The goal of this article is to show you how to add and remove the public IP address of the GitHub Hosted runner, on which your (CI/CD) workflow is running, to the list of trusted sources of your DigitalOcean managed database.
So here’s the scenario:
- You are creating a workflow using GitHub Actions,
- and you are using a DigitalOcean Managed Database.
- You are also a responsible human being, and decided to limit the access of your databases to trusted sources only.
- But, you realize that your CI/CD GitHub workflow needs to interact with your database,
- And because you are cheap or lazy (or both like me)
- You don’t want to set up a droplet (with a fixed IP) to host your runner
- You just want to use GitHub-hosted runners to run your workflow.
- But you don’t know the IP address of your GitHub hosted runners
- So you decided to read this article to know how to modify your workflow to add the runner’s IP to the list of trusted sources of your database.
Because I am such a nice guy, I created this GitHub Action to be able to easily add and/or remove the public IP address of your runner to the list of trusted sources of your database.
This GitHub Action requires 2 inputs to work:
- a DigitalOcean access token
- the ID of your database
Step 1: Create a DigitalOcean Access Token
- Log in to the DigitalOcean Control Panel
- On the left, click on API
- On the tab “Tokens/keys” > Personal Access token, click “Generate new token”
- Choose a name, example:
- Give it READ & WRITE permissions
- Click “Generate Token”
- Save it somewhere, we will need it later
Step 2: Get the ID of your database
Getting the ID of a managed database is surprisingly more difficult than I expected, because it seems like this information is not visible on the web interface of DigitalOcean (unless I am blind).
So to get the ID, we need to use the DigitalOcean CLI.
Step 2.1: Install doctl
This step depends on your OS, so:
- Install doctl by following the doc
- Use the API token to grant doctl access to the DigitalOcean account
doctl auth init
- Paste the token
- Validate that it’s working:
doctl account get
Step 2.2: Get the database’s ID
- Get the ID of the database with:
doctl database list
Step 3: Create GitHub secrets
The DigitalOcean access token & the database’s ID are sensitive information and you should store them inside secrets.
- Go on your repository’s GitHub page
- Click on “Settings”
- Click “Secrets” > “New repository secret”
- Paste your token HERE
- Click “Add Secret”
- Repeat to add the database id, in a secret named:
Now we are ready to modify the GitHub workflow
Step 4: Modify the workflow
It is now time to modify your workflow (YAML file in
Step 4.1: Add the runner’s IP to the trusted sources
- Add a first step that will add the runner’s IP address to the list of trusted sources of your database:
# Step 1, add the IP address
- name: Add IP address to trusted source (managed database)
  uses: GarreauArthur/manage-digital-ocean-managed-database-trusted-sources-gh-action@main
  with:
    action: "add"
    database_id: $
    digitalocean_token: $
Step 4.2: Do something with your database (example: Prisma, EXTREMELY VALUABLE INFORMATION)
- Do something with your database
For example, if you are using Prisma, you can migrate your database with something like:
# Step 2, do whatever you need to do with your database
- name: Deploy to database
  run: npx prisma migrate deploy
  env:
    DATABASE_URL: $
IMPORTANT: you need to create a GH secret containing the
of your database, !!! BUT !!! you need to modify it to make it work: you need to append &connect_timeout=60&pool_timeout=60&socket_timeout=60 at the end of the string; otherwise, the runner will not be able to connect and the connection will time out.
Step 4.3: Remove the runner’s IP from the trusted sources
- Add one step in your workflow to remove the runner’s IP address from the trusted sources:
# Step 3, remove the IP address
- name: Remove IP address of trusted sources (managed database)
  uses: GarreauArthur/manage-digital-ocean-managed-database-trusted-sources-gh-action@main
  with:
    action: "remove"
    database_id: $
    digitalocean_token: $
Commit & Push, and it should work.
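The three steps of Step 4 assembled into one workflow file, as an added example that is not from the original article or the action's own documentation. The secret names DIGITALOCEAN_TOKEN, DATABASE_ID and DATABASE_URL, the trigger, the job name and the `npm ci` step are assumptions. The `if: always()` on the last step makes the removal run even when the migration fails, so the runner's IP does not stay in the trusted sources.

```yaml
# Added example: secret names, trigger and job name are assumptions, not from the article.
name: migrate-database
on:
  push:
    branches: [main]

permissions:
  contents: read  # the job only needs to read the repository

jobs:
  migrate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci  # assumed: installs the project's Prisma dependency

      # @main resolves to the branch head at run time. The action receives the
      # read/write token, so a reviewed commit SHA in place of @main keeps its
      # code from changing between runs.
      - name: Add IP address to trusted source (managed database)
        uses: GarreauArthur/manage-digital-ocean-managed-database-trusted-sources-gh-action@main
        with:
          action: "add"
          database_id: ${{ secrets.DATABASE_ID }}
          digitalocean_token: ${{ secrets.DIGITALOCEAN_TOKEN }}

      - name: Deploy to database
        run: npx prisma migrate deploy
        env:
          DATABASE_URL: ${{ secrets.DATABASE_URL }}

      # always() runs this step even if an earlier step failed or the run was
      # cancelled, so the trusted-source entry is removed in every case.
      - name: Remove IP address of trusted sources (managed database)
        if: always()
        uses: GarreauArthur/manage-digital-ocean-managed-database-trusted-sources-gh-action@main
        with:
          action: "remove"
          database_id: ${{ secrets.DATABASE_ID }}
          digitalocean_token: ${{ secrets.DIGITALOCEAN_TOKEN }}
```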