Updating a repo secret and accessing its new value in the same job and workflow

Hello

I have a job in a workflow that generates an installation token and then creates or updates a repository-level secret called APP_TOKEN with the installation token as the value. This happens in 1 job.

However, it seems ${{ secrets.APP_TOKEN }} is actually referring to the previous value of APP_TOKEN, and not the new value which was updated in the step beforehand.

Is this because secrets are loaded at the start of a workflow run and therefore you can’t update them and refer to their new value during a workflow run?

Is there a way to refresh the secrets mid-workflow? Or does anyone have a better idea? Essentially I just need to pass the installation token generated in 1 job with other jobs. I’ve tried setting it as an output of the job and using needs in subsequent jobs, but it doesn’t work - presumably because passing secrets this way isn’t a good idea? But on a self-hosted runner as I’m using I’m not sure there is much concern.

Many thanks in advance.

:wave: Hey @biatwc,

Secrets are loaded at the start of a workflow run as you suggested, so you won’t be able to update it in the middle of a job and then use that new value later in the run.

If you’re using the same self-hosted runner for both jobs, you could save the token to a file on disk and then pass that location between jobs with a job output.

2 Likes
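The file-on-disk handoff suggested in the reply above, as an added example that is not part of the original thread. It assumes a Linux self-hosted runner with a custom label `token-host` assigned to exactly one machine, and a hypothetical script `scripts/mint-installation-token.sh` that prints the installation token; the `$HOME/.gha-handoff` directory is also an assumed location.

```yaml
# Added example (not from the thread): pass a short-lived token between jobs
# through a file on one shared self-hosted runner. Only the file path is a
# job output; the token itself never leaves the runner's disk.
name: token-handoff-example
on: workflow_dispatch

jobs:
  mint:
    runs-on: [self-hosted, token-host]   # assumed label; both jobs must land on the same machine
    outputs:
      token_path: ${{ steps.save.outputs.token_path }}
    steps:
      - uses: actions/checkout@v4
      - id: save
        run: |
          set -euo pipefail
          umask 077                        # files and dirs created below are owner-only
          dir="$HOME/.gha-handoff"         # assumed location; RUNNER_TEMP is emptied after each job
          mkdir -p "$dir"
          path="$dir/token-${GITHUB_RUN_ID}-${GITHUB_RUN_ATTEMPT}"
          token="$(./scripts/mint-installation-token.sh)"   # hypothetical script
          echo "::add-mask::$token"        # redact the value if it ever reaches the log
          printf '%s' "$token" > "$path"
          echo "token_path=$path" >> "$GITHUB_OUTPUT"

  use:
    needs: mint
    runs-on: [self-hosted, token-host]
    steps:
      - env:
          TOKEN_PATH: ${{ needs.mint.outputs.token_path }}
        run: |
          set -euo pipefail
          APP_TOKEN="$(cat "$TOKEN_PATH")"
          echo "::add-mask::$APP_TOKEN"    # masks do not carry over from the mint job
          curl -fsS -H "Authorization: Bearer $APP_TOKEN" \
            "$GITHUB_API_URL/repos/$GITHUB_REPOSITORY" > /dev/null
      - if: always()                       # remove the token file even when the step above fails
        env:
          TOKEN_PATH: ${{ needs.mint.outputs.token_path }}
        run: rm -f -- "$TOKEN_PATH"
```

If the `mint` job fails after writing the file, the `use` job never runs and the file stays on disk, so a periodic cleanup of the handoff directory on the runner is still needed.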

Just came across this information in the docs:

Organization and repository secrets are read when a workflow run is queued, and environment secrets are read when a job referencing the environment starts.

Accessing your secrets

Thanks, I’ve resorted to using a cronjob that posts a refreshed token as a repo secret every hour, in lieu of being able to do it from within a workflow.