I have a problem with a GitHub Actions workflow. Secrets environment is the hardest and the most puzzling thing that GitHub invented. I'm using the following code and I realized that I can't retrieve my environment secrets as environment variables.
```yaml
deploy-snowflake-changes-dev:
  name: deploy schemas changes to dev
  needs: ShitTest
  if: needs.ShitTest.outputs.output == 'true'
  environment:
    name: ${{inputs.devEnv}}
  runs-on: ubuntu-latest
  env:
    SF_ACCOUNT: ${{ secrets.SF_ACCOUNT }}
    SF_USERNAME: ${{ secrets.SF_USERNAME }}
    SF_ROLE: ${{ secrets.SF_ROLE }}
    SF_WAREHOUSE: ${{ secrets.SF_WAREHOUSE }}
    SF_DATABASE: ${{ secrets.SF_DATABASE }}
    SNOWFLAKE_PASSWORD: ${{ secrets.SF_PASSWORD }}
    SF_SCHEMA: ${{secrets.SF_SCHEMA}}
    SF_HISTORY_TABLE: ${{secrets.SF_HISTORY_TABLE}}
```
When I try to use the previous environment variables in the code that follows, it doesn't work, and it's as if the secrets don't exist, but they do. All these secrets are stored as the ${{inputs.devEnv}} environment secrets.
My question is: what is happening? How can I make it work? I'm out of solutions.
That's the complete code, and I have another workflow from which I call the workflow below with its parameters.
Here is the whole workflow implementation:
```yaml
name: snowflake Devops
on:
  workflow_call:
    inputs:
      Organization:
        required: true
        type: string
      Repository:
        required: true
        type: string
      devEnv:
        required: true
        type: string
      uatEnv:
        required: true
        type: string
      prodEnv:
        required: true
        type: string
      devBranch:
        required: true
        type: string
      uatBranch:
        required: true
        type: string
      prodBranch:
        required: true
        type: string
      rootFolder:
        required: true
        type: string
  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:
jobs:
  ShitTest:
    name: This is a shit test to get around the if condition
    runs-on: ubuntu-latest
    outputs:
      output: ${{ steps.condition.outputs.test }}
    steps:
      - name: shit test
        id: condition
        shell: pwsh
        run: |
          $branch = '${{ github.ref }}'
          $event = '${{ github.event_name }}'
          if($branch -eq 'refs/heads/${{ inputs.uatBranch }}' -AND $event -eq 'push' ) {
            $isTrigger = $true
            echo "::set-output name=test::$isTrigger"
            Write-Host "Deployment will be triggered" -ForegroundColor Cyan
          }else {
            $isTrigger = $false
            echo "::set-output name=test::$isTrigger"
            Write-Host "Deployment will not be triggered" -ForegroundColor Cyan
          }
  deploy-snowflake-changes-dev:
    name: deploy schamas changes to dev
    needs: ShitTest
    if: needs.ShitTest.outputs.output == 'true'
    environment:
      name: ${{inputs.devEnv}}
    runs-on: ubuntu-latest
    env:
      SF_ACCOUNT: ${{ secrets.SF_ACCOUNT }}
      SF_USERNAME: ${{ secrets.SF_USERNAME }}
      SF_ROLE: ${{ secrets.SF_ROLE }}
      SF_WAREHOUSE: ${{ secrets.SF_WAREHOUSE }}
      SF_DATABASE: ${{ secrets.SF_DATABASE }}
      SNOWFLAKE_PASSWORD: ${{ secrets.SF_PASSWORD }}
      SF_SCHEMA: ${{secrets.SF_SCHEMA}}
      SF_HISTORY_TABLE: ${{secrets.SF_HISTORY_TABLE}}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2
      - name: Use Python 3.8.x
        uses: actions/[email protected]
        with:
          python-version: 3.8.x
      - name: Run schemachange
        shell: pwsh
        run: |
          echo "SF_ACCOUT"
          echo "${{env.SF_ACCOUNT}}"
          echo "GITHUB_WORKSPACE: $GITHUB_WORKSPACE"
          python --version
          echo "Step 1: Installing schemachange"
          pip install schemachange
          echo "Step 2: Getting variables"
          $schemachangeconfigPath = "./configurations/${{inputs.devBranch}}/schemachange-config.json"
          $variables = Get-Content $schemachangeconfigPath | Out-String | ConvertFrom-Json
          ## Need something like that in input of schemachange cmdline deploy : '{\"database\":\"DB_DEMO_PPROD\", \"schema\":\"DEMO\", \"table\":\"DEMO_TABLE\"}'
          $count=0
          $varsString = "{"
          foreach ($p in $variables.psobject.Properties) {
            # Count properties so that the last one closes the object with "}"
            $count += 1
            $name = $p.name
            $value = $p.value
            if($count -ne $variables.psobject.Properties.name.Length) {
              $varsString = [System.String]::Concat($varsString,"\","`"$name","\","`"",":","\","`"$value","\","`"",",")
            }else {
              $varsString = [System.String]::Concat($varsString,"\","`"$name","\","`"",":","\","`"$value","\","`"","}")
            }
          }
          echo "Step 3: Running schemachange"
          schemachange deploy -f ./${{inputs.rootFolder}} -a ${{env.SF_ACCOUNT}} -u ${{env.SF_USERNAME}} -r ${{env.SF_ROLE}} -w ${{env.SF_WAREHOUSE}} -d ${{env.SF_DATABASE}} -c ${{env.SF_DATABASE}}.${{env.SF_SCHEMA}}.${{env.SF_HISTORY_TABLE}} --vars $varsString --create-change-history-table -v
```
Thank you for any help.
CodePudding user response:
I finally found a way to make it work. It was necessary to add a secrets section in both the caller workflow and the called workflow, as follows:
- sample of the called workflow:

```yaml
secrets:
  TOKEN:
    required: true
  SF_DATABASE:
    required: true
  SF_SCHEMA:
    required: true
  SF_HISTORY_TABLE:
    required: true
```
- sample of the caller workflow:

```yaml
secrets:
  TOKEN: ${{ secrets.TOKEN }}
  SF_DATABASE: ${{ secrets.SF_DATABASE }}
  SF_SCHEMA: ${{secrets.SF_SCHEMA}}
  SF_HISTORY_TABLE: ${{secrets.SF_HISTORY_TABLE}}
```
And then, secrets in the called workflow can be used as follows: ${{ secrets.SF_DATABASE }}
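
A check for the mismatch described above, as an added example that is not part of the original answer: this Python sketch lists the `secrets.NAME` references in a reusable workflow that are not declared under `on.workflow_call.secrets`. The sample workflow text is constructed, the scan is indentation-based rather than a full YAML parse, and a caller that passes `secrets: inherit` does not need the declarations.

```python
import re

# Constructed sample: a reusable workflow shaped like the one in the question.
SAMPLE = """\
on:
  workflow_call:
    inputs:
      devEnv:
        required: true
        type: string
    secrets:
      SF_DATABASE:
        required: true
jobs:
  deploy:
    runs-on: ubuntu-latest
    env:
      SF_DATABASE: ${{ secrets.SF_DATABASE }}
      SF_SCHEMA: ${{secrets.SF_SCHEMA}}
      GH: ${{ secrets.GITHUB_TOKEN }}
"""

SECRET_REF = re.compile(r"(?<![.\w])secrets\.([A-Za-z_][A-Za-z0-9_]*)")

def declared_secrets(text):
    """Names declared under on.workflow_call.secrets (indentation scan, not a YAML parser)."""
    names, call, child, in_secrets, item = set(), None, None, False, None
    for line in text.splitlines():
        key = line.strip()
        if not key or key.startswith("#"):
            continue
        ind = len(line) - len(line.lstrip(" "))
        if call is None:
            if key == "workflow_call:":
                call = ind
            continue
        if ind <= call:          # dedent: the workflow_call block is over
            break
        child = ind if child is None else child
        if ind == child:         # direct child key: inputs, outputs, secrets
            in_secrets, item = key == "secrets:", None
        elif in_secrets:
            item = ind if item is None else item
            if ind == item:      # one level below "secrets:" is a secret name
                names.add(key.split(":")[0])
    return names

def undeclared_secrets(text):
    """Secrets referenced in the file but missing from the workflow_call declaration."""
    referenced = set(SECRET_REF.findall(text))
    # GITHUB_TOKEN is provided automatically and needs no declaration.
    return sorted(referenced - declared_secrets(text) - {"GITHUB_TOKEN"})
```

Running `undeclared_secrets` over each reusable workflow file in CI catches a secret that would otherwise arrive empty in the called job.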