Hi, I’m not sure if I can help or not but do you mean passing the name of a secret, or passing the value and treating it as a secret and masking it?

For the former, maybe there’s a way you can build an expression to fetch the secret based on the input. I don’t know the exact syntax at the moment. Maybe like:

inputs:
  myVarSecretName:
    description: 'name of the secret'
    required: true
[...]
    env:
      MY_ENV_VAR: ${{ secrets.$INPUT_MYVARSECRETNAME }}

Again, I don’t know if this exact syntax will work, I am new to workflow coding.

Edit: This syntax doesn’t work. Trying other versions

For the latter, there’s this https://docs.github.com/en/actions/reference/workflow-commands-for-github-actions#masking-a-value-in-log

Alright I think I got you. Assuming you meant the first interpretation from my other post.

I can’t fully test since I can’t seem to run any manual workflows, but I tested this using an env variable.

Do this on each step that you need the secret, as apparently you can’t access the “env” context from the workflow-wide “env” block at the top of the file.

        env:
          MY_ENV_VAR: ${{secrets[env.INPUT_MYSECRETNAME]}} # use auto-generated env var for input

or possibly:

        env:
          MY_ENV_VAR: ${{secrets[inputs.mySecretName]}} # use the ID for the input to access its value

Hi @gderaco,

It’s possible to pass a secret(for example: PAT) as input to the manual workflow.
Please check my workflow for your reference. I passed a PAT and use it to push the change to the repository, it’s successful.

weide-zhou/ticket14

Contribute to weide-zhou/ticket14 development by creating an account on GitHub.

Note: check the log, the secret value is not protected, could cause data leaking.

Thanks.

With secrets, it's better if you either explicitly pass them or inherit all of them.
Ref:

1. Explicitly pass secrets
2. Inherit all of the calling workflow's secrets