Secure GitHub Action Inputs

This is a follow-up from a Stack Overflow post.

If I use these action inputs, will these context variables be visible if I print them using echo during the runtime of my action? Is there a way to consume GitHub Action inputs securely?

  • ${{github.event.inputs.login_server}}
  • ${{github.event.inputs.username}}
  • ${{github.event.inputs.password}}

Currently, there is not a way to input secure variables. Would you mind storing your password in secrets instead of inputting it when triggering the workflow? You could use the secret variable in step inputs or step env.

steps:
  - name: Hello world action
    with: # Set the secret as an input
      super_secret: ${{ secrets.password }}
    env: # Or as an environment variable
      super_secret: ${{ secrets.password }}

You could refer to this article for more detailed information: https://docs.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets

Also, you could share your idea “support secure GitHub Action inputs” in the Feedback form for GitHub Actions.
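As an added example (not part of Yan's answer or of the GitHub docs), here is a complete workflow that follows this advice for the three values in the question: the registry hostname and username stay as workflow_dispatch inputs, the password comes from a repository secret, and every value reaches the shell through env rather than being interpolated into the run script. The secret name ACR_PASSWORD and the docker login step are assumptions chosen for illustration.

```yaml
# Added example: workflow_dispatch inputs for non-secret values, a repository
# secret for the password, all of them passed to the shell via env.
name: ACR login

on:
  workflow_dispatch:
    inputs:
      login_server:
        description: "Registry hostname, e.g. myregistry.azurecr.io (not secret)"
        required: true
      username:
        description: "Registry username (not secret)"
        required: true

jobs:
  login:
    runs-on: ubuntu-latest
    steps:
      - name: Log in to the registry
        env:
          # Dispatch inputs are NOT masked: anything echoed from these shows up
          # verbatim in the job log, and the values are part of the event payload.
          LOGIN_SERVER: ${{ github.event.inputs.login_server }}
          USERNAME: ${{ github.event.inputs.username }}
          # Secrets ARE masked: an exact match in the log is replaced with ***.
          # Masking is a log filter, not a guarantee, so still avoid echoing it.
          PASSWORD: ${{ secrets.ACR_PASSWORD }}   # ACR_PASSWORD: assumed secret name
        run: |
          # Read values from the environment. Writing ${{ github.event.inputs.x }}
          # directly inside run: would paste the raw input into this script text
          # before it executes, so a crafted input could inject shell commands.
          echo "Logging in to $LOGIN_SERVER as $USERNAME"
          echo "$PASSWORD" | docker login "$LOGIN_SERVER" --username "$USERNAME" --password-stdin
```

The workflow answers the question directly: echoing the two inputs prints them as typed, echoing the secret prints ***. If a value must be accepted at dispatch time anyway, `echo "::add-mask::$VALUE"` hides it from log lines that follow, but it does not turn the input into a secret, so the password still belongs in `secrets`.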

Thank you, Yan. I am now using this workaround to input and update secrets automatically using Terraform.

Manage Repository Secrets using the GitHub Terraform provider

Based on this blog you can create repo secrets from Terraform outputs. This will allow you to create the ${{ secrets.AZURE_ACR_LOGIN_SERVER }} using Terraform. Based on the GitHub provider argument reference, you may need to provide some credentials in the GitHub provider object or in the GitHub Action .yml, as I have, using export ARM_TENANT_ID=${{ secrets.AZURE_TENANT_ID }} and export GITHUB_TOKEN=${{ secrets.MY_PAT }}, and if you're part of an organization you may also need to export GITHUB_ORGANIZATION=My-Org.

Let’s use Azure Container registry as an example:

provider "azurerm" {
  version = "2.5.0"
  features {}
}

locals {
  # timestamp() is re-evaluated on every plan, so these names change on each
  # run and the resource group and registry are replaced on every apply. Fine
  # for a throwaway test; use fixed names for anything longer-lived.
  ts                    = timestamp()
  timestamp             = replace(local.ts, "/[ TZ:]/", "")
  timestamp_no_hyphen   = replace(local.timestamp, "-", "")
  my_container_registry = "mycontainerregistry"
}

resource "azurerm_resource_group" "my_resource_group" {
  name     = "terraform-test-rg-${local.timestamp}"
  location = "centralus"
}

resource "azurerm_container_registry" "mycontainerregistry" {
  # ACR names must be alphanumeric only, hence the hyphen-free timestamp.
  name                = "${local.my_container_registry}${local.timestamp_no_hyphen}"
  resource_group_name = azurerm_resource_group.my_resource_group.name
  location            = azurerm_resource_group.my_resource_group.location
  sku                 = "Basic"
  # With admin_enabled the resource also exports admin_username and
  # admin_password, which can be published to GitHub the same way as below.
  admin_enabled       = true
}

# The resource already exports login_server, so no separate data source is needed.
output "login_server" {
  sensitive = true
  value     = azurerm_container_registry.mycontainerregistry.login_server
}

# Credentials come from the environment (GITHUB_TOKEN, GITHUB_ORGANIZATION).
provider "github" { }

resource "github_actions_secret" "github-action-terraform-access-key" {
  repository      = "my_repo"
  secret_name     = "AZURE_ACR_LOGIN_SERVER"
  # The provider encrypts this with the repository's public key before sending
  # it to GitHub, but the plaintext is still written to Terraform state, so the
  # state backend needs the same protection as the secret itself.
  plaintext_value = azurerm_container_registry.mycontainerregistry.login_server
}
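To close the loop, here is the workflow that would run the Terraform above and hand both providers their credentials through env, as an added example rather than the poster's actual .yml. The azurerm provider reads ARM_CLIENT_ID, ARM_CLIENT_SECRET, ARM_SUBSCRIPTION_ID and ARM_TENANT_ID from the environment; the GitHub provider version used in the post reads GITHUB_TOKEN and GITHUB_ORGANIZATION (newer releases use GITHUB_OWNER). The secret names other than AZURE_TENANT_ID and MY_PAT, and the action versions, are assumptions.

```yaml
# Added example: run the Terraform from the post, with provider credentials
# supplied as job-level environment variables sourced from repository secrets.
name: Provision ACR and publish its login server as a repository secret

on:
  workflow_dispatch:

jobs:
  terraform:
    runs-on: ubuntu-latest
    env:
      # azurerm provider: service-principal credentials (secret names assumed,
      # except AZURE_TENANT_ID which the post uses)
      ARM_CLIENT_ID:       ${{ secrets.AZURE_CLIENT_ID }}
      ARM_CLIENT_SECRET:   ${{ secrets.AZURE_CLIENT_SECRET }}
      ARM_SUBSCRIPTION_ID: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
      ARM_TENANT_ID:       ${{ secrets.AZURE_TENANT_ID }}
      # github provider: the post's PAT stored as MY_PAT. GITHUB_TOKEN here is
      # just the provider's variable name, filled from the PAT, not the
      # workflow's automatic token.
      GITHUB_TOKEN:        ${{ secrets.MY_PAT }}
      GITHUB_ORGANIZATION: My-Org
    steps:
      - uses: actions/checkout@v2
      - uses: hashicorp/setup-terraform@v1
      - run: terraform init
      - run: terraform plan -out=tfplan
      - run: terraform apply -auto-approve tfplan
      # Do not upload tfplan or the local state as a workflow artifact: both
      # contain plaintext_value in the clear.
```

Two things to check before relying on this: the PAT behind MY_PAT needs write access to the target repository's secrets, and the Terraform state must live in a backend with access control and encryption at rest, because `github_actions_secret.plaintext_value` is stored there unencrypted even though the provider seals it before it reaches GitHub.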