
Add section with special characters that need to be escaped when used in GitHub secret value

Open GuillaumeFalourd opened this issue 2 years ago • 2 comments


What article on docs.github.com is affected?

https://docs.github.com/en/actions/security-guides/encrypted-secrets

What part(s) of the article would you like to see updated?

It could be interesting to add a section to the Encrypted Secrets page (like the "Naming your secrets" section) informing what rules have to be followed, such as which special characters need to be escaped when used in a GitHub secret value (e.g., use `\$` instead of `$`).

Additional information

Question about this behavior on StackOverflow (There are others).

GuillaumeFalourd avatar Oct 26 '22 11:10 GuillaumeFalourd

Thanks for opening this issue. A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.

welcome[bot] avatar Oct 26 '22 11:10 welcome[bot]

@GuillaumeFalourd Thanks so much for opening an issue! I'll triage this for the team to take a look :eyes:

cmwilson21 avatar Oct 26 '22 14:10 cmwilson21

Hi, @GuillaumeFalourd thanks for opening this issue. GitHub Actions secrets should store as whatever you provide as-is, with no escaping necessary.

However, when you use secret values, you will need to handle any special characters that might be in the secret, as with any other string.

For example, if you had the value `$thisisasecret and may have $special%characters that could be interpreted as shell stuff` as a secret, and then attempted to use the secret like:

echo ${{ secrets.MY_SECRET}} > tempfile.txt

the file would not include the whole secret string, because it would be like trying to run:

echo $thisisasecret and may have $special%characters that could be interpreted as shell stuff > tempfile.txt

for which most shells would try to do interpolations and substitutions for environment variables and the like. The file would contain something like `and may have %characters that could be interpreted as shell stuff`.

If you wanted the value literally as-is, you would need to single-quote the secret value, for example:

echo '${{ secrets.MY_SECRET}}' > tempfile.txt

Which is the same as handling any other string, environment variable, or context in GitHub Actions 🙂

lucascosti avatar Oct 27 '22 05:10 lucascosti
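
The behaviour described in the comment above, as an added example that is not part of the original thread: a POSIX shell simulation of the runner's textual substitution, comparing the unquoted and single-quoted inline forms with handing the secret to the step through an environment variable. The helper names, the second sample value and the `env:` mapping shown in the comments are assumptions of this example; the mapping goes one step beyond the thread, because single-quoting stops working once the value itself contains a single quote.

```shell
#!/bin/sh
# Constructed sample values, not real secrets. SAMPLE is the string from the thread.
SAMPLE='$thisisasecret and may have $special%characters that could be interpreted as shell stuff'
QUOTED="it's \$HOME%x"   # hypothetical secret that contains a single quote

# The runner replaces ${{ secrets.MY_SECRET }} textually before the shell parses
# the script, so each helper builds the script text the shell would receive.
# env -i gives a clean environment so the outcome does not depend on the caller.

# run: echo ${{ secrets.MY_SECRET }}
inline_unquoted() { env -i PATH="$PATH" sh -c "echo $1" 2>/dev/null; }

# run: echo '${{ secrets.MY_SECRET }}'
inline_single() { env -i PATH="$PATH" sh -c "echo '$1'" 2>/dev/null; }

# env:
#   MY_SECRET: ${{ secrets.MY_SECRET }}
# run: printf '%s\n' "$MY_SECRET"
# The value never becomes script text; the shell only reads a variable.
via_env() { env -i PATH="$PATH" MY_SECRET="$1" sh -c 'printf "%s\n" "$MY_SECRET"'; }

# Print all three results for both sample values.
demo() {
  for value in "$SAMPLE" "$QUOTED"; do
    printf 'value:    %s\n' "$value"
    printf 'unquoted: %s\n' "$(inline_unquoted "$value")"
    printf 'single:   %s\n' "$(inline_single "$value" || echo '<shell syntax error>')"
    printf 'via env:  %s\n\n' "$(via_env "$value")"
  done
}
demo
```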