├── .dockerignore ├── .github ├── settings.yml └── workflows │ ├── branch.yml │ ├── release.yml │ ├── test-negative.yml │ ├── test-positive-secret-2.yml │ └── test-positive.yml ├── .gitignore ├── Dockerfile ├── LICENSE ├── Makefile ├── README.md ├── README.yaml ├── action.yml ├── docs └── github-action.md ├── entrypoint.sh └── renovate.json /.dockerignore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/cloudposse/github-action-secret-outputs/8b3de629ae43a3a7cc152fff3469c1c4692d5d8a/.dockerignore -------------------------------------------------------------------------------- /.github/settings.yml: -------------------------------------------------------------------------------- 1 | # Upstream changes from _extends are only recognized when modifications are made to this file in the default branch. 2 | _extends: .github 3 | repository: 4 | name: github-action-secret-outputs 5 | description: Allow to pass a secret or masked variable between jobs in GitHub Actions using outputs. 6 | homepage: https://cloudposse.com/accelerate 7 | topics: "" 8 | 9 | -------------------------------------------------------------------------------- /.github/workflows/branch.yml: -------------------------------------------------------------------------------- 1 | name: Branch 2 | on: 3 | pull_request: 4 | branches: 5 | - main 6 | - release/** 7 | types: [opened, synchronize, reopened] 8 | push: 9 | branches: 10 | - main 11 | - release/v* 12 | paths-ignore: 13 | - '.github/**' 14 | - 'docs/**' 15 | - 'examples/**' 16 | - 'test/**' 17 | - 'README.md' 18 | 19 | permissions: 20 | contents: write 21 | actions: write 22 | 23 | jobs: 24 | github-action: 25 | uses: cloudposse/.github/.github/workflows/shared-github-action.yml@main 26 | secrets: inherit 27 | -------------------------------------------------------------------------------- /.github/workflows/release.yml: -------------------------------------------------------------------------------- 1 | name: Release 2 | on: 3 | release: 4 | types: [published] 5 | 6 | permissions: 7 | id-token: write 8 | contents: write 9 | pull-requests: write 10 | 11 | jobs: 12 | github-action: 13 | uses: cloudposse/.github/.github/workflows/shared-release-branches.yml@main 14 | secrets: inherit 15 | -------------------------------------------------------------------------------- /.github/workflows/test-negative.yml: -------------------------------------------------------------------------------- 1 | name: Test mask output 2 | on: 3 | # # Uncomment when test added first time to register workflow and comment it back after workflow would be registered 4 | # # 5 | # # Added pull_request to register workflow from the PR. 6 | # # Read more https://stackoverflow.com/questions/63362126/github-actions-how-to-run-a-workflow-created-on-a-non-master-branch-from-the-wo 7 | # pull_request: {} 8 | workflow_dispatch: {} 9 | 10 | jobs: 11 | setup: 12 | runs-on: ubuntu-latest 13 | steps: 14 | - name: Setup 15 | run: echo "Do setup" 16 | 17 | test: 18 | runs-on: ubuntu-latest 19 | needs: [setup] 20 | continue-on-error: true 21 | steps: 22 | - name: Checkout 23 | uses: actions/checkout@v4 24 | 25 | - name: Set outputs 26 | id: masked 27 | run: | 28 | echo '::add-mask::test' 29 | echo This is a test 30 | echo "masked-result=test" >> $GITHUB_OUTPUT 31 | echo "non-masked-result=example" >> $GITHUB_OUTPUT 32 | 33 | outputs: 34 | masked-result: "${{ steps.masked.outputs.masked-result }}" 35 | non-masked-result: "${{ steps.masked.outputs.non-masked-result }}" 36 | 37 | assert: 38 | runs-on: ubuntu-latest 39 | needs: [test] 40 | steps: 41 | - uses: nick-fields/assert-action@v2 42 | with: 43 | expected: '' 44 | actual: "${{ needs.test.outputs.masked-result }}" 45 | 46 | - uses: nick-fields/assert-action@v2 47 | with: 48 | expected: 'example' 49 | actual: "${{ needs.test.outputs.non-masked-result }}" 50 | 51 | teardown: 52 | runs-on: ubuntu-latest 53 | needs: [assert] 54 | if: ${{ always() }} 55 | steps: 56 | - name: Tear down 57 | run: echo "Do Tear down" 58 | -------------------------------------------------------------------------------- /.github/workflows/test-positive-secret-2.yml: -------------------------------------------------------------------------------- 1 | name: Test that encryption keys used 2 | on: 3 | # # Uncomment when test added first time to register workflow and comment it back after workflow would be registered 4 | # # 5 | # # Added pull_request to register workflow from the PR. 6 | # # Read more https://stackoverflow.com/questions/63362126/github-actions-how-to-run-a-workflow-created-on-a-non-master-branch-from-the-wo 7 | # pull_request: {} 8 | workflow_dispatch: {} 9 | 10 | jobs: 11 | setup: 12 | runs-on: ubuntu-latest 13 | steps: 14 | - name: Setup 15 | run: echo "Do setup" 16 | outputs: 17 | secret: kdsafh847382492 18 | 19 | test: 20 | runs-on: ubuntu-latest 21 | continue-on-error: true 22 | needs: [setup] 23 | steps: 24 | - name: Checkout 25 | uses: actions/checkout@v4 26 | 27 | - name: Set outputs 28 | id: masked 29 | run: | 30 | echo '::add-mask::test' 31 | echo This is a test 32 | echo "masked-result=test" >> $GITHUB_OUTPUT 33 | echo "non-masked-result=example" >> $GITHUB_OUTPUT 34 | 35 | - uses: ./ 36 | id: current 37 | with: 38 | secret: ${{ needs.setup.outputs.secret }} 39 | op: encode 40 | in: ${{ steps.masked.outputs.masked-result }} 41 | 42 | outputs: 43 | masked-result: "${{ steps.current.outputs.out }}" 44 | non-masked-result: "${{ steps.masked.outputs.non-masked-result }}" 45 | 46 | assert: 47 | runs-on: ubuntu-latest 48 | needs: [setup, test] 49 | steps: 50 | - name: Checkout 51 | uses: actions/checkout@v4 52 | 53 | - uses: ./ 54 | id: masked-result 55 | with: 56 | secret: ${{ needs.setup.outputs.secret }} 57 | op: decode 58 | in: ${{ needs.test.outputs.masked-result }} 59 | 60 | - uses: nick-fields/assert-action@v2 61 | with: 62 | expected: 'test' 63 | actual: "${{ steps. masked-result.outputs.out }}" 64 | 65 | teardown: 66 | runs-on: ubuntu-latest 67 | needs: [assert] 68 | if: ${{ always() }} 69 | steps: 70 | - name: Tear down 71 | run: echo "Do Tear down" 72 | -------------------------------------------------------------------------------- /.github/workflows/test-positive.yml: -------------------------------------------------------------------------------- 1 | name: Test successfuly encryption secret outputs 2 | on: 3 | # # Uncomment when test added first time to register workflow and comment it back after workflow would be registered 4 | # # 5 | # # Added pull_request to register workflow from the PR. 6 | # # Read more https://stackoverflow.com/questions/63362126/github-actions-how-to-run-a-workflow-created-on-a-non-master-branch-from-the-wo 7 | # pull_request: {} 8 | workflow_dispatch: {} 9 | 10 | jobs: 11 | setup: 12 | runs-on: ubuntu-latest 13 | steps: 14 | - name: Setup 15 | run: echo "Do setup" 16 | outputs: 17 | secret: test123 18 | 19 | test: 20 | runs-on: ubuntu-latest 21 | continue-on-error: true 22 | needs: [setup] 23 | steps: 24 | - name: Checkout 25 | uses: actions/checkout@v4 26 | 27 | - name: Set outputs 28 | id: masked 29 | run: | 30 | echo '::add-mask::test' 31 | echo This is a test 32 | echo "masked-result=test" >> $GITHUB_OUTPUT 33 | echo "non-masked-result=example" >> $GITHUB_OUTPUT 34 | 35 | - uses: ./ 36 | id: current 37 | with: 38 | secret: ${{ needs.setup.outputs.secret }} 39 | op: encode 40 | in: ${{ steps.masked.outputs.masked-result }} 41 | 42 | outputs: 43 | masked-result: "${{ steps.current.outputs.out }}" 44 | non-masked-result: "${{ steps.masked.outputs.non-masked-result }}" 45 | 46 | assert: 47 | runs-on: ubuntu-latest 48 | needs: [setup, test] 49 | steps: 50 | - name: Checkout 51 | uses: actions/checkout@v4 52 | 53 | - uses: ./ 54 | id: masked-result 55 | with: 56 | secret: ${{ needs.setup.outputs.secret }} 57 | op: decode 58 | in: ${{ needs.test.outputs.masked-result }} 59 | 60 | - uses: nick-fields/assert-action@v2 61 | with: 62 | expected: 'test' 63 | actual: "${{ steps. masked-result.outputs.out }}" 64 | 65 | teardown: 66 | runs-on: ubuntu-latest 67 | needs: [assert] 68 | if: ${{ always() }} 69 | steps: 70 | - name: Tear down 71 | run: echo "Do Tear down" 72 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .build-harness 2 | build-harness -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM public.ecr.aws/docker/library/alpine:3.19.1 2 | 3 | RUN apk add --no-cache gnupg bash 4 | 5 | ENTRYPOINT ["/bin/bash"] 6 | 7 | COPY entrypoint.sh /usr/local/bin/entrypoint 8 | 9 | CMD [ "-c", "entrypoint" ] 10 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | SHELL := /bin/bash 2 | 3 | # List of targets the `readme` target should call before generating the readme 4 | export README_DEPS ?= docs/github-action.md 5 | 6 | -include $(shell curl -sSL -o .build-harness "https://cloudposse.tools/build-harness"; echo .build-harness) 7 | 8 | ## Lint terraform code 9 | lint: 10 | $(SELF) terraform/install terraform/get-modules terraform/get-plugins terraform/lint terraform/validate -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | 2 | # github-action-secret-outputs 3 | Latest ReleaseSlack Community 4 | 5 | 6 | 26 | 27 | This GitHub Action implement [workaround](https://nitratine.net/blog/post/how-to-pass-secrets-between-runners-in-github-actions/) for the problem 28 | [`Combining job outputs with masking leads to empty output`](https://github.com/actions/runner/issues/1498). 29 | The problem was described in 30 | [`GitHub Action documentation`](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idoutputs) 31 | - `Outputs containing secrets are redacted on the runner and not sent to GitHub Actions`. 32 | 33 | 34 | --- 35 | > [!NOTE] 36 | > This project is part of Cloud Posse's comprehensive ["SweetOps"](https://cpco.io/homepage?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/github-action-secret-outputs&utm_content=) approach towards DevOps. 37 | >
Learn More 38 | > 39 | > It's 100% Open Source and licensed under the [APACHE2](LICENSE). 40 | > 41 | >
42 | 43 | 44 | 45 | 46 | 47 | 48 | ## Usage 49 | 50 | 51 | 52 | ```yaml 53 | name: Pull Request 54 | on: 55 | pull_request: 56 | branches: [ 'main' ] 57 | types: [opened, synchronize, reopened, closed, labeled, unlabeled] 58 | 59 | jobs: 60 | context: 61 | runs-on: ubuntu-latest 62 | steps: 63 | - name: Step with the secret output 64 | id: iam 65 | run: | 66 | echo "role=arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/admin" >> $GITHUB_OUTPUT 67 | 68 | - uses: cloudposse/github-action-secret-outputs@main 69 | id: role 70 | with: 71 | ## PASSWORD is a gpg passphrase stored in Github Secrets. 72 | secret: ${{ secrets.PASSWORD }} 73 | op: encode 74 | in: ${{ steps.iam.outputs.role }} 75 | 76 | outputs: 77 | role: ${{ steps.role.outputs.out }} 78 | 79 | usage: 80 | runs-on: ubuntu-latest 81 | needs: [context] 82 | steps: 83 | - uses: cloudposse/github-action-secret-outputs@main 84 | id: role 85 | with: 86 | ## PASSWORD is a gpg passphrase stored in Github Secrets. 