Stephanos

Reputation: 571

How to pass an API token as output variable between jobs in GitHub Actions

I'm new to GitHub Actions (and YAML syntax) so I may be misunderstanding something about the ability to pass data between jobs. I've been trying to use a workflow with two jobs:

  1. authenticateWithAuth0API asks for a token to be generated
  2. triggerNetlifyFunction uses the token to authenticate with a Lambda function

For the first job, I can see that I do get back some kind of response that is saved as an output. The logs show the response is an access token with value ***. I assume the value appears as asterisks in the logs because the runner understands this value to be sensitive (a secret - though not a GitHub Secret).

I was under the impression that I could declare this as an output (which seems to go through ok) and then use it in the next job with the "needs" context. I'm using it as the value to the "Authorization" header for a call triggered in the next job.

However, in the logs I can see that the value of the header is empty, showing up as Authorization:"". Am I missing something in terms of the ability to pass sensitive variables between jobs?

jobs:
  authenticateWithAuth0API:
    runs-on: ubuntu-latest
    outputs: 
      token: ${{ steps.getToken.outputs.API_RESPONSE }}
    steps:
      - uses: actions/checkout@v2
      - id: getToken
        uses: fjogeleit/[email protected]
        with:
          url: <<removed: some token generation endpoint>>
          data: '{"client_id":"${{ secrets.... }}","client_secret":"${{ secrets....}}","audience":"${{ secrets.... }}","grant_type":"client_credentials"}'
      - id: saveResponse
        run: echo "::set-output name=API_RESPONSE"

  triggerNetlifyFunction:
    runs-on: ubuntu-latest
    needs: authenticateWithAuth0API
    steps:
      - id: callFunction
        uses: fjogeleit/[email protected]
        with:
          url: <<removed: netlify function url>>
          customHeaders: '{"Authorization":"${{ needs.authenticateWithAuth0API.outputs.token }}"}'
      - id: ShowFunctionResponse
        run: echo ${{ steps.callFunction.outputs.response }}

DEBUG LOGS FROM JOB1:

##[debug]..Evaluating String:
##[debug]..=> 'token'
##[debug]=> '***'
##[debug]Result: '***'

DEBUG LOGS FROM JOB2:

##[debug]Evaluating: format('{{"Authorization":"{0}"}}', needs.authenticateWithAuth0API.outputs.token)
##[debug]Evaluating format:
##[debug]..Evaluating String:
##[debug]..=> '{{"Authorization":"{0}"}}'
##[debug]..Evaluating Index:
##[debug]....Evaluating Index:
##[debug]......Evaluating Index:
##[debug]........Evaluating needs:
##[debug]........=> Object
##[debug]........Evaluating String:
##[debug]........=> 'authenticateWithAuth0API'
##[debug]......=> Object
##[debug]......Evaluating String:
##[debug]......=> 'outputs'
##[debug]....=> Object
##[debug]....Evaluating String:
##[debug]....=> 'token'
##[debug]..=> null

...
##[debug]....Evaluating String:
##[debug]....=> 'token'
##[debug]..=> null
##[debug]=> '{"Authorization":""}'
##[debug]Result: '{"Authorization":""}'
##[debug]Loading env

Upvotes: 5

Views: 3235

Answers (1)

GuiFalourd

Reputation: 23040

Added debug logs... if I'm reading this correctly it seems that my output variable token is not a string, it's an object {access_token: *** }? But even so, why would it come up as "" (empty string in the authorization header)? Should it not have added an object at least?

I believe this is expected behaviour, as the GitHub Actions runner probably can't check the output value and ensure the secret isn't exposed through the workflow afterwards.

A workaround to your issue could be to save the output (API_RESPONSE) as a secret on the first job, and then access it as any other secret on the second job.

This GH secrets action could help you do it (it would even update the secret if it is already set).

Note: There may be other actions available providing a similar result.

Upvotes: 1
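
An added example, not part of the original question or answer: the runner drops a job-level output whose value contains a masked string, so one option is to fetch and use the token inside a single job and hand it from step to step as a step output. The script below is the body of such a `run:` step; it writes to the `GITHUB_OUTPUT` file, which replaced the deprecated `::set-output` command, and the function names, the output name `token` and the sample response are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Function and output names are
# assumptions; this is the body of a `run:` step in the job that uses the token.

# extract_access_token JSON: print the access_token field, or return 1.
extract_access_token() {
  local json="$1" token
  if command -v jq >/dev/null 2>&1; then
    token=$(printf '%s' "$json" | jq -r '.access_token // empty')
  else
    # Fallback for hosts without jq; adequate for flat responses only.
    token=$(printf '%s' "$json" |
      sed -n 's/.*"access_token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  fi
  # Reject empty values and anything outside the usual bearer-token alphabet:
  # a newline here would let the response inject extra key=value outputs.
  case "$token" in
    '' | *[!A-Za-z0-9._~+/=-]*) return 1 ;;
  esac
  printf '%s' "$token"
}

# publish_token JSON: mask the token, then write it as step output `token`.
publish_token() {
  local token
  token=$(extract_access_token "$1") || {
    echo "no usable access_token in response" >&2   # never log the body itself
    return 1
  }
  echo "::add-mask::$token"                        # mask before any other use
  printf 'token=%s\n' "$token" >> "$GITHUB_OUTPUT" # name=value, both required
}

# Constructed sample response; on a runner it comes from the token request step.
SAMPLE_RESPONSE='{"access_token":"constructed.sample.token","token_type":"Bearer"}'

# Outside a runner GITHUB_OUTPUT is unset, so point it at a temp file.
if [ -z "${GITHUB_OUTPUT:-}" ]; then
  GITHUB_OUTPUT=$(mktemp)
  export GITHUB_OUTPUT
fi
publish_token "$SAMPLE_RESPONSE"
```

A later step in the same job reads the value as `steps.<step id>.outputs.token`, and it stays masked in that job's logs.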
