I created a github workflow that runs a python script with a cron schedule. On every run of the workflow an access_token is generated, that is required during the next run.
To save the token the python script writes the token to the GITHUB_ENV file. In the next step I use the hmanzur/[email protected] action to save the token to a github secret. All works fine.
My only problem is that the token gets displayed in the logs of the second step as an environment variable.
Here is a minimal version of the workflow file:
name: Tests
on:
  schedule:
    - cron: "0 1 * * *"
jobs:
  test:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python: ['3.9']
    steps:
      - uses: actions/checkout@v1
      - uses: actions/setup-python@v1
        with:
          python-version: ${{ matrix.python }}
      - name: Install dependencies
        run: pip install -r requirements.txt
      - name: Run tests
        working-directory: ./src
        run: python -m unittest
        env:
          ACCESS_TOKEN: ${{secrets.ACCESS_TOKEN}}
      - uses: hmanzur/[email protected]
        with:
          name: 'ACCESS_TOKEN'
          value: ${{env.ACCESS_TOKEN}}
          repository: Me/MyRepository
          token: ${{ secrets.REPO_ACCESS_TOKEN }}
I tried applying ::add-mask::. Adding echo "ACCESS_TOKEN=::add-mask::$ACCESS_TOKEN" >> $GITHUB_ENV only added ::add-mask:: to the string.
Is there a way of masking all environment variables in the GITHUB_ENV file I can apply in the first step? Can I apply the masking to the variable while writing to the GITHUB_ENV file in python? Or is there a way to disable the display of the environment variables during the workflow?
CodePudding user response:
My solution, if someone is having the same problem.
There seems to be no direct solution. As a workaround I use the cryptocode library to encode and decode the access token in the python script. Only the encrypted token is sent to the workflow environment and saved in the repo's secret.
Example workflow: https://github.com/Der-Henning/test-workflows/blob/main/.github/workflows/encrypt-secret.yml
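An added example, not code from the question, the answer or the linked repository, showing why the `::add-mask::` attempt in the question stored the literal text: the mask is a workflow command the runner reads from a step's stdout, while GITHUB_ENV is only a file of assignments. The script simulates both with a temporary file and an in-memory stdout; the token value is constructed.

```python
import io
import os
import sys
import tempfile

def mask_in_logs(value: str, out=sys.stdout) -> str:
    """Ask the runner to redact `value` from the rest of the job log.

    `::add-mask::` is a workflow command: the runner only honours it as a line
    of its own on a step's stdout. Embedding it inside a GITHUB_ENV assignment,
    as tried in the question, merely stores the literal text.
    """
    if "\n" in value:
        raise ValueError("mask each line of a multi-line value separately")
    line = f"::add-mask::{value}"
    out.write(line + "\n")
    return line

def export_env(name: str, value: str, env_file: str) -> None:
    """Append NAME=value to the GITHUB_ENV file for later steps (single-line values)."""
    with open(env_file, "a", encoding="utf-8") as fh:
        fh.write(f"{name}={value}\n")

def read_env_file(env_file: str) -> dict:
    """Parse NAME=value lines back, to inspect what a later step would receive."""
    with open(env_file, encoding="utf-8") as fh:
        pairs = (ln.rstrip("\n").split("=", 1) for ln in fh if "=" in ln)
        return {k: v for k, v in pairs}

def demo(token: str = "constructed-token-123") -> dict:
    """Contrast the question's attempt with the working order of operations."""
    log = io.StringIO()  # stand-in for the step's stdout that the runner reads
    with tempfile.TemporaryDirectory() as d:  # stand-in for $GITHUB_ENV
        broken, fixed = os.path.join(d, "broken_env"), os.path.join(d, "fixed_env")
        export_env("ACCESS_TOKEN", f"::add-mask::{token}", broken)  # the attempt in the question
        mask_line = mask_in_logs(token, out=log)  # 1. register the mask on stdout
        export_env("ACCESS_TOKEN", token, fixed)  # 2. then export the real value
        return {
            "broken_stored": read_env_file(broken)["ACCESS_TOKEN"],
            "fixed_stored": read_env_file(fixed)["ACCESS_TOKEN"],
            "mask_line": mask_line,
            "stdout": log.getvalue(),
        }

if __name__ == "__main__":
    print(demo())
```

In a real step the mask must be printed before any command logs the value, since the runner only redacts output produced after it sees the command.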
