abhilash1in / aws-secrets-manager-action

Use secrets from AWS Secrets Manager as environment variables in your GitHub Actions workflow
MIT License

Request: option to persist secrets until workflow ends, rather than when job ends #53

Open FFdhorkin opened 11 months ago

FFdhorkin commented 11 months ago

I would like there to be an option to defer secrets from expiring at the end of a job, and expire them at the end of a workflow instead, so that I can retrieve secrets in one job, then pass them to another job inside the same workflow file, without having to pull secrets a second time.

Obviously, for security reasons, the default for this should be turned off, but...

I wanted to pass an AWS secret into a reusable workflow. This workflow has two jobs, each of which needs to check out a private repo, so I need the token in order to be able to check it out.

So, I had something like this for my parent workflow:

jobs:
  prep:
    name: This is my job name
    runs-on: self-hosted-runner-name
    outputs:
      github_secret_token: ${{ steps.set_token_output.outputs.github_secret_token }}
    steps:
      - name: Read secrets from AWS Secrets Manager into environment variables
        uses: abhilash1in/aws-secrets-manager-action@v2.1.0
        with:
          secrets: |
            github_secret
          parse-json: true
          disable-warnings: true

      # various other steps here, several of which use GITHUB_SECRET_TOKEN without issue

      - name: Set token output
        id: set_token_output
        run: |
          echo github_secret_token=${{ env.GITHUB_SECRET_TOKEN }} >> $GITHUB_OUTPUT

  another_job:
    name: This is another job
    needs: prep
    # this reusable workflow has 2 jobs, each of which needs access to that secret
    uses: my_private_org/my_private_repo/.github/workflows/my_reusable_workflow.yml@v1
    with:
      github_runner: self-hosted-runner-name
      # checkout_token is blank (undefined?) in this action
      checkout_token: ${{ needs.prep.outputs.github_secret_token }}

Turns out that when it gets to my_reusable_workflow.yml's inputs, checkout_token is suddenly blank. (The same behavior happens with github.token, which wouldn't work for this use case anyway, so I presume this is the result of a post-job step.)

To get around this, I had to add the aws-secrets-manager-action step to both of the jobs in that reusable workflow - 14 additional lines to that reusable workflow that I'd like to avoid, since I've already pulled the secrets and thus it's effectively noise (21 lines total, across two files, devoted to retrieving secrets... all to make one workflow work).