Are there plans to allow the Actions token to modify secrets?

daniel-white · February 14, 2020, 2:47pm

I worked on an Action to rotate AWS access keys that are stored as secrets in my repository. To my dismay, it fails at the point of accessing the public key required to encrypt the new values with the dreaded

Resource not accessible by integration

Are there plans to allow Actions to update secrets? I know i can create a personal access token, but that seems like a bad hack.

logankilpatrick · February 14, 2020, 4:31pm

Using the GitHub API, you can currently update a secret: https://developer.github.com/v3/actions/secrets/#create-or-update-a-secret-for-a-repository

Note that this GitHub Actions API is currently in Public Beta and could change without warning.

daniel-white · February 14, 2020, 4:57pm

I know about that api. The token provided by actions is not scoped to have access. Hence my question

logankilpatrick · February 14, 2020, 5:06pm

Right, that seems like it’s by design. It does not make much sense from a security standpoint to allow a GitHub action itself to have the power to update, delete, or add GitHub secrets. I think the only way for this to occur is to use a Personal Access Token (which I think is how you access pretty much all of the GitHub API).

mscoutermarsh · February 15, 2020, 4:58pm

Yes, we did this intentionally. If the token had secret access, any Action with the token could modify the repositories secrets.

You’ll need to use a PAT to use the Secrets API from within Actions.

qoomon · April 23, 2020, 11:11am

Hi, we desperately need this feature. We want to have a cron job that rotates the repository own aws credentials on a regular base.

dend · June 22, 2022, 1:03am

@mscoutermarsh seems like there is an issue even using the PAT: Can't read secrets public key of a public repository

Can you confirm whether there is a workaround?