
GitHub Actions - empty env secrets

I've started playing with GitHub Actions, but I'm struggling with accessing repository secrets which I pass as envs.

My workflow file:

name: Invite

on: 
  pull_request:
    branches: [master]
    types: [closed]
jobs:
  invite:
    runs-on: ubuntu-latest
    steps:
      - name: Hello world action
        uses: lekterable/inclusive-organization-action@master
        env:
          SECRET_TOKEN: ${{ secrets.SECRET_TOKEN }}
          organization: string
          SUPER_SECRET: ${{ secrets.SUPER_SECRET }}

Action index file:

const core = require('@actions/core')
const github = require('@actions/github')

const run = async () => {
  try {
    // ... (code omitted in the question)
    console.log('env', process.env)
    // Values passed through the step's `env:` block arrive as environment variables
    const token = process.env.SECRET_TOKEN
    const secret = process.env.SUPER_SECRET
    const organization = process.env.organization
    console.log('organization', organization)
    console.log('token?', !!token)   // false when the secret arrives as an empty string
    console.log('secret?', !!secret)
    console.log('token length', token.length)
    // ... (code omitted in the question)
  } catch (error) {
    core.setFailed(error.message)
  }
}

run()

As you can see, I'm passing 3 envs; the organization, which has a value of 'string', exists as expected, but SECRET_TOKEN and SUPER_SECRET are empty.


And yes, I do have the secrets set in the repo which runs the action:


Is there something that I'm doing wrong?

Update

While the original answer below does still apply to public repositories, there are a couple of new updates that may help for some use cases.

  • If your repository is private, you can now enable workflows from forks.

  • If your repository is public, there is a new pull_request_target event that is not subject to any token restrictions.

Original Answer

The reason you are experiencing this behaviour is because the Invite workflow is being triggered by a pull request from a forked repository.

With the exception of GITHUB_TOKEN, secrets are not passed to the runner when a workflow is triggered from a forked repository.

When this happens, the actor of the workflow is the user that opened the pull request. If that user doesn't have write access to your repository then they cannot use secrets (other than GITHUB_TOKEN).

Anyone with write access to a repository can create, read, and use secrets.

ref: https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets#using-encrypted-secrets-in-a-workflow

If you run this step in your workflow you will see that it has nothing to do with your action. The TEST_SECRET secret won't be available in the workflow either.

      - name: Test
        env:
          TEST_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TEST_SECRET: ${{ secrets.TEST_SECRET }}
        run: |
          echo ${#TEST_GITHUB_TOKEN}
          echo ${#TEST_SECRET}

(Screenshot: testing secrets on a pull request from a fork)

Checking the event data in the GitHub context you'll see that actor is the user that forked the repository and opened the pull request.

      - name: Dump GitHub context
        env:
          GITHUB_CONTEXT: ${{ toJson(github) }}
        run: echo "$GITHUB_CONTEXT"

This is a different but related issue answered by a GitHub staff member where it's explained that these limitations on forked repositories exist to "prevent malicious actors from using actions to poison upstream or downstream repos."
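As an added example (not code from the question, from this answer, or from the inclusive-organization-action project), here is how a JavaScript action can recognise the situation this answer describes and fail closed instead of carrying on with an empty token. The function names `isForkPullRequest` and `checkSecrets`, the sample payloads and the env values are assumptions constructed for this example; the payload fields it reads (`pull_request.head.repo.full_name`, `pull_request.base.repo.full_name`) are those of the GitHub `pull_request` event payload.

```javascript
// Added example, not part of the original question or answers.
// Decide, inside a JavaScript action, whether the secrets it needs are
// actually present and, if not, report the likely cause (fork PR vs. secret
// not configured) without ever printing a secret value.

// A pull request comes from a fork when its head repository differs from the
// base repository. `head.repo` is null when the fork has been deleted; that
// is treated as "not the base repository" as well.
function isForkPullRequest(payload) {
  const pr = payload && payload.pull_request;
  if (!pr) return false; // not a pull_request event at all
  const head = pr.head && pr.head.repo;
  const base = pr.base && pr.base.repo;
  if (!head || !base) return true;
  return head.full_name !== base.full_name;
}

// Check that every named secret is a non-empty string in `env` (process.env
// in a real action). Returns the missing names plus a human-readable reason.
// Only names are returned, never values, so the result is safe to log.
function checkSecrets(env, names, payload) {
  const missing = names.filter(
    (n) => !(typeof env[n] === 'string' && env[n].trim().length > 0)
  );
  if (missing.length === 0) {
    return { ok: true, missing, reason: '' };
  }
  const reason = isForkPullRequest(payload)
    ? 'workflow was triggered by a pull request from a fork; GitHub passes only GITHUB_TOKEN to the runner in that case'
    : 'secrets are not configured in the repository (or this job has no access to them)';
  return { ok: false, missing, reason };
}

// Constructed sample payloads (only the fields the functions read).
const forkPrPayload = {
  pull_request: {
    number: 17,
    head: { repo: { full_name: 'contributor/inclusive-organization-action' } },
    base: { repo: { full_name: 'lekterable/inclusive-organization-action' } },
  },
};
const samePrPayload = {
  pull_request: {
    number: 18,
    head: { repo: { full_name: 'lekterable/inclusive-organization-action' } },
    base: { repo: { full_name: 'lekterable/inclusive-organization-action' } },
  },
};

// Constructed env as it looks on a fork PR: only GITHUB_TOKEN is populated.
const forkEnv = { GITHUB_TOKEN: 'ghs_constructed_example', SECRET_TOKEN: '', SUPER_SECRET: '' };

// Usage: run the check before doing anything with the token.
const result = checkSecrets(forkEnv, ['SECRET_TOKEN', 'SUPER_SECRET'], forkPrPayload);
if (!result.ok) {
  console.log(`missing secrets: ${result.missing.join(', ')} (${result.reason})`);
  // In a real action: core.setFailed(...) here instead of continuing.
}
```

Calling `checkSecrets` at the top of `run()` turns the silent "token length 0" in the question into an explicit failure with the cause attached. One caveat on the pull_request_target event mentioned in the update above: it runs in the base repository's context with the repository's secrets available, so a workflow that uses it must not check out and execute code from the pull request head, or the fork restriction this answer describes is effectively bypassed.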

I've found a solution: what I did to work around it is, instead of running the action on closing the PR, I'm running it on a new commit on master. This has to be triggered by someone with 'write rights' to the repo; therefore, it has access to the repo secrets.

It's a bit harder to check if the commit is a merge commit, and we have to explicitly fetch more info about the PR, but it works. Source code of the action I was trying to build, if someone is interested: https://github.com/lekterable/inclusive-organization-action
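An added example of the merge-commit check this workaround relies on; it is not the asker's action code. It goes a little beyond the single case described above: given the payload of a `push` event, it recognises both commit-message shapes GitHub itself writes when a PR is merged (a merge commit, "Merge pull request #N from owner/branch", and a squash merge, "PR title (#N)"), and returns the PR number so the action can fetch the PR afterwards. Rebase merges leave no marker and are reported as null. The function name `mergedPullRequestNumber` and the sample payloads are assumptions constructed for this example; `ref`, `deleted` and `head_commit.message` are fields of the GitHub `push` event payload.

```javascript
// Added example, not part of the original question or answers.
// Detect whether a push to `branch` is the merge of a pull request and recover
// the PR number from the head commit's subject line.

const MERGE_COMMIT = /^Merge pull request #(\d+) from /;   // default merge-commit title
const SQUASH_COMMIT = /\(#(\d+)\)\s*$/;                     // default squash-merge title suffix

// Returns the merged pull request number, or null when the push is not to
// `branch`, deletes the branch, or its head commit is not a PR merge.
function mergedPullRequestNumber(payload, branch = 'master') {
  if (!payload || payload.ref !== `refs/heads/${branch}`) return null;
  if (payload.deleted) return null;              // branch deletion carries no head commit
  const head = payload.head_commit;
  if (!head || typeof head.message !== 'string') return null;
  const subject = head.message.split('\n')[0];   // only the subject line carries the marker
  let m = MERGE_COMMIT.exec(subject);
  if (m) return Number(m[1]);
  m = SQUASH_COMMIT.exec(subject);
  if (m) return Number(m[1]);
  return null;
}

// Constructed sample payloads (only the fields the function reads).
const mergePush = {
  ref: 'refs/heads/master',
  head_commit: { message: 'Merge pull request #42 from contributor/feature\n\nAdd feature' },
};
const squashPush = {
  ref: 'refs/heads/master',
  head_commit: { message: 'Add feature (#7)\n\n* first commit\n* second commit' },
};
const plainPush = {
  ref: 'refs/heads/master',
  head_commit: { message: 'Fix typo (#7) in docs' },   // "(#7)" is not at the end: not a squash merge
};

// Usage
const pr = mergedPullRequestNumber(mergePush);
console.log(pr === null ? 'not a PR merge' : `merged PR #${pr}`);
```

The number this returns is only a hint taken from a commit message; the "fetch more info about the PR" step above is where it gets confirmed. When the action then loads the PR through the API, checking that the PR is reported as merged and that its `merge_commit_sha` equals the push payload's `after` field ties the PR to the commit that actually triggered the run.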

I have implemented a workaround documented in https://stackoverflow.com/a/61450807/177275 to solve these types of problems. Essentially an action that runs on PR creates some artifacts, and later a cron job that runs every 5 minutes scans for those artifacts and acts on them. I use it to post build results to the pull request page as comments, but you can adapt the same approach for other use cases.

To achieve the expected result, use the GitHub Actions toolkit packages, i.e. @actions/core:

const core = require('@actions/core');
// In the workflow, pass the token as a step input under `with:`, e.g.
//   with:
//     myToken: ${{ secrets.GITHUB_TOKEN }}
// core.getInput reads it from the INPUT_MYTOKEN environment variable the runner sets.
const myToken = core.getInput('myToken');

Please refer to these links for more details: https://github.com/actions/toolkit/pull/131/commits/87bfae207900deafa6d0f4013761df37835c433f , https://github.com/actions/toolkit and https://github.com/actions/toolkit/blob/master/packages/core
