
Is there a way to pass data securely between repos using the client_payload in a repository dispatch event?

I create a repository dispatch event for a CI pipeline I have between two of my repos. My first repo uses Terraform in a GitHub Action to create Azure cloud resources and is then supposed to take the outputs for the server address, username, and password of my container registry resource created using my azure.tf script.

In the final step of my GitHub Action in the first repo, it makes a POST request with curl to notify my second repo that the initial cloud resources for the Azure Container Registry (ACR) have been created. It should now be safe to build my container images from my second repo and push them to ACR.

My problem is with the client_payload being sent over to my second repo: it is using unsecure raw JSON that will expose the password, most importantly, and other information in the output string of my running CI jobs under the GitHub Action in my second repo.

This is why I'd like to understand if there's a way to pass data securely between repos using the client_payload.

curl --location --request POST 'https://api.github.com/repos/ME_SECOND_REPO_WITH_THE_CONTAINERS/dispatches' \
--header 'Accept: application/vnd.github.everest-preview+json' \
--header 'Authorization: token <MY_PAT>' \
--header 'Content-Type: application/json' \
--data-raw '{
  "event_type": "MY_EVENT_TYPE",
  "client_payload": {
    "login_server": "UNSECURE_VALUE",
    "username": "UNSECURE_VALUE",
    "password": "UNSECURE_VALUE"
  }
}'
greg

1 Answer

Organization Secrets

GitHub Actions recently launched something called organization secrets. That would be a better way to handle the service account credentials (assuming you are using service accounts).

Manually trigger workflow

If you don't have a service account set up, then the most recent workflow_dispatch offering might be a better fit.

Workflow

on:
  workflow_dispatch:          # manual trigger from the Actions tab or the REST API
    inputs:                   # typed inputs the person triggering the run fills in
      logLevel:
        description: 'Log level'
        required: true
        default: 'warning'
      tags:
        description: 'Test scenario tags'

Trigger screenshot: (image not included)

Modified workflow would be like

on:
  workflow_dispatch:
    inputs:                   # the three values the first repo needs to hand over
      login_server:
        description: 'login server'
        required: true
        default: "xx.xx.xx.xx"
      username:
        description: 'username'
        required: true
      password:
        description: 'password'
        required: true

And you can access them as

  • ${{github.event.inputs.login_server}}
  • ${{github.event.inputs.username}}
  • ${{github.event.inputs.password}}

EDIT: To enable some level of obfuscation

Masking a value in log

chenrui
  • Is there a way to create these secrets using code in the GitHub Action, or can they only be manually created? I'm using secrets in both of my repos currently, but the container server address and credentials will change each time I run the Terraform job. – greg Jul 06 '20 at 19:12
  • Yeah, currently there is no API support for the GitHub secrets. (I hope they can fill this gap soon) – chenrui Jul 06 '20 at 19:15
  • Version controlling the secrets is a big challenge for us as well. – chenrui Jul 06 '20 at 19:15
  • @greg, I have updated my answer to include a better approach; let me know if that works. – chenrui Jul 07 '20 at 20:44
  • This approach appears to work for me. I also add another layer of obfuscation by placing these event inputs into env variables in my action. In my case I am using `github.event.client_payload.my_var` since it's a `repository_dispatch` event. – greg Jul 11 '20 at 20:36
  • How did you do the `obfuscation`? – chenrui Jul 11 '20 at 22:05
  • This may be another solution we can use. There's a way for the Terraform GitHub provider to manage secrets for GitHub. I'll propose another edit to your accepted answer to show this: https://wahlnetwork.com/2020/05/12/continuous-integration-with-github-actions-and-terraform/ – greg Jul 12 '20 at 23:24
  • Looks like you are trying to introduce the Terraform resource to address the setup? Did see a bunch of edit rejections though. XD – chenrui Jul 13 '20 at 15:11
  • I am, yes; Terraform is where the `login_server` and credentials are generated. Was any feedback provided for why this was rejected? – greg Jul 13 '20 at 16:13
  • I think it's probably because I did intend to make it overly complicated. LOL – chenrui Jul 14 '20 at 02:06
  • Maybe worth a separate post on this. – chenrui Jul 14 '20 at 02:06
  • I have also shared the details on GitHub too: https://github.community/t/secure-github-action-inputs/122310/2 – greg Jul 14 '20 at 09:07
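As an added example that is neither part of the question nor of the answer, here is how the receiving repo's workflow can register the handed-over values as masked before any other step runs, then pass them to docker only through environment variables and stdin (the env-variable layer greg mentions in the comments). It accepts both the asker's repository_dispatch event (type MY_EVENT_TYPE from the question) and the answer's workflow_dispatch inputs; the workflow name, image name and checkout step are assumptions.

```yaml
# Added example, not the asker's or answerer's workflow.
# Masks login_server/username/password in the first step so that no
# later step can print them to the job log, whichever trigger fired.
name: build-and-push
on:
  repository_dispatch:
    types: [MY_EVENT_TYPE]          # the event_type sent by the first repo's curl
  workflow_dispatch:
    inputs:
      login_server: { description: 'login server', required: true }
      username:     { description: 'username',     required: true }
      password:     { description: 'password',     required: true }

jobs:
  push:
    runs-on: ubuntu-latest
    steps:
      - name: Mask credentials before anything can echo them
        env:
          # Whichever trigger fired, the other context resolves to empty.
          LOGIN_SERVER: ${{ github.event.client_payload.login_server || github.event.inputs.login_server }}
          ACR_USERNAME: ${{ github.event.client_payload.username || github.event.inputs.username }}
          ACR_PASSWORD: ${{ github.event.client_payload.password || github.event.inputs.password }}
        run: |
          # ::add-mask:: replaces the value with *** in this job's log from now on.
          echo "::add-mask::$ACR_PASSWORD"
          echo "::add-mask::$ACR_USERNAME"
          # Hand the (now masked) values to later steps via GITHUB_ENV,
          # so they never appear on a command line.
          {
            echo "LOGIN_SERVER=$LOGIN_SERVER"
            echo "ACR_USERNAME=$ACR_USERNAME"
            echo "ACR_PASSWORD=$ACR_PASSWORD"
          } >> "$GITHUB_ENV"

      - uses: actions/checkout@v2

      - name: Log in to ACR
        # --password-stdin keeps the password out of process listings and the log.
        run: echo "$ACR_PASSWORD" | docker login "$LOGIN_SERVER" -u "$ACR_USERNAME" --password-stdin

      - name: Build and push
        run: |
          docker build -t "$LOGIN_SERVER/myapp:${GITHUB_SHA}" .   # image name is assumed
          docker push "$LOGIN_SERVER/myapp:${GITHUB_SHA}"
```

Masking only affects the job log: a value echoed before `::add-mask::` is registered is not hidden, and the payload is still delivered in clear to the receiving repo, so treat the registry credentials as short-lived and rotate them after the run.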