use steps output to read secret

Problem: On push, given a branch’s name, an environment variable (or output variable) is assigned a stage code (dev or prod). That is step 1. Step 2 now runs a script with some environment variable that we read from secrets. The issue is that I am not able to use the result of step 1 (the stage code) to read the required secrets in step 2.

Example:

    - name: Set env to production
      if: endsWith(github.ref, '/prod')
      run: |
        echo "::set-env name=ENVIRONMENT::prod"
    - name: Generate configuration
      run: npm run generate:config
      env:
        db_name: ${{ secrets.XXXX_db_name }}

The goal is to use ENVIRONMENT var in step 1 to replace the XXXX in step 2.

It’s not supported to set variables in encrypted secrets; you can directly set db_name in step 1.

Code as below:

    - name: Set env to production
      if: endsWith(github.ref, '/prod')
      run: |
        echo "::set-env name=db_name::${{ secrets.prod_db_name }}"
    - name: Generate configuration
      run: npm run generate:config

The point is to not replicate the commands for every secret for every stage. The point is to use the stage code to read the relevant secret in 1 command. Still, if this is not yet supported, I would rather do the following, to prevent exposing the secrets to the subsequent jobs:

    - name: Set env to production
      if: endsWith(github.ref, '/prod')
      run: npm run generate:config
      env:
        db_name: ${{ secrets.prod_db_name }}
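An added example that is not from any poster in this thread: a complete workflow that derives the stage code in step 1 as a step output and, in step 2, indexes the secrets context with a key built from that output, so one step serves every stage without repeating the command per secret. It assumes secrets named prod_db_name and dev_db_name, the same branch rule as above (refs ending in /prod are prod, everything else dev), and the page's npm run generate:config script; the ::set-env command used above is deprecated, so the stage code is passed through $GITHUB_OUTPUT instead. The secret stays scoped to the single step's env block rather than being exported to the whole job.

```yaml
name: Generate configuration
on: push

jobs:
  generate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Derive stage code from branch name
        id: stage
        run: |
          # Constructed mapping: refs ending in /prod -> prod, otherwise dev.
          # The stage code is not secret, so exposing it as an output is fine.
          if [[ "${GITHUB_REF}" == */prod ]]; then
            echo "code=prod" >> "$GITHUB_OUTPUT"
          else
            echo "code=dev" >> "$GITHUB_OUTPUT"
          fi

      - name: Generate configuration
        run: npm run generate:config
        env:
          # Index the secrets context with a computed key: resolves to
          # secrets.prod_db_name or secrets.dev_db_name (assumed names).
          # Declared only on this step, so the value is not job-wide.
          db_name: ${{ secrets[format('{0}_db_name', steps.stage.outputs.code)] }}
```

If a secret for the derived stage does not exist, the expression resolves to an empty string rather than failing, so the generate script should treat an empty db_name as an error.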