Skip to content

Instantly share code, notes, and snippets.

@AlexAtkinson
Last active August 26, 2022 19:01
Show Gist options
  • Save AlexAtkinson/2ecac393e0d4cbd10b53d70fc9e4d91c to your computer and use it in GitHub Desktop.
Save AlexAtkinson/2ecac393e0d4cbd10b53d70fc9e4d91c to your computer and use it in GitHub Desktop.
GH Actions Constructed Secret Name Handling (Useful for handling multiple-envs scenarios)
name: Constructed Secrets
on:
workflow_dispatch:
inputs:
string:
description: "String"
required: true
secret:
description: "Secret"
required: true
type: choice
options:
- FOO
- BAR
jobs:
setup:
name: SETUP
runs-on: ubuntu-latest
outputs: # Needed for extra-runner access
INPUT: ${{ steps.setup.outputs.INPUT }}
FOO_SECRET: ${{ steps.setup.outputs.FOO_SECRET }}
CONSTRUCTED_SECRET: ${{ steps.setup.outputs.CONSTRUCTED_SECRET }}
steps:
- name: Setup Environment Variables
id: setup
run: |
INPUT=${{ github.event.inputs.string }}
echo "::set-output name=INPUT::$(echo $INPUT)"
FOO_SECRET=${{ secrets.FOO_SECRET }}
echo "::set-output name=FOO_SECRET::$(echo $FOO_SECRET)"
CONSTRUCTED_SECRET=${{ secrets[format('{0}_SECRET', github.event.inputs.secret)] }}
echo "::set-output name=CONSTRUCTED_SECRET::$(echo $CONSTRUCTED_SECRET)"
echo:
name: Echo
needs: [setup]
env:
INPUT: ${{ needs.setup.outputs.INPUT }}
FOO_SECRET: ${{ needs.setup.outputs.FOO_SECRET }}
CONSTRUCTED_SECRET: ${{ secrets[format('{0}_SECRET', github.event.inputs.secret)] }}
runs-on: ubuntu-latest
steps:
- name: Echo Input Variable
run: |
echo "Input string directly from input event: ${{ github.event.inputs.string }}"
echo "Input string from setup outputs: ${{ needs.setup.outputs.INPUT }}"
echo "Input string from envar for this runner: ${{ env.INPUT }}"
echo -e "\nSecrets cannot transit the actions backplane (ie: outputs)."
echo "Secret transiting output (no point in this anyhow): ${{ env.FOO_SECRET }}"
echo -e "\nConstructed secret in env block of this runner (preferred, deobfuscated with spaces):"
echo "${{ env.CONSTRUCTED_SECRET }}" | sed 's/./& /g'
echo -e "\nConstructed secret in-place (deobfuscated with spaces):"
echo "${{ secrets[format('{0}_SECRET', github.event.inputs.secret)] }}" | sed 's/./& /g'
@AlexAtkinson
Copy link
Author

AlexAtkinson commented Aug 26, 2022

Requires two repo secrets to be set:

FOO_SECRET : FOOsecret90210
BAR_SECRET : BARsecret90210

Format ref: https://docs.github.com/en/actions/learn-github-actions/expressions#format

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment