Pass Sensitive Outputs between Jobs in GitHub Actions
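name: Encrypted Job Output Example
# In order to pass a sensitive value between jobs, you need to create a
# passphrase in GitHub Secrets so that it can be accessed from both
# jobs. This example calls it GPG_PASSPHRASE. The GITHUB_TOKEN cannot
# be used in lieu of this because it refreshes for each job.
#
# Only the encrypted, base64-encoded blob travels through the job
# output; the passphrase itself is only ever read from the secret
# in each job's environment.

on:
  push:
    paths:
      - ".github/workflows/encrypted_job_output_example.yml"

jobs:
  create_value:
    runs-on: ubuntu-latest
    outputs:
      enc_secret: ${{ steps.create.outputs.enc_secret }}
    steps:
      - name: Create Encrypted Output
        id: create
        # Assumes a previous step created secrets.json.
        # The passphrase is handed to the shell through `env` instead of
        # being interpolated into the script text, so it is always
        # quoted correctly and is never part of the command source.
        env:
          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
        run: |
          ENC_SECRET=$(
            gpg \
              --batch \
              --quiet \
              --passphrase "$GPG_PASSPHRASE" \
              --symmetric \
              --cipher-algo AES256 \
              < secrets.json \
            | base64 -w0
          )
          # `::set-output` is deprecated; outputs are written to the file
          # named by GITHUB_OUTPUT. `base64 -w0` guarantees a single line,
          # which is what the simple NAME=value form requires.
          echo "enc_secret=$ENC_SECRET" >> "$GITHUB_OUTPUT"

  use_value:
    runs-on: ubuntu-latest
    needs: create_value
    steps:
      - name: Decrypt Sensitive Output
        # Both the encrypted blob and the passphrase come in via `env`
        # so that no expression is expanded inside the shell script.
        env:
          ENC_SECRET: ${{ needs.create_value.outputs.enc_secret }}
          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
        run: |
          MY_SECRET=$(
            printf '%s' "$ENC_SECRET" \
            | base64 -d \
            | gpg \
                --batch \
                --quiet \
                --passphrase "$GPG_PASSPHRASE" \
                --decrypt
          )
          # Mask the whole value and each non-empty line of it, so a
          # multi-line secret (e.g. JSON) is not printed line by line.
          echo "::add-mask::$MY_SECRET"
          printf '%s\n' "$MY_SECRET" | while IFS= read -r line; do
            if [ -n "$line" ]; then
              echo "::add-mask::$line"
            fi
          done
          # The one-line "NAME=value" form breaks on values that contain
          # newlines; use the delimiter syntax GITHUB_ENV supports.
          {
            echo "MY_SECRET<<END_OF_MY_SECRET"
            echo "$MY_SECRET"
            echo "END_OF_MY_SECRET"
          } >> "$GITHUB_ENV"
      - name: Attempt to Show Sensitive Value
        # The value is masked above, so the log shows only asterisks.
        run: |
          echo "Shh! The secret is $MY_SECRET"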