
I have a GitHub Actions workflow job that has a couple of outputs that GitHub is detecting as secrets, but they are not at all. One is the first 7 chars of `github.sha` and the other is a random UUID that I generate using `uuidgen`.

These outputs are used by multiple other jobs in the same workflow, so I can't just move the steps into the jobs where I use them, because then I would have to duplicate the code.

This is the warning I am getting:

[screenshot of the warning]

How does GitHub decide that it may contain a secret? Is it because of the property name and/or value?

So if I try to read these outputs from another job, they are empty and break the logic of the workflow.

Is there a way to force it not to skip these outputs?

EDITS:

I added the `sha_short` output now, but the other output was already exported and used before. It was working; now it's detected as a secret. I am making some attempts to fix it, and sometimes `sha_short` is exported. It seems quite random.

I tried to change the names of the variables and to generate values in a different format using nanoid. At the moment it looks pretty random: sometimes one output is skipped and sometimes the other. So yeah, the ideal would be something that tells the runner to never skip these two outputs.

Output:

```
**mecho "docker_build_image_trigger=eff63***95-***ef***-***68c-9edb-***6570a8eb79c" >> $GITHUB_OUTPUT
**mecho "sha_short=dba69ba" >> $GITHUB_OUTPUT
```

Steps:

```yaml
steps:
  - name: Setup AWS
    if: env.SHOULD_REBUILD_DOCKER_IMAGES == 'false'
    uses: aws-actions/configure-aws-credentials@v1
    with:
      aws-access-key-id: ${{ env.TF_VAR_AWS_ACCESS_KEY_ID }}
      aws-secret-access-key: ${{ env.TF_VAR_AWS_SECRET_ACCESS_KEY }}
      aws-region: ${{ env.TF_VAR_AWS_REGION }}

  - name: Write secrets
    if: env.SHOULD_REBUILD_DOCKER_IMAGES == 'false'
    run: |
      aws secretsmanager get-secret-value --secret-id puck-legacy-${{ needs.get-environment-info.outputs.environment }}-secrets --output text --query SecretString >> aws-secrets.json

  - name: Get docker build image trigger
    id: docker-build-image-trigger
    if: env.SHOULD_REBUILD_DOCKER_IMAGES == 'false'
    uses: sergeysova/jq-action@v2
    with:
      cmd: cat aws-secrets.json | jq -r .INFRA_REBUILD_TRIGGER

  - name: Get sha short
    id: sha-short
    if: env.SHOULD_REBUILD_DOCKER_IMAGES == 'false'
    uses: sergeysova/jq-action@v2
    with:
      cmd: cat aws-secrets.json | jq -r .ACTION_CURRENT_COMMIT

  - name: nanoid
    id: nanoid
    if: env.SHOULD_REBUILD_DOCKER_IMAGES == 'true'
    run: |
      echo "nanoid=$(npx nanoid -s 8 -a 1234567890abcdef)" >> $GITHUB_OUTPUT

  - name: Current commit
    id: current-commit
    if: env.SHOULD_REBUILD_DOCKER_IMAGES == 'true'
    run: |
      SHA=${{ github.sha }}
      echo "hash=${SHA:0:7}" >> $GITHUB_OUTPUT

  - name: Get outputs
    id: get-outputs
    run: |
      echo "rebuild_trigger=${{ steps.docker-build-image-trigger.outcome == 'success' && steps.docker-build-image-trigger.outputs.value || steps.nanoid.outputs.nanoid }}" >> $GITHUB_OUTPUT
      echo "current_commit=${{ steps.sha-short.outcome == 'success' && steps.sha-short.outputs.value || steps.current-commit.outputs.hash }}" >> $GITHUB_OUTPUT
```

In the tests that I am running, `SHOULD_REBUILD_DOCKER_IMAGES` is `'true'`, so many of the steps are skipped and the outputs are always newly generated.

Another job in the workflow where I want to read those outputs:

```yaml
  infrastructure:
    ...
    needs: [get-environment-info, get-dependent-info]
    env:
      ...
      TF_VAR_ACTION_CURRENT_COMMIT: ${{ needs.get-dependent-info.outputs.current_commit }}
      TF_VAR_INFRA_REBUILD_TRIGGER: ${{ needs.get-dependent-info.outputs.rebuild_trigger }}

    steps:
      - name: Job info
        run: |
          echo "TF_VAR_ACTION_CURRENT_COMMIT=${{ env.TF_VAR_ACTION_CURRENT_COMMIT }}"
          echo "TF_VAR_INFRA_REBUILD_TRIGGER=${{ env.TF_VAR_INFRA_REBUILD_TRIGGER }}"
```

The output is:

```
TF_VAR_ACTION_CURRENT_COMMIT=
TF_VAR_INFRA_REBUILD_TRIGGER=
```
chenny
  • Can we see your output specifications? – Schwern Dec 14 '22 at 23:55
  • I added the output from the actions console. `github.sha` returns something like `0a4d7f98788881e454ee6b31c6de3efb602f7d07` and I am taking just the first 7 chars. `docker_build_image_trigger` is a common UUID. – chenny Dec 15 '22 at 00:03
  • Probably related to [this](https://github.com/community/community/discussions/37942)? What if you set the values to env through `GITHUB_ENV` instead of output? – akortex Dec 15 '22 at 00:19
  • Could you show us the output spec *in your workflow file*? – Schwern Dec 15 '22 at 00:27
  • @akortex `GITHUB_ENV` doesn't work for me because the env var will be available within the same job; I have to use the result in different jobs too. @Schwern, sorry, I don't know what output you are referring to. Do you mean the code of the workflow? – chenny Dec 15 '22 at 00:35
  • I added some part of the workflow. – chenny Dec 15 '22 at 00:44
  • Are they in the same workflow file, or are you calling a shared workflow? – Schwern Dec 15 '22 at 00:46
  • They are in the same workflow/file, just different jobs. `get-dependent-info` is supposed to export these outputs, which will be used in `infrastructure` and `build-backend`. Since there's all this logic, I don't want to duplicate the code. – chenny Dec 15 '22 at 00:49
  • Since they are in the same workflow, what prevents you from simply exporting the value to the environment and re-using it? I am pretty sure you can do that. – akortex Dec 15 '22 at 08:00
  • Nothing, but as far as I understood, `echo "{name}={value}" >> $GITHUB_ENV` makes the environment value available within the boundaries of the job, so it will be empty when I try to read it from another job. Right? Maybe I missed something. – chenny Dec 15 '22 at 10:12
  • I have run into this issue before; there was no solution that I liked. The matching seems very basic, e.g. if I had a secret whose value was `username`, then I can never have `username` in any outputs. One thing you can try is to base64 encode your outputs and then base64 decode them before using them. The encoding will thwart GitHub's attempts to detect the secret in outputs. – aknosis Dec 15 '22 at 16:12
  • Yes, I see. A little bit disappointing, I would say. For the moment I used [this](https://github.com/micronaut-projects/micronaut-views/blob/master/.github/workflows/release.yml#L134-L142) workaround using artifacts, but I am not that satisfied, because I noticed different behavior depending on the workflow trigger (on push or manual) and I had to duplicate the code anyway. How can I do base64 encoding in an action? I couldn't find it. – chenny Dec 16 '22 at 09:17
  • @aknosis never mind, I figured out that the `base64` command exists in bash. :) – chenny Dec 16 '22 at 09:23
  • Nope, base64-encoded strings are detected as secrets too. @aknosis which solution did you go for in the end? – chenny Dec 16 '22 at 11:03
  • @chenny I guess my use case was actually retrieving the values. I would echo them out to the console so I could see what they were. I was never able to keep these items as secrets AND use them in outputs etc. In my case I removed the secrets that weren't sensitive and threw them at the top level of the workflow as env variables. `- run: echo '${{ secrets.foo }}' | base64` – aknosis Dec 18 '22 at 20:37
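The comments above describe the masking as a plain substring match between secret values and output values. The following Python script is an added example, not code from the question or from GitHub: it models that described behaviour as an assumption (it is not GitHub's implementation) so that a planned job output can be checked locally, with secret values you already hold, for collisions before the runner skips it. Every secret and output value in it is a constructed sample, and the function names are this example's own. Independently of masking, a step output only reaches another job if the producing job declares it under `jobs.<job_id>.outputs` (mapped from `steps.<step_id>.outputs.<name>`); without that mapping `needs.<job_id>.outputs.<name>` is empty as well.

```python
"""Local pre-check for GitHub Actions job outputs that would collide with secret values.

Added example; not code from the question or from GitHub. It models the behaviour
described in the comments (an output is skipped when it contains a secret value
as a substring) as an ASSUMPTION about GitHub's matching, not as its implementation.
Every secret and output value below is a constructed sample.
"""

# Constructed sample data: secret names -> values as stored in the repository,
# and output names -> values as a step would write them to $GITHUB_OUTPUT.
SAMPLE_SECRETS = {
    "AWS_SECRET_ACCESS_KEY": "wJalrXUtnFEMI/K7MDENG/EXAMPLEKEY",  # constructed, not a real key
    "DOCKER_TAG_SUFFIX": "9edb",                                  # short, hex-looking value
}
SAMPLE_OUTPUTS = {
    "sha_short": "dba69ba",
    "docker_build_image_trigger": "eff63c95-4ef1-468c-9edb-d6570a8eb79c",
}


def find_secret_collisions(outputs, secrets):
    """Return {output_name: [secret_name, ...]} for each output that contains
    the value of at least one secret. Empty secret values are ignored because
    '' is a substring of every string and would flag everything."""
    collisions = {}
    for out_name, out_value in outputs.items():
        hits = [s_name for s_name, s_value in secrets.items() if s_value and s_value in out_value]
        if hits:
            collisions[out_name] = hits
    return collisions


def mask(value, secrets):
    """Replace every occurrence of a secret value with '***', longest value first,
    reproducing the look of a masked log line such as 'eff63***95-...' in the question."""
    masked = value
    for s_value in sorted((v for v in secrets.values() if v), key=len, reverse=True):
        masked = masked.replace(s_value, "***")
    return masked


def parse_github_output(lines):
    """Parse single-line 'name=value' entries in the $GITHUB_OUTPUT format.
    (The multi-line 'name<<DELIM' form is not handled by this example.)"""
    outputs = {}
    for line in lines:
        name, sep, value = line.rstrip("\n").partition("=")
        if sep and name.strip():
            outputs[name.strip()] = value
    return outputs


def check_github_output(lines, secrets):
    """Report which $GITHUB_OUTPUT entries would be skipped under the substring model."""
    return find_secret_collisions(parse_github_output(lines), secrets)


if __name__ == "__main__":
    report = find_secret_collisions(SAMPLE_OUTPUTS, SAMPLE_SECRETS)
    for name, value in SAMPLE_OUTPUTS.items():
        status = "WOULD BE SKIPPED (matches %s)" % ", ".join(report[name]) if name in report else "ok"
        print("%-28s %-40s %s" % (name, mask(value, SAMPLE_SECRETS), status))
```

Run it locally against the values in your own secret store; do not feed the repository secrets into an extra workflow step just to run this check, since that only widens where they are readable. Under this model a different encoding of the same value (base64, as tried in the comments) does not help when the encoded form also happens to contain a secret value; what helps is changing which values are stored as secrets, as the last comment did for values that were not actually sensitive.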
