In many of my Github Workflows, I am creating an .env file from all Github Secrets. This is tedious because I have to list every single secret. See here for example:
Is there a way to get every secret to store it in batch?
Currently, we have no any easy and available to export all the secrets into a specified file.
Maybe you can try to using the API “List repository secrets” to list all the secrets defined in the repository.
This API will list the names of all the secrets as a JSON array in the response body. Then you can try to get each secret name from the response and use the names to access the values of the secrets in the repository.
In addition, there also is an API “List organization secrets” can list all the secrets defined in the organization level.
Ah, thanks, this looks to be what I was looking for, I will check how to integrate that.
Ah, it seems that doesn’t work, as you can’t do anything with those names. The reason is that this endpoint:
https://docs.github.com/en/rest/reference/actions#get-a-repository-secret
does not work in a workflow, probably because according to the docs
GitHub Apps must have the
secretsrepository permission to use this endpoint
So I don’t see a way to retrieve the value in a workflow dynamically, unfortunately.
Just want to add on to this as I’m trying to implement what @knipknap is discussing. I am allowed to use the API endpoint to get a repositry secret, however this endpoint doesn’t expose the secret’s value in plaintext. In fact I’m unsure of why this endpoint is available, unless it’s useful to know when a secret was created. You can see the issue where we discuss this here:
You must authenticate using an access token with the repo scope to use this endpoint. GitHub Apps must have the secrets repository permission to use this endpoint.
This description in the docs about the Get a repository secret includes two points:
- You need to create a personal access token with the repo scope. The GITHUB_TOKEN does not has the repo scope, so you can’t directly use the GITHUB_TOKEN to authenticate on this API.
- The GitHub App that runs the API should have the Secrets permission (“Read-only” at least). When running the API in a GitHub Actions workflow, the GitHub App should be “GitHub Actions”. And this app has gained the Secrets permission by default. If you register other GitHub Apps to run this API, you need to grant the Secrets permission to the apps.
To view more details about editing GitHub App’s permissions, you can reference here.
There also is an easier way than the “List repository secrets” API to get the list of all the secrets in a repository. It is using the secrets context.
- name: view the secrets context
shell: bash
run: echo "$SECRETS_CONTEXT"
env:
SECRETS_CONTEXT: ${{ toJson(secrets) }}
In the secrets context (JSON type), all the secrets you have added on the Secrets page of your repository will be listed, and it also will list the GITHUB_TOKEN (secrets.GITHUB_TOKEN).
For example:
Then you can try to export all the secrets (key-value pairs) from the secrets context into the .env file.
1 Like
Excellent solution, @brightran! I’m new to all this and, following your steps, was able to generate my .env file.
I used jq to convert the secrets JSON string to key-value pairs.
For anyone interested, in the working directory I added the following createEnvFile script:
#!/bin/bash
# Create .env file from GitHub secrets
json_secrets_str=$1
env_filename=".env"
jq -r 'to_entries|map("\(.key)=\(.value|tostring)")|.[]' <<< "$json_secrets_str" > "$env_filename"
Then, in the workflow file, added this step:
- run: bash ../createEnvFile.sh "$secrets"
env:
secrets: ${{ toJson(secrets) }}
3 Likes
thank you @donovanperalta your script really helped me,
but I had a problem with a multiline secret, I solved with this python script:
import json
import os
import sys
secrets = json.loads(sys.argv[1])
for key, value in secrets.items():
print(f"Setting {key} ...")
lines = len(value.split("\n"))
if lines > 1:
os.system(f"echo '{key}<<EOF' >> $GITHUB_ENV")
os.system(f"echo '{value}' >> $GITHUB_ENV")
os.system("echo 'EOF' >> $GITHUB_ENV")
else:
os.system(f"echo '{key}={value}' >> $GITHUB_ENV")