Reputation: 33
I have my Telegram API key stored in GitHub secrets and I pass it to my code in the workflow like
python3 main.py ${{ secrets.API_KEY }}
and use it in my code
import sys
KEY = sys.argv[1]  # the secret arrives as the first command-line argument
While running, it does filter out (***) the secrets, but is this really safe, or should I be looking at another way to pass my keys? Is there any way someone could see the API key if it is passed as an arg?
Upvotes: 3
Views: 1943
Reputation: 23310
GitHub uses a libsodium sealed box to help ensure that secrets are encrypted before they reach GitHub and remain encrypted until you use them in a workflow.
That's the reason why they return *** in the workflow run. And it is safe. However, as you can see on the link shared by chepner above, there is this suggestion:
Avoid passing secrets between processes from the command line, whenever possible. Command-line processes may be visible to other users (using the ps command) or captured by security audit events. To help protect secrets, consider using environment variables, STDIN, or other mechanisms supported by the target process.
Therefore, in your case, instead of sending the variable like this directly on the command line, you should add it as an env variable to the step:
steps:
  - run: python3 main.py
    env:
      API_KEY: ${{ secrets.API_KEY }}
And then extract the variable using KEY = os.environ.get("API_KEY") in your Python script.
Upvotes: 4
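The following is an added example, not part of the answer above, showing what the env-variable approach looks like on the Python side: the script reads the key from the environment, fails loudly if the step's env: block was not configured, refuses to proceed if the key also appears in its own command line (the ps-visible channel the GitHub docs warn about), and forwards the key to a child process through its environment rather than its argument list. The variable name API_KEY matches the answer; the helper names and the MissingSecret exception are my own.

```python
import os
import subprocess
import sys

ENV_NAME = "API_KEY"  # same name the step's env: block sets


class MissingSecret(RuntimeError):
    """Raised when the expected secret is not present in the environment."""


def load_api_key(environ=None, name=ENV_NAME):
    """Read the secret from the environment (defaults to os.environ).

    An empty or missing value is treated as a configuration error so the
    job fails immediately instead of calling the API with a bogus key.
    """
    environ = os.environ if environ is None else environ
    value = environ.get(name)
    if not value:
        raise MissingSecret(
            f"{name} is not set; add it under the step's env: block "
            f"(env: {name}: ${{{{ secrets.{name} }}}})"
        )
    return value


def assert_not_in_argv(secret, argv=None):
    """Refuse to run if the secret was also passed on the command line.

    Command-line arguments are visible to other users on the runner via
    ps and /proc/<pid>/cmdline; the environment of a process is not
    readable by unrelated users. This guard catches a workflow that was
    only half-migrated from the argv style.
    """
    argv = sys.argv if argv is None else argv
    if any(secret in arg for arg in argv):
        raise ValueError(
            "secret appears in the command line; remove it from the "
            "run: line and rely on the env: block instead"
        )
    return True


def run_child_with_secret(cmd, secret, name=ENV_NAME):
    """Run a child process, handing it the secret through its environment.

    The child's command line stays free of the secret; only the copied
    environment carries it. Returns the child's stdout.
    """
    env = dict(os.environ)
    env[name] = secret
    result = subprocess.run(cmd, env=env, capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    key = load_api_key()
    assert_not_in_argv(key)
    # Use `key` with the Telegram client here; never print or log it.
    print("API key loaded from environment (length %d)" % len(key))
```

In the workflow this pairs with the env: form from the answer; the script itself never takes the key as an argument, so a stray `python3 main.py ${{ secrets.API_KEY }}` would now trip assert_not_in_argv instead of silently working.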