
Request: option to persist secrets until workflow ends, rather than when job ends #53

Open
FFdhorkin opened this issue Sep 27, 2023 · 0 comments

Comments


FFdhorkin commented Sep 27, 2023

I would like there to be an option to defer secrets from expiring at the end of a job, and expire them at the end of a workflow instead, so that I can retrieve secrets in one job, then pass them to another job inside the same workflow file, without having to pull secrets a second time.

Obviously for security reasons the default for this should be turned off, but...

I wanted to pass an AWS secret into a reusable workflow. This workflow has two jobs, each of which needs to check out a private repo, so I need the token in order to be able to check it out.

So, I had something like this for my parent workflow:

```yaml
jobs:
  prep:
    name: This is my job name
    runs-on: self-hosted-runner-name
    outputs:
      github_secret_token: ${{ steps.set_token_output.outputs.github_secret_token }}
    steps:
      - name: Read secrets from AWS Secrets Manager into environment variables
        uses: abhilash1in/[email protected]
        with:
          secrets: |
            github_secret
          parse-json: true
          disable-warnings: true

      # various other steps here, several of which use GITHUB_SECRET_TOKEN without issue

      - name: Set token output
        id: set_token_output
        run: |
          echo github_secret_token=${{ env.GITHUB_SECRET_TOKEN }} >> $GITHUB_OUTPUT

  another_job:
    name: This is another job
    needs: prep
    # this reusable workflow has 2 jobs, each of which needs access to that secret
    uses: my_private_org/my_private_repo/.github/workflows/my_reusable_workflow.yml@v1
    with:
      github_runner: self-hosted-runner-name
      # checkout_token is blank (undefined?) in this action
      checkout_token: ${{ needs.prep.outputs.github_secret_token }}
```

Turns out that when it gets to my_reusable_workflow.yml's inputs, checkout_token is suddenly blank. (Same behavior happens with github.token, which wouldn't work for this use case anyway, so I presume this is the result of a post-job-step.)

To get around this, I had to add the aws-secrets-manager-action step to both of the jobs in that reusable workflow - 14 additional lines to that reusable workflow that I'd like to avoid, since I've already pulled the secrets and thus it's effectively noise (21 lines total, across two files, devoted to retrieving secrets... all to make one workflow work).
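A reviewer-side check for the pattern described in this issue, added here as an example and not code from the issue author or from the aws-secrets-manager-action project: a small Python scanner that flags (a) `run` steps that echo a secret-looking environment variable into `$GITHUB_OUTPUT` and (b) job outputs with credential-like names forwarded as plain `with:` inputs to another job or reusable workflow. Job outputs are ordinary strings carried between jobs rather than values handled through the `secrets` context, so a workflow that moves a token this way is worth a second look in review. The sample workflow text, the `SECRET_WORDS` list and the two regular expressions are constructed assumptions; the rules operate on the raw YAML text so no third-party parser is needed.

```python
import re

# Constructed sample input: a trimmed copy of the workflow pattern from the issue,
# plus one harmless output so the scanner has something it should NOT flag.
SAMPLE_WORKFLOW = """\
jobs:
  prep:
    runs-on: self-hosted-runner-name
    outputs:
      github_secret_token: ${{ steps.set_token_output.outputs.github_secret_token }}
    steps:
      - name: Set token output
        id: set_token_output
        run: |
          echo github_secret_token=${{ env.GITHUB_SECRET_TOKEN }} >> $GITHUB_OUTPUT
      - name: Record build version
        id: set_version
        run: |
          echo version=${{ env.BUILD_VERSION }} >> $GITHUB_OUTPUT

  another_job:
    needs: prep
    uses: my_private_org/my_private_repo/.github/workflows/my_reusable_workflow.yml@v1
    with:
      checkout_token: ${{ needs.prep.outputs.github_secret_token }}
"""

# Substrings that suggest a name carries a credential (hypothetical list; tune per repo).
SECRET_WORDS = ("token", "secret", "password", "passwd", "credential", "apikey", "api_key")

# Rule 1: a run step writing an expression into $GITHUB_OUTPUT, e.g.
#   echo name=${{ env.X }} >> $GITHUB_OUTPUT
OUTPUT_WRITE = re.compile(
    r"echo\s+(?P<out>[A-Za-z_][\w-]*)=\$\{\{\s*(?P<ctx>[^}]+?)\s*\}\}\s*>>\s*\"?\$GITHUB_OUTPUT"
)

# Rule 2: a job output forwarded as a plain `with:` input, e.g.
#   checkout_token: ${{ needs.prep.outputs.github_secret_token }}
FORWARDED_OUTPUT = re.compile(
    r"^\s*(?P<input>[\w-]+):\s*\$\{\{\s*needs\.(?P<job>[\w-]+)\.outputs\.(?P<out>[\w-]+)\s*\}\}"
)


def looks_secret(name: str) -> bool:
    """True if any credential-like word appears in the (case-insensitive) name."""
    lowered = name.lower()
    return any(word in lowered for word in SECRET_WORDS)


def find_secret_outputs(workflow_text: str) -> list:
    """Scan raw workflow YAML line by line and return the suspicious spots.

    Each finding is a dict with a 'kind' of either 'output_write' (a secret-looking
    value echoed into $GITHUB_OUTPUT) or 'forwarded_output' (a secret-looking job
    output passed on as a `with:` input).
    """
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = OUTPUT_WRITE.search(line)
        if m:
            out, ctx = m.group("out"), m.group("ctx")
            # The secrets context is always a hit; otherwise judge by the names involved.
            if ctx.startswith("secrets.") or looks_secret(ctx) or looks_secret(out):
                findings.append({"kind": "output_write", "line": lineno,
                                 "output": out, "source": ctx})
            continue
        m = FORWARDED_OUTPUT.match(line)
        if m and (looks_secret(m.group("out")) or looks_secret(m.group("input"))):
            findings.append({"kind": "forwarded_output", "line": lineno,
                             "input": m.group("input"), "job": m.group("job"),
                             "output": m.group("out")})
    return findings


if __name__ == "__main__":
    # Running the file prints one line per finding for the constructed sample.
    for finding in find_secret_outputs(SAMPLE_WORKFLOW):
        print(finding)
```

On the constructed sample the scanner reports two findings: the `echo github_secret_token=... >> $GITHUB_OUTPUT` step and the `checkout_token:` input fed from `needs.prep.outputs.github_secret_token`, while the `version` output passes. Point `find_secret_outputs` at the text of each file under `.github/workflows/` to use it as a pre-commit or CI lint, and extend `SECRET_WORDS` with whatever naming convention your repository uses for credentials.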
