Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How can I extract secrets using GitHub Actions?

I have a fairly basic scenario. I made a dedicated ssh key for this purpose and added it to my repository secrets.

  1. Code gets pushed to master

  2. GitHub action uploads it to server using ssh by doing echo "${{ secrets.SSH_KEY }}" > key.

  3. After that I can use this key to connect to my server e.g. ssh -i key [email protected] lsb_release -a

The problem is that for some reason GitHub actions cannot write it to file, it writes characters *** instead of the actual secret value into the file. Therefore obviously I cannot connect to my server.

How can I connect with ssh using this secret? Is there a way to connect without using a file? Can someone who did this common scenario using GitHub actions shed some light?

like image 816
Stan Avatar asked Dec 25 '19 21:12

Stan


2 Answers

GitHub Actions should be able to write a secret to a file this way. The reason you see the stars is that the log is filtered, so if a secret would be logged, it's replaced in the log with three asterisks instead. This is a security measure against an accidental disclosure of secrets, since logs are often publicly available.

However, it's a good idea to avoid writing the secret to the log anyway if possible. You can write your command like this so you don't write the secret to the log:

    - run: 'echo "$SSH_KEY" > key'       shell: bash       env:         SSH_KEY: ${{secrets.SSH_KEY}} 

All you'll see in the log is echo "$SSH_KEY" > key, not the secret or any asterisks.

Note that you do want quotes here, since the > character is special to YAML.

If this doesn't work to log into your server, there's likely a different issue; this technique does work for writing secrets in the general case.

like image 58
bk2204 Avatar answered Sep 19 '22 13:09

bk2204


I found a way to do this. We used GatsbyJS for a project and it relies on a .env.production file for the env variables. I tried to pass them as env: to the github action, but that didn't work and they were ignored.

Here is what I did. I base 64 encoded the .env.production file:

base64 -i .env.production 

Added the output to an env variable in github action. Then in my action I do:

echo ${{ secrets.ENV_PRODUCTION_FILE }} | base64 -d > .env.production 

This way the contents of my .env.production file ended being written to the machine that executes the github action.

like image 36
Daniel Dimitrov Avatar answered Sep 18 '22 13:09

Daniel Dimitrov