How to mask an environment set in GitHub Workflow - github

I am using the following to set an env variable:
- name: get root token
  run: |
    echo "ROOT_TOKEN=$(some command | base64 --decode)" >> $GITHUB_ENV
Then I use it in another run within a Python script:
- name: init
  run: |
    python3 scripts/create_entries.py
Actually this works great, but the value of ROOT_TOKEN is printed in the Workflow console:
Run python3 scripts/create_entries.py
python3 scripts/create_entries.py
shell: /usr/bin/bash -e ***0***
env:
DATA: ***
CONFIG: /home/debian/runner/_work/_temp/config_1646400032032
ROOT_TOKEN: <this is shown>
I tried to mask it using ::add-mask:: like this (but unfortunately that does not work):
- name: get root token
  run: |
    echo "::add-mask::ROOT_TOKEN=$(some command | base64 --decode)" >> $GITHUB_ENV
Does anyone know how to mask the value of ROOT_TOKEN in the Workflow console?
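
An added example, not part of the original question: workflow commands such as ::add-mask:: are read from a step's standard output, so the mask is printed on its own and only the NAME/value pair is appended to $GITHUB_ENV. The helper name export_masked and the demo token are assumptions; masking each line separately and using the delimiter form for multi-line values goes beyond the single-line case in the question.

```shell
#!/usr/bin/env bash
# Added example: register a value with the log masker first, then
# export it to later steps through the GITHUB_ENV file.

# export_masked NAME VALUE   (hypothetical helper name)
export_masked() {
  local name=$1 value=$2 line delim

  # 1. The mask command goes to stdout, never into $GITHUB_ENV.
  #    One command per line of the value: a raw newline would end the
  #    command early and leave the remaining lines unmasked.
  while IFS= read -r line; do
    if [ -n "$line" ]; then
      printf '::add-mask::%s\n' "$line"
    fi
  done <<EOF
$value
EOF

  # 2. Only the variable itself is written to the env file. The
  #    NAME<<DELIMITER form also carries multi-line values; a random
  #    delimiter keeps the value from terminating the block itself.
  delim="EOF_$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
  {
    printf '%s<<%s\n' "$name" "$delim"
    printf '%s\n' "$value"
    printf '%s\n' "$delim"
  } >> "$GITHUB_ENV"
}

# Constructed demo value; in the workflow step the second argument
# would be "$(some command | base64 --decode)".
: "${GITHUB_ENV:=$(mktemp)}"
export_masked ROOT_TOKEN 'constructed-demo-token'
```

Because the mask is registered before the variable reaches later steps, the `env:` listing those steps print shows `***` in place of the value.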

Related

Using external action output in outer git action step

I have this git action for my build
...
- name: Building S3 Instance
  uses: charlie87041/s3-actions@main
  id: s3
  env:
    AWS_S3_BUCKET: 'xxx'
    AWS_ACCESS_KEY_ID: 'xxx'
    AWS_SECRET_ACCESS_KEY: 'xxxxx'
    AWS_REGION: 'xxx'
- name: Updating EC2 [Develop] instance
  uses: appleboy/ssh-action@master
  with:
    host: ${{secrets.EC2HOST}}
    key: ${{secrets.EC2KEY}}
    username: xxx
    envs: TESTING
    script: |
      cd ~/devdir
      export BUCKET_USER=${{steps.s3.outputs.user_id}}
      export BUCKET_USER_KEY=${{steps.s3.outputs.user_key}}
      docker login
      docker-compose down --remove-orphans
      docker system prune -a -f
      docker pull yyyy
      docker-compose up -d
And this is the important function in charlie87041/s3-actions@main
generate_keys () {
  RSP=$(aws iam create-access-key --user-name $USER);
  BUCKET_ACCESS_ID=$(echo $RSP | jq -r '.AccessKey.AccessKeyId');
  BUCKET_ACCESS_KEY=$(echo $RSP | jq -r '.AccessKey.SecretAccessKey');
  echo "user_id=$BUCKET_ACCESS_ID" >> $GITHUB_OUTPUT
  echo "user_key=$BUCKET_ACCESS_KEY" >> $GITHUB_OUTPUT
  echo "::set-output name=BUCKET_ACCESS_KEY::$BUCKET_ACCESS_KEY"
  echo "::set-output name=BUCKET_ACCESS_ID::$BUCKET_ACCESS_ID"
}
I need to update env variables in container with BUCKET_USER and BUCKET_USER_KEY, but these always return null when echo the container. How do I do this?
Note that set-output was deprecated recently (Oct. 2022)
If you are using self-hosted runners make sure they are updated to version 2.297.0 or greater.
If you are using runner on github.com directly, you would need to change
echo "::set-output name=BUCKET_ACCESS_KEY::$BUCKET_ACCESS_KEY"
with
echo "BUCKET_ACCESS_KEY=$BUCKET_ACCESS_KEY" >> $GITHUB_OUTPUT
I am not sure an export within the script would work.
Using with directives, as in issue 154 might be more effective
with:
  BUCKET_USER: ${{steps.s3.outputs.user_id}}
  ...
  script: |
    ...

Value not set using $GITHUB_OUTPUT

I have been previously using set-output for setting values, but we now get the "deprecated feature" messages and I'm using $GITHUB_OUTPUT as prescribed.
I replace all instances of
run: echo ::set-output name=Key::Value
with
run: "Key=Value" >> $GITHUB_OUTPUT
but Key does not appear to be set.
My runner is on Windows, version 2.299.1 and the workflow is using CMD.
All calls to set-output work, and all using $GITHUB_OUTPUT do not.
Simplified action code
defaults:
  run:
    shell: cmd
jobs:
  EnvSetup:
    name: Publish Base Environment Vars
    runs-on: [self-hosted, Windows, myLabel]
    outputs:
      var_Project: ${{ steps.set-Project.outputs.Project }}
      var_Val1: ${{ steps.set-Val1.outputs.Val1 }}
      var_Val2: ${{ steps.set-Val2.outputs.Val2 }}
    steps:
      - name: Project
        id: set-Project
        run: echo ::set-output name=Project::Larry
      - name: Val1
        id: set-Val1
        run: echo "Val1=Curly" >> $GITHUB_OUTPUT
      - name: Val2
        id: set-Val2
        run: echo "Val2=Moe" >> $GITHUB_OUTPUT
  ...
  Testing:
    name: ShowStuff
    runs-on: [self-hosted, Windows, myLabel]
    needs: [EnvSetup]
    env:
      MyProject: ${{ needs.EnvSetup.outputs.var_Project }}_ABC
    steps:
      - name: Print environment variables
        run: |
          echo "Project: ${{ needs.EnvSetup.outputs.var_Project }}" ^
          echo "MyProject: ${{ env.MyProject }}" ^
          echo "Val1: ${{ needs.EnvSetup.outputs.var_Val1 }}" ^
          echo "Val2: ${{ needs.EnvSetup.outputs.var_Val2 }}"
The output:
echo "Project: Larry"
echo "MyProject: Larry_ABC"
echo "Val1: "
echo "Val2: "
From everything I've seen, the way to reference the values hasn't changed, just the set.
Has anyone else tried it using CMD? I'll go to PowerShell if I have to, but that's not a small change if I can avoid it.
Windows runs the script task using PowerShell Core by default, not bash. So you need to use PowerShell syntax, or set the shell: bash property on the script action.
- name: Val2
  id: set-Val2
  run: echo "Val2=Moe" >> $GITHUB_OUTPUT
  shell: bash
When using these commands with PowerShell, make sure you redirect to $env:GITHUB_OUTPUT:
- name: Val2
  id: set-Val2
  run: echo "Val2=Moe" >> $env:GITHUB_OUTPUT
  shell: pwsh
I also explicitly added shell: pwsh above, as the "old PowerShell" needs to be told to write UTF-8:
- shell: powershell
  run: |
    "mypath" | Out-File -FilePath $env:GITHUB_PATH -Encoding utf8 -Append
When using shell: cmd you'd need to use %GITHUB_OUTPUT%, and change the codepage to Unicode:
@chcp 65001>nul
echo Val2=Moe >> %GITHUB_OUTPUT%

How to Set Github Secret with a Binary File for Github Workflow?

I would like to add one of my API configuration files (binary.file) to the Github secret (MY_BINARY_SECRET). Then it will be read and written to binary.file again in the workflow:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Install System
        run: |
          sudo apt-get update
          sudo apt-get install -y pip python3.8-venv libcurl4-openssl-dev
      - name: Set up configurations
        shell: bash
        run: |
          echo "${{ secrets.MY_BINARY_SECRET }}" > binary.file
          python3 .... # the python script will need binary.file to complete authentication
However, I tried many hours with different ways to copy the binary content to the Github Secret, but all failed. I tried pbcopy, less, cat. Does anyone know how to write a binary file via Github Secret in the github actions? Or a better solution?
Thank you!
(Extending my comment):
Use base64 to encode a binary string to text and decode it back to binary. This is a pretty standard trick.
First, encode at home:
echo "$MY_BINARY_SECRET" | base64 --wrap=0 > secret.b64
--wrap=0 to make the output text one long line; useful for echo below.
Upload text file secret.b64 as the secret to GitHub. Decode it using
echo -n "${{ secrets.MY_BINARY_SECRET }}" | base64 --decode > binary.file
Advice: first try decoding locally and compare with the original string. Must be the same.
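
The local check recommended above, as an added example that is not part of the original answer: it encodes the file straight from disk, decodes the text the way the workflow step does, and compares the result byte for byte. The function names and the sample bytes are assumptions; `base64 | tr -d '\n'` stands in for `--wrap=0` so the same script also runs where that flag is missing.

```shell
#!/usr/bin/env bash
# Added example: byte-exact round trip of a binary file through the
# one-line base64 text that gets stored as the secret.

# encode_secret FILE: one-line base64 of FILE, read directly from disk
# so NUL bytes and trailing newlines are preserved.
encode_secret() {
  base64 < "$1" | tr -d '\n'
}

# decode_secret TEXT OUTFILE: what the workflow step does with the secret.
decode_secret() {
  printf '%s' "$1" | base64 --decode > "$2"
}

# roundtrip_ok FILE: succeeds only if decode(encode(FILE)) equals FILE.
roundtrip_ok() {
  local tmp rc
  tmp=$(mktemp)
  decode_secret "$(encode_secret "$1")" "$tmp"
  if cmp -s "$1" "$tmp"; then rc=0; else rc=1; fi
  rm -f "$tmp"
  return "$rc"
}

# Constructed sample: a NUL byte, high bytes and two trailing newlines,
# the kinds of bytes that do not survive a trip through a shell variable.
sample=$(mktemp)
printf 'key\000\001\377\n\n' > "$sample"

if roundtrip_ok "$sample"; then
  echo "round trip is byte-identical"
fi
```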

How to replace .env file placeholders with deployment variables in bitbucket pipeline

I have a bitbucket repository.
I have Deployment environment variables in bitbucket:
BITBUCKET_VARIABLE_PORT : 8080
In my bitbucket-pipelines.yaml script I can Write the variable into the .env file like this:
<...>
step: &deploy-to-environment
  name: Deploy to environment
  deployment: environment
  caches:
    - node
  script:
    - echo Create .env file
    - echo "PORT=$BITBUCKET_VARIABLE_PORT" > .env
    - cat .env
<...>
But I would like to avoid rewriting the whole lines of .env file.
Is it possible to implement the following?
I would like to have .env file with placeholders (.env file content):
<...>
PORT=<BITBUCKET_VARIABLE_PORT>
HOST=<BITBUCKET_VARIABLE_HOST>
<...>
Replace these placeholders in yaml script section:
<...>
step: &deploy-to-environment
  name: Deploy to environment
  deployment: environment
  caches:
    - node
  script:
    - <replace_placeholders_here_in_script>
<...>
You can use sed to replace string in .env file
sed -i "s/BITBUCKET_VARIABLE_PORT/...xxxx.../" .env
sed -i "s/BITBUCKET_VARIABLE_HOST/...hostname.../" .env
You can use also variables for replacement
MYPORT=XXX
sed -i "s/BITBUCKET_VARIABLE_PORT/$MYPORT/" .env
I had the same issue lately and didn't want to include 1 by 1 the env variable, what I ended up doing:
#1 Create in repository a .env.example file (This file will hold variable that required for this repository without values or default values that are not sensitive)
APP_NAME=MyApp
APP_ENV=
APP_KEY=
APP_DEBUG=true
Then I created a pipeline.sh
echo "[+] Building environment variables"
# Get contents of example file
ENV_CONTENT=$(cat ./.env.example)
# Output the content into sh script
# (written to ./build so the chmod and exec lines below find it; ./build must exist)
echo "#! /bin/bash
echo \"
${ENV_CONTENT}
\"" > ./build/env.sh
# sed replace as key=${BITBUCKET_ENV_VARIABLE:-default_value_from_example}
sed -i -E "s/^([A-Z_]+)=(.*)$/\1=\${\1:-\2}/g" ./build/env.sh
chmod +x ./build/env.sh
# Exec the env sh script and output content to .env file
./build/env.sh > ./build/.env
So in case you have defined in .env.example APP_NAME and also defined it in bitbucket Repository Variables the final .env will have key APP_NAME=value_of_bitbucket_variable
Here is the way I found to do it, you just have to be careful with those echo commands (here I'm making env for firebase but you can swap your bitbucket variables in how you like)
definitions:
  steps:
    - step: &Env
        name: Create .env file
        trigger: manual
        script:
          - echo VITE_FIREBASE_API_KEY="${VITE_FIREBASE_API_KEY}" >> .env
          - echo VITE_FIREBASE_AUTH_DOMAIN="${VITE_FIREBASE_AUTH_DOMAIN}" >> .env
          - echo VITE_FIREBASE_PROJECT_ID="${VITE_FIREBASE_PROJECT_ID}" >> .env
          - echo VITE_FIREBASE_STORAGE_BUCKET="${VITE_FIREBASE_STORAGE_BUCKET}" >> .env
          - echo VITE_FIREBASE_MESSAGING_SENDER_ID="${VITE_FIREBASE_MESSAGING_SENDER_ID}" >> .env
          - echo VITE_FIREBASE_APP_ID="${VITE_FIREBASE_APP_ID}" >> .env
          - more .env
        artifacts:
          - .env
pipelines:
  default:
    - step: *Env

Ansible vars inventory

I'm learning Ansible. And I was following the official docs:
https://docs.ansible.com/ansible/latest/user_guide/intro_inventory.html
https://docs.ansible.com/ansible/2.3/intro_inventory.html
But I have a little question. How do I use the vars in the inventories?
I have tried to use some of the default parameters like self_destruct_countdown.
[pruebascomandos]
MY-SERVER-IP self_destruct_countdown=60
OTHER-MY-SERVER-IP
And using the apply variables to all group. With my own var.
[pruebascomandos:vars]
example=true
But my problem is that in both cases I try to check the var with:
$ ansible pruebascomandos -m shell -a "echo $self_destruct_countdown"
$ ansible pruebascomandos -m shell -a "echo $example"
And in both cases I get a blank response. I'm not sure why.
If someone can explain why or tell me where to read about it, it would be great. Thanks to everyone!
Double braces {{ }} are needed to evaluate the variable. Try this
shell> ansible pruebascomandos -i hosts -m shell -a "echo {{ example }}"
test_01 | CHANGED | rc=0 >>
true
test_02 | CHANGED | rc=0 >>
true
shell> ansible pruebascomandos -i hosts -m shell -a "echo {{ self_destruct_countdown }}"
test_02 | FAILED | rc=-1 >>
The task includes an option with an undefined variable. The error was: self_destruct_countdown is undefined
test_01 | CHANGED | rc=0 >>
60
The host test_02 failed because the variable self_destruct_countdown had been defined for test_01 only.
shell> cat hosts
[pruebascomandos]
test_01 self_destruct_countdown=60
test_02
[pruebascomandos:vars]
example=true