Goal

The goal of this article is to show you how to add the public IP address of the GitHub-hosted runner on which your (CI/CD) workflow is running to the list of trusted sources of your DigitalOcean managed database, and how to remove it again when the workflow is done.

The Problem

So here’s the scenario:

  • You are creating a workflow using GitHub Actions,
  • and you are using a DigitalOcean Managed Database.
  • You are also a responsible human being, and decided to limit access to your databases to trusted sources only.
  • But you realize that your CI/CD GitHub workflow needs to interact with your database,
  • and because you are cheap or lazy (or both, like me),
  • you don’t want to set up a droplet (with a fixed IP) to host your runner;
  • you just want to use GitHub-hosted runners to run your workflow.
  • But you don’t know the IP address of your GitHub-hosted runners,
  • so you decided to read this article to learn how to modify your workflow to add the runner’s IP to the list of trusted sources of your database.

The solution

Because I am such a nice guy, I created this GitHub Action to easily add the public IP address of your runner to the list of trusted sources of your database, and/or remove it from that list.

This GitHub Action requires two inputs to work:

  • a DigitalOcean access token
  • the ID of your database

Step 1: Create a DigitalOcean Access Token

Check the doc

  1. Log in to the DigitalOcean Control Panel
  2. On the left, click on API
  3. On the “Tokens/keys” tab, under Personal Access Tokens, click “Generate new token”
  4. Choose a name, for example: github_access_token
  5. Give it READ & WRITE permissions
  6. Click “Generate Token”
  7. Save it somewhere; we will need it later

Step 2: Get the ID of your database

Getting the ID of a managed database is surprisingly more difficult than I expected, because this information does not seem to be visible in the DigitalOcean web interface (unless I am blind).

So to get the ID, we need to use the DigitalOcean CLI, doctl.

Step 2.1: Install doctl

This step depends on your OS, so:

  1. Install doctl by following the doc
  2. Use the API token to grant doctl access to the DigitalOcean account
  3. Run doctl auth init
  4. Paste the token
  5. Validate that it’s working: doctl account get

Step 2.2: Get the database’s ID

  1. Get the ID of the database with: doctl database list

Step 3: Create GitHub secrets

The DigitalOcean access token and the database ID are sensitive information, and you should store them as secrets.

  1. Go to your repository’s GitHub page
  2. Click on “Settings”
  3. Click “Secrets” > “New repository secret”
  4. Name: DIGITALOCEAN_TOKEN
  5. Value: paste your token here
  6. Click “Add Secret”
  7. Repeat to add the database ID, in a secret named DATABASE_ID

Now we are ready to modify the GitHub workflow.

Step 4: Modify the workflow

It is now time to modify your workflow (the YAML file in .github/workflows/).

Step 4.1: Add the runner’s IP to the trusted sources

  • Add a first step, which will add the runner’s IP address to the list of trusted sources of your database (the two inputs are read from the secrets created in Step 3):
    # Step 1, add the IP address
    - name: Add IP address to trusted sources (managed database)
      uses: GarreauArthur/manage-digital-ocean-managed-database-trusted-sources-gh-action@main
      with:
        action: "add"
        database_id: ${{ secrets.DATABASE_ID }}
        digitalocean_token: ${{ secrets.DIGITALOCEAN_TOKEN }}

Step 4.2: Do something with your database (example: Prisma, EXTREMELY VALUABLE INFORMATION)

  • Do something with your database

For example, if you are using Prisma, you can migrate your database with something like:

    # Step 2, do whatever you need to do with your database
    - name: Deploy to database
      run: npx prisma migrate deploy
      env:
        # DATABASE_URL is an assumed secret name: use the name you gave the
        # secret holding your connection string (see the note below)
        DATABASE_URL: ${{ secrets.DATABASE_URL }}

IMPORTANT: you need to create a GitHub secret containing the connection string of your database, !!! BUT !!! you need to modify it to make it work: append &connect_timeout=60&pool_timeout=60&socket_timeout=60 to the end of the string; otherwise the runner will not be able to connect, and the connection will time out.

Step 4.3: Remove the runner’s IP from the trusted sources

  • Add one more step to your workflow, to remove the runner’s IP address from the trusted sources:
    # Step 3, remove the IP address
    - name: Remove IP address from trusted sources (managed database)
      uses: GarreauArthur/manage-digital-ocean-managed-database-trusted-sources-gh-action@main
      with:
        action: "remove"
        database_id: ${{ secrets.DATABASE_ID }}
        digitalocean_token: ${{ secrets.DIGITALOCEAN_TOKEN }}
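To show what such an add/remove step has to do under the hood, here is an added example (not the action’s own code, and not part of the original post) that talks to the DigitalOcean API directly: it reads the current trusted-source rules, adds or removes an ip_addr rule for the runner’s address, and writes the full set back, because the firewall endpoint replaces all rules on PUT. It assumes the runner’s IP is passed as an argument (a previous step can obtain it, e.g. with curl), and that the token and database ID are provided in the DIGITALOCEAN_TOKEN and DATABASE_ID environment variables.

```python
# Add/remove one IP in a DigitalOcean managed database's trusted sources via
# the public API. PUT on the firewall endpoint replaces the whole rule set, so
# the existing rules are read first and sent back together with the change.
import json
import os
import sys
import urllib.request

API = "https://api.digitalocean.com/v2/databases/{}/firewall"


def with_ip(rules, ip):
    """Rule set plus an ip_addr rule for ip; other rules kept, no duplicates."""
    keep = [{"type": r["type"], "value": r["value"]} for r in rules]
    if not any(r["type"] == "ip_addr" and r["value"] == ip for r in keep):
        keep.append({"type": "ip_addr", "value": ip})
    return keep


def without_ip(rules, ip):
    """Rule set minus the ip_addr rule for ip; droplet/k8s/tag rules kept."""
    return [{"type": r["type"], "value": r["value"]} for r in rules
            if not (r["type"] == "ip_addr" and r["value"] == ip)]


def _call(method, url, token, body=None):
    """Authenticated JSON request; returns the decoded body ({} for 204)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def main(argv):
    # usage: trusted_sources.py add|remove <runner-ip> (hypothetical file name);
    # token and cluster ID are read from the environment, never from argv.
    action, ip = argv[1], argv[2]
    token, db_id = os.environ["DIGITALOCEAN_TOKEN"], os.environ["DATABASE_ID"]
    url = API.format(db_id)
    current = _call("GET", url, token)["rules"]
    new = with_ip(current, ip) if action == "add" else without_ip(current, ip)
    _call("PUT", url, token, {"rules": new})  # replaces the entire rule set
    print(f"{action} {ip}: {len(new)} trusted source(s) now configured")


if __name__ == "__main__":
    main(sys.argv)
```

Whichever way you remove the IP, run the removal step with `if: always()` so that a failed migration does not leave the runner’s address in the trusted sources.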

Step 5

Commit & Push, and it should work.

Bye.