
How to access the value of SECRETS in GitHub Actions?

I'm trying to access the value of SECRETs sent to a GitHub Action, but I'm struggling. The values are returned as [FILTERED] every time, no matter what the key or the original value is.

I can access ENVIRONMENT VARIABLES without a problem, so I must be screwing up somewhere else.

Essentially, what I'm trying to do is send an ssh key to my action/container, but I get the same issue when sending any other key/value as a secret.

My (simplified) GitHub Action is as follows:

action "Test" {
  uses = "./.github/actions/test"
  secrets = [
    "SSH_PRIVATE_KEY",
    "SSH_PUBLIC_KEY",
  ]
  env = {
    SSH_PUBLIC_KEY_TEST = "thisisatestpublickey"
  }
}

Dockerfile:

FROM ubuntu:latest

# Args
ARG SSH_PRIVATE_KEY
ARG SSH_PUBLIC_KEY
ARG SSH_PUBLIC_KEY_TEST

# Copy entrypoint
ADD entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]

entrypoint.sh:

#! /bin/sh

SSH_PATH="$HOME/.ssh"

mkdir "$SSH_PATH"
touch "$SSH_PATH/known_hosts"

echo "$SSH_PRIVATE_KEY" > "$SSH_PATH/id_rsa"
echo "$SSH_PUBLIC_KEY" > "$SSH_PATH/id_rsa.pub"
echo "$SSH_PUBLIC_KEY_TEST" > "$SSH_PATH/id_rsa_test.pub" 

cat "$SSH_PATH/id_rsa"
cat "$SSH_PATH/id_rsa.pub"
cat "$SSH_PATH/id_rsa_test.pub"

The output of those three cat commands is:

[FILTERED]
[FILTERED]
thisisatestpublickey

As you can see, I can get (and use) the value of the environment variables, but the secrets aren't being exposed.

Anyone got any clues?

Just to update this, I've also simply tried echoing out both the secrets without quotes in entrypoint.sh:

echo $SSH_PRIVATE_KEY
echo $SSH_PUBLIC_KEY

...and in the log, I see the full decrypted content of $SSH_PRIVATE_KEY (i.e., the actual contents of my ssh key) while $SSH_PUBLIC_KEY still returns [FILTERED].

So, I can assume that we are able to see the contents of secrets inside of an action, but I don't know why I can see just one of them, while the other returns [FILTERED].

Is it a caching thing, maybe?

I'm just trying to figure out a predictable way to work with this.

Contention asked Feb 03 '19 14:02




1 Answer

> As you can see, I can get (and use) the value of the environment variables, but the secrets aren't being exposed.

That's because they're secrets. The Actions output is explicitly scrubbed for secrets, and they're not displayed.

The file contents still contain the secret contents.

Edward Thomson answered Sep 19 '22 00:09
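
Following the answer's point that the log is scrubbed while the file still holds the real value, here is one way to write a secret to disk and confirm it arrived without printing it. This is an added example, not part of the original question or answer; the function names `install_secret_file` and `describe_secret_file` are hypothetical, and it assumes secrets arrive as environment variables, as in the question's entrypoint.sh.

```shell
#!/bin/sh
# Added example: install a secret from an environment variable and verify it
# using log-safe metadata only, so key material never reaches the job log.

# install_secret_file VAR_NAME DEST_PATH
# Writes the value of the environment variable VAR_NAME to DEST_PATH (mode 600).
install_secret_file() {
    var_name=$1
    dest=$2
    # Accept only a plain variable name, since it is passed to eval below.
    case $var_name in
        ''|*[!A-Za-z0-9_]*) echo "error: invalid variable name" >&2; return 2 ;;
    esac
    # Indirect lookup (POSIX sh has no ${!var}); newlines are preserved.
    eval "value=\${$var_name-}"
    if [ -z "$value" ]; then
        echo "error: $var_name is empty or unset" >&2
        return 1
    fi
    (
        umask 077                        # directory and file are private from creation
        mkdir -p "$(dirname "$dest")"
        printf '%s\n' "$value" > "$dest" # quoted: multi-line keys keep their line breaks
    ) || return 1
    chmod 600 "$dest"
}

# describe_secret_file PATH
# Prints octal mode and byte count, never the contents.
describe_secret_file() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 1; }
    # GNU/busybox stat first, BSD stat as a fallback.
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    size=$(wc -c < "$1" | tr -d ' ')
    echo "$1 mode=$mode bytes=$size"
}

# Usage inside an entrypoint (variable name taken from the question):
#   install_secret_file SSH_PRIVATE_KEY "$HOME/.ssh/id_rsa" &&
#   describe_secret_file "$HOME/.ssh/id_rsa"
```

A non-zero byte count and mode 600 in the log are enough to tell that the secret was delivered; `[FILTERED]` in the output of `cat` says nothing about the file itself.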