Environment URL not set because env may contain secret

In trying to use the new environment feature in github actions, it appears that it isn’t possible to set a URL for an environment if it may contain secrets. I see this in the logs:

Warning: Skip setting environment url as environment <environment> may contain secret.

Given that most deployments will probably require some sort of secrets to deploy, is this intended? If so, is there a way around it or what is the underlying reason for this behavior?

1 Like

Are you using the secrets context there for some reason?

Meaning are you specifically referencing a secret in the url property of the environment key.

Thanks for your reply @chrispat and apologies for not following up earlier.

No, not referencing a secret in the URL. I’m only using github.event.number to form the URL.

It actually seems to be an error unrelated to secrets - what I see on the workflow overview page is this error:

System.AggregateException: One or more errors occurred. (Unexpected type 'BasicExpressionToken' encountered while reading 'Error in Environment Url for <environment>'. The type 'StringToken' was expected.)

The relevant lines from the workflow spec look like this:

  name: environment-${{ github.event.number }}
  url: https://environment-${{ github.event.number }}.example.com

Do you perhaps have a more complete example of your workflow? We are not able to reproduce this issue.


Do you have a minimalistic repro or a build where you could share?

We tried this:

name: EnvironmentURLIssue

      name: environment-${{ github.event.number }}
      url: https://environment-${{ github.event.number }}.example.com
    runs-on: ubuntu-latest
        - name: hello world
          run: |
            echo hello world
        - id: env-url-step
          name: set environment URL data
          run: echo "::set-output name=url::https://github.com"

Which seems to work fine.

Hi @yaananth thanks for your response - here is an example run where the error occurs: fix typo · SwissDataScienceCenter/renku@320fdab · GitHub

Thanks, we will investigate!

We repro’d this, while we will fix so that you won’t get that error and make workflow stuck, what’s happening in terms of URL not getting set is by design.

You probably have some part of the URL as a secret.

For example, I can repro this, if I make a secret “DEV” with value “dev”.

Now if I reference that secret somewhere in my workflow. It’s considered as a secret. If ur URL has “dev” in it, it’s a secret, so we skip setting that.

I’m experiencing a similar issue on a private repo so I’m unable to share links to the workflow, but I can share snippets:

I believe our issue is because we’re concatenating our Docker Image URL from the outputs of aws-actions/amazon-ecr-login@v1:

echo "::set-output name=image::$ECR_REGISTRY/$ECR_REPOSITORY:$IMAGE_TAG"

Works fine if we keep everything in a single job, but we want the build and deploy in separate jobs (because we don’t always deploy) and when we try to pass the image output to the next job we get Skip output 'image' since it may contain secret.

Is there a way we can unmask that string to help inform the GitHub runner that it’s not a a secret?

That doesn’t seem related to environment URL. May be a new issue for that could help.
But in general, there is some auto masking being done to make sure we don’t leak some secrets, there isn’t a way at the moment to mark something that could potential be recognized as a secret as non-secret