jbct
commented
1 year ago Thanks for the feedback, we'll note this as an enhancement request.
Open Danny-Smart opened 1 year ago
jbct
commented
1 year ago Thanks for the feedback, we'll note this as an enhancement request.
Olfi01
commented
1 year ago PR #36 or #37 implements this (they are equivalent, one contains the compiled files in dist and one doesn't)
int128
commented
8 months ago I really need this feature.
For using a composite action, it would be nice if we can use outputs instead.
When this action is called twice, it causes the following error:
Error: The environment name 'KEY' is already in use. Please use an alias to ensure that each secret has a unique environment name.
Hi
In the readme, you mention that environment variables are available to all steps within a job and that we should work to prevent them from being exploited or misused by malicious actions.
Would this issue be negated if the
get-secretsaction wrote the secrets as outputs rather than environment variables? The secrets wouldn't be automatically available to other steps, but could be passed into them explicitly as required, by the job itself.From a security point of view, this feels to me like the more secure option; is there another advantage that environment variables have over outputs that would prevent this from being done?