Secrets created by this lib are not readable by other github action workflows

[lakshmajee]

trafficstars

Describe the bug

• secrets are a way to manage and use them in workflows when required.
• When we tried to add secrets from the GitHub user interface (browser - webpage), they are accessible by any dependent workflows that use the newly created secrets.
• As part of automation, I have delegated the responsibility of creating and updating secrets to actions/github-script.
  • using github.rest.actions.createOrUpdateRepoSecret we are adding secrets to github
  • When tried to print to the output (stdout) in some dummy GitHub action using a workaround, we see the original secret value (with some spaces)
  • But when we tried to consume it, it is not readable or recognized by external scripts.

To Reproduce Steps to reproduce the behavior: Repository to reproduce the issue : here

1. Create a new workflow file test_secret_access.yml with the following content

   name: Verify
   on: [workflow_dispatch]
   
   env:
   AWS_REGION: "us-east-1"
   
   jobs:
   verify-secrets-access:
       runs-on: ubuntu-latest
       steps:
       - uses: actions/checkout@v2
       - uses: aws-actions/configure-aws-credentials@v1
           with:
           role-to-assume: ${{ secrets.DUMMY_AWS_IAM_ROLE_ASSUME  }}
           aws-region: ${{ env.AWS_REGION }}
   

2. Go to repository secrets
3. Add a secret with DUMMY_AWS_IAM_ROLE_ASSUME with a value, hello github
4. Run workflow test_secret_access.yml
5. Here aws-actions/configure-aws-credentials will be able to access secrets created manually.
6. Add create-secret.yml workflow with following contents

   name: Create
   on: [workflow_dispatch]
   
   
   jobs:
   create-secret-test:
       runs-on: ubuntu-latest
       steps:
       - uses: actions/github-script@v6
           with:
           script: |
               const publicKey = await github.rest.actions.getRepoPublicKey({
                   owner: context.repo.owner,
                   repo: context.repo.repo,
               })
               // assuming you will be actual secret from some API
               // encrypt the value using instructions here https://docs.github.com/en/rest/actions/secrets#create-or-update-an-organization-secret  
               const encryptedSecret = "dummy iam role with no access to zero resources"
               await github.rest.actions.createOrUpdateRepoSecret({
                   owner: context.repo.owner,
                   repo: context.repo.repo,
                   secret_name: "DUMMY_AWS_IAM_ROLE_ASSUME",
                   encrypted_value: encryptedSecret,
                   key_id: publicKey.data.key_id,
               })
   

7. After running the above workflow it will create a secret in the GitHub repo
8. Now try to run test_secret_access.yml, it will throw an error stating that It is unable to identify or access role-to-assume

Expected behavior The secrets created using github.rest.actions.createOrUpdateRepoSecret should be accessible or readable to other github workflows.

Screenshots If applicable, add screenshots to help explain your problem.

Desktop (please complete the following information):

• OS: ubuntu 20.04
• Browser: chrome
• Version: 95.0.4638.69 (Official Build) (64-bit)

Smartphone (please complete the following information):

• Device: [e.g. iPhone6]
• OS: [e.g. iOS8.1]
• Browser [e.g. stock browser, safari]
• Version [e.g. 22]

Additional context Add any other context about the problem here. This is not only happening with https://github.com/aws-actions/configure-aws-credentials. This issue occurs to me when I tried to create secrets using github secrets API

[lakshmajee]

Repository to reproduce this issue https://github.com/awkward-minion/issue-gh-actions-rest-secets

[joshmgross]

@awkward-minion could you share how you're encrypting the secret?