87 | secret: ${{ secrets.PASSWORD }} 88 | op: decode 89 | in: ${{ needs.context.outputs.role }} 90 | 91 | - name: Configure AWS Credentials 92 | uses: aws-actions/configure-aws-credentials@v1 93 | with: 94 | role-to-assume: ${{ steps.role.outputs.out }} 95 | aws-region: us-east-2 96 | ``` 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | ## Inputs 106 | 107 | | Name | Description | Default | Required | 108 | |------|-------------|---------|----------| 109 | | in | Input data | N/A | true | 110 | | op | Operation to perform (encode or decode) | encode | true | 111 | | secret | Secret to encrypt/decrypt data | N/A | true | 112 | 113 | 114 | ## Outputs 115 | 116 | | Name | Description | 117 | |------|-------------| 118 | | out | Result of encryption/decryption | 119 | 120 | 121 | 122 | ## Related Projects 123 | 124 | Check out these related projects. 125 | 126 | - [github-actions-workflows](https://github.com/cloudposse/github-actions-workflows) - Reusable workflows for different types of projects 127 | 128 | 129 | ## References 130 | 131 | For additional context, refer to some of these links. 132 | 133 | - [How to Pass Secrets Between Runners in GitHub Actions](https://nitratine.net/blog/post/how-to-pass-secrets-between-runners-in-github-actions/) - When trying to pass a secret or masked variable between jobs in GitHub Actions using outputs, it will say 'Warning: Skip output since it may contain secrets'. This tutorial aims to provide a reasonable solution for this. 134 | - [Combining job outputs with masking leads to empty output](https://github.com/actions/runner/issues/1498) - When combining job outputs with masking the output is empty when used in another job. 135 | - [Skip output 'AWS_ACCOUNT_ID' since it may contain secret](https://github.com/orgs/community/discussions/26636) - aws-actions/configure-aws-credentials@v1 will addMask for our aws accountid 136 | - [Workflow syntax for GitHub Actions](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idoutputs) - Outputs containing secrets are redacted on the runner and not sent to GitHub Actions 137 | 138 | 139 | ## ✨ Contributing 140 | 141 | This project is under active development, and we encourage contributions from our community. 142 | Many thanks to our outstanding contributors: 143 | 144 | 145 | 146 | 147 | 148 | ### 🐛 Bug Reports & Feature Requests 149 | 150 | Please use the [issue tracker](https://github.com/cloudposse/github-action-secret-outputs/issues) to report any bugs or file feature requests. 151 | 152 | ### 💻 Developing 153 | 154 | If you are interested in being a contributor and want to get involved in developing this project or help out with Cloud Posse's other projects, we would love to hear from you! 155 | Hit us up in [Slack](https://cpco.io/slack?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/github-action-secret-outputs&utm_content=slack), in the `#cloudposse` channel. 156 | 157 | In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow. 158 | 1. Review our [Code of Conduct](https://github.com/cloudposse/github-action-secret-outputs/?tab=coc-ov-file#code-of-conduct) and [Contributor Guidelines](https://github.com/cloudposse/.github/blob/main/CONTRIBUTING.md). 159 | 2. **Fork** the repo on GitHub 160 | 3. **Clone** the project to your own machine 161 | 4. **Commit** changes to your own branch 162 | 5. **Push** your work back up to your fork 163 | 6. Submit a **Pull Request** so that we can review your changes 164 | 165 | **NOTE:** Be sure to merge the latest changes from "upstream" before making a pull request! 166 | 167 | ### 🌎 Slack Community 168 | 169 | Join our [Open Source Community](https://cpco.io/slack?