
I'm trying to access the value of secrets sent to a GitHub Action, but I'm struggling. The values are returned as [FILTERED] every time, no matter what the key or the original value is.

I can access environment variables without a problem, so I must be screwing up somewhere else.

Essentially, what I'm trying to do is send an SSH key to my action/container, but I get the same issue when sending any other key/value as a secret.

My (simplified) GitHub Action is as follows:

action "Test" {
  uses = "./.github/actions/test"
  secrets = [
    "SSH_PRIVATE_KEY",
    "SSH_PUBLIC_KEY",
  ]
  env = {
    SSH_PUBLIC_KEY_TEST = "thisisatestpublickey"
  }
}

Dockerfile:

FROM ubuntu:latest

# Build args (the secrets and env values are supplied to the container at run time, not at build time)
ARG SSH_PRIVATE_KEY
ARG SSH_PUBLIC_KEY
ARG SSH_PUBLIC_KEY_TEST

# Copy entrypoint and make it executable
COPY entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]

entrypoint.sh:

#!/bin/sh

SSH_PATH="$HOME/.ssh"

# Create the key directory (no error if it already exists) and the known_hosts file
mkdir -p "$SSH_PATH"
chmod 700 "$SSH_PATH"
touch "$SSH_PATH/known_hosts"

# Write the two secrets and the plain environment variable to files
echo "$SSH_PRIVATE_KEY" > "$SSH_PATH/id_rsa"
echo "$SSH_PUBLIC_KEY" > "$SSH_PATH/id_rsa.pub"
echo "$SSH_PUBLIC_KEY_TEST" > "$SSH_PATH/id_rsa_test.pub"

# ssh refuses a private key that is readable by others
chmod 600 "$SSH_PATH/id_rsa"

# Print the files back to the action log
cat "$SSH_PATH/id_rsa"
cat "$SSH_PATH/id_rsa.pub"
cat "$SSH_PATH/id_rsa_test.pub"

The output of those three cat commands is:

[FILTERED]
[FILTERED]
thisisatestpublickey

As you can see, I can get (and use) the value of the environment variables, but the secrets aren't being exposed.

Anyone got any clues?

Just to update this, I've also simply tried echoing out both the secrets without quotes in entrypoint.sh:

echo $SSH_PRIVATE_KEY
echo $SSH_PUBLIC_KEY

...and in the log, I see the full decrypted content of $SSH_PRIVATE_KEY (i.e. the actual contents of my SSH key), while $SSH_PUBLIC_KEY still returns [FILTERED].

So I can assume that we are able to see the contents of secrets inside an action, but I don't know why I can see just one of them while the other returns [FILTERED].

Is it a caching thing, maybe?

I'm just trying to figure out a predictable way to work with this.

Bless
Contention
  • You can see the content of a secret inside the pipeline execution; here they explain how to proceed, from a Unix perspective, by creating a step or something with `echo ${{secrets.SECRET_NAME}} | sed 's/./& /g'` https://github.community/t/how-to-see-my-git-secrets/123668/5 It's just that by default that is not possible, because those are secrets – bgarcial Nov 09 '20 at 16:05

1 Answer


As you can see, I can get (and use) the value of the environment variables, but the secrets aren't being exposed.

That's because they're secrets. The Actions output is explicitly scrubbed for secrets, and they're not displayed.

The file contents still contain the secret contents.

Edward Thomson
  • Yeah, that's what I thought at first too - that it was designed like that. – Contention Feb 03 '19 at 18:16
  • (Sorry - hit send too soon.) ... however I've been playing a little more today. I can echo out both secrets without quotes `echo $SSH_PRIVATE_KEY` and `echo $SSH_PUBLIC_KEY` and I see the full contents of one of the variables as expected, and I still see `[FILTERED]` for the other. I'm treating them both exactly the same and getting unexpected results, and so far I just can't figure it out. – Contention Feb 03 '19 at 18:22
  • `SSH_PUBLIC_KEY` isn't secret; it's just an environment variable. Regular environment variables aren't filtered at all. – Edward Thomson Feb 03 '19 at 19:16
  • Yep, but in this case both `SSH_PRIVATE_KEY` and `SSH_PUBLIC_KEY` are added as secrets. I'm now echoing out `$SSH_PRIVATE_KEY` without quotes and I see the decrypted ssh key _in full_ in the log. I'm also echoing out `$SSH_PUBLIC_KEY` without quotes in exactly the same way in the same entrypoint.sh file and this still returns `[FILTERED]`. I can't get to the bottom of it! – Contention Feb 03 '19 at 19:23
  • Ah, sorry. I misread that, I thought it was `SSH_PUBLIC_KEY` that was in `env`. Reading again, I realize that it was `SSH_PUBLIC_KEY_TEST`. But in your question, both `SSH_PRIVATE_KEY ` and `SSH_PUBLIC_KEY` are marked as `[FILTERED]`. Can you update your question with what you're seeing now? – Edward Thomson Feb 03 '19 at 19:25
  • just dropped a quick update in there. There's not much additional info though - sorry! – Contention Feb 03 '19 at 19:36
  • You can reveal the value in the AWS and Azure versions of the same thing, though. It is a pain. – Alex Feb 09 '21 at 12:18
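To make the behaviour reported in the question and the answer's point about scrubbing concrete, here is an added Python model (not code from the post and not GitHub's implementation; the scrubber logic and the sample keys are constructed). An exact-match filter masks a quoted value and a one-line secret echoed unquoted, but not a multi-line secret echoed unquoted, because the shell's word splitting rewrites it before it reaches the log; a per-line filter closes that gap.

```python
# Added example (not from the post or from GitHub): a model of how a CI log
# scrubber masks secret values, and why `echo $VAR` can slip past it.

# Constructed sample secrets, not real keys. The "private key" spans several
# lines, the "public key" is a single line, mirroring the two secrets above.
SECRETS = {
    "SSH_PRIVATE_KEY": "-----BEGIN KEY-----\nMIIEexample1\nQIBAexample2\n-----END KEY-----",
    "SSH_PUBLIC_KEY": "ssh-rsa AAAAB3Nza example@host",
}


def echo_quoted(value):
    """echo "$VAR": the value reaches the log byte for byte."""
    return value


def echo_unquoted(value):
    """echo $VAR: unquoted expansion is word-split on IFS, so every run of
    whitespace (newlines included) collapses into a single space."""
    return " ".join(value.split())


def scrub_exact(line, secrets):
    """Scrubber that masks only verbatim occurrences of each whole secret."""
    for value in secrets.values():
        line = line.replace(value, "[FILTERED]")
    return line


def scrub_per_line(line, secrets):
    """Hardened scrubber: also registers every non-empty line of a
    multi-line secret, so a key collapsed onto one line is still masked."""
    for value in secrets.values():
        for piece in [value] + value.splitlines():
            if piece.strip():
                line = line.replace(piece, "[FILTERED]")
    return line


if __name__ == "__main__":
    priv, pub = SECRETS["SSH_PRIVATE_KEY"], SECRETS["SSH_PUBLIC_KEY"]
    print(scrub_exact(echo_quoted(priv), SECRETS))      # [FILTERED]
    print(scrub_exact(echo_unquoted(pub), SECRETS))     # [FILTERED] (one line, unchanged by word splitting)
    print(scrub_exact(echo_unquoted(priv), SECRETS))    # whole key, newlines turned into spaces
    print(scrub_per_line(echo_unquoted(priv), SECRETS)) # [FILTERED] [FILTERED] [FILTERED] [FILTERED]
```

The practical consequence for the entrypoint above is that quoting the variable keeps the value maskable, and not printing secret files at all removes the log as a leak channel entirely.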