Accessing secrets of custom action's repo #25912
-
It seems that custom actions do not have access to any secrets when used either from their own repository or from the repository they run in. They need all the secrets to be passed in via the parent workflow. I find this limitation rather frustrating. If I have an action that, for example, uploads to some server using a secret, I would like to have that secret stored in the repo of the action. Users of the action should not care that any secret is even used to perform some internal processing. Yet there is no access to that secret. So the only option is to either force the user of the action to pass in the secret (which they should not care about in the first place or even know exists) or hard-code the secret in the action's code, which is not very secure… Is there any other option?
-
Hi @mv185095, Glad to see you in GitHub Community Forum!
If you'd like the action to perform some internal processing without user input, you have to make the secret readable to the action: hardcoded, or decryptable in the action. Secrets in the action repository are not supported. Thanks
-
I will hardcode an encrypted secret in the action repo then. Thanks for the explanation.
-
Is this still the case, two years after?
-
I think this is a big issue. I am creating a Custom Action for an open-source project and this action - along its entire logic - communicates with an external API that requires an Why is it not possible to have a simple solution to make an internal secret readable from the custom action itself? This will simplify the problems I mentioned before.
-
Does anyone have a workaround for this issue? Trying to do the same thing and really don't want to hardcode a secret into code. Cheers!
-
Any update on this? I can't use hardcoded secrets or use secrets as readable env variables :(
Hi @mv185095,
Glad to see you in GitHub Community Forum!
To make a secret available to an action, you must set the secret as an input or environment variable in the workflow file.
It's mentioned in the official doc here. If you'd like the action to perform some internal processing without user input, you have to make the secret readable to the action: hardcoded, or decryptable in the action. Secrets in the action repository are not supported.
Thanks
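
The supported route from the answer above (secret set as an input in the caller's workflow file), written out as an added example that is not from this thread or from GitHub's documentation. The action name `example-org/upload-action`, the input `upload-token`, the secret name `UPLOAD_TOKEN`, the file path and the upload URL are all hypothetical.

```yaml
# File 1: action.yml in the action's repository (hypothetical composite action).
# The action declares the credential as a required input; it cannot read
# secrets stored in its own repository.
name: Upload artifact
description: Uploads a file to a server using a caller-supplied token
inputs:
  upload-token:
    description: Token for the upload server, supplied by the calling workflow
    required: true
  file:
    description: Path of the file to upload
    required: true
runs:
  using: composite
  steps:
    - name: Upload
      shell: bash
      # Hand the values to the script through env rather than expanding
      # ${{ inputs.* }} inside the script text, so they are never spliced
      # into the shell command line.
      env:
        UPLOAD_TOKEN: ${{ inputs.upload-token }}
        FILE_PATH: ${{ inputs.file }}
      run: |
        curl --fail --silent --show-error \
          -H "Authorization: Bearer ${UPLOAD_TOKEN}" \
          -T "${FILE_PATH}" \
          "https://upload.example.invalid/artifacts/"
---
# File 2: .github/workflows/release.yml in the repository that USES the action.
# The secret is stored in this repository (or its organization) and is
# passed to the action explicitly.
name: Release
on:
  push:
    tags: ["v*"]
jobs:
  upload:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/upload-action@v1
        with:
          upload-token: ${{ secrets.UPLOAD_TOKEN }}
          file: dist/package.tar.gz
```

Because the value originates from `secrets.UPLOAD_TOKEN`, the runner masks it in log output, and it never has to be committed to the action's repository.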