Using GitHub Secrets without using GitHub Actions #26659
-
I was wondering if it’s at all possible to use GitHub secrets in python code located in the repository without initializing the secrets in the env section of the GitHub Actions yaml file. I have not set up my GitHub Actions workflows yet for the scripts, was just wondering if it was possible to use the GitHub secrets strictly in the python code only to mask data-sensitive information. Thanks!
Replies: 6 comments
-
Simple answer: No, it’d defeat the point if the secrets were accessible outside workflows.
shayanorellana:
What exactly are you trying to achieve?
-
I have some sensitive data including usernames and passwords in the repository and was wondering if I could use Secrets to mask these in the script. But your answer makes sense. I was following this article: “Accessing GitHub secrets in Python” by Dipam Vasani (DataDrivenInvestor). But I have to set up a YAML workflow for the secrets initialized in the YAML ENV and then use os.environ['SECRETS_KEY'] in the script for this to work. Is this correct?
-
What exactly do you mean by “masking”? All the masking the Actions runner does is in the logs; if you provide secrets to your script, the script has them in plaintext. To achieve the same thing in your script you can just not include potentially sensitive values in its output.
-
For example, I have a script that requires the MongoDB login credentials and want to mask or hide this information in the script. I was looking for alternatives such as Secrets to be able to store this information and use os.environ['MONGODB_PASSWORD'] in the script to do so: mongodb_pass = os.environ['MONGODB_PASSWORD'], ex: MongoClient(username: mongodb_pass), instead of having the password in plain sight in the script. But since this information is not in the workflow (because not using Actions) then it wouldn’t work, correct?
-
shayanorellana:
Not having the credentials directly in the script is good practice, yes. That has nothing to do with masking, though.
You can use environment variables just like in the Actions workflow, you’ll just have to set them when you run the script. Just be aware of what else you run in the same environment and of shell history (if you use Bash, HISTCONTROL is your friend).
An alternative is to use a config file: just read the values from another file instead of coding them into the script. Python has built-in parsers for JSON and INI-style files. I like YAML, but that requires installing PyYAML. Obviously don’t commit that file, I recommend adding it to
You can even support both in your script: Read environment variables or config file depending on command line options or simply what’s available. 😺
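An added example, not part of the original thread or any poster's code: one way to support both sources the answer above describes, preferring environment variables and falling back to an INI file, while keeping the password out of anything that gets printed. MONGODB_USERNAME, the secrets.ini file name, its [mongodb] section and the function names are assumptions made for illustration; only MONGODB_PASSWORD appears in the thread.

```python
import configparser
import os
import stat
from pathlib import Path


class CredentialError(RuntimeError):
    """Raised when no usable credential source is found."""


# Assumed names (not from the thread): MONGODB_USERNAME, secrets.ini, [mongodb].
def load_mongodb_credentials(environ=os.environ, config_path="secrets.ini"):
    """Return (username, password, source); the environment wins over the file."""
    user = environ.get("MONGODB_USERNAME")
    password = environ.get("MONGODB_PASSWORD")
    if user and password:
        return user, password, "environment"

    path = Path(config_path)
    if not path.is_file():
        raise CredentialError(
            f"set MONGODB_USERNAME/MONGODB_PASSWORD or create {path}")
    # Refuse a file that group or other users can access (POSIX mode bits).
    if os.name == "posix" and path.stat().st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise CredentialError(f"{path} is accessible to group/others; chmod 600 it")

    # interpolation=None: a '%' in a password must be read literally.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read(path)
    try:
        section = parser["mongodb"]
        return section["username"], section["password"], str(path)
    except KeyError as exc:
        # Name the missing key only; never echo file contents into errors.
        raise CredentialError(f"{path} lacks {exc} in [mongodb]") from None


def describe(user, password, source):
    """Log-safe summary: where the secret came from, never its value."""
    return f"mongodb user={user} password=<redacted> source={source}"
```

The config file belongs outside version control (for example, listed in .gitignore) so that it never reaches the repository.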
-
Thanks for your help @airtower-luna!