Skip to content

Instantly share code, notes, and snippets.

@mfulgo
Created July 30, 2021 17:53
Show Gist options
  • Save mfulgo/8732bd2b432963a77f53d1e6eca71120 to your computer and use it in GitHub Desktop.
Save mfulgo/8732bd2b432963a77f53d1e6eca71120 to your computer and use it in GitHub Desktop.
Pass Sensitive Outputs between Jobs in GitHub Actions
name: Encrypted Job Output Example
# In order to do this, you need to create a passphrase
# in GitHub Secrets so that it can be accessed from
# both Jobs. This example calls it GPG_PASSPHRASE.
# The GITHUB_TOKEN cannot be used in lieu of this
# because it refreshes for each job.
on:
push:
paths:
- ".github/workflows/encrypted_job_output_example.yml"
jobs:
create_value:
runs-on: ubuntu-latest
outputs:
enc_secret: ${{ steps.create.outputs.enc_secret }}
steps:
- name: Create Encrypted Output
id: create
# Assumes secrets.json a previous step creates secrets.json.
run: |
ENC_SECRET=$(
cat secrets.json \
| gpg \
--batch \
--quiet \
--passphrase ${{ secrets.GPG_PASSPHRASE }} \
--symmetric \
--cipher-algo AES256 \
| base64 -w0
)
echo "::set-output name=enc_secret::$ENC_SECRET"
use_value:
runs-on: ubuntu-latest
needs: create_value
steps:
- name: Decrypt Sensitive Output
run: |
MY_SECRET=$(
echo "${{ needs.create_value.outputs.enc_secret }}" \
| base64 -d \
| gpg \
--batch \
--quiet \
--passphrase ${{ secrets.GPG_PASSPHRASE }} \
--decrypt
)
echo "::add-mask::$MY_SECRET"
echo "MY_SECRET=$MY_SECRET" >> $GITHUB_ENV
- name: Attempt to Show Sensitive Value
run: |
echo "Shh! The secret is $MY_SECRET"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment