AlexAtkinson/constructed-secrets.yml

## constructed-secrets.yml
name: Constructed Secrets

on:
  workflow_dispatch:
    inputs:
      string:
        description: "String"
        required: true
      secret:
        description: "Secret"
        required: true
        type: choice
        options:
          - FOO
          - BAR

jobs:
  setup:
    name: SETUP
    runs-on: ubuntu-latest
    outputs: # Needed for extra-runner access
      INPUT: ${{ steps.setup.outputs.INPUT }}
      FOO_SECRET: ${{ steps.setup.outputs.FOO_SECRET }}
      CONSTRUCTED_SECRET: ${{ steps.setup.outputs.CONSTRUCTED_SECRET }}
    steps:
      - name: Setup Environment Variables
        id: setup
        run: |
          INPUT=${{ github.event.inputs.string }}
          echo "::set-output name=INPUT::$(echo $INPUT)"
          FOO_SECRET=${{ secrets.FOO_SECRET }}
          echo "::set-output name=FOO_SECRET::$(echo $FOO_SECRET)"
          CONSTRUCTED_SECRET=${{ secrets[format('{0}_SECRET', github.event.inputs.secret)] }}
          echo "::set-output name=CONSTRUCTED_SECRET::$(echo $CONSTRUCTED_SECRET)"
  echo:
    name: Echo
    needs: [setup]
    env:
      INPUT: ${{ needs.setup.outputs.INPUT }}
      FOO_SECRET: ${{ needs.setup.outputs.FOO_SECRET }}
      CONSTRUCTED_SECRET: ${{ secrets[format('{0}_SECRET', github.event.inputs.secret)] }}
    runs-on: ubuntu-latest
    steps:
      - name: Echo Input Variable
        run: |
          echo "Input string directly from input event: ${{ github.event.inputs.string }}"
          echo "Input string from setup outputs: ${{ needs.setup.outputs.INPUT }}"
          echo "Input string from envar for this runner: ${{ env.INPUT }}"
          echo -e "\nSecrets cannot transit the actions backplane (ie: outputs)."
          echo "Secret transiting output (no point in this anyhow): ${{ env.FOO_SECRET }}"
          echo -e "\nConstructed secret in env block of this runner (preferred, deobfuscated with spaces):"
          echo "${{ env.CONSTRUCTED_SECRET }}" | sed 's/./& /g'
          echo -e "\nConstructed secret in-place (deobfuscated with spaces):"
          echo "${{ secrets[format('{0}_SECRET', github.event.inputs.secret)] }}" | sed 's/./& /g'
	name: Constructed Secrets

	on:
	workflow_dispatch:
	inputs:
	string:
	description: "String"
	required: true
	secret:
	description: "Secret"
	required: true
	type: choice
	options:
	- FOO
	- BAR

	jobs:
	setup:
	name: SETUP
	runs-on: ubuntu-latest
	outputs: # Needed for extra-runner access
	INPUT: ${{ steps.setup.outputs.INPUT }}
	FOO_SECRET: ${{ steps.setup.outputs.FOO_SECRET }}
	CONSTRUCTED_SECRET: ${{ steps.setup.outputs.CONSTRUCTED_SECRET }}
	steps:
	- name: Setup Environment Variables
	id: setup
	run: \|
	INPUT=${{ github.event.inputs.string }}
	echo "::set-output name=INPUT::$(echo $INPUT)"
	FOO_SECRET=${{ secrets.FOO_SECRET }}
	echo "::set-output name=FOO_SECRET::$(echo $FOO_SECRET)"
	CONSTRUCTED_SECRET=${{ secrets[format('{0}_SECRET', github.event.inputs.secret)] }}
	echo "::set-output name=CONSTRUCTED_SECRET::$(echo $CONSTRUCTED_SECRET)"
	echo:
	name: Echo
	needs: [setup]
	env:
	INPUT: ${{ needs.setup.outputs.INPUT }}
	FOO_SECRET: ${{ needs.setup.outputs.FOO_SECRET }}
	CONSTRUCTED_SECRET: ${{ secrets[format('{0}_SECRET', github.event.inputs.secret)] }}
	runs-on: ubuntu-latest
	steps:
	- name: Echo Input Variable
	run: \|
	echo "Input string directly from input event: ${{ github.event.inputs.string }}"
	echo "Input string from setup outputs: ${{ needs.setup.outputs.INPUT }}"
	echo "Input string from envar for this runner: ${{ env.INPUT }}"
	echo -e "\nSecrets cannot transit the actions backplane (ie: outputs)."
	echo "Secret transiting output (no point in this anyhow): ${{ env.FOO_SECRET }}"
	echo -e "\nConstructed secret in env block of this runner (preferred, deobfuscated with spaces):"
	echo "${{ env.CONSTRUCTED_SECRET }}" \| sed 's/./& /g'
	echo -e "\nConstructed secret in-place (deobfuscated with spaces):"
	echo "${{ secrets[format('{0}_SECRET', github.event.inputs.secret)] }}" \| sed 's/./& /g'