GitHub - itisopen/github-action-secret-outputs: Allow to pass a secret or masked variable between jobs in GitHub Actions using outputs.

This GitHub Action implement workaround for the problem Combining job outputs with masking leads to empty output. The problem was described in GitHub Action documentation

Outputs containing secrets are redacted on the runner and not sent to GitHub Actions.

Usage

  name: Pull Request
  on:
    pull_request:
      branches: [ 'main' ]
      types: [opened, synchronize, reopened, closed, labeled, unlabeled]

  jobs:
    context:
      runs-on: ubuntu-latest
      steps:
        - name: Step with the secret output
          id: iam
          run: |
            echo "role=arn:aws:iam::${{ secrets.AWS_ACCOUNT_ID }}:role/admin" >> $GITHUB_OUTPUT

        - uses: itisopen/github-action-secret-outputs@itisopen
          id: role
          with:
            ## PASSWORD is a gpg passphrase stored in Github Secrets.
            secret: ${{ secrets.PASSWORD }}
            op: encode
            in: ${{ steps.iam.outputs.role }}
        
      outputs:
        role: ${{ steps.role.outputs.out }}

    usage:
      runs-on: ubuntu-latest
      needs: [context]
      steps:
        - uses: itisopen/github-action-secret-outputs@itisopen
          id: role
          with:
            ## PASSWORD is a gpg passphrase stored in Github Secrets.          
            secret: ${{ secrets.PASSWORD }}
            op: decode
            in: ${{ needs.context.outputs.role }}

        - name: Configure AWS Credentials
          uses: aws-actions/configure-aws-credentials@v1
          with:
            role-to-assume: ${{ steps.role.outputs.out }}
            aws-region: us-east-2

Inputs

Name	Description	Default	Required
in	Input data	N/A	true
op	Operation to perform (encode or decode)	encode	true
secret	Secret to encrypt/decrypt data	N/A	true

Name	Description
out	Result of encryption/decryption

Related Projects

Check out these related projects.

github-actions-workflows - Reusable workflows for different types of projects

References

For additional context, refer to some of these links.

How to Pass Secrets Between Runners in GitHub Actions - When trying to pass a secret or masked variable between jobs in GitHub Actions using outputs, it will say 'Warning: Skip output since it may contain secrets'. This tutorial aims to provide a reasonable solution for this.
Combining job outputs with masking leads to empty output - When combining job outputs with masking the output is empty when used in another job.
Skip output 'AWS_ACCOUNT_ID' since it may contain secret - aws-actions/configure-aws-credentials@v1 will addMask for our aws accountid
Workflow syntax for GitHub Actions - Outputs containing secrets are redacted on the runner and not sent to GitHub Actions

✨ Contributing

This project is under active development, and we encourage contributions from our community.

Many thanks to the outstanding contributors to the Cloud Posse upstream contents. We appreciate your hard work and dedication to building scalable enterprise grade solutions.
Many thanks also to the contributors to the ITisOpen upstream contents. We appreciate your hard work and dedication to extending the work of Cloud Posse to other cloud providers.

For 🐛 bug reports & feature requests, please use the issue tracker.

In general, PRs are welcome. We follow the typical "fork-and-pull" Git workflow.

Review our Code of Conduct and Contributor Guidelines.
Fork the repo on GitHub
Clone the project to your own machine
Commit changes to your own branch
Push your work back up to your fork
Submit a Pull Request so that we can review your changes

NOTE: Be sure to merge the latest changes from "upstream" before making a pull request!

🌎 Slack Community

Join our Open Source Community on Slack. It's FREE for everyone! Our "ITisOpen" community is where you get to talk with others who share a similar vision for how to rollout and manage infrastructure. This is the best place to talk shop, ask questions, solicit feedback, and work together as a community to build totally open infrastructure.

Note: ITisOpen is leverages open-source projects from Cloud Posse. We encourage you to also join the Cloud Posse Slack community for even more collaboration and support: slack.cloudposse.com

📰 Newsletter

Sign up for our newsletter and join other DevOps & Platform Engineers, CTOs, and founders who get insider access to the latest DevOps & Platform Engineering trends, so you can always stay in the know. Dropped straight into your Inbox every week — and usually a 5-minute read.

License

Preamble to the Apache License, Version 2.0

Complete license is available in the LICENSE file.

Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements.  See the NOTICE file
distributed with this work for additional information
regarding copyright ownership.  The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License.  You may obtain a copy of the License at

  https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied.  See the License for the
specific language governing permissions and limitations
under the License.

Trademarks

All other trademarks referenced herein are the property of their respective owners.