Why The Action Cannot Access Secrets?
C

4

9

I am trying to create a workflow to deploy Nuget packages to Github Package Repository using Github Actions.

In this case,

  • The repository is inside an organization
  • I am the owner of that organization
  • I have admin access to the repository
  • The repository has secrets listed
  • The commit is mine
  • The commit is a direct commit to a branch

But the action CANNOT access the secrets


Below is the workflow I am trying to execute

name: Build and Publish
on:
  push:
    branches:
      - gh-packages
jobs:
  build_and_publish:
    env:
      ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    name: Publish Packages to NuGet
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-dotnet@v1
        with:
          dotnet-version: "3.0.100"
      - name: Dump Github Context
        env:
          CONTEXT: ${{ toJson(github) }}
          SECRETS: ${{ toJson(secrets) }}
          TOK: ${{ secrets.ACCESS_TOKEN }}
          TEST: ${{ secrets.TEST }}
        run: |
          echo $ACCESS_TOKEN
          echo $TOK
          echo $TEST
          echo $GITHUB_TOKEN
          echo "$SECRETS"
          echo "$CONTEXT"
      - name: Setup Config
        run: sed "s/ACCESS_TOKEN/$ACCESS_TOKEN/g" .nuget.config > nuget.config
      - run: cat nuget.config
      - name: Build
        run: dotnet build -c Release
      - name: Publish
        run: chmod +x ./push.sh && ./push.sh

Both GITHUB_TOKEN and custom secrets like ACCESS_TOKEN are not working.

addition 01:

Even setting the environment variable name to GITHUB_TOKEN doesn't seem to work:

name: Build and Publish
env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
...

Contrayerva answered 19/4, 2020 at 17:17 Comment(2)
Any secret value (as well as certain encodings, such as Base64, of secret values) is scrubbed from the output and replaced with asterisks in the logs, which is a best security practice. This is true no matter how you render them: if the log text matches a secret, it's scrubbed. They are still accessible to your scripts and workflows, but cannot be viewed. - Cygnet
That's a pretty cool feature, not super clear in the documentation, but definitely a good security measure by the Github team. I guess you could print the secret with spaces after every character... updating my answer again - Natch
C
5

This problem occurred because of a misunderstanding of mine: I thought the secret values should show up in the logs if they are passed to the action correctly.

I am combining the answers of Ben Winding and bk2204 to make it clear.

Secret values are scrubbed in action logs. Don't expect to see the actual values in the action logs. Getting the scrubbed text means the value has been passed to the action. You can use the value within the script, but you can't see it in the logs. Check Ben's answer for how you can see the values, but it is not recommended.

Contrayerva answered 21/4, 2020 at 2:55 Comment(0)
N
10

Assuming you've passed the secret into the action:

env: 
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}


Then hiding the text with *** is expected behaviour of Github actions.

As you can see, I can get (and use) the value of the environment variables, but the secrets aren't being exposed.

That's because they're secrets. The Actions output is explicitly scrubbed for secrets, and they're not displayed.

The file contents still contain the secret contents.

Printing out a secret is possible, but a very bad practice - use the following command, which evades Github's security measures to prevent secrets leaking out logs

run: echo MYSECRET | sed -e 's/\(.\)/\1 /g'
# this will print "M Y S E C R E T"

Simply replace MYSECRET with the secret you're trying to print e.g. $GITHUB_TOKEN.

See the GitHub docs for detailed instructions on secrets.

Natch answered 19/4, 2020 at 23:46 Comment(4)
Trying to access the values by setting environment variables doesn't work either. Please check the latest update of the question. - Contrayerva
I have done exactly the same thing. Check the code snippet. - Contrayerva
Try passing each secret in individually, without the toJson function. Also just use ${{ secrets.GITHUB_TOKEN }}, no need to rename it to ACCESS_TOKEN up the top. Also apparently this question shows that you might be able to echo each secret if you don't include quotes in the command. - Natch
Edited my answer again, there's an official method at the bottom of the page (within the link at the bottom of my answer), hope it helps. - Natch
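To make the scrubbing behaviour discussed above concrete, here is an added Python model of a log masker (written for this page; it is not GitHub's runner code, which the page does not show). It replaces a constructed secret and its Base64 encodings with *** in constructed log lines, and shows that a length-only report passes through while a value that no longer matches, such as the spaced output from the sed trick, is not caught, which is why masking is a safety net rather than a reason to print secrets.

```python
import base64

# Constructed sample values for this example; not real tokens.
SECRET = "s3cr3t-token-EXAMPLE"
MASK = "***"


def secret_variants(secret):
    """Forms of one secret the scrubber recognises: the raw value plus its
    standard and URL-safe Base64 encodings, with and without '=' padding."""
    raw = secret.encode()
    std = base64.b64encode(raw).decode()
    url = base64.urlsafe_b64encode(raw).decode()
    return {secret, std, std.rstrip("="), url, url.rstrip("=")}


def mask_line(line, secrets):
    """Replace every occurrence of any variant of any secret with MASK.
    Longest variants go first so a padded Base64 form is not left as a
    stray '=' after its unpadded form has been replaced."""
    variants = set()
    for s in secrets:
        if s:  # an empty secret would match everywhere
            variants |= secret_variants(s)
    for v in sorted(variants, key=len, reverse=True):
        line = line.replace(v, MASK)
    return line


def mask_log(lines, secrets):
    return [mask_line(line, secrets) for line in lines]


def demo():
    """Constructed log of a step like the question's 'Dump Github Context'."""
    log = [
        "echo output: " + SECRET,                              # plain echo
        '{"ACCESS_TOKEN": "' + SECRET + '"}',                  # toJson(secrets)
        "b64: " + base64.b64encode(SECRET.encode()).decode(),  # encoded copy
        "spaced: " + " ".join(SECRET),                         # the sed trick
        "auth_token length: " + str(len(SECRET)),              # length only
    ]
    return mask_log(log, [SECRET])


if __name__ == "__main__":
    for masked in demo():
        print(masked)
```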
S
3

If you wish to log something to indicate the secret is there, try this:

auth_token="${{ inputs.auth_token }}"
echo "auth_token length: ${#auth_token}"

The ${#auth_token} will report the length of the secret. You will find the following in the logs:

auth_token length: 72

This lets you know the auth_token is there and how long it is, but does not reduce the security of the token.

Sprite answered 17/4, 2023 at 7:29 Comment(0)
A
-1

UPDATED
(Sorry folks, I know my previous answer doesn't suffice for this thread, so here is my updated answer.)

There are a few reasons why you can't access it: either you didn't set it up properly on your repo or you have a misspelled character. I found GitHub documentation regarding logging the secrets; here is what I found in their documentation:

Secrets are variables that you create in an organization, repository, or repository environment. The secrets that you create are available to use in GitHub Actions workflows. GitHub Actions can only read a secret if you explicitly include the secret in a workflow.

and how to properly access secrets, but this documentation didn't mention where we should put our secrets.

You must set your secrets under "Repository Settings / Secrets and Variables / Actions / Repository Secrets" in order to access them through the GitHub Actions script below.

Example of Repository secrets:


Accessing Secrets

steps:
  - shell: bash
    env:
      SUPER_SECRET: ${{ secrets.SuperSecret }}
    run: |
      echo "$SUPER_SECRET" # this line logs your SUPER_SECRET (it is shown masked)

Acrilan answered 17/6, 2023 at 16:11 Comment(1)
Thank you. I had my secrets under Environment Secrets and that doesn't appear to work, but changing to repo secrets worked. - Another
