
I want to access my secret from a yml file. I am saving secrets like this:

USER_NAME: secrets.AZURE_ID
password: secrets.pass_SECRET

Then I am loading them in a step like this:

  - name: read yml file python
    run: |
      pip install pyyaml
      # Serialise the mapping as JSON so a later step can parse it with fromJSON()
      ENV_VAR=$(python3 -c "import json, yaml; print(json.dumps(yaml.safe_load(open('./config.yml'))))")
      echo "ENV_VAR=$ENV_VAR" >> $GITHUB_ENV

I try to access the value of the secrets but unfortunately it's not working. It says it cannot read the username.

Here is how I access the secrets:

  - name: Login to Azure Registry
    uses: azure/docker-login@v1
    env:
      INTERM_username: ${{ secrets[ fromJSON(env.ENV_VAR).USER_NAME ] }}
      INTERM_password: ${{ secrets[ fromJSON(env.ENV_VAR).password ] }}
    with:
      username: ${{ env.INTERM_username }}
      password: ${{ env.INTERM_password }}

I also tried fromJSON(env.ENV_VAR).USER_NAME:

  - name: Login to Azure Registry
    uses: azure/docker-login@v1
    env:
      INTERM_username: ${{ fromJSON(env.ENV_VAR).USER_NAME }}
      INTERM_password: ${{ fromJSON(env.ENV_VAR).password }}
    with:
      username: ${{ env.INTERM_username }}
      password: ${{ env.INTERM_password }}

But it's not getting the value from the secret. Both INTERM_username and INTERM_password are giving empty strings. I guess they cannot read the secret. Is there any other way? I need to save the name of the secret, as I want to access the secrets based on the branch the workflow was triggered on.

  • Are those steps part of the same job? Did you try printing those right after setting them to the env var? – Azeem Mar 16 '23 at 10:20
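An added example (not code from the question or from any answer) showing the two things the "read yml file" step above needs in order to work with fromJSON(): the value written to GITHUB_ENV must be real JSON on a single line (the repr of a Python dict uses single quotes and is not JSON), and the names stored in config.yml must be the bare secret names, because the expression secrets[ name ] looks a secret up by that bare name. The flat-mapping parser is a stand-in for yaml.safe_load so the script runs without PyYAML; the config contents and secret names are constructed.

```python
import json
import os
from typing import Dict

# Constructed stand-in for config.yml: each setting maps to the *name* of the
# repository secret that holds its value. The names are bare (no "secrets."
# prefix) because secrets[ name ] in a workflow expression indexes by bare name.
CONFIG_YML = """\
# which secret holds each credential (constructed example)
USER_NAME: AZURE_ID
password: pass_SECRET
"""


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Minimal parser for a flat 'key: value' YAML mapping.

    Stand-in for yaml.safe_load so this runs without PyYAML; it handles
    comments and blank lines but not nesting, lists or quoting.
    """
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not a 'key: value' line: {raw!r}")
        mapping[key.strip()] = value.strip()
    return mapping


def github_env_line(var_name: str, mapping: Dict[str, str]) -> str:
    """Render one NAME=VALUE line for $GITHUB_ENV.

    fromJSON() needs real JSON, so the mapping is serialised with json.dumps
    (double quotes, no Python repr) and kept compact on one line; a value
    containing a newline would need GITHUB_ENV's heredoc form instead.
    """
    value = json.dumps(mapping, separators=(",", ":"))
    if "\n" in value or "\n" in var_name or "=" in var_name:
        raise ValueError("single-line NAME=VALUE form only")
    return f"{var_name}={value}"


def python_repr_is_not_json(mapping: Dict[str, str]) -> bool:
    """True when str(mapping) (what print(yaml.load(...)) emits) fails json.loads."""
    try:
        json.loads(str(mapping))
        return False
    except json.JSONDecodeError:
        return True


if __name__ == "__main__":
    cfg = parse_flat_yaml(CONFIG_YML)
    line = github_env_line("ENV_VAR", cfg)
    print(line)
    # Inside a workflow, append the line to the runner's env file.
    env_file = os.environ.get("GITHUB_ENV")
    if env_file:
        with open(env_file, "a", encoding="utf-8") as fh:
            fh.write(line + "\n")
```

Run locally, it prints the exact line that the step would append to GITHUB_ENV; a later step can then use `${{ secrets[ fromJSON(env.ENV_VAR).USER_NAME ] }}`, which resolves to the secret named AZURE_ID.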

1 Answer


You can set larger secrets (or even files) as environment action variables as described here.

GitHub also proposes a way to encrypt files using GPG and a symmetric encryption scheme.

Personally, I've found that you can improve this flow by using RSA with public/private keys, so you do not have to have a password saved in your scripts or be asked for the password over and over again. For example, you can create a local script to encrypt all your local files containing secrets (which are also referenced in .gitignore):

gpg --yes --recipient 8_CHAR_KEY_ID -e secret_file1.yaml

# If you have more files to encrypt
gpg --yes --recipient 8_CHAR_KEY_ID -e secret_file2.yaml
gpg --yes --recipient 8_CHAR_KEY_ID -e secret_file3.yaml
...

This will create new files secret_file1.yaml.gpg, secret_file2.yaml.gpg, ... that are not in your .gitignore and will be committed to GitHub. In a GitHub Action, you may have the following YAML:

name: Validator

...

jobs:
  validator:
    name: Validator
    runs-on: ubuntu-latest
    env:
      YAML_KEY: ${{ secrets.YAML_KEY }}
    steps:
      - uses: actions/checkout@v3
      - run: |
          echo "$YAML_KEY" > key.asc
          gpg --import key.asc
          gpg --yes -o secret_file1.yaml -d secret_file1.yaml.gpg

          # If you have more files to decrypt ...
          gpg --yes -o secret_file2.yaml -d secret_file2.yaml.gpg
          gpg --yes -o secret_file3.yaml -d secret_file3.yaml.gpg
          ...

      - name: Run Validation
        run: |
          # Run your usual validation. The file `secret_file.yaml` will be temporarily available in a decrypted form to the rest of your code.

Export the private key and save it into an Action Environment variable YAML_KEY.

This way, you can easily share the GitHub repository with other people. If they create the secret YAML configuration files from scratch, they only need the public key, which you can also upload to a public server such as https://keys.openpgp.org/.
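The encrypt-locally / decrypt-in-CI flow from this answer, as an added example that is not the answerer's code: it builds a throwaway keyring, encrypts a constructed secret_file1.yaml to the key (the local `gpg --yes --recipient ... -e` step), exports the ASCII-armoured private key (the value the answer stores in YAML_KEY), then imports that export into a second, empty keyring and decrypts, exactly as the workflow step does. It assumes a GnuPG 2.1+ `gpg` binary on PATH; the key, its user ID and the file contents are constructed.

```python
import os
import shutil
import subprocess
import tempfile

# Constructed stand-in for secret_file1.yaml; not a real credential.
SECRET_YAML = "USER_NAME: deploy-bot\npassword: constructed-example-value\n"
# Constructed user ID for the throwaway key.
KEY_UID = "ci-bot (constructed example) <ci-bot@example.invalid>"


def gpg(home, *args, stdin=b""):
    """Run gpg non-interactively against the isolated keyring in `home`.

    --batch/--yes mirror the answer's flags; loopback pinentry with an empty
    passphrase keeps the throwaway key usable without any prompt.
    """
    if shutil.which("gpg") is None:
        raise RuntimeError("gpg binary not found on PATH")
    cmd = ["gpg", "--batch", "--yes", "--quiet", "--homedir", home,
           "--pinentry-mode", "loopback", "--passphrase", "", *args]
    return subprocess.run(cmd, input=stdin, check=True, capture_output=True).stdout


def stop_agent(home):
    """Best-effort shutdown of the gpg-agent that gpg starts for a homedir."""
    subprocess.run(["gpgconf", "--homedir", home, "--kill", "gpg-agent"],
                   check=False, capture_output=True)


def make_key(home, uid):
    """Generate a passphrase-less key pair; return its primary fingerprint."""
    gpg(home, "--quick-generate-key", uid, "default", "default", "never")
    listing = gpg(home, "--list-keys", "--with-colons", uid).decode()
    for line in listing.splitlines():
        if line.startswith("fpr:"):          # fingerprint is field 10 of fpr records
            return line.split(":")[9]
    raise RuntimeError("fingerprint not found in key listing")


def encrypt_file(home, recipient, path):
    """Local side: gpg --yes --recipient KEY -e FILE, producing FILE.gpg."""
    gpg(home, "--trust-model", "always", "--recipient", recipient, "-e", path)
    return path + ".gpg"


def export_private_key(home, fpr):
    """ASCII-armoured private key: the bytes the answer stores in YAML_KEY."""
    return gpg(home, "--armor", "--export-secret-keys", fpr)


def decrypt_in_ci(key_asc, gpg_path, out_path):
    """CI side: import key.asc into an empty keyring, then decrypt the .gpg file."""
    with tempfile.TemporaryDirectory() as ci_home:
        try:
            gpg(ci_home, "--import", stdin=key_asc)
            gpg(ci_home, "-o", out_path, "-d", gpg_path)
        finally:
            stop_agent(ci_home)
    with open(out_path, encoding="utf-8") as fh:
        return fh.read()


def roundtrip():
    """Encrypt locally, decrypt using only the exported key; return (match, armoured)."""
    with tempfile.TemporaryDirectory() as work:
        dev_home = os.path.join(work, "dev-gnupg")
        os.mkdir(dev_home, 0o700)
        try:
            fpr = make_key(dev_home, KEY_UID)
            plain = os.path.join(work, "secret_file1.yaml")
            with open(plain, "w", encoding="utf-8") as fh:
                fh.write(SECRET_YAML)
            encrypted = encrypt_file(dev_home, fpr, plain)
            os.remove(plain)  # only the .gpg file is meant to be committed
            key_asc = export_private_key(dev_home, fpr)
        finally:
            stop_agent(dev_home)
        recovered = decrypt_in_ci(key_asc, encrypted, os.path.join(work, "out.yaml"))
    armoured = key_asc.startswith(b"-----BEGIN PGP PRIVATE KEY BLOCK-----")
    return recovered == SECRET_YAML, armoured


if __name__ == "__main__":
    print(roundtrip())
```

The second keyring starts empty, so a successful decrypt proves that the exported key block alone (the YAML_KEY secret) is enough for the runner; the plaintext file is deleted before export to mirror the .gitignore rule that keeps only the .gpg files in the repository.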

Christophe Vidal