Exporting all secrets in a workflow action

knipknap · July 12, 2020, 5:25am

In many of my Github Workflows, I am creating an .env file from all Github Secrets. This is tedious because I have to list every single secret. See here for example:

github.com

barebaric/traefik-swarm/blob/7d33026a3c83ae5eea227247b3dcf87ba50a1ba1/.github/workflows/deploy.yml

name: Deploy to production swarm

on:
  push:
    branches:
      - master
  release:
    types: [created]

jobs:
  deploy:
    runs-on: ubuntu-latest

    steps:
    - name: Checkout master
      uses: actions/checkout@v2
      
    - name: Make envfile for Traefik
      uses: knipknap/create-envfile@master
      with:

This file has been truncated. show original

Is there a way to get every secret to store it in batch?

brightran · July 14, 2020, 4:47am

@knipknap,

Currently, we have no any easy and available to export all the secrets into a specified file.

Maybe you can try to using the API “List repository secrets” to list all the secrets defined in the repository.
This API will list the names of all the secrets as a JSON array in the response body. Then you can try to get each secret name from the response and use the names to access the values of the secrets in the repository.

In addition, there also is an API “List organization secrets” can list all the secrets defined in the organization level.

knipknap · July 13, 2020, 9:56am

Ah, thanks, this looks to be what I was looking for, I will check how to integrate that.

knipknap · July 13, 2020, 5:14pm

Ah, it seems that doesn’t work, as you can’t do anything with those names. The reason is that this endpoint:

https://docs.github.com/en/rest/reference/actions#get-a-repository-secret

does not work in a workflow, probably because according to the docs

GitHub Apps must have the secrets repository permission to use this endpoint

So I don’t see a way to retrieve the value in a workflow dynamically, unfortunately.

AngelOnFira · July 13, 2020, 6:07pm

Just want to add on to this as I’m trying to implement what @knipknap is discussing. I am allowed to use the API endpoint to get a repositry secret, however this endpoint doesn’t expose the secret’s value in plaintext. In fact I’m unsure of why this endpoint is available, unless it’s useful to know when a secret was created. You can see the issue where we discuss this here:

brightran · July 14, 2020, 8:30am

@knipknap,

You must authenticate using an access token with the repo scope to use this endpoint. GitHub Apps must have the secrets repository permission to use this endpoint.

This description in the docs about the Get a repository secret includes two points:

You need to create a personal access token with the repo scope. The GITHUB_TOKEN does not has the repo scope, so you can’t directly use the GITHUB_TOKEN to authenticate on this API.

new_PAT1099×500 26 KB
The GitHub App that runs the API should have the Secrets permission (“Read-only” at least). When running the API in a GitHub Actions workflow, the GitHub App should be “GitHub Actions”. And this app has gained the Secrets permission by default. If you register other GitHub Apps to run this API, you need to grant the Secrets permission to the apps.
To view more details about editing GitHub App’s permissions, you can reference here.

GitHub_App825×90 4.24 KB

brightran · July 16, 2020, 7:03am

@knipknap,

There also is an easier way than the “List repository secrets” API to get the list of all the secrets in a repository. It is using the secrets context.

- name: view the secrets context
  shell: bash
  run: echo "$SECRETS_CONTEXT"
  env:
    SECRETS_CONTEXT: ${{ toJson(secrets) }}

In the secrets context (JSON type), all the secrets you have added on the Secrets page of your repository will be listed, and it also will list the GITHUB_TOKEN (secrets.GITHUB_TOKEN).
For example:
example

Then you can try to export all the secrets (key-value pairs) from the secrets context into the .env file.