Menu
I've started playing with GitHub actions, but I'm struggling with accessing repository secrets which I pass as env's.
My workflow file:
name: Invite
on:
pull_request:
branches: [master]
types: [closed]
jobs:
invite:
runs-on: ubuntu-latest
steps:
- name: Hello world action
uses: lekterable/inclusive-organization-action@master
env:
SECRET_TOKEN: ${{ secrets.SECRET_TOKEN }}
organization: string
SUPER_SECRET: ${{ secrets.SUPER_SECRET }}
action index file
const core = require('@actions/core')
const github = require('@actions/github')
const run = async () => {
try {
...
console.log('env', process.env)
const token = process.env.SECRET_TOKEN
const secret = process.env.SUPER_SECRET
const organization = process.env.organization
console.log('organization', organization)
console.log('token?', !!token)
console.log('secret?', !!secret)
console.log('token length', token.length)
...
} catch (error) {
core.setFailed(error.message)
}
}
run()
as you can see I'm passing 3 env's, the organization which has a value of 'string' exists as expected, but SECRET_TOKEN and SUPER_SECRET are empty.
And yes, I do have the secrets set in the repo which runs the action:
Is there something that I'm doing wrong?
335
To help prevent accidental secret disclosure, GitHub Actions automatically redact secrets printed to the log, but this is not a true security boundary because secrets can be intentionally sent to the log.
GitHub Actions usage is free for standard GitHub-hosted runners in public repositories, and for self-hosted runners. For private repositories, each GitHub account receives a certain amount of free minutes and storage for use with GitHub-hosted runners, depending on the product used with the account.
Update
While the original answer below does still apply to public repositories, there are a couple of new updates that may help for some use cases.
If your repository is private, you can now enable workflows from forks.
If your repository is public, there is a new pull_request_target event that is not subject to any token restrictions.
Original Answer
The reason you are experiencing this behaviour is because the Invite workflow is being triggered by a pull request from a forked repository.
With the exception of GITHUB_TOKEN, secrets are not passed to the runner when a workflow is triggered from a forked repository.
When this happens, the actor of the workflow is the user that opened the pull request. If that user doesn't have write access to your repository then they cannot use secrets (other than GITHUB_TOKEN).
Anyone with write access to a repository can create, read, and use secrets.
ref: https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets#using-encrypted-secrets-in-a-workflow
If you run this step in your workflow you will see that it has nothing to do with your action. The TEST_SECRET secret won't be available in the workflow either.
- name: Test
env:
TEST_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
TEST_SECRET: ${{ secrets.TEST_SECRET }}
run: |
echo ${#TEST_GITHUB_TOKEN}
echo ${#TEST_SECRET}
Checking the event data in the GitHub context you'll see that actor is the user that forked the repository and opened the pull request.
- name: Dump GitHub context
env:
GITHUB_CONTEXT: ${{ toJson(github) }}
run: echo "$GITHUB_CONTEXT"
This is a different but related issue answered by a GitHub staff member where it's explained that these limitations on forked repositories exist to "prevent malicious actors from using actions to poison upstream or downstream repos."
137
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
