How to mask environment variables created in GitHub when running a workflow?

I created a GitHub workflow that runs a Python script on a cron schedule. On every run of the workflow an access_token is generated, which is required during the next run.

To persist the token, the Python script writes it to the GITHUB_ENV file. In the next step I use the hmanzur/actions-set-secret@v2.0.0 action to save the token as a GitHub secret. Everything works fine.

My only problem is that the token is shown as an environment variable in the log of the second step.

Here is a minimal version of the workflow file:

name: Tests
on:
  schedule:
    - cron: "0 1 * * *"
jobs:
  test:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python: ['3.9']
    steps:
      - uses: actions/checkout@v1
      - uses: actions/setup-python@v1
        with:
          python-version: ${{ matrix.python }}
      - name: Install dependencies
        run: pip install -r requirements.txt
      - name: Run tests
        working-directory: ./src
        run: python -m unittest
        env:
          ACCESS_TOKEN: ${{secrets.ACCESS_TOKEN}}
      - uses: hmanzur/actions-set-secret@v2.0.0
        with:
          name: 'ACCESS_TOKEN'
          value: ${{env.ACCESS_TOKEN}}
          repository: Me/MyRepository
          token: ${{ secrets.REPO_ACCESS_TOKEN }}

I tried applying ::add-mask::. Adding echo "ACCESS_TOKEN=::add-mask::$ACCESS_TOKEN" >> $GITHUB_ENV only adds ::add-mask:: to the string.

Is there a way to mask all environment variables in the GITHUB_ENV file that I could apply in the first step? Can I apply a mask to the variable while writing it to the GITHUB_ENV file from Python? Or is there a way to disable the display of environment variables in the workflow?

My solution, in case anyone runs into the same problem.

There seems to be no direct solution. As a workaround, I use the cryptocode library to encrypt and decrypt the access token in the Python script. Only the encrypted token is passed to the workflow environment and saved in the repo's secrets.

Here is a minimal working example:

workflow.yml:

name: Test
on:
  push:
    branches:
      - main
jobs:
  test:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python: ['3.9']
    steps:
      - uses: actions/checkout@v1
      - uses: actions/setup-python@v1
        with:
          python-version: ${{ matrix.python }}
      - name: Install dependencies
        run: pip install -r requirements.txt
      - name: Run tests
        working-directory: ./
        run: python encrypt-secret.py
        env:
          ENCRYPTED_ACCESS_TOKEN: ${{secrets.ENCRYPTED_ACCESS_TOKEN}}
          INITIAL_ACCESS_TOKEN: ${{secrets.INITIAL_ACCESS_TOKEN}}
          PASS_KEY: ${{secrets.REPO_ACCESS_TOKEN}}
      - uses: hmanzur/actions-set-secret@v2.0.0
        with:
          name: 'ENCRYPTED_ACCESS_TOKEN'
          value: ${{env.ENCRYPTED_NEW_ACCESS_TOKEN}}
          repository: Der-Henning/test-workflows
          token: ${{ secrets.REPO_ACCESS_TOKEN }}

encrypt-secret.py:

from os import environ
from random import random
import cryptocode


def main():
    # Get the GitHub environment file.
    # Only run this part when GITHUB_ENV is set -> workflow detection
    env_file = environ.get('GITHUB_ENV', None)
    if env_file:

        # PASS_KEY used to encrypt and decrypt the secret
        passkey = environ.get("PASS_KEY", None)

        # Fallback token for the very first run, when no encrypted token exists yet
        access_token = environ.get("INITIAL_ACCESS_TOKEN")

        # Get the encrypted token from the previous run and decrypt it with the passkey
        encrypted_old_access_token = environ.get("ENCRYPTED_ACCESS_TOKEN", None)
        if encrypted_old_access_token and passkey:
            # cryptocode.decrypt returns False when the passkey does not match
            old_access_token = cryptocode.decrypt(encrypted_old_access_token, passkey)
            if old_access_token:
                print("Access Token from secret: {}".format(old_access_token))
                print("Correct Token: {}".format(old_access_token.startswith('ThisIsASecret')))
                access_token = old_access_token
        else:
            print("No encrypted Access Token provided!")

        ######
        #
        # Do stuff here
        # Use access_token to access an API ...
        #
        #####

        # Encrypt the new access token from the API for the next run
        # and save the encrypted token to GITHUB_ENV
        new_access_token = "ThisIsASecret{}".format(random())
        print("New Token: {}".format(new_access_token))
        if passkey:
            encrypted_new_access_token = cryptocode.encrypt(new_access_token, passkey)
            with open(env_file, "a") as file:
                file.write("ENCRYPTED_NEW_ACCESS_TOKEN={}\n".format(encrypted_new_access_token))


if __name__ == "__main__":
    main()
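The question's attempt put ::add-mask:: inside the GITHUB_ENV file, where it is just part of the value. As an added example (not code from the post above), the script below shows the mechanics from Python: the mask command is written to the step's stdout, where the runner reads workflow commands, and the raw value is appended to GITHUB_ENV separately (single-line NAME=value, or the NAME<<DELIMITER heredoc form for multi-line values). It assumes the documented GitHub Actions behaviour of ::add-mask:: and GITHUB_ENV; the function names, the parser used to check what was written, and the sample token are mine. It contrasts the broken write from the question with the working one on a temporary file, so it runs offline.

```python
import io
import os
import sys
import tempfile

# GitHub Actions workflow command; the runner reads it from the step's stdout
MASK_COMMAND = "::add-mask::"


def mask_value(value, out=sys.stdout):
    """Ask the runner to redact `value` in later log output.

    Must go to stdout; GITHUB_ENV does not interpret it. Multi-line secrets
    are masked line by line, because the runner matches single lines.
    """
    for line in value.splitlines():
        if line.strip():
            out.write(f"{MASK_COMMAND}{line}\n")


def export_env(name, value, env_file):
    """Append NAME=value to the GITHUB_ENV file for later steps.

    Multi-line values use the NAME<<DELIM ... DELIM heredoc form.
    """
    with open(env_file, "a", encoding="utf-8") as fh:
        if "\n" in value:
            delim = "EOF_" + os.urandom(8).hex()  # delimiter that cannot appear in the value
            fh.write(f"{name}<<{delim}\n{value}\n{delim}\n")
        else:
            fh.write(f"{name}={value}\n")


def export_masked(name, value, env_file, out=sys.stdout):
    """Mask first, then export: the value is already redacted when the file is read."""
    mask_value(value, out)
    export_env(name, value, env_file)


def read_env_file(env_file):
    """Parse NAME=value and heredoc entries back into a dict (hypothetical checker, mine)."""
    result = {}
    with open(env_file, encoding="utf-8") as fh:
        lines = fh.read().split("\n")
    i = 0
    while i < len(lines):
        line = lines[i]
        if "<<" in line and "=" not in line.split("<<", 1)[0]:
            name, delim = line.split("<<", 1)
            body = []
            j = i + 1
            while j < len(lines) and lines[j] != delim:
                body.append(lines[j])
                j += 1
            result[name] = "\n".join(body)
            i = j + 1
        elif "=" in line:
            name, value = line.split("=", 1)
            result[name] = value
            i += 1
        else:
            i += 1
    return result


def roundtrip(value):
    """Write the value both ways into a temp GITHUB_ENV and report what ended up where."""
    log = io.StringIO()  # stands in for the step's stdout
    with tempfile.TemporaryDirectory() as tmp:
        env_file = os.path.join(tmp, "github_env")
        # Broken (as in the question): the command becomes part of the stored value
        export_env("BROKEN", MASK_COMMAND + value, env_file)
        # Working: command on stdout, raw value in the file
        export_masked("ACCESS_TOKEN", value, env_file, out=log)
        written = read_env_file(env_file)
    return {"broken": written["BROKEN"], "good": written["ACCESS_TOKEN"], "log": log.getvalue()}


if __name__ == "__main__":
    # Constructed sample token, not a real credential
    for key, val in roundtrip("ThisIsASecret-constructed-example").items():
        print(f"{key}: {val!r}")
```

In the workflow from the question, the Python step would call export_masked() for the token before the hmanzur/actions-set-secret step runs; the runner then redacts that value in the job's subsequent log lines, which is the part the GITHUB_ENV write alone does not give you. Masking affects only what is printed to the log; it does not change who can read the secret, so it complements rather than replaces the encryption workaround above.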