Variable secret name

I need to get the secret, but the secret name will vary by branch. Something like:

branch=${GITHUB_REF#refs/heads/}
secret-name="secrets.${branch^^}"
secret-value=${{ secrets[$secret-name] }}"

How could it be done?

GitHub automatically redacts secrets printed to the log, but you should avoid printing secrets to the log intentionally.
https://help.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#accessing-your-secrets

Unfortunately, there isn’t a way to echo secrets out in the logs, we’re sorry about that.

We really appreciate feedback on how we can make GitHub even better and the best way to report any feature requests is directly to us through our feedback form: https://support.github.com/contact/feedback

Our roadmap is not publicly visible, so we recommend that you keep an eye on the GitHub Blog for the latest announcements about new features.

2 Likes

My issue is not with the echo.

My point is how to get a secret, based on a variable name.


For example, I want to get a secret like secrets.MASTER, secrets.DEV or secrets.STAGING; that means I will have a variable with the branch name, from which I will try to get the secret.

I updated the original message to explain it better.

@tiagogouvea,
You want to set the value of a variable as the name of a secret and then access the secret via this variable, right?
I’m afraid it is difficult to achieve this request, because when using the expression syntax ( ${{ }} ) to access a property of a context, accessing the property name via a variable in the expression is not supported; we need to explicitly provide the property’s full name directly in the expression.

Then it can’t be done. :frowning_face:

Thank you @brightran for your response.

@tiagogouvea something like this should work:

jobs:    
  first:
    runs-on: [ubuntu-latest]
    
    env:
      SECRET_NAME: my_secret_name
    steps:
      - run: echo $SECRET | rev
        env:
          SECRET: ${{ secrets[env.SECRET_NAME] }}
1 Like

@cschleiden, I tried your suggestion, but got an empty value. It seems it does not work.

@tiagogouvea , have you tried it, and does it work on your side?

Could you post your workflow?

@cschleiden ,

  1. The link below is a workflow I set up for testing, with reference to your suggestion.
    https://github.com/BrightRan/TestOutputs/actions/runs/130674952/workflow

    From the output logs of this workflow run, you can see I got an empty value,

    secrets.MASTER = 

    rather than,

    secrets.MASTER = ***

  2. I also tried using jq to access the secrets from the JSON-type secrets context. But it also does not work.
    It seems that we can’t pass a variable as the key in the jq filter.

- name: access secret
  run: |
    branch=${GITHUB_REF##*/}
    secret_name=${branch^^}

    echo "${{ toJson(secrets) }}" > SECRETS_CONTEXT.json

    secret_value=$(jq -r --arg secret_name $secret_name '.$secret_name' SECRETS_CONTEXT.json)
    echo "secret_value = $secret_value"

Now, I can’t think of any other ways to meet @tiagogouvea’s request.

1 Like

@brightran: env variables are case sensitive, you have a mismatch between SECRET_NAME and secret_name. Changing your first example to this works for me:

When run on master, outputs the value of a secret called MASTER (secrets are case-insensitive):

steps:          
      - name: get secret name
        run: |
          branch=${GITHUB_REF##*/}
          echo "::set-env name=secret_name::${branch^^}"
      - name: pass secret value
        run: echo "::set-env name=secret_value::${{ secrets[env.secret_name] }}"          
      - name: access secret
        run: |
          echo "secrets.$secret_name = ${{ secrets[env.secret_name] }}"
          echo "secrets.$secret_name = $secret_value"            
3 Likes

@cschleiden,

env variables are case sensitive

Aha~, yes, I made a mistake.
After I corrected the case of the env name to be consistent, the workflow works as expected now.
Thanks for your help.

@tiagogouvea,
Please try the workflow below, as per @cschleiden’s suggestion.

jobs:
  job1:
    name: test access secret
    runs-on: ubuntu-latest
    steps:
      - name: get secret name
        run: |
          branch=${GITHUB_REF##*/}
          echo "::set-env name=secret_name::${branch^^}"

      - name: pass secret value
        run: echo "::set-env name=secret_value::${{ secrets[env.secret_name] }}"

      - name: access secret
        run: |
          echo "secrets.$secret_name = ${{ secrets[env.secret_name] }}"
          echo "secrets.$secret_name = $secret_value"
1 Like

In addition, the ref name is also in the github context. So something like this

- run: echo ${{ secrets[github.ref] }}

could also work.

2 Likes

It’s really simple!

Thanks @cschleiden @brightran for your help! You are amazing!

1 Like
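
Added example, not part of any post in this thread: a shell helper for the "get secret name" step that maps the branch ref to a secret name through an allow-list and writes it to the `$GITHUB_ENV` file, which current runners use in place of the `::set-env` command. The function names, the allow-list and the `SECRET_NAME` variable are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: map a Git ref to the name of the secret a job may read.
# ALLOWED_SECRET_NAMES, SECRET_NAME and both function names are assumptions.

# Constructed sample policy: only these secrets may be selected by branch.
ALLOWED_SECRET_NAMES="MASTER DEV STAGING"

# secret_name_for_ref REF
# Prints the secret name for a branch ref; returns 1 when none applies.
secret_name_for_ref() {
  ref=$1
  case $ref in
    refs/heads/*) branch=${ref#refs/heads/} ;;  # keeps slashes in the name
    *) return 1 ;;                               # tags, pull request refs
  esac
  # Secret names may contain only letters, digits and underscores.
  name=$(printf '%s' "$branch" | tr '[:lower:]' '[:upper:]' | tr -c 'A-Z0-9_' '_')
  for allowed in $ALLOWED_SECRET_NAMES; do
    if [ "$name" = "$allowed" ]; then
      printf '%s\n' "$name"
      return 0
    fi
  done
  return 1
}

# export_secret_name REF
# Appends SECRET_NAME=<name> to the file named by $GITHUB_ENV. A later step
# can then map the secret into its own environment, keeping the value out of
# the script text:
#   env:
#     SECRET: ${{ secrets[env.SECRET_NAME] }}
export_secret_name() {
  name=$(secret_name_for_ref "$1") || {
    echo "no secret is configured for ref '$1'" >&2
    return 1
  }
  printf 'SECRET_NAME=%s\n' "$name" >> "$GITHUB_ENV"
}
```

In a workflow, the first step would call `export_secret_name "$GITHUB_REF"`; a ref outside the allow-list fails that step instead of resolving to an empty secret.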