.

# .github/workflows/upload-policies.yml
name: Upload Cerbos Policies
on:
  push:
    branches:
      - main
jobs:
  upload-policies:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Upload Policies
        env:
          # Credentials are read from repository secrets, never stored in this file
          CERBOS_HUB_CLIENT_ID: ${{ secrets.CERBOS_HUB_CLIENT_ID }}
          CERBOS_HUB_CLIENT_SECRET: ${{ secrets.CERBOS_HUB_CLIENT_SECRET }}
        run: |
          # Quote the expansions so the values are passed to docker unchanged
          docker run --rm \
            -e CERBOS_HUB_STORE_ID="[STORE_ID]" \
            -e CERBOS_HUB_CLIENT_ID="$CERBOS_HUB_CLIENT_ID" \
            -e CERBOS_HUB_CLIENT_SECRET="$CERBOS_HUB_CLIENT_SECRET" \
            -v "$PWD":/app \
            ghcr.io/cerbos/cerbosctl:latest \
            hub store replace-files /app --message="Policy upload from GitHub Actions"

- In your GitHub repository's secrets, add a secret named CERBOS_HUB_CLIENT_ID.
- Add a second secret: use CERBOS_HUB_CLIENT_SECRET for the name and paste your client secret value.
- Commit the .github/workflows/upload-policies.yml file to your repository.
- Push your changes to the main branch.
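
As an added example (not part of the Cerbos documentation), the upload command from the workflow can be wrapped in a shell function that stops early when a credential is missing or [STORE_ID] was never replaced, and that forwards the variables to the container by name so the secret value is not expanded into the docker command line. The function names and DOCKER_BIN are hypothetical, and CERBOS_HUB_STORE_ID is assumed to be set in the step's env block alongside the two credentials.

```shell
#!/bin/sh
# Added example, not from the Cerbos docs. DOCKER_BIN and both function names
# are hypothetical; the docker arguments are the ones the page's workflow uses.

# Return 1 if a required variable is empty, 2 if the store ID is still the
# literal placeholder from the workflow template.
check_upload_env() {
    for name in CERBOS_HUB_STORE_ID CERBOS_HUB_CLIENT_ID CERBOS_HUB_CLIENT_SECRET; do
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            echo "error: $name is not set" >&2
            return 1
        fi
    done
    unset value
    if [ "$CERBOS_HUB_STORE_ID" = "[STORE_ID]" ]; then
        echo "error: replace [STORE_ID] with your Cerbos Hub store ID" >&2
        return 2
    fi
}

# Upload the policies in $1 (default: current directory).
upload_policies() {
    policy_dir=${1:-$PWD}
    check_upload_env || return $?
    # "-e NAME" with no "=value" makes docker copy NAME from its own
    # environment, so the secret is never expanded into the command line.
    export CERBOS_HUB_STORE_ID CERBOS_HUB_CLIENT_ID CERBOS_HUB_CLIENT_SECRET
    "${DOCKER_BIN:-docker}" run --rm \
        -e CERBOS_HUB_STORE_ID \
        -e CERBOS_HUB_CLIENT_ID \
        -e CERBOS_HUB_CLIENT_SECRET \
        -v "$policy_dir":/app \
        ghcr.io/cerbos/cerbosctl:latest \
        hub store replace-files /app --message="Policy upload from GitHub Actions"
}
```

In the workflow's run step, source this script and call upload_policies "$PWD" in place of the inline docker command.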