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/github-action-secret-outputs&utm_content=slack) on Slack. It's **FREE** for everyone! Our "SweetOps" community is where you get to talk with others who share a similar vision for how to rollout and manage infrastructure. This is the best place to talk shop, ask questions, solicit feedback, and work together as a community to build totally *sweet* infrastructure. 170 | 171 | ### 📰 Newsletter 172 | 173 | Sign up for [our newsletter](https://cpco.io/newsletter?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/github-action-secret-outputs&utm_content=newsletter) and join 3,000+ DevOps engineers, CTOs, and founders who get insider access to the latest DevOps trends, so you can always stay in the know. 174 | Dropped straight into your Inbox every week — and usually a 5-minute read. 175 | 176 | ### 📆 Office Hours 177 | 178 | [Join us every Wednesday via Zoom](https://cloudposse.com/office-hours?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/github-action-secret-outputs&utm_content=office_hours) for your weekly dose of insider DevOps trends, AWS news and Terraform insights, all sourced from our SweetOps community, plus a _live Q&A_ that you can’t find anywhere else. 179 | It's **FREE** for everyone! 180 | 181 | ## About 182 | 183 | This project is maintained by Cloud Posse, LLC. 184 | 185 | 186 | We are a [**DevOps Accelerator**](https://cpco.io/commercial-support?utm_source=github&utm_medium=readme&utm_campaign=cloudposse/github-action-secret-outputs&utm_content=commercial_support) for funded startups and enterprises. 187 | Use our ready-to-go terraform architecture blueprints for AWS to get up and running quickly. 188 | We build it with you. You own everything. Your team wins. Plus, we stick around until you succeed. 189 | 190 | Learn More 191 | 192 | *Your team can operate like a pro today.* 193 | 194 | Ensure that your team succeeds by using our proven process and turnkey blueprints. Plus, we stick around until you succeed. 195 | 196 |
197 | 📚 See What's Included 198 | 199 | - **Reference Architecture.** You'll get everything you need from the ground up built using 100% infrastructure as code. 200 | - **Deployment Strategy.** You'll have a battle-tested deployment strategy using GitHub Actions that's automated and repeatable. 201 | - **Site Reliability Engineering.** You'll have total visibility into your apps and microservices. 202 | - **Security Baseline.** You'll have built-in governance with accountability and audit logs for all changes. 203 | - **GitOps.** You'll be able to operate your infrastructure via Pull Requests. 204 | - **Training.** You'll receive hands-on training so your team can operate what we build. 205 | - **Questions.** You'll have a direct line of communication between our teams via a Shared Slack channel. 206 | - **Troubleshooting.** You'll get help to triage when things aren't working. 207 | - **Code Reviews.** You'll receive constructive feedback on Pull Requests. 208 | - **Bug Fixes.** We'll rapidly work with you to fix any bugs in our projects. 209 |
210 | 211 | 212 | ## License 213 | 214 | License 215 | 216 |
217 | Preamble to the Apache License, Version 2.0 218 |
219 |
220 | 221 | Complete license is available in the [`LICENSE`](LICENSE) file. 222 | 223 | ```text 224 | Licensed to the Apache Software Foundation (ASF) under one 225 | or more contributor license agreements. See the NOTICE file 226 | distributed with this work for additional information 227 | regarding copyright ownership. The ASF licenses this file 228 | to you under the Apache License, Version 2.0 (the 229 | "License"); you may not use this file except in compliance 230 | with the License. You may obtain a copy of the License at 231 | 232 | https://www.apache.org/licenses/LICENSE-2.0 233 | 234 | Unless required by applicable law or agreed to in writing, 235 | software distributed under the License is distributed on an 236 | "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 237 | KIND, either express or implied. See the License for the 238 | specific language governing permissions and limitations 239 | under the License. 240 | ``` 241 |
