Environment URL not set because env may contain secret

In trying to use the new environment feature in GitHub Actions, it appears that it isn’t possible to set a URL for an environment if it may contain secrets. I see this in the logs:

Warning: Skip setting environment url as environment <environment> may contain secret.

Given that most deployments will probably require some sort of secrets to deploy, is this intended? If so, is there a way around it or what is the underlying reason for this behavior?

Are you using the secrets context there for some reason?

Meaning are you specifically referencing a secret in the url property of the environment key.

Thanks for your reply @chrispat and apologies for not following up earlier.

No, not referencing a secret in the URL. I’m only using github.event.number to form the URL.

It actually seems to be an error unrelated to secrets - what I see on the workflow overview page is this error:

System.AggregateException: One or more errors occurred. (Unexpected type 'BasicExpressionToken' encountered while reading 'Error in Environment Url for <environment>'. The type 'StringToken' was expected.)

The relevant lines from the workflow spec look like this:

environment:
  name: environment-${{ github.event.number }}
  url: https://environment-${{ github.event.number }}.example.com

Do you perhaps have a more complete example of your workflow? We are not able to reproduce this issue.

Hello,

Do you have a minimalistic repro or a build where you could share?

We tried this:

name: EnvironmentURLIssue

on:
  workflow_dispatch:
  pull_request:
    
jobs:
  build:
    environment:
      name: environment-${{ github.event.number }}
      url: https://environment-${{ github.event.number }}.example.com
    runs-on: ubuntu-latest
    steps:
        - name: hello world
          run: |
            echo hello world
        - id: env-url-step
          name: set environment URL data
          run: echo "::set-output name=url::https://github.com"

Which seems to work fine.

Hi @yaananth thanks for your response - here is an example run where the error occurs: fix typo · SwissDataScienceCenter/renku@320fdab · GitHub

Thanks, we will investigate!

We repro’d this. While we will fix it so that you won’t get that error and the workflow won’t get stuck, what’s happening in terms of the URL not getting set is by design.

You probably have some part of the URL as a secret.

For example, I can repro this, if I make a secret “DEV” with value “dev”.

Now if I reference that secret somewhere in my workflow, it’s considered a secret. If your URL has “dev” in it, it’s a secret, so we skip setting that.
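
The behaviour described in the reply above, as an added example that is not part of the thread and is not the runner's code: a shell function that reports which secret values occur as substrings of a candidate output or URL, which is the condition the reply gives for the skip. The function name, secret names and values are constructed, and the real runner's matching rules may differ.

```shell
# Added example (not runner code): approximates the substring check described above.
# Secret names and values below are constructed sample data.

# masked_matches VALUE NAME=SECRET...
# Prints "NAME LENGTH" for every secret whose value occurs inside VALUE.
# Exit status 0: at least one match, so VALUE would be treated as secret.
# Exit status 1: no match.
masked_matches() {
  mm_value=$1
  shift
  mm_status=1
  for mm_pair in "$@"; do
    mm_name=${mm_pair%%=*}            # text before the first "="
    mm_secret=${mm_pair#*=}           # text after the first "="
    [ -n "$mm_secret" ] || continue   # an empty secret matches nothing
    case $mm_value in
      *"$mm_secret"*)                 # quoted, so the secret is matched literally
        printf '%s %s\n' "$mm_name" "${#mm_secret}"
        mm_status=0
        ;;
    esac
  done
  return "$mm_status"
}

# Constructed case from the thread: a secret named DEV with the value "dev".
for url in "https://dev.example.com" "https://staging.example.com"; do
  if hits=$(masked_matches "$url" "DEV=dev" "API_TOKEN=constructed-token-value"); then
    echo "would be skipped: $url (contains: $hits)"
  else
    echo "would be set:     $url"
  fi
done
```

The printed length makes short secret values stand out, since those are the ones most likely to collide with ordinary hostnames and tags.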

I’m experiencing a similar issue on a private repo so I’m unable to share links to the workflow, but I can share snippets:

I believe our issue is because we’re concatenating our Docker Image URL from the outputs of aws-actions/amazon-ecr-login@v1:

echo "::set-output name=image::$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"

Works fine if we keep everything in a single job, but we want the build and deploy in separate jobs (because we don’t always deploy) and when we try to pass the image output to the next job we get Skip output 'image' since it may contain secret.

Is there a way we can unmask that string to help inform the GitHub runner that it’s not a secret?

That doesn’t seem related to environment URL. Maybe a new issue for that could help.
But in general, there is some auto masking being done to make sure we don’t leak some secrets; there isn’t a way at the moment to mark something that could potentially be recognized as a secret as non-secret.

Hi there, I believe we might be running into the same problem over here and was wondering if the issue above was ever addressed/fixed?

We’ve tried for configurations:

env:
  STAGING_URL: https://staging-domain.com

jobs:
  …

  deploy-staging:
    needs: build
    runs-on: ubuntu-latest
    environment:
      name: staging
      url: ${{ steps.deployment_staging.outputs.url }}
    
    steps:
      …

      - name: Deploying to staging
        run: |
          chmod +x .ci/deploy.sh
          .ci/deploy.sh

      - name: Updating deployment status
        if: ${{ success() }}
        id: deployment_staging
        run: echo "::set-output name=url::$STAGING_URL"

      …

jobs:
  …

  deploy-staging:
    needs: build
    runs-on: ubuntu-latest
    environment:
      name: staging
      url: ${{ steps.deployment_staging.outputs.url }}
    
    steps:
      …

      - name: Deploying to staging
        run: |
          chmod +x .ci/deploy.sh
          .ci/deploy.sh

      - name: Updating deployment status
        if: ${{ success() }}
        id: deployment_staging
        run: echo "::set-output name=url::https://staging-domain.com"

      …

But both always result in the same exact error: Warning: Skip setting environment url as environment "staging" may contain secret.

Any idea what is causing this problem? After all we’re not using any secret…

I have the same problem.

  build_and_test:
    needs: get_services
    runs-on: ubuntu-latest

    outputs:
      build_number: ${{ steps.get_build_number.outputs.build_number }}
      service_name: ${{ env.service_name }}

    strategy:
      matrix:
        service: ${{ fromJson(needs.get_services.outputs.services) }}

    steps:
      - name: Checkout source
        uses: actions/checkout@v2

      - name: Get Service Name
        id: get_service_name
        run: |
          set -x
          dir=${{ matrix.service }}
          svc=${dir%?}                                      # trim / at the end
          svc=$(echo "${svc}" | tr '[:upper:]' '[:lower:]') # convert to lowercase
          svc=${svc//./-}                                   # replace "." with "-"
          echo "##[set-output name=service_name;]$svc"
          echo "service_name=${svc}" >> $GITHUB_ENV

I’m facing the same issue when trying to get the registry hostname from one job to another as an output.

Same thing when I try setting an extracted value (awk foo) from an ECR repo as an output var.

export ECR_REG_ID=`echo $ECR_REGISTRY | awk -F'.' '{ print $1 }'`
echo "::set-output name=ecrid::$ECR_REG_ID"

The same thing here when I try to set an extracted URL from a file

run: echo ::set-output name=url_output::$(cat saucelabs-job-id.txt | grep .)

The same issue for me: I tried to pass the URL to the following job after capturing the ECR image URL, but it failed.

run: echo "::set-output name=image::$ECR_REGISTRY/$ECR_REPOSITORY:$VERSION_TAG"