vscode-github-actions
Some secrets are marked as "Unknown access context"
Job with a secret as an env var:
```yaml
process-managers:
  needs: start-time
  env:
    SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
  ...
```
is shown as
But: https://docs.github.com/en/actions/reference/encrypted-secrets#using-encrypted-secrets-in-a-workflow And it also works just fine.
Via https://github.com/prisma/e2e-tests/blob/dev/.github/workflows/test.yaml
Somehow does not apply to all secrets:
FWIW the weird commonality here is that the error only seems to happen with secrets that begin with `S`. Very strange indeed.
I also get this error with secrets starting with other letters.
Edit: NVM, my token didn't have the correct permissions.
I've been having this issue with Organisation level secrets but not repo level secrets so I guess that may be the commonality... I have only just found the setting to enable org features but that doesn't seem to have resolved it - for the org in question I am not an admin so perhaps my user can't even check that a secret exists?
I have the same problem, is there any solution? Enabling org features didn't help.
I get this for secrets used inside `run:` clauses.
This is fine:
```yaml
- name: Checkout the dumps repo
  uses: actions/checkout@v2
  with:
    repository: brickdo/dumps
    ssh-key: ${{ secrets.DUMPS_DEPLOY_KEY }}
```
This isn't:
```yaml
- name: test
  run: |
    echo ${{ secrets.DUMPS_DEPLOY_KEY }}
```
Has anyone figured out how to get rid of these errors? I was working on a GitHub Action and suddenly these errors appeared:
The strange thing is that a few lines above these errors, I use the same env var in exactly the same way, and there are no errors... This is strange behaviour.
seems to be happening with organisational repo secrets
@danburonline could you share more of that workflow (job)? Feel free to remove any steps in between but would be good to see the two `uses` steps with context.
I get this error for env variables which are defined in one step and then used in another step through appending to $GITHUB_ENV
```yaml
- name: Main version
  run: |
    cd main
    MAIN_VERSION=$(npm exec -c 'node -e "console.log(process.env.npm_package_version)"')
    echo "MAIN_VERSION=$MAIN_VERSION" >> $GITHUB_ENV
    cd ..
- name: Branch version
  run: |
    cd branch
    BRANCH_VERSION=$(npm exec -c 'node -e "console.log(process.env.npm_package_version)"')
    echo "BRANCH_VERSION=$BRANCH_VERSION" >> $GITHUB_ENV
    cd ..
- run: |
    echo "Main: ${{ env.MAIN_VERSION }}\nBranch: ${{ env.BRANCH_VERSION }}"
- name: Fail if version is not bumped
  run: if [ ${{ env.MAIN_VERSION }} == ${{ env.BRANCH_VERSION }} ]; then exit 1; else exit 0; fi
```
@einarpersson That's currently not supported, created a new enhancement issue here: https://github.com/cschleiden/vscode-github-actions/issues/200
@cschleiden Sure! Here is the entire snippet of where the errors appear:
```yaml
- name: "Terragrunt init"
  uses: the-commons-project/terragrunt-github-actions@master
  with:
    tf_actions_version: ${{ env.tf_version }}
    tg_actions_version: ${{ env.tg_version }}
    tf_actions_subcommand: "init -upgrade"
    tf_actions_working_dir: ${{ env.WORKING_DIR }}
    tf_actions_comment: true
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    AWS_ACCESS_KEY_ID: ${{ secrets[env.AWS_ACCESS_KEY_ID_VAR] }}
    AWS_SECRET_ACCESS_KEY: ${{ secrets[env.AWS_SECRET_ACCESS_KEY_VAR] }}
- name: "Terragrunt validate"
  uses: the-commons-project/terragrunt-github-actions@master
  with:
    tf_actions_version: ${{ env.tf_version }}
    tg_actions_version: ${{ env.tg_version }}
    tf_actions_binary: "terraform"
    tf_actions_subcommand: "validate"
    tf_actions_working_dir: ${{ env.WORKING_DIR }}
    tf_actions_comment: true
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    AWS_ACCESS_KEY_ID: ${{ secrets[env.AWS_ACCESS_KEY_ID_VAR] }}
    AWS_SECRET_ACCESS_KEY: ${{ secrets[env.AWS_SECRET_ACCESS_KEY_VAR] }}
```
They do not, however some lines above at this step:
```yaml
- name: Configure AWS credentials
  uses: aws-actions/configure-aws-credentials@v1
  with:
    aws-access-key-id: ${{ secrets[env.AWS_ACCESS_KEY_ID_VAR] }}
    aws-secret-access-key: ${{ secrets[env.AWS_SECRET_ACCESS_KEY_VAR] }}
    aws-region: eu-central-1
```
I hope this gives you some more information.
Seeing this as well.
These secrets being underlined in my case are also not visible in the GitHub Actions VSCode panel under "Repository Secrets". When I try to add them a second time with the + icon, nothing occurs.
I had the same issue until I noticed that my GitHub Action extension wasn't logged into my GitHub account. Then it was fine.
Are those organization secrets shared with the repository or repository secrets?
In my case, repository secrets. Maybe notable that I'm on GitHub Enterprise?
With an environment secret:
I'm having this issue with not just secrets, but if I access the `vars` context to read configuration values too
Unfortunately, there is no support for `vars` yet. We're working on improving this but it'll take us a bit longer. It's coming though
Unfortunately, I think that this is a limitation of the GitHub REST API when this happens with organization level secrets. Per the documentation, you must have the administrator scope for your organization to be able to list secrets:
"Lists all secrets available in an organization without revealing their encrypted values. You must authenticate using an access token with the `admin:org` scope to use this endpoint. GitHub Apps must have the `secrets` organization permission to use this endpoint."
So it is not possible to get a list of organization secrets unless you are an administrator of your organization. Only GitHub Apps specifically have the ability to list organization secrets without being an administrator with full access. At least, this is the case for a classic access token. It might be possible to do so with a fine-grained personal access token, but my organization has not given us access to create access tokens with access to organization resources.
I have this for secrets defined only in a certain environment. I have an Android and an iOS build pipeline that only get secrets from their respective appropriate environments injected.
It's understandable that those secrets are not detected, but I feel it wouldn't be too hard to fix it. The list of available secrets to check should be combined with the available secrets for the job's environment value.
In terms of evaluation, when visiting a `secrets` node in the AST, go up the tree to the parent `job` node and then down to the environment node, then get all secrets for [organisation, repository, environment value]. Then see if the key is found in the list.
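The lookup proposed in the comment above (from each `secrets` reference, find the enclosing job, read its `environment`, then check the union of organization, repository and environment secrets), as an added TypeScript example that is not code from the extension. The function names, the inventory shape and the sample workflow are assumptions constructed for illustration; dynamic lookups such as `secrets[env.X]`, seen earlier in the thread, are skipped because they cannot be resolved statically.

```typescript
// Added example; the inventory and workflow at the bottom are constructed data.
interface Inventory {
  organization: string[]; repository: string[];
  environments: { [name: string]: string[] };
}
interface Finding { job: string; secret: string }
// Collect static `secrets.NAME` references inside ${{ ... }}. Dynamic lookups
// such as secrets[env.X] need runtime values and are deliberately skipped.
function secretRefs(node: unknown, out: string[] = []): string[] {
  if (typeof node === "string") {
    const expr = /\$\{\{([\s\S]*?)\}\}/g;
    let e: RegExpExecArray | null;
    while ((e = expr.exec(node)) !== null) {
      const ref = /\bsecrets\.([A-Za-z_][A-Za-z0-9_]*)/g;
      let r: RegExpExecArray | null;
      while ((r = ref.exec(e[1])) !== null) out.push(r[1]);
    }
  } else if (node !== null && typeof node === "object") {
    const obj = node as { [k: string]: unknown };
    Object.keys(obj).forEach((k) => secretRefs(obj[k], out));
  }
  return out;
}
// For each job: read its `environment`, merge the three scopes, report misses.
function unknownSecrets(workflow: { jobs: { [id: string]: unknown } }, inv: Inventory): Finding[] {
  const findings: Finding[] = [];
  Object.keys(workflow.jobs).forEach((jobId) => {
    const job = workflow.jobs[jobId] as { environment?: string | { name: string } };
    const envName = typeof job.environment === "string" ? job.environment
      : job.environment ? job.environment.name : undefined;
    const envSecrets = envName !== undefined ? (inv.environments[envName] || []) : [];
    // GITHUB_TOKEN is provided automatically to every job.
    const visible = ["GITHUB_TOKEN"].concat(inv.organization, inv.repository, envSecrets);
    secretRefs(job).forEach((name) => {
      if (visible.indexOf(name) === -1) findings.push({ job: jobId, secret: name });
    });
  });
  return findings;
}
const inventory: Inventory = {
  organization: [], repository: ["SLACK_WEBHOOK_URL"],
  environments: { android: ["KEYSTORE_PASSWORD"], ios: ["APPLE_CERT"] },
};
const workflow = { jobs: {
  notify: { steps: [{ env: { HOOK: "${{ secrets.SLACK_WEBHOOK_URL }}" } }] },
  android: { environment: "android", steps: [{ env: {
    PW: "${{ secrets.KEYSTORE_PASSWORD }}", CERT: "${{ secrets.APPLE_CERT }}" } }] },
  deploy: { steps: [{ env: {
    KEY: "${{ secrets[env.AWS_ACCESS_KEY_ID_VAR] }}", TOKEN: "${{ secrets.GITHUB_TOKEN }}" } }] },
} };
console.log(unknownSecrets(workflow, inventory));
```

Only the `android` job's use of `APPLE_CERT` is reported, since that secret exists solely in the `ios` environment.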
Yep, this is coming. We are going to support environment secrets, when environments are used. Just have a bit more patience 😄
This is driving me nuts. I am able to add one secret and it is working fine. I add another secret, via VSCode and it doesn't show up on GitHub and vice versa.
What am I doing wrong here? The key is just alphabets with underscores 😭
Seems unrelated to this issue.
@siddharth2023 created a new issue to track☝️
Thanks @cschleiden
This is fixed now! 🎉