In one of my GitHub actions, I want to test if a secret exists before I try to use it so that I can provide the user with a more informative error message. My current strategy for doing this is to add the following step at the beginning of my action:
    - name: check if MY_SECRET exists
      run: if [ `echo ${{secrets.MY_SECRET}} | wc -c` -lt 2 ]; then echo the secret \"MY_SECRET\" has not been made; echo please go to \"settings \> secrets \> actions\" to create it; exit 1; fi
This is an improvement over not having any error handling, as it stops the action from proceeding and gives the user some helpful advice; however, I'd like to know if there is a 'better' solution. In particular, does GitHub have a recommendation for how to handle this kind of situation? Is there some other action from the marketplace, for example, that I can call? (I checked the marketplace but couldn't find anything to do this; however, I may have missed something.)
This seems to me like functionality that I might want to reuse frequently, so assuming there is no marketplace or built-in solution, I intend to make my own action which I can call that will do this for me. I have noticed a lot of actions on the marketplace are implemented in Node. Is this considered preferable to bash? Is there any reason I should not implement this functionality in bash?
Finally, as I am working with secrets here, I'd like to keep security in mind. Please have that in mind when proposing any solutions. Also please critique my current solution with security in mind.
CodePudding user response:
As mentioned in "Using encrypted secrets in a workflow"
Command-line processes may be visible to other users (using the ps command) or captured by security audit events. To help protect secrets, consider using environment variables, STDIN, or other mechanisms supported by the target process.
And:
Secrets cannot be directly referenced in if: conditionals. Instead, consider setting secrets as job-level environment variables, then referencing the environment variables to conditionally run steps in the job.
In your case:
    steps:
      - name: "check if MY_SECRET exists"
        env:
          super_secret: ${{ secrets.MY_SECRET }}
        # the step only runs when the mapped variable is empty
        if: ${{ env.super_secret == '' }}
        run: |
          echo 'the secret "MY_SECRET" has not been made'
          echo 'please go to "settings > secrets > actions" to create it'
          exit 1
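The same check as a reusable shell function, added here as an example that is not part of the original answer. It assumes the secret has already been mapped into the environment with env: (as in the step above); the function name require_secret and the use of the ::error:: workflow command are my choices. Reading the value from the environment with the shell's built-in test means the secret is never interpolated into the script text with ${{ }}, which is also what keeps a secret containing shell metacharacters from being executed as code.

```shell
# require_secret NAME
# Returns 0 if the environment variable NAME is set and non-empty.
# Otherwise prints a GitHub Actions error annotation and returns 1
# (or 2 if NAME is not a valid variable name). POSIX sh only; no
# external process ever receives the secret as an argument.
require_secret() {
  rs_name="$1"
  # Refuse anything that is not a plain identifier before it reaches eval.
  case "$rs_name" in
    "" | [0-9]* | *[!A-Za-z0-9_]*)
      echo "::error::require_secret: '$rs_name' is not a valid variable name" >&2
      return 2 ;;
  esac
  # Indirect lookup in POSIX sh: read the variable whose name is in $rs_name.
  eval "rs_value=\${$rs_name:-}"
  if [ -z "$rs_value" ]; then
    # ::error:: is rendered by GitHub as a red annotation on the run.
    echo "::error::the secret \"$rs_name\" has not been made; please go to \"settings > secrets > actions\" to create it"
    unset rs_value
    return 1
  fi
  unset rs_value
  echo "secret $rs_name is present"
  return 0
}

# Hypothetical workflow usage (the secret is mapped at job level, not inlined):
#   env:
#     MY_SECRET: ${{ secrets.MY_SECRET }}
#   steps:
#     - run: . ./require_secret.sh && require_secret MY_SECRET
```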