Reputation: 93
I am writing a JavaScript GitHub action. Inside my action.yml, I have the following:

    runs:
      using: node12
      main: ./index.js

Inside my index.js, I am calling an API which requires a secret key. I want to use my own secret key. I don't want users who use my action to define their own key. How can I add my secret key to the file as a secret or env variable?
Upvotes: 1
Views: 1424
Reputation: 3104
Secrets need to come from somewhere. Even if you encrypt your token for the external api and host it directly in the action's code, you still need a passphrase to decrypt it and that needs to come from a secrets entry by the user of your action as it would need to be hosted in their own repo or organization.
Here is an example of encrypting a secret if you wanted to, but it still requires a passphrase, therefore we are back in the same boat.

    gpg --symmetric --cipher-algo AES256 my_secret.json

The reason this situation is not ideal is because from my understanding, you want to use one token for all users of your action. Therefore the secret will need to be public in some way as multiple users will need to have that token, so either you host the token directly in your action or tell users to provide it to you through their secrets setup as an action variable or env. Here is an example of the user sharing the token in two different ways to your action.

    steps:
      - name: Hello world action
        with: # Set the secret as an input
          super_secret: ${{ secrets.SuperSecret }}
        env: # Or as an environment variable
          super_secret: ${{ secrets.SuperSecret }}

Upvotes: 3
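
The receiving side of the workflow snippet above, as an added example that is not part of the answer or the asker's action: how index.js could pick up `super_secret` from either the `with:` input or the `env:` entry, fail clearly when the user has not configured it, and keep it out of the logs. The function names and sample values are assumptions made for illustration; the `INPUT_<NAME>` variable naming and the `::add-mask::` and `::error::` workflow commands are standard GitHub Actions runner behaviour.

```javascript
// Added example: hypothetical index.js logic, not the asker's code.
// The runner exposes `with:` inputs as INPUT_<NAME> environment variables
// (upper-cased, spaces replaced by underscores); `env:` entries keep their name.
const SECRET_NAME = "super_secret"; // name taken from the workflow snippet

function inputEnvName(name) {
  return "INPUT_" + name.replace(/ /g, "_").toUpperCase();
}

// Return the secret and where it came from; the input wins over the env variable.
// An unset secret reaches the action as an empty string, so empty counts as missing.
function resolveSecret(env) {
  const candidates = [
    ["input", env[inputEnvName(SECRET_NAME)]],
    ["env", env[SECRET_NAME]],
  ];
  for (const [source, raw] of candidates) {
    const value = (raw || "").trim();
    if (value !== "") return { source, value };
  }
  throw new Error(`Missing secret: pass '${SECRET_NAME}' via with: or env:`);
}

// Workflow command asking the runner to redact the value from later log output.
// Values from the secrets context are masked already; this covers other sources.
function maskCommand(value) {
  return `::add-mask::${value}`;
}

function run(env, write) {
  try {
    const { source, value } = resolveSecret(env);
    write(maskCommand(value));
    write(`Using API key from ${source}`); // never log the value itself
    return value;
  } catch (err) {
    write(`::error::${err.message}`);
    return null;
  }
}

// Constructed sample environments (not real credentials).
const lines = [];
run({ INPUT_SUPER_SECRET: "constructed-key-123" }, (l) => lines.push(l));
run({}, (l) => lines.push(l));
console.log(lines.join("\n"));
```

In a real action the entry point would call `run(process.env, console.log)` and set `process.exitCode = 1` when it returns `null`.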