242 | 243 | ## Trademarks 244 | 245 | All other trademarks referenced herein are the property of their respective owners. 246 | --- 247 | Copyright © 2017-2024 [Cloud Posse, LLC](https://cpco.io/copyright) 248 | 249 | 250 | README footer 251 | 252 | Beacon 253 | -------------------------------------------------------------------------------- /README.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | # 3 | # This is the canonical configuration for the `README.md` 4 | # Run `make readme` to rebuild the `README.md` 5 | # 6 | 7 | # Name of this project 8 | name: github-action-secret-outputs 9 | 10 | # Tags of this project 11 | tags: 12 | - github-action 13 | 14 | # Logo for this project 15 | #logo: docs/logo.png 16 | 17 | # License of this project 18 | license: "APACHE2" 19 | 20 | # Canonical GitHub repo 21 | github_repo: cloudposse/github-action-secret-outputs 22 | 23 | # Badges to display 24 | badges: 25 | - name: "Latest Release" 26 | image: "https://img.shields.io/github/release/cloudposse/github-action-secret-outputs.svg" 27 | url: "https://github.com/cloudposse/github-action-secret-outputs/releases/latest" 28 | - name: "Slack Community" 29 | image: "https://slack.cloudposse.com/badge.svg" 30 | url: "https://slack.cloudposse.com" 31 | 32 | related: 33 | - name: "github-actions-workflows" 34 | description: "Reusable workflows for different types of projects" 35 | url: "https://github.com/cloudposse/github-actions-workflows" 36 | 37 | # Short description of this project 38 | description: |- 39 | This GitHub Action implement [workaround](https://nitratine.net/blog/post/how-to-pass-secrets-between-runners-in-github-actions/) for the problem 40 | [`Combining job outputs with masking leads to empty output`](https://github.com/actions/runner/issues/1498). 41 | The problem was described in 42 | [`GitHub Action documentation`](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idoutputs) 43 | - `Outputs containing secrets are redacted on the runner and not sent to GitHub Actions`. 44 | 45 | references: 46 | - name: "How to Pass Secrets Between Runners in GitHub Actions" 47 | description: "When trying to pass a secret or masked variable between jobs in GitHub Actions using outputs, it will say 'Warning: Skip output since it may contain secrets'. This tutorial aims to provide a reasonable solution for this." 48 | url: "https://nitratine.net/blog/post/how-to-pass-secrets-between-runners-in-github-actions/" 49 | - name: "Combining job outputs with masking leads to empty output" 50 | description: "When combining job outputs with masking the output is empty when used in another job." 51 | url: "https://github.com/actions/runner/issues/1498" 52 | - name: "Skip output 'AWS_ACCOUNT_ID' since it may contain secret" 53 | description: "aws-actions/configure-aws-credentials@v1 will addMask for our aws accountid" 54 | url: "https://github.com/orgs/community/discussions/26636" 55 | - name: "Workflow syntax for GitHub Actions" 56 | description: "Outputs containing secrets are redacted on the runner and not sent to GitHub Actions" 57 | url: "https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idoutputs" 58 | 59 | # How to use this project 60 | usage: |- 61 | ```yaml 62 | name: Pull Request 63 | on: 64 | pull_request: 65 | branches: [ 'main' ] 66 | types: [opened, synchronize, reopened, closed, labeled, unlabeled] 67 | 68 | jobs: 69 | context: 70 | runs-on: ubuntu-latest 71 | steps: 72 | - name: Step with the secret output 73 | id: iam 74 | run: | 75 | echo "role=arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/admin" >> $GITHUB_OUTPUT 76 | 77 | - uses: cloudposse/github-action-secret-outputs@main 78 | id: role 79 | with: 80 | ## PASSWORD is a gpg passphrase stored in Github Secrets. 