Not only secrets, but anything, if masked, cannot be referenced into another job:
e.g. when I use amazon-ecr-login and get a registry in its outputs,
https://github.com/marketplace/actions/amazon-ecr-login-action-for-github-actions

```yaml
REGISTRY: ${{ steps.login-ecr.outputs.registry }}
```

```yaml
outputs:
  registry: ${{ steps.login-ecr.outputs.registry }}
```

but if I define the registry as an output for another job to use, the full registry string is masked like this:

Logging into registry ***.dkr.ecr.ap-southeast-1.amazonaws.com

and in the other job, using it via jobs.job_id.outputs.registry, it comes out empty.
This is a BUG, not only an enhancement request as in community/community#13082
Originally posted by @tx0c in https://github.com/actions/runner/issues/1498#issuecomment-1353544464
Surprisingly, for me it passes the ECR address through between two jobs, but not a short git hash, and only when using workflow_dispatch. For pull_request and push on branches it works perfectly fine.
I'm experiencing the same with passing short git hashes between jobs.
Any progress on this yet? Have a very specific task that requires passing stuff between jobs.
I was able to overcome this problem by just encoding the value, e.g.

```bash
# job1: base64-encode the value before writing it as a step output
echo "string_enc=$(echo "$STRING" | base64 -w 0)" >> "$GITHUB_OUTPUT"
# job2: decode the job output back into the original string
echo "${{ needs.job1.outputs.string_enc }}" | base64 -d
```

It took me quite some time of debugging because the warning message was super hard to notice. Hopefully someone could improve at least that aspect of this behavior.
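The round trip from the workaround above, as an added example that is not code from this thread or from the actions/runner project. It emulates the two jobs locally by pointing GITHUB_OUTPUT (the file the runner reads step outputs from) at a temp file, and it adds the step the workaround omits: re-issuing ::add-mask:: in the consuming job, because a mask only applies to the job that set it, so the decoded string would otherwise be printed in plain text in the second job's log. The registry host is a constructed placeholder, not a real account; the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread: local stand-in for the base64
# workaround. GITHUB_OUTPUT is the file the runner reads step outputs from;
# here it is pointed at a temp file so the round trip runs offline.
set -eu

GITHUB_OUTPUT="${GITHUB_OUTPUT:-$(mktemp)}"
export GITHUB_OUTPUT

# Job 1 side: base64-encode the value before it becomes a step/job output,
# so the runner's secret masker no longer finds the masked substring in it.
# ($1 = output name, $2 = raw value.) 'base64 | tr -d' is used instead of
# 'base64 -w 0' so it also works with BSD/macOS base64.
encode_output() {
  printf '%s=%s\n' "$1" "$(printf '%s' "$2" | base64 | tr -d '\n')" >> "$GITHUB_OUTPUT"
}

# Job 2 side: fetch the encoded output and decode it. On a real runner the
# value arrives via needs.<job>.outputs.<name>; reading it back from the same
# file stands in for that here. Prints nothing if the output was never written
# (the "it got empty" symptom from the original report).
decode_output() {
  local line
  line=$(grep "^$1=" "$GITHUB_OUTPUT" | tail -n 1 || true)
  [ -n "$line" ] || return 0
  printf '%s' "${line#*=}" | base64 --decode
}

# Re-mask in the consuming job: masks are per job, so the decoded string
# would otherwise appear unmasked in job 2's log. The ::add-mask:: workflow
# command must be printed on its own line on stdout before the value is used.
remask() {
  printf '::add-mask::%s\n' "$1"
}

# Stand-alone demo with a constructed registry host (not a real account id).
REGISTRY_IN="000000000000.dkr.ecr.ap-southeast-1.amazonaws.com"
encode_output registry "$REGISTRY_IN"
REGISTRY_OUT=$(decode_output registry)
remask "$REGISTRY_OUT"
echo "Logging into registry $REGISTRY_OUT"
```

Encoding only defeats the masker's string match; the encoded output is still readable by anyone who can see job 1's output or the workflow run's artifacts, which is why the later comments in this thread treat it as a workaround rather than a fix.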
@tx0c I think you need mask-aws-account-id: 'false' in your aws-actions/configure-aws-credentials step
@rupertbg I don't think unmasking secrets is a solution to the problem. GitHub Actions should support passing sensitive values between jobs while still allowing them to be masked. Options like mask-password: 'false' which have been added to actions like aws-actions/amazon-ecr-login weaken security.
The solution for passing sensitive values between jobs seems to be using a secret store, according to these docs: https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#example-masking-and-passing-a-secret-between-jobs-or-workflows
However the default GitHub Actions secrets store only allows adding secrets from the web UI, and reading those secrets from workflows, so it doesn't seem possible to programmatically write a secret like a generated AWS ECR password and then use it in another job within the same workflow. https://docs.github.com/en/actions/security-guides/using-secrets-in-github-actions#using-secrets-in-a-workflow
The only options users have are A) potentially expose the password, or B) use a hard coded permanent password stored as a secret, as opposed to a temporary 12 hour password generated using OIDC and AWS AssumeRole (recommended).
This issue has been open since 2022 though 😕
I guess option C is to use a third-party secret store (like AWS Secrets Manager) for handling secrets within a workflow, but I feel that GitHub Actions should support passing data securely between jobs of the same workflow. Edit: using AWS Secrets Manager doesn't solve the problem either, because service containers need to know which ECR image to pull as they are starting. Therefore the password needs to be available before the steps of the job (such as retrieving secrets within that subsequent job of the workflow) are run.
Coupled with the fact that service containers do not support specifying the startup command for an image, only options, it seems like GitHub Actions has been missing basic functionality for 4+ years without it being properly addressed.