Trigger GitHub Actions Workflow from ReARM
N.B. This functinality is not part of ReARM Community Edition and is only available on ReARM Pro.
GitHub Part
- You need to register a GitHub application that would trigger events in your repositories. To do so, refer to instructions here.
Leave most values at their defaults, uncheck Active on Webhook, and set the following permissions: Repository Permissions -> Contents -> Access: Read and write.
Select to install for only this account or other accounts as well based on your organization needs.
Once the GitHub App is created, note its App ID.
Generate App Private Key as suggested by GitHub (on the home page of your app scroll down to the
Private keyssection and click onGenerate a private key). A .pem file would be downloaded onto your machine.From your bash terminal, perform the following commands on this .pem file (I would assume the file to be named
key.pemfor the commands below):
openssl pkcs8 -topk8 -inform PEM -outform DER -in key.pem -out key.der -nocrypt
base64 -w 0 key.derNote the output, you would need it to paste into ReARM integration form.
- In your browser, from the home page of your GitHub App, click on the
Install Appand install it for desired Account(s) and repository or repositories.
Once installed, the App would display installation ID in the browser address bar as shown on the image below.
Note this installation ID for adding into ReARM integration form later.
- Create a desired GitHub Actions script in your repository which would fire on repository dispatch event, i.e.
on:
repository_dispatch:
types: [reliza-build-event]See sample script here.
This script must be present on the main branch of your repository as GitHub Actions does not support branch selection for triggers.
Note that the event type is optional, and you can choose any event and configure it on ReARM.
In your script, you may also make use of client payload as described in the GitHub Documentation here. For this, add payload JSON to the Optional Client Payload JSON field in ReARM's output trigger. For example, to pass approved release version to GitHub Actions, you can use the following JSON:
{"approvedRelease": "$releaseversion"}Then in the workflow, you can access the payload using github.event.client_payload.approvedRelease. See full sample here.
ReARM Part
Note that for integration triggers firing on approval policy events, you would need an Approval Policy configured; for firing on vulnerabilities or policy violations, you would need Dependency Track integration configured.
Organization-Wide CI Integration Part (requires Organization Admin permissions)
In ReARM, open Organization Settings menu. Under Integrations tab, in the
CI Integrationssub-section, click onAdd CI Integration.Enter description (try to make this descriptive as this will be used to identify integration).
Choose
GitHubas CI Type.Paste your Base64-encoded key noted above in the
GitHub Private Key DER Base64field.Enter your GitHub App noted above in the
GitHub Application IDfield.Click
Save. Your CI Integration is now created.
Component Part (requires User with Write permissions)
In ReARM, make sure you register your VCS repository that contains desired GitHub Actions script either via Component creation or via VCS menu item and the plus-circle icon.
You need to set up a ReARM component that will have corresponding triggers configured. Once your component is created, open it and click on the tool icon to toggle component settings:
If you are setting triggers based on approvals, make sure you have Approval Policy selected under Core Settings tab.
Open Output Triggers tab and click on the
plus-circle iconin the bottom left (Add Output Trigger).Enter name for your trigger, i.e.
Trigger GitHub Actions Approval Workflow.Select
External Integrationas Type.Choose your previously created GitHub Integration in the
Choose CI IntegrationfieldEnter your GitHub App's Installation ID as noted above.
Enter name of your GitHub Actions event as referenced in your GitHub Actions script (the event name used in these instructions was
reliza-build-event).If you require any additional client payload, enter it in the JSON format in the Optional Client Payload JSON field.
For example, input: {"product_version": "$releaseversion"} to pass the release version on which the trigger fired to the GitHub Actions workflow.
Optionally, you can set a Dynamic client payload (CEL string expression) instead of — or in addition to — the static JSON above. This is a CEL expression evaluated against the release at the moment the trigger fires; when set, the evaluated result overrides the Optional Client Payload JSON field before delivery.
When to reach for it. The static field already supports the
$releaseversionplaceholder, so for a simple{"version": "<release-version>"}you do not need CEL —{"version": "$releaseversion"}in the static field does the same thing. CEL earns its keep when the payload needs to depend on conditional logic or fields the placeholder system doesn't expose (lifecycle, vulnerability counts, approval state, head-commit metadata, etc.).Format rules — the same as the static field, because the evaluated string is then JSON-parsed and sent as the GitHub
client_payload:- The expression must produce a JSON object string (top-level
{...}). - All values must be flat strings — nested objects, arrays, or non-string scalars cause the JSON parse to fail and the trigger silently falls back to the static field (the failure is logged on the server side at
WARN). - Don't use CEL's
{}literal syntax —{"version": release.version}evaluates to a CEL map and stringifies to Java's{version=0.5.0}form, which is not valid JSON. Build the JSON string by concatenation instead.
Sample expressions:
cel// Build a JSON object the consuming workflow can read '{"version": "' + release.version + '"}'cel// Multi-field, with a conditional value '{"ref": "refs/tags/' + release.version + '", "skip_tests": "' + (release.criticalVulns > 0 ? 'true' : 'false') + '"}'Fields exposed to the expression (under
release.*):release.version,release.lifecycle,release.component,release.branchType- vulnerability counts:
release.criticalVulns,release.highVulns,release.mediumVulns,release.lowVulns,release.unassignedVulns,release.firstScanned - policy violations:
release.securityViolations,release.operationalViolations,release.licenseViolations - approvals:
release.anyApproved,release.anyDisapproved,release.approvals["<entry-uuid>"]returning"APPROVED" | "DISAPPROVED" | "UNSET".approvalsis also a top-level alias so macros likeapprovals.exists(k, approvals[k] == "DISAPPROVED")work. - context:
release.agentSessions,release.commits,release.headCommit
Reading the payload in the GitHub Actions workflow — identical to the static-field case. The trigger fires GitHub's
repository_dispatchevent with body{"event_type": "<your event>", "client_payload": <parsed-map>}:yamlname: react-to-rearm on: repository_dispatch: types: [reliza-build-event] # must match step 9 jobs: build: runs-on: ubuntu-latest steps: - name: Show payload run: | echo "version=${{ github.event.client_payload.version }}" echo "ref=${{ github.event.client_payload.ref }}" - name: Checkout the tag the trigger pointed at uses: actions/checkout@v4 with: ref: ${{ github.event.client_payload.ref }} - name: Conditional skip if: github.event.client_payload.skip_tests != 'true' run: ./gradlew testEach key from the payload map is accessed as
github.event.client_payload.<key>; values arrive as strings since the server sends a flat string-to-string map.- The expression must produce a JSON object string (top-level
Under CI Repository click on the Edit icon and select your GitHub repository containing desired GitHub Actions workflow set up above.
Click on 'Save', your trigger is now created.
Now create a Trigger Event linked to this trigger to make it fire on desired events (TODO - to be documented soon).