In trying to use the new environment feature in github actions, it appears that it isn’t possible to set a URL for an environment if it may contain secrets. I see this in the logs:
Warning: Skip setting environment url as environment
<environment>may contain secret.
Given that most deployments will probably require some sort of secrets to deploy, is this intended? If so, is there a way around it or what is the underlying reason for this behavior?
Are you using the secrets context there for some reason?
Meaning are you specifically referencing a secret in the url property of the environment key.
Thanks for your reply @chrispat and apologies for not following up earlier.
No, not referencing a secret in the URL. I’m only using github.event.number to form the URL.
It actually seems to be an error unrelated to secrets - what I see on the workflow overview page is this error:
System.AggregateException: One or more errors occurred. (Unexpected type 'BasicExpressionToken' encountered while reading 'Error in Environment Url for <environment>'. The type 'StringToken' was expected.)
The relevant lines from the workflow spec look like this:
environment:
name: environment-${{ github.event.number }}
url: https://environment-${{ github.event.number }}.example.com
Do you perhaps have a more complete example of your workflow? We are not able to reproduce this issue.
Hello,
Do you have a minimalistic repro or a build where you could share?
We tried this:
name: EnvironmentURLIssue
on:
workflow_dispatch:
pull_request:
jobs:
build:
environment:
name: environment-${{ github.event.number }}
url: https://environment-${{ github.event.number }}.example.com
runs-on: ubuntu-latest
steps:
- name: hello world
run: |
echo hello world
- id: env-url-step
name: set environment URL data
run: echo "::set-output name=url::https://github.com"
Which seems to work fine.
Hi @yaananth thanks for your response - here is an example run where the error occurs: fix typo · SwissDataScienceCenter/renku@320fdab · GitHub
Thanks, we will investigate!
We repro’d this, while we will fix so that you won’t get that error and make workflow stuck, what’s happening in terms of URL not getting set is by design.
You probably have some part of the URL as a secret.
For example, I can repro this, if I make a secret “DEV” with value “dev”.
Now if I reference that secret somewhere in my workflow. It’s considered as a secret. If ur URL has “dev” in it, it’s a secret, so we skip setting that.
I’m experiencing a similar issue on a private repo so I’m unable to share links to the workflow, but I can share snippets:
I believe our issue is because we’re concatenating our Docker Image URL from the outputs of aws-actions/amazon-ecr-login@v1:
echo "::set-output name=image::$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"
Works fine if we keep everything in a single job, but we want the build and deploy in separate jobs (because we don’t always deploy) and when we try to pass the image output to the next job we get Skip output 'image' since it may contain secret.
Is there a way we can unmask that string to help inform the GitHub runner that it’s not a a secret?
That doesn’t seem related to environment URL. May be a new issue for that could help.
But in general, there is some auto masking being done to make sure we don’t leak some secrets, there isn’t a way at the moment to mark something that could potential be recognized as a secret as non-secret
Hi there, I believe we might be running into the same problem over here and was wondering if the issue above was ever addressed/fixed?
We’ve tried for configurations:
env:
STAGING_URL: https://staging-domain.com
jobs:
…
deploy-staging:
needs: build
runs-on: ubuntu-latest
environment:
name: staging
url: ${{ steps.deployment_staging.outputs.url }}
steps:
…
- name: Deploying to staging
run: |
chmod +x .ci/deploy.sh
.ci/deploy.sh
- name: Updating deployment status
if: ${{ success() }}
id: deployment_staging
run: echo "::set-output name=url::$STAGING_URL"
…
jobs:
…
deploy-staging:
needs: build
runs-on: ubuntu-latest
environment:
name: staging
url: ${{ steps.deployment_staging.outputs.url }}
steps:
…
- name: Deploying to staging
run: |
chmod +x .ci/deploy.sh
.ci/deploy.sh
- name: Updating deployment status
if: ${{ success() }}
id: deployment_staging
run: echo "::set-output name=url::https://staging-domain.com"
…
But both always result in the same exact error: Warning: Skip setting environment url as environment "staging" may contain secret.
Any idea what is causing this problem? After all we’re not using any secret…
I have the same problem.
build_and_test:
needs: get_services
runs-on: ubuntu-latest
outputs:
build_number: ${{ steps.get_build_number.outputs.build_number }}
service_name: ${{ env.service_name }}
strategy:
matrix:
service: ${{ fromJson(needs.get_services.outputs.services) }}
steps:
- name: Checkout source
uses: actions/checkout@v2
- name: Get Service Name
id: get_service_name
run: |
set -x
dir=${{ matrix.service }}
svc=${dir%?} # trim / at the end
svc=$(echo "${svc}" | tr '[:upper:]' '[:lower:]') # convert to lowercase
svc=${svc//./-} # replace "." with "-"
echo "##[set-output name=service_name;]$svc"
echo "service_name=${svc}" >> $GITHUB_ENV
I’m facing the same issue when trying to get the registry hostname from one job to another as an output.
Same thing when I try setting an extracted value (awk foo) from an ECR repo as an output var.
export ECR_REG_ID=`echo $ECR_REGISTRY | awk -F'.' '{ print $1 }'`
echo "::set-output name=ecrid::$ECR_REG_ID"
The same thing here when I try to set an extracted URL from a file
run: echo ::set-output name=url_output::$(cat saucelabs-job-id.txt | grep .)
The same issue with me, I tried to pass the url to following job after capture the ECR image url but failed.
run: echo "::set-output name=image::$ECR_REGISTRY/$ECR_REPOSITORY:$VERSION_TAG"