I am using secrets in my reusable workflow and also have outputs. My output is a path that has parts of AWS secrets in it, so I get the error Skip output 'file-url' since it may contain secret.

    aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    aws-region: ${{ secrets.AWS_REGION }}
    aws-bucket: ${{ secrets.S3_BUCKET }}
    bucket-root: ${{ secrets.S3_KEY }}
    file-path: ${{ steps.apk-file-path.outputs.file-path }}
    output-file-url: 'true'
    output-qr-url: 'true'
I tried to change it so that, instead of secrets, those would be inputs, with the secrets in the caller workflow, but then I get the error Unrecognized named-value: 'secrets'.

    aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
    aws-region: ${{ inputs.aws_region }}
    aws-bucket: ${{ inputs.s3_bucket }}
    bucket-root: ${{ inputs.s3_key }}
Caller workflow:

    uses: ./.github/workflows/reusable-test.yml
    secrets: inherit
    with:
      aws_region: ${{ secrets.AWS_REGION }}
      s3_bucket: ${{ secrets.S3_BUCKET }}
      s3_key: ${{ secrets.S3_KEY }}

Is there any way to get around it? I need some help.
A more general workaround for this issue is to encrypt the output using a secret as the password and then decrypt it in the job where it is needed.

Here are examples of how gpg can be used:

Encrypting:

Decrypting:
This is based on https://nitratine.net/blog/post/how-to-pass-secrets-between-runners-in-github-actions/
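The round trip described in the answer above, written out as an added example that is not part of the original post or the linked article. It assumes the passphrase secret is exposed to the job as an environment variable named OUTPUT_PASSPHRASE (a name chosen here; in a workflow it would be set from a repository secret), and the sample URL is a constructed value standing in for an output that would otherwise be masked.

```shell
#!/bin/sh
# Added example (not from the original post): encrypt a job output with a
# passphrase held in a repository secret, so the masked value can cross the
# job boundary as ciphertext, then decrypt it in the consuming job.
# Assumption: the passphrase is available as $OUTPUT_PASSPHRASE (hypothetical
# name; a workflow would set it from a secret in the step's env: block).
set -eu

# Use a throwaway GnuPG home so the example never touches a real keyring.
GNUPGHOME="$(mktemp -d)"; export GNUPGHOME
chmod 700 "$GNUPGHOME"

# encrypt_output VALUE PASSPHRASE -> single-line base64 of AES-256 ciphertext.
# The passphrase is handed to gpg through a temp file rather than argv, so it
# does not appear in `ps` output on a shared runner.
encrypt_output() {
    value="$1"; pass="$2"
    pf="$(mktemp)"; printf '%s' "$pass" > "$pf"
    printf '%s' "$value" | gpg --batch --quiet --yes --symmetric --cipher-algo AES256 \
        --pinentry-mode loopback --passphrase-file "$pf" --output - | base64 | tr -d '\n'
    rm -f "$pf"
}

# decrypt_output BLOB PASSPHRASE -> the original plaintext on stdout.
decrypt_output() {
    blob="$1"; pass="$2"
    pf="$(mktemp)"; printf '%s' "$pass" > "$pf"
    printf '%s' "$blob" | base64 -d | gpg --batch --quiet --decrypt \
        --pinentry-mode loopback --passphrase-file "$pf"
    rm -f "$pf"
}

# Constructed sample: a file URL whose bucket name is stored as a secret, which
# is exactly the kind of output Actions refuses to pass between jobs.
SAMPLE_URL='https://example-bucket.s3.eu-west-1.amazonaws.com/builds/app.apk'
PASS="${OUTPUT_PASSPHRASE:-constructed-example-passphrase}"

# Producing job: the base64 blob is safe to publish as a job output, e.g.
#   echo "file-url=$ENCRYPTED" >> "$GITHUB_OUTPUT"
ENCRYPTED="$(encrypt_output "$SAMPLE_URL" "$PASS")"

# Consuming job: read needs.<job>.outputs.file-url and decrypt with the same secret.
DECRYPTED="$(decrypt_output "$ENCRYPTED" "$PASS")"
echo "round trip: $DECRYPTED"
```

Because the ciphertext is base64 and single-line, it survives the job-output mechanism unchanged, and since it is not equal to any registered secret the output filter lets it through. The decrypted value should still only be echoed in the consuming job where it is actually used, since the masking that protected it is exactly what was bypassed.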