This repository implements a simple GitHub composite action that logs into any Salesforce org from CI/CD automations, using either a Salesforce DX (SFDX) authorization URL or a JSON Web Token (JWT). Logging into an org authorizes the CLI to run other commands that connect to that org, such as deploying or retrieving a project. You can log into different types of orgs, such as sandboxes, Dev Hubs, Env Hubs, production orgs, and scratch orgs.
To log in with an SFDX Auth URL, you must first generate it. The easiest way is to run the following command against an already authorized org and redirect its output to a JSON file:

```bash
sf org display --target-org my-org --verbose --json > authFile.json
```

The resulting JSON file contains the URL in the "sfdxAuthUrl" property of the "result" object. The login action needs the contents of authFile.json, but saving raw JSON inputs in GitHub secrets is known to cause problems, so we take one more step and encode the contents as a Base64 string:

```bash
cat authFile.json | base64
```
We then only have to store the resulting Base64 string in a GitHub Actions secret, e.g. SFDX_AUTH_URL, and can reference it wherever we use the action in one of our workflows. A complete guide to secrets can be found here: Using secrets in GitHub Actions
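A pre-flight check for the procedure above, as an added example that is not part of this repository: it decodes the Base64 value, confirms that the "result" object carries an "sfdxAuthUrl", and prints only the host part. The names `extract_auth_url`, `redact` and `SecretFormatError` are hypothetical, the sample auth file is constructed, and the `force://...@<host>` shape check is an assumption about the URL format.

```python
import base64
import binascii
import json

# Constructed sample input shaped like the auth file described above: a
# "result" object with an "sfdxAuthUrl" property. The token is fake.
SAMPLE_AUTH_FILE = json.dumps({"result": {
    "username": "ci@example.com",
    "sfdxAuthUrl": "force://PlatformCLI::FAKE_REFRESH_TOKEN@example.my.salesforce.com",
}})


class SecretFormatError(ValueError):
    """The value does not decode to an auth file with a usable sfdxAuthUrl."""


def extract_auth_url(secret_b64: str) -> str:
    """Decode the Base64 secret and return result.sfdxAuthUrl, or raise."""
    try:
        # base64 may wrap its output, so drop whitespace before the strict decode.
        raw = base64.b64decode("".join(secret_b64.split()), validate=True)
        doc = json.loads(raw.decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError, json.JSONDecodeError) as exc:
        # Report only the error type so no secret material ends up in a message.
        raise SecretFormatError(f"not Base64-encoded JSON: {type(exc).__name__}") from None
    result = doc.get("result") if isinstance(doc, dict) else None
    url = result.get("sfdxAuthUrl") if isinstance(result, dict) else None
    if not isinstance(url, str):
        raise SecretFormatError('no "sfdxAuthUrl" property in the "result" object')
    # Assumption: auth URLs use the force:// scheme and end in "@<instance host>".
    if not url.startswith("force://") or "@" not in url:
        raise SecretFormatError("sfdxAuthUrl does not look like force://...@<host>")
    return url


def redact(url: str) -> str:
    """Keep only scheme and host so the result is safe to print in a log."""
    return "force://***@" + url.rsplit("@", 1)[1]


if __name__ == "__main__":
    secret = base64.b64encode(SAMPLE_AUTH_FILE.encode()).decode()
    print(redact(extract_auth_url(secret)))
```

Run it locally against the encoded string before saving the secret; the full URL is returned to the caller but never printed.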
In a GitHub workflow, the use of the action after the initial checkout step and the installation of the SF CLI could then look like this:
```yaml
jobs:
  validation:
    name: Validation
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Install SF CLI
        uses: svierk/sfdx-cli-setup@main
      - name: Salesforce Org Login
        uses: svierk/sfdx-login@main
        with:
          sfdx-url: ${{ secrets.SFDX_AUTH_URL }}
          alias: awesome-org
```
The SF CLI in this example workflow is installed via the action sfdx-cli-setup.
The JWT login flow requires a custom connected app to be created as well as a digital certificate, also called a digital signature, to sign the JWT request. You can create a self-signed certificate using OpenSSL. How to achieve this is already well documented:
- Authorize an Org Using the JWT Flow | Salesforce DX Developer Guide
- How To Use GitHub Actions, OAuth and SFDX-CLI for Continuous Integration | Blog Post
The following three parameters must be passed to the login action:
- client-id | OAuth client ID (consumer key) of the custom connected app
- jwt-secret-key | Contents of the server.key file containing the private key
- username | Username of the user logging in
In a GitHub workflow, the use of the action after the initial checkout step and the installation of the SF CLI could then look like this:
```yaml
jobs:
  validation:
    name: Validation
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Install SF CLI
        uses: svierk/sfdx-cli-setup@main
      - name: Salesforce Org Login
        uses: svierk/sfdx-login@main
        with:
          client-id: ${{ secrets.SFDX_CONSUMER_KEY }}
          jwt-secret-key: ${{ secrets.SFDX_JWT_SECRET_KEY }}
          username: ${{ secrets.SFDX_USERNAME }}
```
The SF CLI in this example workflow is installed via the action sfdx-cli-setup.
The two authorisation options supported by this GitHub composite action are documented in the Salesforce CLI Command Reference.
Latest release notes can be found on the release page.
The scripts and documentation in this project are released under the MIT License.