
I am using secrets in my reusable workflow and also have outputs. My output is a path that has parts of AWS secrets in it, so I get the error: "Skip output 'file-url' since it may contain secret."

          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ secrets.AWS_REGION }}
          aws-bucket: ${{ secrets.S3_BUCKET }}
          bucket-root: ${{ secrets.S3_KEY }}
          file-path: ${{ steps.apk-file-path.outputs.file-path }}
          output-file-url: 'true'
          output-qr-url: 'true'

I tried to change it so that instead of secrets those would be inputs, with the secrets in the caller workflow, but then I get the error: "Unrecognized named-value: 'secrets'."

          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ inputs.aws_region }}
          aws-bucket: ${{ inputs.s3_bucket }}
          bucket-root: ${{ inputs.s3_key }}

Caller workflow:

    uses: ./.github/workflows/reusable-test.yml
    secrets: inherit
    with:
      aws_region: ${{ secrets.AWS_REGION }}
      s3_bucket: ${{ secrets.S3_BUCKET }}
      s3_key: ${{ secrets.S3_KEY }}

Is there any way to get around it? I need some help.

Polina_A
  • Welcome to SO Polina_A. Please follow https://stackoverflow.com/help/minimal-reproducible-example to create a reproducible example. – rethab Jun 08 '22 at 05:40

2 Answers

2

This can be caused by GitHub inspecting URLs and noticing the same value as within secrets. You might need to use mask-aws-account-id: no.

erPe
  • Is there a generalized solution for this problem (i.e. if we're not using the aws package)? – Miguel Mota Sep 07 '22 at 02:55
  • I'm not sure about that one; however, it has not been a problem to use the non-masked account in my scenarios. – erPe Sep 12 '22 at 09:21
  • @MiguelMota I wrote an answer with a workaround I found (https://nitratine.net/blog/post/how-to-pass-secrets-between-runners-in-github-actions/). Unfortunately it seems that there is no real solution yet, since not being able to pass masked values as outputs is by design. – Bruno Alexandre Rosa Feb 08 '23 at 14:57
0

A more general workaround for this issue is to encrypt the output using a secret as the passphrase and then decrypt it in the job where it is needed.

Here are examples of how gpg can be used:

Encrypting:

    # Encrypt the value with the shared secret as passphrase. The base64 ciphertext contains no
    # secret substring, so GitHub accepts it as a job/workflow output. The passphrase is quoted so
    # special characters survive; --pinentry-mode loopback is what gpg 2.1+ expects for a
    # non-interactive --passphrase in --batch mode.
    encrypted_value=$(gpg --symmetric --batch --pinentry-mode loopback --passphrase "${{ secrets.GPG_SECRET }}" --output - <(echo "my-secret-string") | base64 -w0)

Decrypting:

    # In the consuming job, decode and decrypt with the same secret. $encrypted_value here is the
    # output received from the producing job.
    decrypted_value=$(gpg --decrypt --quiet --batch --pinentry-mode loopback --passphrase "${{ secrets.GPG_SECRET }}" --output - <(echo "$encrypted_value" | base64 --decode))

This is based on https://nitratine.net/blog/post/how-to-pass-secrets-between-runners-in-github-actions/
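As an added example (not part of this answer or the nitratine post), here is how that encrypt-then-output pattern fits the reusable-workflow setup from the question: the reusable workflow emits the ciphertext as its output and the caller decrypts it in a later job. File names, the secret names GPG_SECRET and S3_BUCKET, and the S3 URL are assumptions for illustration.

```yaml
# .github/workflows/reusable-upload.yml (assumed file name)
name: reusable-upload
on:
  workflow_call:
    secrets:
      GPG_SECRET:
        required: true
      S3_BUCKET:
        required: true
    outputs:
      encrypted-file-url:
        value: ${{ jobs.upload.outputs.encrypted-file-url }}
jobs:
  upload:
    runs-on: ubuntu-latest
    outputs:
      encrypted-file-url: ${{ steps.enc.outputs.value }}
    steps:
      - id: enc
        env:
          PASSPHRASE: ${{ secrets.GPG_SECRET }}
          # constructed URL: it embeds the secret bucket name, so a plain output would be dropped
          FILE_URL: https://${{ secrets.S3_BUCKET }}.s3.amazonaws.com/app.apk
        run: |
          # the ciphertext contains no secret substring, so GitHub keeps it as an output
          enc=$(printf '%s' "$FILE_URL" | gpg --symmetric --batch --pinentry-mode loopback \
                --passphrase "$PASSPHRASE" --output - | base64 -w0)
          echo "value=$enc" >> "$GITHUB_OUTPUT"
---
# .github/workflows/caller.yml (assumed file name)
name: caller
on: [push]
jobs:
  build:
    uses: ./.github/workflows/reusable-upload.yml
    secrets: inherit
  use-url:
    needs: build
    runs-on: ubuntu-latest
    steps:
      - env:
          PASSPHRASE: ${{ secrets.GPG_SECRET }}
          ENC: ${{ needs.build.outputs.encrypted-file-url }}
        run: |
          url=$(printf '%s' "$ENC" | base64 --decode | gpg --decrypt --quiet --batch \
                --pinentry-mode loopback --passphrase "$PASSPHRASE" --output -)
          echo "::add-mask::$url"   # re-mask the plaintext so it is redacted in this job's log
          echo "Uploaded to $url"
```

Secrets and the passphrase are passed through env rather than interpolated into the script, so the run body contains no ${{ }} expansion; the decrypted URL is masked again because GitHub only masks the original secret values, not values derived from them.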