Github Actions args not honoring variables

I have an action which runs a script that was built in a container from a previous step. I’m trying to execute that script and use a mix of envs, secrets, and args, but it seems like they are not being interpolated (or I have it configured incorrectly).

Here is the action:

action "Script Runner" {
  needs = ["Docker Build", "Integration Branch"]
  uses = "docker://"
  env = {
    PROJECT = "project1"
    SERVICE = "app1"
    ROLE = "my_encrypt_role"
  secrets = ["PASSWORD", "TOKEN"]
  runs = "local_scripts/"
  args = ["$PROJECT", "$SERVICE", "$TOKEN", "$ROLE", "$PASSWORD"]

Here is the logged event:

### STARTED Script Runner 15:04:11Z

Already have image (with digest): redacted
Can't open /root/$ROLE for reading, No such file or directory ##YOU CAN SEE ROLE WASN"T READ
139722621944256:error:02001002:system library:fopen:No such file or directory:../crypto/bio/bss_file.c:72:fopen('/root/$ROLE','r')
139722621944256:error:2006D080:BIO routines:BIO_new_file:no such file:../crypto/bio/bss_file.c:79:
You are in project:=============>$PROJECT . ##PROJECT WASN'T READ
You are deploying to service:===>$SERVICE . ## SERVICE WASN'T READ

### FAILED Script Runner 15:04:12Z (486ms)

I’ve marked it, but you can see $ROLE, $PROJECT, and $SERVICE were not echoed (by the script) as their interpolated values but as literals. I’d expect this if I wrapped the args in single quotes. What am I doing wrong here?

Thank you! 

Args can be read out as $1, $2, $3, $4, $5 inside

That being said, Environment variables should be accessible the way you’re using them, you’ll have to review Dockerfile and to identify the problem. You can start by specifying 

runs = “env”

with no arg to look at all the environment variables present.

Hi @wei 

I would think that is how it works, but the very top of the script reads in passed args.


The project would be $1 and it does not post correctly. However, if I put in my args like this

args = [“project1”, “app1”, “TOKEN”, “role1”, “PASSWORD”] (PASSWORD and TOKEN are secrets)

Then my log comes back better:

bad decrypt

You are in project:=============>project1

You are deploying to service:===>app1

 But I can tell the secrets still didn’t make it through correctly, and I’d rather not expose it to debug but I may have to.

Just create a new test secret and see if it comes back. Regardless, secrets are masked with [FILTERED] in the output anyways. Try my “env” test mentioned above if you still have troubles.

The runs env block, are you suggesting a block right before the script block? Such as

action “environment check” {
  needs = [“Previous step”]
  uses = “env”

Also, I echoed out all passed args to the script then cat’d that script. I also wanted to see if there is a difference from my test secret being with our without $.

My result is, they were passed but not interpolated.

My test secret was TESTSECRET with a value of: TESTTESTTEST

Args looked like this:

args = “projec1 app1 $TOKEN encrypted_role $PASS TESTSECRET $TESTSECRET”

My cat (from the script) showed this:

project1 app1 $TOKEN encrypted_role $PASS TESTSECRET $TESTSECRET

Try echo out env in the using echo $(env) to make sure it contains everything you want.

And you have to have $ before variables otherwise they are not interpolated.

Okay, I solved this. It looks like secrets are not passed at all through arguments. They are only exposed as environment variables. So to use my secrets, I had to slurp them in the bash script not pass them as arguments to the script from actions. For those who come after me and beat their head against the wall, this is what I did per secret


PASS=printf '%s\n' "${PASS}"
SLACK_TOKEN=printf '%s\n' "${TOKEN}"

doing_something_username password $PASS

post_in_slack $TOKEN