5

To run pytest within GitHub Actions, I have to pass some secrets to the Python runtime environment, e.g.:

  - name: Test env vars for python
    run: python -c 'import os;print(os.environ)'
    env:
      TEST_ENV: 'hello world'
      TEST_SECRET: ${{ secrets.MY_TOKEN }}

However, the output is as follows,

environ({
'TEST_ENV': 'hello world',
'TEST_SECRET':'',
...})

It seems not to be working due to GitHub's redaction.

Based on @raspiduino's answer, I explored both options for importing env vars further.

name: python

on: push

jobs:
  test_env:
    runs-on: ubuntu-latest
    steps:
    - name: Set up Python
      uses: actions/setup-python@v2
      with:
        python-version: 3.8
        
    - name: Test env vars for python
      run: python -c 'import os;print(os.environ)'
      env:
        ENV_SECRET: ${{ secrets.ENV_SECRET }} 
        REPO_SECRET: ${{ secrets.REPO_SECRET }} 
    
    - name: Test inline env vars for python
      run: ENV_SECRET=${{ secrets.ENV_SECRET }} REPO_SECRET=${{ secrets.REPO_SECRET }} python -c 'import os;print(os.environ)'

Basically, both steps produce the same output. The REPO_SECRET can be passed through but not the ENV_SECRET.


northtree
  • Secrets are redacted *from output*, meaning your program is seeing it correctly. If you absolutely need to *output* them, try encoding in some way (like base64) to bypass GitHub redaction. – iBug Mar 12 '21 at 05:28
  • @iBug Just attached the outputs. They are different from Environment and Repository secrets. – northtree Mar 12 '21 at 05:31
  • OK I think I know what's going on. For the time being please stick to repository secrets and stay away from "environment secrets". GitHub's "environment" is not like that of an operating system. – iBug Mar 12 '21 at 06:13
  • Hi @northtree, I did something very similar here with secrets if you want to take a look :) https://github.com/GuillaumeFalourd/ritchie-formulas-scheduler-demo/blob/main/.github/workflows/formulas-scheduler-secrets.yml – GuiFalourd Mar 19 '21 at 14:57

2 Answers

3

There are three types of secrets within GitHub Actions.

  1. Organization secrets
  2. Repository secrets
  3. Environment secrets

To access Environment secrets, you have to reference an environment in your job. (Thanks to @riQQ)


name: python

on: push

jobs:
  test_env:
    environment: TEST_SECRET
    runs-on: ubuntu-latest
    steps:
    - name: Set up Python
      uses: actions/setup-python@v2
      with:
        python-version: 3.8
        
    - name: Test env vars for python
      run: python -c 'import os;print(os.environ)'
      env:
        ENV_SECRET: ${{ secrets.ENV_SECRET }} 
        REPO_SECRET: ${{ secrets.REPO_SECRET }} 
northtree
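An added example, not part of the original answer: a preflight check a test run can call instead of printing os.environ. It reports whether each secret is unset, empty or set without echoing any value; in the question's output an empty string (rather than a masked `***`) is the sign that the secret never resolved. The names in REQUIRED come from the workflow above; the function names are hypothetical.

```python
import os

# Names taken from the workflow's env: block above; adjust to your own.
REQUIRED = ("ENV_SECRET", "REPO_SECRET")


def classify(name, environ):
    """Return 'unset', 'empty' or 'set' for one variable, never its value."""
    if name not in environ:
        return "unset"   # the step has no env: entry for this name
    if environ[name].strip() == "":
        return "empty"   # ${{ secrets.NAME }} expanded to an empty string
    return "set"


def preflight(names=REQUIRED, environ=None):
    """Map each required name to its state; the result is safe to log."""
    environ = os.environ if environ is None else environ
    return {name: classify(name, environ) for name in names}


def explain(report):
    """Build log lines that point at the likely workflow mistake."""
    hints = {
        "unset": "not exported to this step (no env: mapping)",
        "empty": "secret did not resolve: wrong name, or an environment "
                 "secret used in a job without 'environment:'",
        "set": "ok",
    }
    return [f"{name}: {state} - {hints[state]}" for name, state in report.items()]


def missing(report):
    """Names that would make the tests fail for lack of credentials."""
    return sorted(name for name, state in report.items() if state != "set")


if __name__ == "__main__":
    # Constructed sample mirroring the question: one secret resolved, one empty.
    sample = {"REPO_SECRET": "constructed-value", "ENV_SECRET": ""}
    report = preflight(environ=sample)
    print("\n".join(explain(report)))
    print("missing:", missing(report))
```

Calling preflight() with no arguments reads the real os.environ, so it can run as the first step of a pytest session and fail fast when missing() is non-empty.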
0

You can try the following:

  - name: Test env vars for python
    run: TEST_SECRET=${{ secrets.MY_TOKEN }} python -c 'import os;print(os.environ["TEST_SECRET"])'

This will pass ${{ secrets.MY_TOKEN }} directly as an environment variable to the python process and not share it with other processes. Then you can use os.environ['TEST_SECRET'] to get it.

I have done this here and here

raspiduino
  • I tried more on both Environment and Repository secrets. Only `Repository secrets` can be passed through. Have you tried `Environment secrets`? – northtree Mar 12 '21 at 05:26
  • 2
    @northtree you need to reference the environment in your job: https://stackoverflow.com/questions/66521958/how-to-access-environment-secrets-from-a-github-workflow – riQQ Mar 12 '21 at 18:07