14

I read some similar posts but none seem to answer this question. I can set individual GitHub secrets into environment variables in an Action if I know the name of the secret:

env:
  PW_ID0007: "${{secrets.PW_ID0007}}"

How can I expose all secrets as environment variables without knowing their names (either in bulk or some way to iterate through them and set them individually)?

mm_sml
  • 143
  • 1
  • 4

3 Answers

13

There is a way to do that. Please check here

- name: view the secrets context
  shell: bash
  run: echo "$SECRETS_CONTEXT"
  env:
    SECRETS_CONTEXT: ${{ toJson(secrets) }}

In that way you will expose all secrets without knowing names:


And now what you need is to go through this JSON using, for instance, jq and set them as env variables using the following syntax:

 echo "variable_name=variable_value" >> $GITHUB_ENV
Krzysztof Madej
  • 32,704
  • 10
  • 78
  • 107
  • Thanks, this steered me in the right direction. I was unaware of the GitHub toJson function you mention but found it documented here. – mm_sml Jun 17 '21 at 20:38
  • 1
    I was unaware of the GitHub toJson function you mention but found it documented here. [link](https://docs.github.com/en/actions/reference/context-and-expression-syntax-for-github-actions#tojson) Adding this exposed all secrets in one JSON environment variable. `env: SECRETS_CONTEXT: "${{ toJson(secrets) }}"` I am using Powershell so I did not need jq. Within a Powershell script I can read and parse this with normal commands: `$secrets = ($env:SECRETS_CONTEXT | ConvertFrom-Json -AsHashtable )` – mm_sml Jun 17 '21 at 20:47
5

I created an action exactly for that - takes all the secrets and exports them to environment variables.

An example would be:

- run: echo "Value of MY_SECRET1: $MY_SECRET1"
  env:
    MY_SECRET1: ${{ secrets.MY_SECRET1 }}
    MY_SECRET2: ${{ secrets.MY_SECRET2 }}
    MY_SECRET3: ${{ secrets.MY_SECRET3 }}
    MY_SECRET4: ${{ secrets.MY_SECRET4 }}
    MY_SECRET5: ${{ secrets.MY_SECRET5 }}
    MY_SECRET6: ${{ secrets.MY_SECRET6 }}
    ...

You could convert it to:

- uses: oNaiPs/secrets-to-env-action@v1
  with:
    secrets: ${{ toJSON(secrets) }}
- run: echo "Value of MY_SECRET1: $MY_SECRET1"

Link to the action, which contains more documentation about configuration: https://github.com/oNaiPs/secrets-to-env-action

oNaiPs
  • 551
  • 5
  • 14
2

I came up with a simple solution, which also works for multiline strings. Here is the corresponding GitHub action step:

- name: Expose github environment as shell variables
  env:
    SECRETS_CONTEXT: ${{ toJson(secrets) }}
    VARS_CONTEXT: ${{ toJson(vars) }}
  run: |
    # https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#setting-an-environment-variable
    # https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#multiline-strings
    EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
    to_envs() { jq -r "to_entries[] | \"\(.key)<<$EOF\n\(.value)\n$EOF\n\""; }
    echo "$VARS_CONTEXT" | to_envs >> $GITHUB_ENV
    echo "$SECRETS_CONTEXT" | to_envs >> $GITHUB_ENV

jq takes every key-value pair of the JSON and produces an env-command of the following form:

{name}<<{delimiter}
{value}
{delimiter}

For security reasons, the delimiter $EOF is a random string.

Those env-commands are then appended to $GITHUB_ENV, so that they are available in the next steps.

Felix Dietze
  • 602
  • 7
  • 16
  • 1
    This is exactly what I was looking for. Just to add you can then use `envsubst < .env.example > .env` to populate your `.env.example` file with those env variables and save it into `.env` – Tomas Trdla May 14 '23 at 14:35