DEV Community

Discussion on: Composite Actions vs Reusable Workflows: what is the difference? [GitHub Actions]

sergei

Composite Actions cannot use secrets, not from the workflow nor as parameter

Hi! Nice article :) I might be misunderstanding the point, but secrets can be used both by passing them as a parameter and as an env variable:

workflow:

      - uses: actions/my-action
        env:
          SUPER_SECRET: ${{ secrets.SUPER_SECRET }}
        with:
          secret-name: ${{ secrets.SUPER_SECRET }}

action.yaml

inputs:
  secret-name:
    description: 'Your secret'
    required: false
runs:
  using: "composite"
  steps:
    - id: secret-from-inputs
      run: echo ${{ inputs.secret-name }}
      shell: bash
    - id: secret-from-env
      run: echo ${{ env.SUPER_SECRET }}
      shell: bash
 
Davide 'CoderDave' Benvegnù

That is true, but those values are not treated as a secret.

What that means is that it has security implications. In Actions, a "secret" is always masked using *** even if you try to print it out.

If you pass it as a normal parameter, instead, it is treated as plain text and therefore it is logged... very easy to be leaked at that point :)

Wheeler Law • Edited

This is incorrect. If a value is passed as a regular input to a composite action (which is the only way to do this), and it is a secret value located in the repository secrets in the repo settings, then GHA will mask the value.
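
Added example (not from the thread and not GitHub's runner code): a simplified Python model of log redaction that matches on registered secret values, applied to the two `echo` steps from the action.yaml above plus a derived value. `LogMasker`, `simulate` and the sample secret are hypothetical and constructed for illustration; `add_mask` stands in for the `::add-mask::` workflow command.

```python
# Simplified model of value-based log masking. This is an illustrative
# sketch, not the GitHub Actions runner's implementation.

class LogMasker:
    def __init__(self):
        self._values = set()

    def register(self, value):
        # Empty strings are skipped: masking "" would corrupt every line.
        if value:
            self._values.add(value)

    # Stand-in for the `::add-mask::VALUE` workflow command.
    add_mask = register

    def mask(self, line):
        # Longest values first, so a secret containing another secret
        # is replaced whole instead of leaving a fragment behind.
        for value in sorted(self._values, key=len, reverse=True):
            line = line.replace(value, "***")
        return line


# Constructed sample secret, standing in for secrets.SUPER_SECRET.
SECRETS = {"SUPER_SECRET": "s3cr3t-Constructed-Value"}


def simulate():
    masker = LogMasker()
    for value in SECRETS.values():
        masker.register(value)

    # The workflow expands ${{ secrets.SUPER_SECRET }} before the action
    # runs, so the action receives plain strings on both paths.
    inputs = {"secret-name": SECRETS["SUPER_SECRET"]}  # with:
    env = {"SUPER_SECRET": SECRETS["SUPER_SECRET"]}    # env:
    derived = inputs["secret-name"][::-1]              # transformed copy

    before = [masker.mask("echo " + inputs["secret-name"]),
              masker.mask("echo " + env["SUPER_SECRET"]),
              masker.mask("echo " + derived)]

    # Registering the derived value masks it from this point on.
    masker.add_mask(derived)
    after = masker.mask("echo " + derived)
    return before, after


if __name__ == "__main__":
    before, after = simulate()
    print("\n".join(before))
    print(after)
```

In this model the input path and the env path are both redacted because matching is on the value, while the reversed copy is logged in clear until it is registered.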