Write Secrets to File #24928

destinybonavita · 2020-05-02T19:02:57Z

destinybonavita
May 2, 2020

I’m trying to write an enviromental variable file that was stored in a secret in my repository, however, I can’t confirm it’s being written correctly. I know there’s an error when loading it but I can’t tell if it’s not formatted correctly, or what it is.

Here is how I’m trying to write the file:

- run: printf $DEV_ENV_FILE >> src/.env
   - run: printf $DEV_ENV_FILE
   - run: cat src/.env

Answered by destinybonavita

May 5, 2020

Turns out my problem was that I wasn’t wrapping the env variable in quotes when running printf. That fixed it

View full answer

Yanjingzhu · 2020-05-04T06:25:23Z

Yanjingzhu
May 4, 2020

Hi @destinybonavita ,

You could upload the env file as an artifact , then you could see the secret variable value after downloading the artifact.

Also, you need to use ${{secrets.variablename }} syntax to get secret variable value, please see my example:

name: get secrets on: push: jobs: build: runs-on: ubuntu-latest steps: - name: print secrets run: | echo $DEV_ENV_FILE >> src/.env cat src/.env shell: bash env: DEV_ENV_FILE : ${{secrets.SECRET1}} - name: Upload a Build Artifact uses: actions/upload-artifact@v2 with: name: DEV_ENV_FILE path: src/.env

0 replies

destinybonavita · 2020-05-05T03:51:29Z

destinybonavita
May 5, 2020
Author

Hi @yanjingzhu! Sorry for the late response. When I run echo it removes all the linebreaks in the secret I stored. However, when I run printf in replacement of echo it’s only printing the first line to the file.

0 replies

destinybonavita · 2020-05-05T04:03:56Z

destinybonavita
May 5, 2020
Author

Turns out my problem was that I wasn’t wrapping the env variable in quotes when running printf. That fixed it

0 replies

streamnsight · 2020-12-14T18:40:35Z

streamnsight
Dec 14, 2020

@destinybonavita
Do you mind posting a full example on how you get the secret, because I tried this and it still prints “***” within the file.

0 replies

otter-computer · 2020-12-15T14:24:11Z

otter-computer
Dec 15, 2020

Hi @streamnsight , welcome to the GitHub Support Community! Secrets are automatically masked in the log output to prevent the secrets leaking—that’s why you’re seeing *** in place of where your actual secret would output. If you’re outputting the file contents and are seeing this it’s likely that your secret is set correctly inside the file but is just not visible in the logs, otherwise it wouldn’t be masked!

0 replies

streamnsight · 2020-12-15T22:58:43Z

streamnsight
Dec 15, 2020

That makes it very difficult to debug issues…
whether my secret is saved properly to file or not, i can’t tell.
I tried base64 encoding the output of the file and it seems like it’s there, but when I go about using the creds file with the tool that needs them, I get parsing errors, so not sure how I can debug this.

0 replies

damian-t · 2021-03-12T13:01:10Z

damian-t
Mar 12, 2021

Had the same issue just now. I debugged it by writing and committing a small script that would read the .env file and raise an error if the secret was not correctly saved. Turned out it’s correct in the file and only masked in the github output

0 replies

natereprogle · 2023-02-20T04:03:43Z

natereprogle
Feb 20, 2023

Sorry to revive a dead thread, but I figure if anyone else is looking for this solution (Which, by the way, worked for me, so thanks!), they may want to know this info.

The question above specifically asked about how to verify a file was being written properly. However, if you're using this solution as a way to write files on the fly via secrets, it's good to know that you should not use the upload-artifact action as listed. That was just a way for the OP to be able to download the formatted file for review. If you use that action, it will upload your secrets file to your build artifacts, which are public and anyone can download as long as they are signed into GitHub and have read access to your repo (Which, by default, they do).

Therefore, if you are just needing to write a file, exclude the build-artifact action from your process. Also, something to note, replace the >> with actual >> signs. GitHub Actions runners (At least on ubuntu runners) will error stating that ";&g" is unexpected. Below is a template for retrieving secrets and putting them in a file. I'm using a similar setup to create a test environment file on the fly for my website written in Angular 🥳

name: Your action

# Customize when you want the action to run here. In this case, I have it set to only run on pushes to dev, pull requests to master, and also allow it to be manually ran
on:
  push:
    branches: ["dev"]
  pull_request:
    branches: [ "master" ]
  workflow_dispatch:
    
jobs:
  job-name-here:
    runs-on: ubuntu-22.04
    steps:
        # Checkout the branch
      - name: Checkout
        uses: actions/checkout@v3
        
        # Create the test environment file from Actions Secrets
        # You don't have to cat out your secrets file, but if you do it will just show as *** in the logs. It basically just confirms it actually exists.
      - name: Echo secrets
        run: |
          echo $TEST_ENV_FILE >> src/your_directory_here/your_file_name.here
          cat src/your_directory_here/your_file_name.here
        shell: bash
        env:
          # Feel free to rename this variable, but make sure to update it everywhere. You should paste your entire file in your secrets
          TEST_ENV_FILE : ${{secrets.YOUR_SECRET_NAME}}
          
        # Do whatever you want from here, your secrets file is now available and isn't visible to anyone viewing the actions logs, including you

11 replies

natereprogle Apr 10, 2023

@natereprogle i tried, not to discredit your work at all, but I cannot reproduce for my case, as of today github action.

Definitely sucks. Hopefully you can get it working. From my experience it works fine, I just copy and paste my entire file into a GitHub Action secret. Base64 works as well though and is probably smarter in the long run. May take your idea haha.

My use case is Angular, so the Angular compiler handles this file for me. https://github.com/natereprogle/reprogle.org/blob/334d8d021afef6e05d35e647688715fd4dccd3d4/angular.json#L96. Maybe something specific with my setup

denys-pidlisnyi · 2023-06-01T10:10:22Z

denys-pidlisnyi
Jun 1, 2023

      - name: Configure .env file
        run: |
          python -c "import os; file = open('.env', 'w'); file.write(os.environ['YOUR_SECRET']); file.close()"
        shell: bash
        env:
          YOUR_SECRET : ${{secrets.YOUR_SECRET}}

1 reply

zommerfelds Dec 5, 2023

Thank you for the suggestion, it helped me uset a secret with quotes inside. This setup also works and might be simpler:

     -  name: Write secret to file
        run: |
          cat << EOF > ./bla.json
          ${{ secrets.YOUR_SECRET }}
          EOF

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

GitHub Community

Write Secrets to File #24928

{{title}}

Replies: 9 comments 12 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

Select a reply

Write Secrets to File #24928

Replies: 9 comments · 12 replies

destinybonavita May 5, 2020 Author

destinybonavita May 5, 2020 Author

Replies: 9 comments 12 replies

destinybonavita
May 5, 2020
Author

destinybonavita
May 5, 2020
Author