Secret created but empty

[samyKhezandji]

Hi, Actually I noticed that when I execute your function that use GitHub API rest in order to create a secret, this creates the secret but it is empty. I'm facing this issue for several weeks and don't know why secrets are just empty when they are created by API rest.

[github-actions[bot]]

Thank you for opening this ISSUE. We'll give you a return ASAP 👍

[GuillaumeFalourd]

Hi @samyKhezandji , how are you doing?

You're executing this formula: https://github.com/GuillaumeFalourd/formulas-github/tree/master/github/add/secret, right?

It may be related to the PAT scope permission you are using. Did you try updating it to check?

[samyKhezandji]

Hi @GuillaumeFalourd I'm trying to do my best :D That's right, this is the formula I tried to use. I created a new PAT with a full access but it still working the same way : the secret name is created but not the secret value. This is the Job that I use :

jobs:
  Test:
    name: Test
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2

      - name: Pip Install
        shell: pwsh
        run : |
          pip install PyGithub
          python -m pip install requests
      - uses: jannekem/run-python-script-action@v1
        id: secret
        with:
          script: |
            #!/usr/bin/python3
            import requests
            import json
            from base64 import b64encode
            from nacl import encoding, public
            def run(token, owner, repository, secret_name, secret_value):
                url_public_key = f"https://api.github.com/repos/{owner}/{repository}/actions/secrets/public-key"
                authorization = f"token {token}"
                headers = {
                    "Accept": "application/vnd.github.v3+json",
                    "Authorization" : authorization,
                    }
                r = requests.get(
                    url = url_public_key,
                    headers = headers
                    )
                if r.status_code == 200:
                    key_datas = r.json()
                    url_secret = f"https://api.github.com/repos/{owner}/{repository}/actions/secrets/{secret_name}"
                    data = {}
                    data["encrypted_value"] = encrypt(key_datas["key"], secret_value)
                    data["key_id"] = key_datas["key_id"]
                    json_data = json.dumps(data)
                    r = requests.put(
                        url = url_secret,
                        data = json_data,
                        headers = headers
                        )
                    if r.status_code == 201 or r.status_code == 204:
                        print(f"✅ Secret \033[36m{secret_name}\033[0m successfully added to {owner}'s \033[36m{repository}\033[0m repository")
                    else:
                        print("❌ Couldn't add the secret to the repository")
                        print (r.status_code, r.reason)
                else:
                    print("❌ Couldn't get the repository public key")
                    print (r.status_code, r.reason)
            def encrypt(public_key: str, secret_value: str) -> str:
                """Encrypt a Unicode string using the public key."""
                public_key = public.PublicKey(public_key.encode("utf-8"), encoding.Base64Encoder())
                sealed_box = public.SealedBox(public_key)
                encrypted = sealed_box.encrypt(secret_value.encode("utf-8"))
                return b64encode(encrypted).decode("utf-8")

            run("examplePersonalAccessToken", "MyOrganization", "TestCreateSecretsAPI", "TEST", "MyNameIsGeovaniGeorgio")

      - name: TestShow
        shell: pwsh
        run : |
          echo "secret: ${{secrets.Test}}"

Normally, when the secret is created with it value the echo command show something like *** but in my case it just show an empty space. I'm verry intrigued.

[GuillaumeFalourd]

Ok, thank you for sharing the workflow 👍🏼

For what I observed looking at the Github API documentation for Creating Secrets and Getting a repository public key, the only things that changed since I implemented this code is the header referring to the Github API Version.

---

Solution:

I made it work here adding this Github API Version header to both requests 👍🏼

The workflow I used is quite similar to yours, and can be found here

Could you check it also works in your case @samyKhezandji ?

[samyKhezandji]

Hello @GuillaumeFalourd

Thank you for your answer and your proposed solution. Believe me, it still doesn't work ! :( Your code looks perfectly correct and I clearly saw that it worked for you, so I copied your code and created a PAT with a full access but it still doesn't work.

What kind of PAT token you used ?

Actually I tried with the classic one and the Beta version but the result is the same : not working :(

I'm trying to investigate more.

[GuillaumeFalourd]

Is the repository public so I can have a look at it directly?

[samyKhezandji]

Hi @GuillaumeFalourd

I created a public repository in order to share it with you.

This is the link to the repository

[GuillaumeFalourd]

I made a fork where I added a secret with all permissions, and it doesn't work indeed. I have no idea why 🤔

[GuillaumeFalourd]

After testing a bit more here, it seems the workflow creates the secret with an empty value the first time, but fill the secret with the value as expected the second time it is executed. Could you check?

[samyKhezandji]

Yes I confirm that the second time it is executed the secret is create with its value. I don't understand why but I can eventualy execute the function two times each time I create a secret :/

[GuillaumeFalourd]

I asked the question on StackOverflow, let's see if someone has any idea how to solve this.