GitHub secret created using REST API REST, but value is empty

Question

When I was trying to store a GitHub Actions secret using the REST API, it stored an empty value in secrets. But when I created secrets manually from the GitHub Actions web UI, it stored the value and works perfectly in scripts.

curl -L \
  -X PUT \
  -H "Accept: application/vnd.github+json" \
  -H "Authorization: Bearer <YOUR-TOKEN>" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  https://api.github.com/repos/OWNER/REPO/actions/secrets/SECRET_NAME \
  -d '{"encrypted_value":"c2VjcmV0","key_id":"012345678912345678"}'

Above is the API call and body to create the secret.

const sodium = require('libsodium-wrappers')
const secret = 'plain-text-secret' // replace with the secret you want to encrypt
const key = 'base64-encoded-public-key' // replace with the Base64 encoded public key

//Check if libsodium is ready and then proceed.
sodium.ready.then(() => {
  // Convert Secret & Base64 key to Uint8Array.
  let binkey = sodium.from_base64(key, sodium.base64_variants.ORIGINAL)
  let binsec = sodium.from_string(secret)

  //Encrypt the secret using LibSodium
  let encBytes = sodium.crypto_box_seal(binsec, binkey)

  // Convert encrypted Uint8Array to Base64
  let output = sodium.to_base64(encBytes, sodium.base64_variants.ORIGINAL)

  console.log(output)
});

Aaove code is to create the encrypted_value for the API call's body.

If we use this, it creates the secret, but the value of that secrets is empty.

How can I store a GitHub Actions secret using the REST API?

Answer 1

The GitHub CLI can do that for you with secret set:

gh secret set SECRET_NAME --body "plain-text-secret"

Or, if you're not currently in the repository you want to set the secret for, add --repo OWNER/REPO.

This takes care of the encryption, too.