
How can I escape a multi-line secret in a GitHub workflow?

I've been directed to "handle this programmatically" and I don't have the ability to change or add the credentials file.

Using GitHub Actions, I've created a workflow that needs GCloud authenticated. Unfortunately, it seems that the variable is replaced prior to the run commands being executed, resulting in a multi-line YAML file that produces a bunch of errors.

Here's a snippet of the YAML:

    # Setup gcloud CLI
    - name: Use Google Cloud Platform
      uses: GoogleCloudPlatform/github-actions/setup-gcloud@master
      with:
        version: '270.0.0'
        service_account_email: ${{ secrets.SA_EMAIL }}
        service_account_key: ${{ secrets.GOOGLE_APPLICATION_CREDENTIALS }}

    - run: cd ui/ && pwd && npm install && npm run test
      env:
        CI: true
    - run: |
        echo ${{ secrets.GCP_AUTH_STAGING }} | gcloud auth activate-service-account --key-file=-
        gcloud container clusters get-credentials staging --region northamerica-northeast1 --project example-staging
        cd ui/ && pwd && npm run build && cd build/ && gsutil cp -r . gs://test.example.com/

I've tried escaping the credentials with something like CREDS=$( ${{ secrets.GCP_AUTH_STAGING }} ) but this just results in another multi-line problem. I believe the YAML variable is replaced prior to being executed, instead of being passed as an env.

If anyone has a command-line solution it would be much appreciated!

Please note I'm aware that there's a service account/key in the YAML as well but I cannot access it.

crockpotveggies asked Mar 24 '20 22:03



1 Answer

Using base64, we encode the service account JSON and pass it via an environment variable. Then, before calling activate-service-account, decode it using the shell script.

Sample code:

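    # Write the base64 text from the environment variable to a file
    echo "$GCP_CREDENTIALS" > gcp_credentials_enc.json
    # Decode it back into the original multi-line JSON key
    cat gcp_credentials_enc.json | base64 -d > gcp_credentials.json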
SANN3 answered Sep 28 '22 04:09

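The base64 approach from the answer above, written out as an added example (not code from the original post): the key is encoded to a single line before it is stored as a secret, then decoded from the environment variable into a file with owner-only permissions. Assumptions: the function names and the sample key are constructed for illustration, and the secret is mapped into the step's `env:` as `GCP_CREDENTIALS` rather than substituted into the script text.

```shell
#!/bin/sh
# Added example; only GCP_CREDENTIALS comes from the answer, other names are hypothetical.

# Workstation side: print the key file as ONE base64 line, ready to paste
# into the repository secret (line wraps emitted by base64 are stripped).
encode_key() {
  base64 < "$1" | tr -d '\n'
}

# Workflow side: decode $GCP_CREDENTIALS into file $1, readable only by the
# current user. Fails if the variable is empty or base64 -d rejects it.
write_key_file() {
  if [ -z "${GCP_CREDENTIALS:-}" ]; then
    echo "GCP_CREDENTIALS is empty" >&2
    return 1
  fi
  # Quoted variable through printf: no word splitting, nothing re-parsed by the shell.
  if ! ( umask 077; printf '%s' "$GCP_CREDENTIALS" | base64 -d > "$1" ) 2>/dev/null; then
    rm -f "$1"
    echo "GCP_CREDENTIALS could not be decoded" >&2
    return 1
  fi
  [ -s "$1" ]
}

# Constructed sample: multi-line JSON shaped like a service account key, with
# quotes and a \n escape, the characters that break inline substitution.
roundtrip_demo() {
  dir=$(mktemp -d) || return 1
  cat > "$dir/key.json" <<'EOF'
{
  "type": "service_account",
  "client_email": "ci@example-staging.iam.gserviceaccount.com",
  "private_key": "CONSTRUCTED-PLACEHOLDER\nNOT-A-REAL-KEY\n"
}
EOF
  GCP_CREDENTIALS=$(encode_key "$dir/key.json")
  write_key_file "$dir/decoded.json" && cmp -s "$dir/key.json" "$dir/decoded.json"
  status=$?
  rm -rf "$dir"
  return "$status"
}

roundtrip_demo && echo "round trip OK: decoded key is byte-identical"
```

In a workflow step, `write_key_file` would run before `gcloud auth activate-service-account --key-file=` is pointed at the decoded file, and the file should be deleted once authentication is done.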