GitHub Action: secret-outputs
This GitHub Action implements a workaround for the problem "Combining job outputs with masking leads to empty output".
The problem is described in the GitHub Actions documentation:
"Outputs containing secrets are redacted on the runner and not sent to GitHub Actions."
Usage
```yaml
name: Pull Request
on:
  pull_request:
    branches: [ 'main' ]
    types: [opened, synchronize, reopened, closed, labeled, unlabeled]

jobs:
  context:
    runs-on: ubuntu-latest
    steps:
      - name: Step with the secret output
        id: iam
        run: |
          echo "role=arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/admin" >> $GITHUB_OUTPUT

      - uses: cloudposse/github-action-secret-outputs@main
        id: role
        with:
          ## PASSWORD is a gpg passphrase stored in GitHub Secrets.
          secret: ${{ secrets.PASSWORD }}
          op: encode
          in: ${{ steps.iam.outputs.role }}

    outputs:
      role: ${{ steps.role.outputs.out }}

  usage:
    runs-on: ubuntu-latest
    needs: [context]
    steps:
      - uses: cloudposse/github-action-secret-outputs@main
        id: role
        with:
          ## PASSWORD is a gpg passphrase stored in GitHub Secrets.
          secret: ${{ secrets.PASSWORD }}
          op: decode
          in: ${{ needs.context.outputs.role }}

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          role-to-assume: ${{ steps.role.outputs.out }}
          aws-region: us-east-2
```
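Why the encode/decode round trip in the workflow above gets the role ARN across the job boundary, as an added Python model that is not the action's own code. Assumptions: `job_outputs` is a simplified substring model of the runner's redaction rule, the HMAC-based cipher is a standard-library stand-in for the gpg passphrase encryption the usage comments mention, and every value is constructed.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample values (not real secrets).
ACCOUNT_ID = "111122223333"
PASSWORD = "constructed-passphrase"
ROLE = f"arn:aws:iam::{ACCOUNT_ID}:role/admin"
MASKED = [ACCOUNT_ID, PASSWORD]  # values the runner treats as secrets

def _keys(passphrase, salt):
    # Derive separate encryption and MAC keys from the passphrase.
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, 64)
    return km[:32], km[32:]

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode as keystream (assumed stand-in for gpg).
    blocks = range((len(data) + 31) // 32)
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
                      for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))

def encode(passphrase, plaintext):
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(passphrase, salt)
    body = salt + nonce + _xor_stream(enc_key, nonce, plaintext.encode())
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag).decode()

def decode(passphrase, token):
    raw = base64.b64decode(token)
    body, tag = raw[:-32], raw[-32:]
    enc_key, mac_key = _keys(passphrase, body[:16])
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or modified value")
    return _xor_stream(enc_key, body[16:32], body[32:]).decode()

def job_outputs(step_outputs, masked):
    # Simplified runner model: an output containing a secret is not sent on.
    return {k: "" if any(m in v for m in masked) else v
            for k, v in step_outputs.items()}

def run_workflow():
    direct = job_outputs({"role": ROLE}, MASKED)["role"]  # plain ARN: dropped
    passed = job_outputs({"role": encode(PASSWORD, ROLE)}, MASKED)["role"]
    return direct, decode(PASSWORD, passed)  # decode runs in the downstream job
```
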
Inputs
| Name | Description | Default | Required |
|---|---|---|---|
| in | Input data | N/A | true |
| op | Operation to perform (encode or decode) | encode | true |
| secret | Secret to encrypt/decrypt data | N/A | true |
Outputs
| Name | Description |
|---|---|
| out | Result of encryption/decryption |