I have a GitHub Actions workflow job that has a couple of outputs that GitHub is detecting as secrets, but they are not secrets at all. One is the first 7 chars of github.sha and the other is a random UUID that I generate using uuidgen.
These outputs are used by multiple other jobs in the same workflow, so I can't just move the steps in the job where I used them because then I have to duplicate the code.
This is the warning I am getting:
How does GitHub assume that it may contain a secret? Is it because of the property name and/or value?
So if I try to read these outputs from another job, they are empty and break the logic of the workflow.
Is there a way to force it not to skip these outputs?
EDITS:
I have now added sha_short, but the other output was already exported and used before. It was working; now it's detected as a secret. I am making some attempts to fix it, and sometimes sha_short is exported. It seems quite random.
I tried to change the names of the variables and generate values with a different format using nanoid. At the moment it looks pretty random. Sometimes one is skipped and sometimes the other is skipped. So yeah, the ideal would be something that tells the runner to never skip these two outputs.
Output:
    echo "docker_build_image_trigger=eff63***95-***ef***-***68c-9edb-***6570a8eb79c" >> $GITHUB_OUTPUT
    echo "sha_short=dba69ba" >> $GITHUB_OUTPUT
Steps:
    steps:
      - name: Setup AWS
        if: env.SHOULD_REBUILD_DOCKER_IMAGES == 'false'
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ env.TF_VAR_AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ env.TF_VAR_AWS_SECRET_ACCESS_KEY }}
          aws-region: ${{ env.TF_VAR_AWS_REGION }}
      - name: Write secrets
        if: env.SHOULD_REBUILD_DOCKER_IMAGES == 'false'
        run: |
          aws secretsmanager get-secret-value --secret-id puck-legacy-${{ needs.get-environment-info.outputs.environment }}-secrets --output text --query SecretString >> aws-secrets.json
      - name: Get docker build image trigger
        id: docker-build-image-trigger
        if: env.SHOULD_REBUILD_DOCKER_IMAGES == 'false'
        uses: sergeysova/jq-action@v2
        with:
          cmd: cat aws-secrets.json | jq -r .INFRA_REBUILD_TRIGGER
      - name: Get sha short
        id: sha-short
        if: env.SHOULD_REBUILD_DOCKER_IMAGES == 'false'
        uses: sergeysova/jq-action@v2
        with:
          cmd: cat aws-secrets.json | jq -r .ACTION_CURRENT_COMMIT
      - name: nanoid
        id: nanoid
        if: env.SHOULD_REBUILD_DOCKER_IMAGES == 'true'
        run: |
          echo "nanoid=$(npx nanoid -s 8 -a 1234567890abcdef)" >> $GITHUB_OUTPUT
      - name: Current commit
        id: current-commit
        if: env.SHOULD_REBUILD_DOCKER_IMAGES == 'true'
        run: |
          SHA=${{ github.sha }}
          echo "hash=${SHA:0:7}" >> $GITHUB_OUTPUT
      - name: Get outputs
        id: get-outputs
        run: |
          echo "rebuild_trigger=${{ steps.docker-build-image-trigger.outcome == 'success' && steps.docker-build-image-trigger.outputs.value || steps.nanoid.outputs.nanoid }}" >> $GITHUB_OUTPUT
          echo "current_commit=${{ steps.sha-short.outcome == 'success' && steps.sha-short.outputs.value || steps.current-commit.outputs.hash }}" >> $GITHUB_OUTPUT
In the tests that I am running, SHOULD_REBUILD_DOCKER_IMAGES is 'true', so many of the steps are skipped and outputs are always new.
Another job in the workflow where I want to read those outputs:
    infrastructure:
      ...
      needs: [get-environment-info, get-dependent-info]
      env:
        ...
        TF_VAR_ACTION_CURRENT_COMMIT: ${{ needs.get-dependent-info.outputs.current_commit }}
        TF_VAR_INFRA_REBUILD_TRIGGER: ${{ needs.get-dependent-info.outputs.rebuild_trigger }}
      steps:
        - name: Job info
          run: |
            echo "TF_VAR_ACTION_CURRENT_COMMIT=${{ env.TF_VAR_ACTION_CURRENT_COMMIT }}"
            echo "TF_VAR_INFRA_REBUILD_TRIGGER=${{ env.TF_VAR_INFRA_REBUILD_TRIGGER }}"
The output is:

    TF_VAR_ACTION_CURRENT_COMMIT=
    TF_VAR_INFRA_REBUILD_TRIGGER=
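
Added example (not part of the original question and not GitHub's runner code): a small Python model for diagnosing the log line above. It assumes the runner drops a job output whenever masking its value against the registered secret values would change it, and that the logged trigger value is a canonical 8-4-4-4-12 UUID; the mask value `"4"` and the candidate `1f4c09ae` are constructed samples.

```python
MASK = "***"
UUID_GROUPS = (8, 4, 4, 4, 12)  # assumption: the logged value is a canonical UUID


def offending_masks(value, masks):
    """Registered mask values that occur literally inside an output value.

    Literal substring matches only; this is a simplified model.
    """
    return sorted({m for m in masks if m and m in value})


def output_survives(value, masks):
    """Assumed runner rule: keep the output only if masking would not alter it."""
    return not offending_masks(value, masks)


def hidden_per_group(masked_uuid):
    """Per UUID group: (number of *** markers, number of characters they hide)."""
    groups = masked_uuid.split("-")
    if len(groups) != len(UUID_GROUPS):
        raise ValueError("expected an 8-4-4-4-12 UUID")
    result = []
    for text, width in zip(groups, UUID_GROUPS):
        markers = text.count(MASK)
        hidden = width - len(text.replace(MASK, ""))
        if hidden < markers:
            raise ValueError(f"group {text!r} does not fit in {width} characters")
        result.append((markers, hidden))
    return result


if __name__ == "__main__":
    # Value exactly as it appears in the masked log output on this page.
    logged = "eff63***95-***ef***-***68c-9edb-***6570a8eb79c"
    # Equal counts in every pair mean each *** hides exactly one character.
    print(hidden_per_group(logged))

    # Constructed one-character mask; the real masked value is not on the page.
    masks = ["4"]
    for candidate in ("dba69ba", "1f4c09ae"):  # second value is constructed
        print(candidate, output_survives(candidate, masks),
              offending_masks(candidate, masks))
```

Under this model the decision depends only on the value, never on the output name. If a one-character mask is registered, an 8-character value drawn from the 16-symbol alphabet used in the nanoid step contains it roughly 40% of the time, which would look random from run to run.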