Reputation: 13300
I've been directed to "handle this programmatically" and I don't have the ability to change or add the credentials file.
Using GitHub Actions, I've created a workflow that needs GCloud authenticated. Unfortunately, it seems that the variable is replaced prior to the `run` commands being executed, resulting in a multi-line YAML file that produces a bunch of errors.
Here's a snippet of the YAML:
```yaml
# Setup gcloud CLI
- name: Use Google Cloud Platform
  uses: GoogleCloudPlatform/github-actions/setup-gcloud@master
  with:
    version: '270.0.0'
    service_account_email: ${{ secrets.SA_EMAIL }}
    service_account_key: ${{ secrets.GOOGLE_APPLICATION_CREDENTIALS }}
- run: cd ui/ && pwd && npm install && npm run test
  env:
    CI: true
- run: |
    echo ${{ secrets.GCP_AUTH_STAGING }} | gcloud auth activate-service-account --key-file=-
    gcloud container clusters get-credentials staging --region northamerica-northeast1 --project example-staging
    cd ui/ && pwd && npm run build && cd build/ && gsutil cp -r . gs://test.example.com/
```
I've tried escaping the credentials with something like `CREDS=$( ${{ secrets.GCP_AUTH_STAGING }} )`, but this just results in another multi-line problem. I believe the YAML variable is replaced prior to being executed, instead of being passed as an env.
If anyone has a command-line solution it would be much appreciated!
Please note I'm aware that there's a service account/key in the YAML as well but I cannot access it.
Upvotes: 13
Views: 8660
Reputation: 33881
You need to ensure it's handled correctly, either at the YAML level (can be done using `|`):
```yaml
- env:
    SSH_KEY: |
      ${{ secrets.SSH_KEY }}
```
Or, if it's a command in bash, ensure it's correctly interpreted. For example, if you are doing:
```bash
echo ${{ secrets.SSH_KEY }}
```
this should instead be quoted so it becomes:
```bash
echo "${{ secrets.SSH_KEY }}"
```
Upvotes: 10
Reputation: 10069
Using base64, we encode the service account JSON and pass it via an environment variable. Then, before calling `activate-service-account`, decode it using the shell script.
Sample code:
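```bash
# GCP_CREDENTIALS holds the base64-encoded service account JSON
echo "$GCP_CREDENTIALS" > gcp_credentials_enc.json
# Decode it back into the JSON key file
cat gcp_credentials_enc.json | base64 -d > gcp_credentials.json
```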
Upvotes: 12
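An added example (not code from the posts above) that serves both answers: it simulates why rendering `${{ secrets.GCP_AUTH_STAGING }}` directly inside a `run:` script breaks on a multi-line key, and shows the alternative of passing the secret through `env:` and writing it, raw or base64-encoded, to a private key file. The function names, the `GCP_CREDENTIALS` wiring and the sample key are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: a fake multi-line service-account JSON (not a real key).
SAMPLE_KEY='{
  "type": "service_account",
  "client_email": "ci@example-staging.iam.gserviceaccount.com",
  "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n"
}'

# Simulates ${{ secrets.X }} inside `run:`: the value is pasted into the script
# text before any shell starts, so every JSON line is parsed as shell code.
render_inline() {
  sh -c "echo $1" 2>/dev/null || true
}

# Encode once, before saving the value as a secret: one line, no wrapping.
encode_key() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Write a credential received through an environment variable to a private
# temp file and print the path. Accepts raw JSON (starts with "{") or base64.
materialize_key() {
  # umask is changed only inside the command substitution's subshell
  keyfile=$(umask 077; mktemp) || return 1
  case $1 in
    '{'*) printf '%s' "$1" > "$keyfile" ;;
    *)    printf '%s' "$1" | base64 -d > "$keyfile" || { rm -f "$keyfile"; return 1; } ;;
  esac
  printf '%s\n' "$keyfile"
}

# Workflow step body, assuming the step sets
#   env:
#     GCP_CREDENTIALS: ${{ secrets.GCP_AUTH_STAGING }}
# so the expression is rendered in YAML, never in the script:
#   keyfile=$(materialize_key "$GCP_CREDENTIALS")
#   trap 'rm -f "$keyfile"' EXIT
#   gcloud auth activate-service-account --key-file="$keyfile"
```

Because the value reaches the script only as `"$GCP_CREDENTIALS"`, its quotes and newlines are never re-parsed by the shell, and the key file is removed when the step exits.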