Created
September 5, 2025 16:52
Retrieve GitHub Action Secrets Securely
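# From this website: https://meirg.co.il/2022/07/01/how-to-recover-secrets-from-github-actions/
#
# Purpose: recover the value of a repository secret that you own but no longer
# have a copy of. GitHub masks secret values in logs, so this workflow prints
# the secret encrypted with a password only you know; you decrypt it locally.
#
# Assumption:
# You've created the following GitHub secrets in your repository:
#   MY_CLIENT_SECRET    - the secret to recover; it is encrypted with openssl
#                         before printing - useful for public and private
#                         repositories
#   MY_OPENSSL_PASSWORD - used to protect secrets
#   MY_OPENSSL_ITER     - Use a number of iterations on the password to derive
#                         the encryption key. High values increase the time
#                         required to brute-force the resulting file.
#                         This option enables the use of PBKDF2 algorithm to
#                         derive the key.
#
# NOTE(review): the ciphertext ends up in the workflow log. On a public
# repository that log is readable by anyone, so the secret is only as well
# protected as MY_OPENSSL_PASSWORD and MY_OPENSSL_ITER are strong. Delete the
# run's logs once the value is copied, rotate the recovered secret where
# possible, and remove this workflow afterwards.
name: Recovering secrets

# Manual trigger only: a `push` trigger would write the encrypted secret into
# a new log on every commit.
on:
  workflow_dispatch:

# The job needs no repository access, so the GITHUB_TOKEN gets no permissions.
permissions: {}

jobs:
  openssl:
    name: Recover With OpenSSL
    # The ubuntu-20.04 hosted runner image has been retired.
    runs-on: ubuntu-latest
    steps:
      # No checkout step: nothing below reads files from the repository.
      - name: Print the secret encrypted with openssl
        env:
          MY_CLIENT_SECRET: ${{ secrets.MY_CLIENT_SECRET }}
          MY_OPENSSL_PASSWORD: ${{ secrets.MY_OPENSSL_PASSWORD }}
          MY_OPENSSL_ITER: ${{ secrets.MY_OPENSSL_ITER }}
        run: |
          # Printed as *** because GitHub masks secret values in logs.
          echo "MY_CLIENT_SECRET (***) = ${MY_CLIENT_SECRET}"
          # Assigning first lets the step fail if openssl fails, instead of
          # printing an empty value. `-pass env:` keeps the password out of the
          # process arguments; the result still decrypts with `-k` locally.
          encrypted="$(echo "${MY_CLIENT_SECRET}" \
            | openssl enc -e -aes-256-cbc -a -pbkdf2 \
                -iter "${MY_OPENSSL_ITER}" -pass env:MY_OPENSSL_PASSWORD)"
          echo "MY_CLIENT_SECRET (openssl) = ${encrypted}"
          echo "Copy the above value, and then execute locally:"
          echo "echo PASTE_HERE | openssl base64 -d | openssl enc -d -pbkdf2 -iter \$MY_OPENSSL_ITER -aes-256-cbc -k \$MY_OPENSSL_PASSWORD"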