
Request: option to persist secrets until workflow ends, rather than when job ends #53

@dhorkin

I would like there to be an option to defer secrets from expiring at the end of a job, and expire them at the end of a workflow instead, so that I can retrieve secrets in one job, then pass them to another job inside the same workflow file, without having to pull secrets a second time.

Obviously, for security reasons, the default for this should be turned off, but...

I wanted to pass an AWS secret into a reusable workflow. This workflow has two jobs, each of which need to checkout a private repo, so I need the token in order to be able to check it out.

So, I had something like this for my parent workflow:

jobs:
  prep:
    name: This is my job name
    runs-on: self-hosted-runner-name
    outputs:
      github_secret_token: ${{ steps.set_token_output.outputs.github_secret_token }}
    steps:
      - name: Read secrets from AWS Secrets Manager into environment variables
        uses: abhilash1in/aws-secrets-manager-action@v2.1.0
        with:
          secrets: |
            github_secret
          parse-json: true
          disable-warnings: true

      # various other steps here, several of which use GITHUB_SECRET_TOKEN without issue

      - name: Set token output
        id: set_token_output
        # Read the value from the shell environment and quote it, instead of
        # interpolating ${{ env.* }} into the script, so that characters in the
        # token are never re-parsed by the shell.
        run: |
          echo "github_secret_token=$GITHUB_SECRET_TOKEN" >> "$GITHUB_OUTPUT"

  another_job:
    name: This is another job
    needs: prep
    # this reusable workflow has 2 jobs, each of which needs access to that secret
    uses: my_private_org/my_private_repo/.github/workflows/my_reusable_workflow.yml@v1
    with:
      github_runner: self-hosted-runner-name
      # checkout_token is blank (undefined?) in this action
      checkout_token:  ${{ needs.prep.outputs.github_secret_token }}

Turns out that when it gets to my_reusable_workflow.yml's inputs, checkout_token is suddenly blank. (Same behavior happens with github.token, which wouldn't work for this use case anyway, so I presume this is the result of a post-job-step.)

To get around this, I had to add the aws-secrets-manager-action step to both of the jobs in that reusable workflow - 14 additional lines to that reusable workflow that I'd like to avoid, since I've already pulled the secrets and thus it's effectively noise (21 lines total, across two files, devoted to retrieving secrets... all to make one workflow work).
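An added example, not from the original post and not from the action's maintainers. The blank input is the runner's secret handling: any job output whose value matches a masked secret is dropped before it leaves the job (the `prep` job log shows a "Skip output 'github_secret_token' since it may contain secret" warning), so a runtime-fetched token cannot travel through `outputs:` no matter how it is written to `$GITHUB_OUTPUT`. What can be cut down is the duplication: wrap the `aws-secrets-manager-action` call in a composite action in the same private repo that hosts the reusable workflow, and each job that needs the token adds one `uses:` line. The action path `.github/actions/fetch-github-secret`, the job names, the second private repo `my_private_org/other-private-repo`, and the `checkout@v4` pin are assumptions; the action inputs are the ones from the post above.

```yaml
# .github/actions/fetch-github-secret/action.yml  (assumed path, in my_private_org/my_private_repo)
name: Fetch GitHub token from AWS Secrets Manager
description: >
  Loads the github_secret entry into the job environment so later steps can use
  GITHUB_SECRET_TOKEN. Run it in every job that needs the token: masked values
  are not carried across job boundaries by GitHub Actions.
runs:
  using: composite
  steps:
    # Same inputs as the original prep job; the runner's IAM role supplies AWS credentials.
    - uses: abhilash1in/aws-secrets-manager-action@v2.1.0
      with:
        secrets: |
          github_secret
        parse-json: true
        disable-warnings: true
---
# .github/workflows/my_reusable_workflow.yml  (assumed shape of the called workflow)
on:
  workflow_call:
    inputs:
      github_runner:
        required: true
        type: string
      # checkout_token input removed: it can never be populated from a job output.

jobs:
  build:
    runs-on: ${{ inputs.github_runner }}
    steps:
      # Fetched per job, one line instead of the repeated action block.
      - uses: my_private_org/my_private_repo/.github/actions/fetch-github-secret@v1
      - uses: actions/checkout@v4
        with:
          repository: my_private_org/other-private-repo   # assumed repo name
          token: ${{ env.GITHUB_SECRET_TOKEN }}
          path: other-private-repo
          # Do not leave the token in .git/config for later steps to read.
          persist-credentials: false
      - run: ls other-private-repo
        shell: bash

  test:
    runs-on: ${{ inputs.github_runner }}
    needs: build
    steps:
      - uses: my_private_org/my_private_repo/.github/actions/fetch-github-secret@v1
      - uses: actions/checkout@v4
        with:
          repository: my_private_org/other-private-repo   # assumed repo name
          token: ${{ env.GITHUB_SECRET_TOKEN }}
          path: other-private-repo
          persist-credentials: false
```

The composite action is referenced by `owner/repo/path@ref` rather than a local `./` path because the caller has not checked out `my_private_repo` (doing so would itself need the token). The same repository access setting that already lets the caller use `my_reusable_workflow.yml@v1` from that private repo covers actions stored in it. The calling workflow's `prep` job then no longer needs the `outputs:` block or the `Set token output` step.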
