How can I extract secrets using GitHub Actions?

ssh github-actions secretsmanager

I have a fairly basic scenario. I made a dedicated ssh key for this purpose and added it to my repository secrets.

  1. Code gets pushed to master

  2. GitHub action uploads it to server using ssh by doing echo "${{ secrets.SSH_KEY }}" > key.

  3. After that I can use this key to connect to my server e.g. ssh -i key [email protected] lsb_release -a

The problem is that for some reason GitHub actions cannot write it to file, it writes characters *** instead of the actual secret value into the file. Therefore obviously I cannot connect to my server.

How can I connect with ssh using this secret? Is there a way to connect without using a file? Can someone who did this common scenario using GitHub actions shed some light?


Solution 1:

GitHub Actions should be able to write a secret to a file this way. The reason you see the stars is that the log is filtered, so if a secret would be logged, it's replaced in the log with three asterisks instead. This is a security measure against an accidental disclosure of secrets, since logs are often publicly available.

However, it's a good idea to avoid writing the secret to the log anyway if possible. You can write your command like this so you don't write the secret to the log:

    - run: 'echo "$SSH_KEY" > key'
      shell: bash
      env:
        SSH_KEY: ${{secrets.SSH_KEY}}

All you'll see in the log is echo "$SSH_KEY" > key, not the secret or any asterisks.

Note that you do want quotes here, since the > character is special to YAML.

If this doesn't work to log into your server, there's likely a different issue; this technique does work for writing secrets in the general case.

Solution 2:

I found a way to do this. We used GatsbyJS for a project and it relies on a .env.production file for the env variables. I tried to pass them as env: to the github action, but that didn't work and they were ignored.

Here is what I did. I base 64 encoded the .env.production file:

base64 -i .env.production

Added the output to an env variable in github action. Then in my action I do:

echo ${{ secrets.ENV_PRODUCTION_FILE }} | base64 -d > .env.production

This way the contents of my .env.production file ended being written to the machine that executes the github action.

Solution 3:

The good solution is to use gpg for encrypting the key, adding it to a repo and decrypting it on the server using passphrase. The passprase should be stored as github project secret of course.

More info how I did it here: https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets

Related

Android version release warning message: This App Bundle contains Java/Kotlin code, which might be obfuscated
What alternatives are there to Google App Engine? [closed]
Arithmetic overflow error when summing an INT, how do I cast it as a BIGINT?
Which Python API should be used with Mongo DB and Django
How to launch tests for django reusable app?
How to test ApplicationController method defined also as a helper method?
How do I setup visual studio to register some #defines globally?
Create folder/directory in Objective-C/cocoa
git un-remove before commit?
Test if registry value exists
Using Linq to objects, how to create an empty dictionary of <string, string> easily?
Get currency symbol in PHP