Why The Action Cannot Access Secrets?

问题

I am trying to create a workflow to deploy Nuget packages to Github Package Repository using Github Actions.

In this case,

• The repository is inside an organization
• I am the owner of that organization
• I have admin access to the repository
• The repository has secrets listed
• The commit is mine
• The commit is a direct commit to a branch

But the action CANNOT access the secrets

Below is the workflow I am trying to execute

name: Build and Publish
on:
push:
  branches:
    - gh-packages
jobs:
build_and_publish:
env:
  ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
name: Publish Packages to NuGet
runs-on: ubuntu-latest
steps:
  - uses: actions/checkout@v2
  - uses: actions/setup-dotnet@v1
    with:
      dotnet-version: "3.0.100"
  - name: Dump Github Context
    env:
      CONTEXT: ${{ toJson(github) }}
      SECRETS: ${{ toJson(secrets) }}
      TOK: ${{ secrets.ACCESS_TOKEN }}
      TEST: ${{ secrets.TEST }
    run: |
      echo $ACCESS_TOKEN
      echo $TOK
      echo $TEST
      echo $GITHUB_TOKEN
      echo "$SECRETS"
      echo "$CONTEXT"
  - name: Setup Config
    run: sed "s/ACCESS_TOKEN/$ACCESS_TOKEN/g" .nuget.config > nuget.config
  - run: cat nuget.config
  - name: Build
    run: dotnet build -c Release
  - name: Publish
    run: chmod +x ./push.sh && ./push.sh

Both GITHUB_TOKEN and custom secrets like ACCESS_TOKEN are not working.

addition 01:

Even when setting the environment variable name as GITHUB_TOKEN doesn't seam to be working

name: Build and Publish
env:
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
...

回答1:

Update

Yes this is possible, but a very bad practice. If you must you can use the following command, which evades Github's security measures to prevent secrets leaking out logs

run: echo MYSECRET | sed -e 's/\(.\)/\1 /g'
# this will print "M Y S E C R E T"

Simply replace MYSECRET with the secret you're trying to print e.g. $GITHUB_TOKEN.

Old Answer

Checkout this other answer it seems that this is expected behaviour of Github actions.

As you can see, I can get (and use) the value of the environment variables, but the secrets aren't being exposed.

That's because they're secrets. The Actions output is explicitly scrubbed for secrets, and they're not displayed.

The file contents still contain the secret contents.

Updated:

This is the regular convention on how to pass secrets into action steps.

env: 
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

It's how I use it in my actions.

Update2

Check here for detailed instructions on how to print your secrets, it's strongly advised against though.

https://help.github.com/en/actions/configuring-and-managing-workflows/creating-and-storing-encrypted-secrets#limits-for-secrets

回答2:

This problem has occurred because a misunderstanding of mine which is "The Secret Values Should Show in The Logs if They are Passed to the Action".

I am combining the answers of Ben Winding and bk2204 to make it clear.

Secret values are scrubbed in action logs. Don't expect to see the actual values in the action log. Getting the scrubbed text means the value has been passed to the action. you can use the value but you cant see them in the logs. Check Ben's Answer for How you can see the values even though it is not recommended.

来源：https://stackoverflow.com/questions/61308519/why-the-action-cannot-access-secrets