Secret with special/escape characters fails when used

I am using a macos-latest executor to build a React Native app for iOS. The build itself works fine but deploying to TestFlight (via Fastlane) fails due to incorrect formatting of the Apple ID session token. I am generating the token locally and then saving it as a secret in the GitHub repo per this documentation. The Fastlane script expects the token to be available via environment variable FASTLANE_SESSION so I am exporting the value of the secret as the environment variable per the GitHub Actions documentation. It should be noted that the token string has special and escaped characters and Apple expects it to be formatted exactly as it is generated. I have tested locally and the session tokens I have generated are valid - they only fail when being read from the secret store in GitHub Actions. The Fastlane step fails with the following error:

Normal login (username and password) fails because 2FA is required - hence the use of the session token.

Relevant Actions yaml:

deply-ios-qa:
    runs-on: macos-latest
    env:
      MATCH_PASSWORD: ${{ secrets.MATCH_PASSWORD }}
      FASTLANE_APPLE_APPLICATION_SPECIFIC_PASSWORD: $${{ secrets.FASTLANE_APPLE_APPLICATION_SPECIFIC_PASSWORD }}
      FASTLANE_PASSWORD: $${{ secrets.FASTLANE_PASSWORD }}
      FASTLANE_SESSION: $${{ secrets.FASTLANE_SESSION }}
    steps:
      - name: Checkout
        uses: actions/checkout@v1

      - name: Install gems
        run: |
          bundle install

      - name: Build iOS app
        run: bundle exec fastlane ios deploy_testflight_qa

Is there a way to confirm that the secret is coming out in the incorrect format? Is GitHub Actions doing anything during the saving/reading of the secret that could affect the formatting? Again, Apple expects this string to be formatted exactly as their API gives it to you including spaces, special characters and escaped characters. Also of note: an identical Fastlane script with a similarly accessed secret works on another project in CircleCI so I know the workflow should succeed if the session token is correct.

1 Like

Hey @derek-ef ,

Are you intending to prepend the FASTLANE_PASSWORD and FASTLANE_SESSION with a $?

      FASTLANE_PASSWORD: ${{ secrets.FASTLANE_PASSWORD }}
      FASTLANE_SESSION: ${{ secrets.FASTLANE_SESSION }}

Would be the way to set those environmental variables to the value of those secrets.

Edit: FASTLANE_APPLE_APPLICATION_SPECIFIC_PASSWORD looks like it is getting prepended as well.

1 Like

Well, I suppose the string would be different if it had a $ at the beginning… yesterday was a long day.

Thanks for your response @thboop, your suggestion worked with one addition. I had to add single quotes around the string to make sure the format was kept exactly so my env var looks like this:

FASTLANE_SESSION: '${{ secrets.FASTLANE_SESSION }}'

On that topic, is there a good way to debug something like this? Obviously printing secrets to the console is masked in Actions which makes a lot of sense but having a way to run the action locally in CLI with local secrets defined would be a great improvement to developer experience. Is anything like this on the roadmap for Actions?

2 Likes
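
For the debugging question in the last post, one way to compare the value a job receives with the locally generated token without printing either one. This is an added example, not part of the original thread: the function names are hypothetical, the sample values are constructed, and it assumes `sha256sum` or `shasum` is on PATH.

```shell
# Fingerprint a secret so the local copy and the CI copy can be compared
# without printing the value. Function names are hypothetical.

sha256_of() {
  # Hash stdin and print only the hex digest (sha256sum on Linux, shasum on macOS).
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum | cut -d' ' -f1
  else
    shasum -a 256 | cut -d' ' -f1
  fi
}

secret_fingerprint() {
  # $1 = secret value. Prints "len=<bytes> sha256=<first 12 hex chars>".
  # printf '%s' keeps echo's trailing newline out of the hashed bytes.
  # The digest is truncated so the log carries less material for guessing.
  len=$(printf '%s' "$1" | wc -c | tr -d ' ')
  digest=$(printf '%s' "$1" | sha256_of | cut -c1-12)
  printf 'len=%s sha256=%s\n' "$len" "$digest"
}

secret_shape_warnings() {
  # Prints one line per structural problem and nothing for a clean value.
  nl='
'
  case $1 in
    '$'*) echo "starts with a literal \$ (stray \$ before \${{ ... }}?)" ;;
  esac
  case $1 in
    \'*\'|\"*\") echo "wrapped in literal quote characters" ;;
  esac
  case $1 in
    *"$nl") echo "ends with a newline" ;;
  esac
}

# In a workflow step (and again locally), call it on the variable itself:
#   secret_fingerprint "$FASTLANE_SESSION"
#   secret_shape_warnings "$FASTLANE_SESSION"

# Constructed sample values, not a real session token.
good='constructed \"escaped\" token value'
secret_fingerprint "$good"
secret_fingerprint "\$$good"        # same value with the stray $ from the workflow
secret_shape_warnings "\$$good"
```

If the `len` and `sha256` lines from the job match the ones produced locally, the runner received the token byte for byte. Remove the step once the mismatch is found, since even a truncated digest of a low-entropy secret helps someone guess it.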