Question
I am trying to create a workflow to deploy Nuget packages to Github Package Repository using Github Actions.
In this case,
- The repository is inside an organization
- I am the owner of that organization
- I have admin access to the repository
- The repository has secrets listed
- The commit is mine
- The commit is a direct commit to a branch
But the action CANNOT access the secrets
Below is the workflow I am trying to execute
name: Build and Publish
on:
  push:
    branches:
      - gh-packages
jobs:
  build_and_publish:
    env:
      ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    name: Publish Packages to NuGet
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-dotnet@v1
        with:
          dotnet-version: "3.0.100"
      - name: Dump Github Context
        env:
          CONTEXT: ${{ toJson(github) }}
          SECRETS: ${{ toJson(secrets) }}
          TOK: ${{ secrets.ACCESS_TOKEN }}
          TEST: ${{ secrets.TEST }}
        run: |
          echo $ACCESS_TOKEN
          echo $TOK
          echo $TEST
          echo $GITHUB_TOKEN
          echo "$SECRETS"
          echo "$CONTEXT"
      - name: Setup Config
        run: sed "s/ACCESS_TOKEN/$ACCESS_TOKEN/g" .nuget.config > nuget.config
      - run: cat nuget.config
      - name: Build
        run: dotnet build -c Release
      - name: Publish
        run: chmod +x ./push.sh && ./push.sh
Both GITHUB_TOKEN and custom secrets like ACCESS_TOKEN are not working.
Addition 01:
Even setting the environment variable name as GITHUB_TOKEN doesn't seem to be working
name: Build and Publish
env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
...
Answer 1:
Update
Yes, this is possible, but it is a very bad practice. If you must, you can use the following command, which evades GitHub's security measures to prevent secrets leaking out into logs:
run: echo MYSECRET | sed -e 's/\(.\)/\1 /g'
# this will print "M Y S E C R E T"
Simply replace MYSECRET with the secret you're trying to print, e.g. $GITHUB_TOKEN.
Old Answer
Check out this other answer; it seems that this is expected behaviour of GitHub Actions.
As you can see, I can get (and use) the value of the environment variables, but the secrets aren't being exposed.
That's because they're secrets. The Actions output is explicitly scrubbed for secrets, and they're not displayed.
The file contents still contain the secret contents.
Updated:
This is the regular convention on how to pass secrets into action steps.
env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
It's how I use it in my actions.
Update2
Check here for detailed instructions on how to print your secrets; it's strongly advised against, though.
https://help.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#limits-for-secrets
Answer 2:
This problem occurred because of a misunderstanding of mine, which is "The Secret Values Should Show in The Logs if They are Passed to the Action".
I am combining the answers of Ben Winding and bk2204 to make it clear.
Secret values are scrubbed in action logs. Don't expect to see the actual values in the action log. Getting the scrubbed text means the value has been passed to the action. You can use the values, but you can't see them in the logs. Check Ben's answer for how you can see the values, even though it is not recommended.
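A defensive check for the patterns discussed in this thread, as an added example that is not part of the original question or answers: a heuristic Python linter that flags workflow lines which dump the whole `secrets` context, print a secret-backed environment variable, or `cat` a file a secret was written into. The function name, rule names and sample workflow are assumptions constructed for illustration, modelled on the workflow in the question.

```python
import re

# Heuristic patterns (assumed for this example); a real audit should parse the YAML.
ENV_BIND = re.compile(r"^\s*(\w+):\s*\$\{\{.*\bsecrets\b.*\}\}")   # VAR: ${{ secrets.X }}
DUMP_ALL = re.compile(r"toJson\(\s*secrets\s*\)")                  # whole secrets context
PRINT_CMD = re.compile(r"\b(echo|printf|cat)\b")
REDIRECT = re.compile(r">\s*([\w./-]+)")

def audit_workflow(text):
    """Return (line_no, rule, line) for each secret-exposing line."""
    lines = text.splitlines()
    # Names of env vars whose value comes from the secrets context.
    secret_vars = {m.group(1) for m in map(ENV_BIND.match, lines) if m}
    findings, secret_files = [], set()
    for no, line in enumerate(lines, 1):
        used = [v for v in secret_vars
                if re.search(r"\$\{?" + re.escape(v) + r"\b", line)]
        if DUMP_ALL.search(line):
            findings.append((no, "dump-all-secrets", line.strip()))
        if used and PRINT_CMD.search(line):
            findings.append((no, "prints-secret-var", line.strip()))
        elif used and (m := REDIRECT.search(line)):
            secret_files.add(m.group(1))  # the secret now lives in this file
        if re.search(r"\bcat\b", line) and any(f in line for f in secret_files):
            findings.append((no, "prints-secret-file", line.strip()))
    return findings

# Constructed sample, modelled on the workflow in the question.
SAMPLE = """\
jobs:
  build_and_publish:
    env:
      ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - name: Dump Github Context
        env:
          SECRETS: ${{ toJson(secrets) }}
          TEST: ${{ secrets.TEST }}
        run: |
          echo $ACCESS_TOKEN
          echo $TEST
          echo "$SECRETS"
      - name: Setup Config
        run: sed "s/ACCESS_TOKEN/$ACCESS_TOKEN/g" .nuget.config > nuget.config
      - run: cat nuget.config
"""

if __name__ == "__main__":
    print(*audit_workflow(SAMPLE), sep="\n")
```

Log scrubbing still applies to these lines at run time; the linter exists so that such steps are removed before merge rather than relied on to be masked.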
Source: https://stackoverflow.com/questions/61308519/why-the-action-cannot-access-secrets