您的位置: 首页  >  技术问答  >  如何在Github Actions中访问SECRETS的值?

如何在Github Actions中访问SECRETS的值?

分类: 技术问答 2022-05-12 09:30:09
问题描述:

我正在尝试访问发送给GitHub Action的SECRET的值,但是我很挣扎.无论键是什么还是原始值,每次都将这些值作为[FILTERED]返回.

I'm trying to access the value of SECRETs sent to a GitHub Action, but I'm struggling. The values are returned as [FILTERED] every time, no matter what the key or the original value is.

我可以毫无问题地访问ENVIRONMENT VARIABLES,因此我必须在其他地方搞砸.

I can access ENVIRONMENT VARIABLES without a problem, so I must be screwing up somewhere else.

本质上,我想做的是将ssh密钥发送到我的操作/容器,但是在发送其他任何密钥/值作为秘密时,我也会遇到相同的问题.

Essentially, what I'm trying to do is send an ssh key to my action/container, but I get the same issue when sending any other key/value as a secret.

我的(简化的)GitHub动作如下:

My (simplified) GitHub Action is as follows:

action "Test" {
  uses = "./.github/actions/test"
  secrets = [
    "SSH_PRIVATE_KEY",
    "SSH_PUBLIC_KEY",
  ]
  env = {
    SSH_PUBLIC_KEY_TEST = "thisisatestpublickey"
  }
}

Dockerfile:

Dockerfile:

FROM ubuntu:latest

# Args
ARG SSH_PRIVATE_KEY
ARG SSH_PUBLIC_KEY
ARG SSH_PUBLIC_KEY_TEST

# Copy entrypoint
ADD entrypoint.sh /entrypoint.sh
RUN chmod +x /entrypoint.sh
ENTRYPOINT ["/entrypoint.sh"]

entrypoint.sh:

entrypoint.sh:

#! /bin/sh

SSH_PATH="$HOME/.ssh"

mkdir "$SSH_PATH"
touch "$SSH_PATH/known_hosts"

echo "$SSH_PRIVATE_KEY" > "$SSH_PATH/id_rsa"
echo "$SSH_PUBLIC_KEY" > "$SSH_PATH/id_rsa.pub"
echo "$SSH_PUBLIC_KEY_TEST" > "$SSH_PATH/id_rsa_test.pub" 

cat "$SSH_PATH/id_rsa"
cat "$SSH_PATH/id_rsa.pub"
cat "$SSH_PATH/id_rsa_test.pub"

这三个cat命令的输出为:

[FILTERED]
[FILTERED]
thisisatestpublickey

如您所见,我可以获取(并使用)环境变量的值,但是秘密没有被公开.

As you can see, I can get (and use) the value of the environment variables, but the secrets aren't being exposed.

有人知道吗?

只是为了更新此内容,我还只是尝试回显entrypoint.sh中两个不带引号的秘密:

Just to update this, I've also simply tried echoing out both the secrets without quotes in entrypoint.sh:

echo $SSH_PRIVATE_KEY
echo $SSH_PUBLIC_KEY

...并且在日志中,我看到了$SSH_PRIVATE_KEY的完整解密内容(即我的ssh密钥的实际内容),而$SSH_PUBLIC_KEY仍然返回[FILTERED].

...and in the log, I see the full decrypted content of $SSH_PRIVATE_KEY (ie, the actual contents of my ssh key) while $SSH_PUBLIC_KEY still returns [FILTERED].

因此,我可以假定我们能够看到动作内部的秘密内容,但是我不知道为什么我只能看到其中一个,而另一个返回[FILTERED].

So, I can assume that we are able to see the contents of secrets inside of an action, but I don't know why I can see just one of them, while the other returns [FILTERED].

也许是缓存的东西吗?

我只是想找出一种可预测的方式来使用它.

I'm just trying to figure out a predictable way to work with this.

如您所见,我可以获取(并使用)环境变量的值,但是秘密没有被公开.

As you can see, I can get (and use) the value of the environment variables, but the secrets aren't being exposed.

那是因为它们是秘密.明确清除了动作"输出中的秘密,并且不会显示这些秘密.

That's because they're secrets. The Actions output is explicitly scrubbed for secrets, and they're not displayed.

文件内容仍然包含机密内容.

The file contents still contain the secret contents.

相关推荐