Workflow_dispatch - Is it possible to pass a secret as parameter?

Hi and thanks for the new feature, it was really important to have it as part of GitHub Actions.
I would like to know if it is possible to pass a secret as a parameter (inputs).

Thanks.

Hi, I’m not sure if I can help or not but do you mean passing the name of a secret, or passing the value and treating it as a secret and masking it?

For the former, maybe there’s a way you can build an expression to fetch the secret based on the input. I don’t know the exact syntax at the moment. Maybe like:

inputs:
  myVarSecretName:
    description: 'name of the secret'
    required: true
[...]
    env:
      MY_ENV_VAR: ${{ secrets.$INPUT_MYVARSECRETNAME }}

Again, I don’t know if this exact syntax will work, I am new to workflow coding.

Edit: This syntax doesn’t work. Trying other versions

For the latter, there’s this https://docs.github.com/en/actions/reference/workflow-commands-for-github-actions#masking-a-value-in-log

Alright I think I got you. Assuming you meant the first interpretation from my other post.

I can’t fully test since I can’t seem to run any manual workflows, but I tested this using an env variable.

Do this on each step that you need the secret, as apparently you can’t access the “env” context from the workflow-wide “env” block at the top of the file.

        env:
          MY_ENV_VAR: ${{secrets[env.INPUT_MYSECRETNAME]}} # use auto-generated env var for input

or possibly:

        env:
          MY_ENV_VAR: ${{secrets[inputs.mySecretName]}} # use the ID for the input to access its value

Hi @gderaco,

It’s possible to pass a secret(for example: PAT) as input to the manual workflow.
Please check my workflow for your reference. I passed a PAT and use it to push the change to the repository, it’s successful.

Note: check the log, the secret value is not protected, could cause data leaking.

Thanks.

1 Like

Thanks.
This is what worked for me

INJECTED_ENV_VAR: ${{secrets[github.event.inputs.injectedEnvVar]}}

3 Likes