I created GitHub secrets using the GitHub REST API as described in the following documentation: https://docs.github.com/en/rest/actions/secrets
The code that I used to encrypt and then create my list of GitHub environment secrets is the following:
from base64 import b64encode

import requests
from github import Github
from nacl import encoding, public

# base, gitLogin, public_key, environnments and the two secret lists are
# defined in the part of the script that was left out of the question.
access_token = base["TOKEN"]
user = gitLogin["user"]

api_url = f"https://api.github.com/users/{user}/repos"
response = requests.get(api_url, auth=(user, access_token))
print(response)

dev_secrets_names = [...]
dev_secrets_list = [...]
dev_encrypted_secrets_list = []


def encrypt(public_key: str, secret_value: str) -> str:
    """Encrypt a Unicode string using the public key (libsodium sealed box)."""
    public_key = public.PublicKey(public_key.encode("utf-8"), encoding.Base64Encoder())
    sealed_box = public.SealedBox(public_key)
    encrypted = sealed_box.encrypt(secret_value.encode("utf-8"))
    return b64encode(encrypted).decode("utf-8")


for i in range(len(dev_secrets_list)):
    encrypted_secret = encrypt(public_key, dev_secrets_list[i])
    dev_encrypted_secrets_list.append(encrypted_secret)

# The ${{ ... }} expressions are GitHub Actions expressions; the runner
# substitutes them before this script executes inside a workflow step.
for i in range(len(dev_secrets_list)):
    url = (
        "https://api.github.com/repositories/${{ steps.repos.outputs.repos_id }}"
        "/environments/" + environnments["dev"] + "/secrets/" + dev_secrets_names[i]
    )
    print(url)
    body = {
        "encrypted_value": dev_encrypted_secrets_list[i],
        "key_id": "${{ steps.keys.outputs.key_id }}",
    }
    response = requests.put(url, json=body, auth=(user, access_token))
The code executes correctly, and when I go to check, the secrets are created in GitHub. Only, when I try to retrieve the secrets in a task, they are not read, as if they were empty. The following code is where I'm trying to use the secrets:
on:
  workflow_call:
    inputs:
      Organization:
        required: true
        type: string
      Repository:
        required: true
        type: string
      devEnv:
        required: true
        type: string
      uatEnv:
        required: true
        type: string
      prodEnv:
        required: true
        type: string
      devBranch:
        required: true
        type: string
      uatBranch:
        required: true
        type: string
      prodBranch:
        required: true
        type: string
      releaseBranch:
        required: true
        type: string
      rootFolder:
        required: true
        type: string
    secrets:
      DEV_SF_ACCOUNT:
        required: true
      DEV_SF_USERNAME:
        required: true
      DEV_SNOWFLAKE_PASSWORD:
        required: true
      DEV_SF_ROLE:
        required: true
      DEV_SF_WAREHOUSE:
        required: true

jobs:
  deploy-snowflake-changes-dev:
    name: deploy schemas changes to dev
    needs: ShitTest
    if: needs.ShitTest.outputs.output == 'true'
    environment:
      name: ${{inputs.devEnv}}
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2
      - name: Use Python 3.8.x
        uses: actions/[email protected]
        with:
          python-version: 3.8.x
      - name: Run schemachange
        shell: pwsh
        run: |
          python --version
          echo "Step 1: Installing schemachange"
          pip install schemachange
          echo "Step 3: Running schemachange"
          schemachange deploy -f ./${{inputs.rootFolder}} -a ${{secrets.DEV_SF_ACCOUNT}} -u ${{secrets.DEV_SF_USERNAME}} -r ${{secrets.DEV_SF_ROLE}} -w ${{secrets.DEV_SF_WAREHOUSE}} -d DEV_${{secrets.SF_DATABASE}} -c DEV_${{secrets.SF_DATABASE}}.${{secrets.SF_SCHEMA}}.${{secrets.SF_HISTORY_TABLE}} --vars $varsString --create-change-history-table -v
        env:
          SNOWFLAKE_PASSWORD: ${{ secrets.DEV_SNOWFLAKE_PASSWORD }}
I voluntarily removed some parts of the code to keep it simple.
Can you help me understand why the secrets are returned as empty?
Note: when I update the secrets manually, everything works.
The following code is the one from which I call the previous workflow:
jobs:
  snowflake-devops:
    uses: ./.github/workflows/snowflake-devops.yml
    with:
      Organization: $($parametersFileContent.organization)
      Repository: $($parametersFileContent.repository)
      devEnv: $($parametersFileContent.environnments.dev)
      uatEnv: $($parametersFileContent.environnments.uat)
      prodEnv: $($parametersFileContent.environnments.prod)
      devBranch: ${{ env.dev }}
      uatBranch: ${{ env.uat }}
      prodBranch: ${{ env.prod }}
      releaseBranch: ${{ env.release }}
      rootFolder: $($parametersFileContent.rootFolder)
    secrets:
      TOKEN: $TOKEN
      SF_DATABASE: $SF_DATABASE
      SF_SCHEMA: $SF_SCHEMA
      SF_HISTORY_TABLE: $SF_HISTORY_TABLE
      DEV_SF_ACCOUNT: $DEV_SF_ACCOUNT
      DEV_SF_USERNAME: $DEV_SF_USERNAME
      DEV_SF_ROLE: $DEV_SF_ROLE
      DEV_SF_WAREHOUSE: $DEV_SF_WAREHOUSE
      DEV_SNOWFLAKE_PASSWORD: $DEV_SNOWFLAKE_PASSWORD
Which public key value are you passing to your encrypt function? I just went through this scenario where the secret was being output as a blank string when attempting to use it in the workflow.
My problem was, and I'm assuming yours is too, that I was getting the repository public key, and not the environment public key.
Try using the Get an Environment Public Key endpoint and saving your secret again. I was able to retrieve the value after doing that.
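The flow the answer recommends, written out as an added example (it is not code from the question, the answer, or GitHub): fetch the public key of the target environment, seal the value with that key, and send that response's key_id together with the ciphertext to the environment-secret endpoint. It also shows, with PyNaCl, why the repository key silently produces an unreadable secret: a sealed box made with one X25519 public key cannot be opened by the other environment's private key, so the runner has nothing to inject. Assumptions: the `/repositories/{id}/environments/{name}/...` path form used in the question; a repository id, environment name, token and secret values supplied by the caller; an injectable `send` transport so the flow can be exercised offline against a constructed `FakeGitHub` stand-in (its key material is made up, not a real GitHub key); PyNaCl installed for the real sealing step.

```python
import json
import urllib.request
from base64 import b64encode
from typing import Optional

API = "https://api.github.com"


def environment_public_key_url(repo_id: int, env_name: str) -> str:
    """Key that seals secrets for ONE environment ("Get an environment public key")."""
    return f"{API}/repositories/{repo_id}/environments/{env_name}/secrets/public-key"


def environment_secret_url(repo_id: int, env_name: str, secret_name: str) -> str:
    return f"{API}/repositories/{repo_id}/environments/{env_name}/secrets/{secret_name}"


def repository_public_key_url(owner: str, repo: str) -> str:
    """The repository key; sealing an environment secret with it is the mistake in the thread."""
    return f"{API}/repos/{owner}/{repo}/actions/secrets/public-key"


def seal(public_key_b64: str, value: str) -> str:
    """libsodium sealed box, base64 in and out, as the GitHub docs describe (needs PyNaCl)."""
    from nacl import encoding, public
    key = public.PublicKey(public_key_b64.encode("utf-8"), encoding.Base64Encoder())
    return b64encode(public.SealedBox(key).encrypt(value.encode("utf-8"))).decode("utf-8")


def http_send(method: str, url: str, token: str, body: Optional[dict] = None):
    """Real transport over urllib; returns (status, parsed JSON or {})."""
    data = json.dumps(body).encode("utf-8") if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else {})


def put_environment_secret(repo_id, env_name, secret_name, value, token,
                           send=http_send, seal_fn=seal) -> int:
    """Fetch the environment key, seal with it, and send THAT key's key_id with the ciphertext."""
    status, key_doc = send("GET", environment_public_key_url(repo_id, env_name), token)
    if status != 200:
        raise RuntimeError(f"could not fetch environment public key: HTTP {status}")
    body = {
        "encrypted_value": seal_fn(key_doc["key"], value),
        "key_id": key_doc["key_id"],  # id of the key used on the line above, nothing else
    }
    status, _ = send("PUT", environment_secret_url(repo_id, env_name, secret_name), token, body)
    return status  # 201 created, 204 updated


class FakeGitHub:
    """Offline stand-in for the two endpoints. The key bytes are constructed, not a real key."""
    def __init__(self, public_key_b64: str = b64encode(bytes(range(32))).decode("ascii")):
        self.key_id = "env-key-id-constructed"
        self.public_key_b64 = public_key_b64
        self.last_put = None

    def __call__(self, method, url, token, body=None):
        if method == "GET" and url.endswith("/secrets/public-key"):
            return 200, {"key_id": self.key_id, "key": self.public_key_b64}
        if method == "PUT" and "/environments/" in url:
            self.last_put = body
            return 201, {}
        return 404, {}


def run_offline_demo():
    """Drive the flow against FakeGitHub with a stub sealer; returns (status, body that was PUT)."""
    gh = FakeGitHub()
    status = put_environment_secret(1234, "dev", "DEV_SF_ACCOUNT", "acct", "token",
                                    send=gh, seal_fn=lambda key, value: "sealed:" + value)
    return status, gh.last_put


def key_mismatch_demo():
    """Seal with a repository-style key and try to open with the environment key.
    Returns (wrong_key_opens, right_key_opens), or None when PyNaCl is not installed."""
    try:
        from nacl import public
        from nacl.exceptions import CryptoError
    except ImportError:
        return None
    repo_key, env_key = public.PrivateKey.generate(), public.PrivateKey.generate()
    sealed_with_repo = public.SealedBox(repo_key.public_key).encrypt(b"hunter2")
    sealed_with_env = public.SealedBox(env_key.public_key).encrypt(b"hunter2")

    def opens(private_key, blob):
        try:
            return public.SealedBox(private_key).decrypt(blob) == b"hunter2"
        except CryptoError:
            return False

    return opens(env_key, sealed_with_repo), opens(env_key, sealed_with_env)


if __name__ == "__main__":
    print(run_offline_demo())
    print(key_mismatch_demo())  # (False, True) when PyNaCl is available
```

The transport and sealer are injectable so the same function runs offline in a test and online with `http_send` plus `seal`; in a workflow step the `${{ steps.keys.outputs.key_id }}` value from the question must likewise come from the environment key response, not from a repository key lookup.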