9

I am trying to create a workflow to deploy Nuget packages to Github Package Repository using Github Actions.

In this case,

  • The repository is inside an organization
  • I am the owner of that organization
  • I have admin access to the repository
  • The repository has secrets listed
  • The commit is mine
  • The commit is a direct commit to a branch

But the action CANNOT access the secrets

Below is the workflow I am trying to execute

name: Build and Publish
on:
  push:
    branches:
      - gh-packages
jobs:
  build_and_publish:
    env:
      ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    name: Publish Packages to NuGet
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-dotnet@v1
        with:
          dotnet-version: "3.0.100"
      - name: Dump Github Context
        env:
          CONTEXT: ${{ toJson(github) }}
          SECRETS: ${{ toJson(secrets) }}
          TOK: ${{ secrets.ACCESS_TOKEN }}
          TEST: ${{ secrets.TEST }}
        run: |
          echo $ACCESS_TOKEN
          echo $TOK
          echo $TEST
          echo $GITHUB_TOKEN
          echo "$SECRETS"
          echo "$CONTEXT"
      - name: Setup Config
        # substitute the token into the NuGet config template
        run: sed "s/ACCESS_TOKEN/$ACCESS_TOKEN/g" .nuget.config > nuget.config
      - run: cat nuget.config
      - name: Build
        run: dotnet build -c Release
      - name: Publish
        run: chmod +x ./push.sh && ./push.sh

Both GITHUB_TOKEN and custom secrets like ACCESS_TOKEN are not working.

addition 01:

Even setting the environment variable name to GITHUB_TOKEN doesn't seem to work:

name: Build and Publish
env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
...

Shanaka Rusith
  • 421
  • 1
  • 4
  • 19
  • 2
    Any secret value (as well as certain encodings, such as Base64, of secret values) is scrubbed from the output and replaced with asterisks in the logs, which is a best security practice. This is true no matter how you render them: if the log text matches a secret, it's scrubbed. They are still accessible to your scripts and workflows, but cannot be viewed. – bk2204 Apr 21 '20 at 00:35
  • That's a pretty cool feature, not super clear in the documentation, but definitely a good security measure by the Github team. I guess you could print the secret with spaces after every character... updating my answer again – Ben Winding Apr 21 '20 at 02:36

4 Answers

9

Assuming you've passed the secret into the action:

env: 
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

[screenshot of the Actions log omitted]

Then hiding the text with *** is expected behaviour of Github actions.

As you can see, I can get (and use) the value of the environment variables, but the secrets aren't being exposed.

That's because they're secrets. The Actions output is explicitly scrubbed for secrets, and they're not displayed.

The file contents still contain the secret contents.

Printing out a secret is possible, but a very bad practice. Use the following command, which evades GitHub's security measures that prevent secrets from leaking into logs:

run: echo MYSECRET | sed -e 's/\(.\)/\1 /g'
# this will print "M Y S E C R E T"

Simply replace MYSECRET with the secret you're trying to print e.g. $GITHUB_TOKEN.

See the GitHub docs for detailed instructions on secrets.

mikemaccana
  • 110,530
  • 99
  • 389
  • 494
Ben Winding
  • 10,208
  • 4
  • 80
  • 67
  • Trying to access the values by setting environment variables doesn't work either. Please check the latest update of the question. – Shanaka Rusith Apr 20 '20 at 01:49
  • I have done exactly the same thing. Check the code snippet. – Shanaka Rusith Apr 20 '20 at 11:13
  • Try passing each secret in individually, without the `toJson` function. Also just use `${{ secrets.GITHUB_TOKEN }}`, no need to rename it to ACCESS_TOKEN up the top. Also apparently [this question](https://stackoverflow.com/a/54505698/2419584) shows that you might be able to `echo` each secret if you don't include quotes in the command – Ben Winding Apr 20 '20 at 12:07
  • Edited my answer again, there's an official method at the bottom of the page (within the link at the bottom of my answer) hope it helps – Ben Winding Apr 20 '20 at 13:37
4

This problem occurred because of a misunderstanding of mine: I thought the secret values should show up in the logs if they were passed to the action correctly.

I am combining the answers of Ben Winding and bk2204 to make it clear.

Secret values are scrubbed in action logs. Don't expect to see the actual values in the action logs. Getting the scrubbed text means the value has been passed to the action. You can use the value within the script, but you can't see it in the logs. Check Ben's answer for how you can see the values, but it is not recommended.

Shanaka Rusith
  • 421
  • 1
  • 4
  • 19
1

If you wish to log something to indicate the secret is there, try this:

auth_token="${{ inputs.auth_token }}"
echo "auth_token length: ${#auth_token}"

The ${#auth_token} will report the length of the secret. You will find the following in the logs:

auth_token length: 72

This lets you know the auth_token is there and how long it is, but does not reduce the security of the token.

Grant Carthew
  • 177
  • 1
  • 10
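Generalizing the length check above into something a workflow step can source, as an added example that is not from any answer on this page: a POSIX shell helper that confirms a secret is present and reports only its length, and a replacement for the question's sed step that refuses to render the NuGet config when the secret is empty (the symptom of a missing env: mapping) and fails if the placeholder survives, without ever writing the rendered file to the log. The variable name ACCESS_TOKEN, the .nuget.config placeholder, the file name secret-check.sh and the token value in the usage comment are assumptions taken from the question's workflow.

```shell
#!/bin/sh
# Added example, not from any answer on this page. Helpers for confirming that a
# secret reached a job step without writing its value to the log. Names and the
# placeholder ACCESS_TOKEN are assumptions based on the question's workflow.

# Accept only plain identifiers before a name reaches eval.
valid_name() {
  case $1 in
    ''|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Return 0 if the named environment variable is set and non-empty.
secret_is_present() {
  valid_name "$1" || return 1
  eval "_v=\${$1:-}"
  [ -n "$_v" ]
}

# Print only the character length of the named variable (0 if unset or empty).
# The length is safe to log; the value itself never is.
secret_length() {
  valid_name "$1" || { printf '0\n'; return 1; }
  eval "_v=\${$1:-}"
  printf '%s\n' "${#_v}"
}

# Substitute PLACEHOLDER in TEMPLATE with the value of the variable VARNAME and
# write OUT. Refuses to run with an empty secret, so a missing env: mapping fails
# the step instead of silently producing a config with an empty token, and fails
# if the placeholder survives the substitution. The rendered file is not printed.
render_config() {
  template=$1 out=$2 placeholder=$3 varname=$4
  if ! secret_is_present "$varname"; then
    printf '%s is unset or empty; check the env: mapping in the workflow\n' "$varname" >&2
    return 1
  fi
  eval "_v=\${$varname:-}"
  # Escape sed replacement metacharacters (&, \ and the | delimiter) in the value.
  _esc=$(printf '%s' "$_v" | sed 's/[&|\\]/\\&/g')
  sed "s|$placeholder|$_esc|g" "$template" > "$out"
  if grep -q -- "$placeholder" "$out"; then
    printf 'placeholder %s still present in %s\n' "$placeholder" "$out" >&2
    return 1
  fi
}

# Usage in a workflow step (constructed), replacing the question's
# "cat nuget.config" step, which writes the rendered config to the log:
#   - name: Setup Config
#     run: |
#       . ./secret-check.sh
#       echo "ACCESS_TOKEN length: $(secret_length ACCESS_TOKEN)"
#       render_config .nuget.config nuget.config ACCESS_TOKEN ACCESS_TOKEN
```

The name check in front of eval matters because the helper is meant to be reused across workflows: a variable name is an identifier, never a string that should reach the shell parser. The length alone is enough to distinguish "secret not mapped" (0) from "secret mapped but rejected by the registry" (a plausible length), which is the distinction the question was trying to make by echoing the value.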
0

While reading all the content of the GitHub documentation on accessing your secrets, I finally saw this; it taught me a lot in terms of best practices and standard use cases of secrets.

Marvin
  • 647
  • 7
  • 15