Output in reusable workflow is incorrectly recognized as secret (GitHub Actions)


I am using secrets in my reusable workflow and also have outputs. My output is a path that contains parts of AWS secrets, so I get the error "Skip output 'file-url' since it may contain secret."

          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ secrets.AWS_REGION  }}
          aws-bucket: ${{ secrets.S3_BUCKET }}
          bucket-root: ${{ secrets.S3_KEY }}
          file-path: ${{ steps.apk-file-path.outputs.file-path }} 
          output-file-url: 'true'
          output-qr-url: 'true'

I tried changing it so that instead of secrets those would be inputs, with the secrets in the caller workflow, but then I get the error "Unrecognized named-value: 'secrets'".

          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ inputs.aws_region  }}
          aws-bucket: ${{ inputs.s3_bucket }}
          bucket-root: ${{ inputs.s3_key }}

Caller workflow:

    uses: ./.github/workflows/reusable-test.yml
    secrets: inherit
    with:
      aws_region: ${{ secrets.AWS_REGION }}
      s3_bucket: ${{ secrets.S3_BUCKET }}
      s3_key: ${{ secrets.S3_KEY }}

Is there any way to get around it? I need some help.


A more general workaround for this issue is to encrypt the output using a secret as the password, and then decrypt it in the job where it is needed.

Here are examples of how gpg can be used:

Encrypting:

encrypted_value=$(gpg --symmetric --batch --pinentry-mode loopback --passphrase "${{ secrets.GPG_SECRET }}" --output - <(echo "my-secret-string") | base64 -w0)   # --pinentry-mode loopback is required for --passphrase to be honoured on GnuPG 2.1+

Decrypting:

decrypted_value=$(gpg --decrypt --quiet --batch --pinentry-mode loopback --passphrase "${{ secrets.GPG_SECRET }}" --output - <(echo "$encrypted_value" | base64 --decode))

This is based on https://nitratine.net/blog/post/how-to-pass-secrets-between-runners-in-github-actions/
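As an added example (not part of this answer or the linked post), here is the wrap-and-unwrap pattern wired into the two workflow files from the question: the reusable workflow encrypts the URL before exposing it as a workflow output, and a job in the caller decrypts it. The gpg ciphertext is salted, so the base64 string never matches a secret value and is not skipped. Everything not shown in the question is an assumption: the secret name GPG_SECRET, the secret AWS_ACCESS_KEY_ID, the input file-path, the job and step names, and the URL format. Input values are passed through env rather than interpolated into run scripts, and the decrypted value is masked before it can reach the log.

```yaml
# .github/workflows/reusable-test.yml  (hypothetical reusable workflow)
name: reusable-test
on:
  workflow_call:
    inputs:
      file-path:                # assumed input: the artifact to upload
        required: true
        type: string
    secrets:
      AWS_ACCESS_KEY_ID:        # assumed name
        required: true
      AWS_SECRET_ACCESS_KEY:
        required: true
      AWS_REGION:
        required: true
      S3_BUCKET:
        required: true
      S3_KEY:
        required: true
      GPG_SECRET:               # assumed: passphrase used only to wrap the output
        required: true
    outputs:
      encrypted-file-url:
        description: "gpg-encrypted, base64-encoded S3 URL of the uploaded file"
        value: ${{ jobs.upload.outputs.encrypted-file-url }}

jobs:
  upload:
    runs-on: ubuntu-latest
    outputs:
      encrypted-file-url: ${{ steps.upload.outputs.encrypted-file-url }}
    steps:
      - uses: actions/checkout@v4
      - name: Upload the file and emit its URL in encrypted form
        id: upload
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_DEFAULT_REGION: ${{ secrets.AWS_REGION }}
          BUCKET: ${{ secrets.S3_BUCKET }}
          KEY_PREFIX: ${{ secrets.S3_KEY }}
          GPG_SECRET: ${{ secrets.GPG_SECRET }}
          FILE_PATH: ${{ inputs.file-path }}    # via env, never inlined into the script
        run: |
          set -euo pipefail
          name=$(basename "$FILE_PATH")
          aws s3 cp "$FILE_PATH" "s3://$BUCKET/$KEY_PREFIX/$name"
          # The plaintext URL embeds bucket, region and key, all of which are secrets,
          # so it is kept in a shell variable and only ever leaves this step encrypted.
          url="https://$BUCKET.s3.$AWS_DEFAULT_REGION.amazonaws.com/$KEY_PREFIX/$name"
          encrypted=$(printf '%s' "$url" \
            | gpg --symmetric --batch --pinentry-mode loopback \
                  --passphrase "$GPG_SECRET" --output - \
            | base64 -w0)
          echo "encrypted-file-url=$encrypted" >> "$GITHUB_OUTPUT"

---
# .github/workflows/caller.yml  (hypothetical caller workflow)
name: build-and-publish
on: [push]

jobs:
  test:
    uses: ./.github/workflows/reusable-test.yml
    secrets: inherit            # makes GPG_SECRET and the AWS secrets available above
    with:
      file-path: build/app.apk  # constructed sample value

  notify:
    needs: test
    runs-on: ubuntu-latest
    steps:
      - name: Decrypt the URL produced by the reusable workflow
        env:
          GPG_SECRET: ${{ secrets.GPG_SECRET }}
          ENCRYPTED: ${{ needs.test.outputs.encrypted-file-url }}
        run: |
          set -euo pipefail
          url=$(printf '%s' "$ENCRYPTED" | base64 --decode \
            | gpg --decrypt --quiet --batch --pinentry-mode loopback \
                  --passphrase "$GPG_SECRET" --output -)
          # The plaintext is secret-derived: register it as a mask before anything can log it.
          echo "::add-mask::$url"
          echo "FILE_URL=$url" >> "$GITHUB_ENV"
      - name: Use the URL in a later step
        run: |
          test -n "$FILE_URL"
          echo "file URL received (value is masked in this log)"
```

The passphrase secret has to reach both sides: the reusable workflow declares it under `workflow_call.secrets`, and the caller supplies it with `secrets: inherit` (or an explicit `secrets:` mapping). Passing `file-path` through `env` rather than `${{ }}` inside `run:` avoids script injection from the input value, and `::add-mask::` ensures the decrypted URL is redacted in the log of every later step in that job.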


Can be caused by GitHub inspecting URLs and noticing the same value as within secrets. You might need to use mask-aws-account-id: no.