81 | secret: ${{ secrets.PASSWORD }} 82 | op: encode 83 | in: ${{ steps.iam.outputs.role }} 84 | 85 | outputs: 86 | role: ${{ steps.role.outputs.out }} 87 | 88 | usage: 89 | runs-on: ubuntu-latest 90 | needs: [context] 91 | steps: 92 | - uses: cloudposse/github-action-secret-outputs@main 93 | id: role 94 | with: 95 | ## PASSWORD is a gpg passphrase stored in Github Secrets. 96 | secret: ${{ secrets.PASSWORD }} 97 | op: decode 98 | in: ${{ needs.context.outputs.role }} 99 | 100 | - name: Configure AWS Credentials 101 | uses: aws-actions/configure-aws-credentials@v1 102 | with: 103 | role-to-assume: ${{ steps.role.outputs.out }} 104 | aws-region: us-east-2 105 | ``` 106 | 107 | include: 108 | - "docs/github-action.md" 109 | 110 | # Contributors to this project 111 | contributors: 112 | - name: "Igor Rodionov" 113 | github: "goruha" 114 | -------------------------------------------------------------------------------- /action.yml: -------------------------------------------------------------------------------- 1 | name: 'Secret output' 2 | description: 'Allow outputs that contains secrets to be passed between jobs by encrypting them.' 3 | author: hello@cloudposse.com 4 | branding: 5 | icon: 'shield' 6 | color: 'white' 7 | inputs: 8 | op: 9 | required: true 10 | description: "Operation to perform (encode or decode)" 11 | default: "encode" 12 | in: 13 | required: true 14 | description: "Input data" 15 | secret: 16 | required: true 17 | description: "Secret to encrypt/decrypt data" 18 | outputs: 19 | out: 20 | description: "Result of encryption/decryption" 21 | runs: 22 | using: 'docker' 23 | image: 'Dockerfile' 24 | env: 25 | OPERATION: ${{ inputs.op }} 26 | IN: ${{ inputs.in }} 27 | SECRET: ${{ inputs.secret }} 28 | -------------------------------------------------------------------------------- /docs/github-action.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Inputs 4 | 5 | | Name | Description | Default | Required | 6 | |------|-------------|---------|----------| 7 | | in | Input data | N/A | true | 8 | | op | Operation to perform (encode or decode) | encode | true | 9 | | secret | Secret to encrypt/decrypt data | N/A | true | 10 | 11 | 12 | ## Outputs 13 | 14 | | Name | Description | 15 | |------|-------------| 16 | | out | Result of encryption/decryption | 17 | 18 | -------------------------------------------------------------------------------- /entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -l 2 | 3 | set -e 4 | 5 | case "${OPERATION}" in 6 | encode) 7 | result=$(gpg --symmetric --batch --passphrase "${SECRET}" --output - <(echo "${IN}") | base64 -w0) 8 | echo "out=${result}" >> $GITHUB_OUTPUT 9 | ;; 10 | 11 | decode) 12 | result=$(gpg --decrypt --quiet --batch --passphrase "${SECRET}" --output - <(echo "${IN}" | base64 -d)) 13 | echo "::add-mask::${result}" 14 | echo "out=${result}" >> $GITHUB_OUTPUT 15 | ;; 16 | 17 | *) 18 | echo $"op input can be only {encode|decode}" 19 | exit 1 20 | esac 21 | -------------------------------------------------------------------------------- /renovate.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://docs.renovatebot.com/renovate-schema.json", 3 | "extends": [ 4 | "config:base" 5 | ] 6 | } 7 | --------------------------------------------------------------------------------