
Is there a way to dynamically make github actions secrets available at runtime without explicitly defining each variable in your yaml?

In its current format, you can define GitHub secrets in the repository UI and add them to your GitHub Actions CI like the following:

- name: test secrets
  shell: bash
  # the original step left `run:` empty; this checks the secrets were injected without printing them
  run: test -n "$SECRET_1" && test -n "$SECRET_2"
  env:
    SECRET_1: ${{ secrets.secret_1 }}
    SECRET_2: ${{ secrets.secret_2 }}

However, this approach is cumbersome if you want to dynamically add all secrets attached to that environment, especially if your secrets change regularly. With the above methodology each alteration would require a code deploy, which is inconvenient. Has anyone come up with a solution? Or is there any built-in syntax which will load all secrets? Or secrets that follow a certain pattern?

It is possible to interpolate the secret ID, so say you are conditioning your secret on an input supplied when triggering the workflow; here is how I implemented it:

on:
  workflow_dispatch:
    inputs:
      environment:
        type: choice
        description: Deployment environment
        required: true
        options:
          - staging
          - production
      # input added so that `github.event.inputs.aws_region` below resolves to a value
      aws_region:
        description: AWS region to deploy to
        required: true

jobs:
  deploy:  # job name added to make the snippet a complete workflow
    runs-on: ubuntu-latest
    steps:
      # this is because the secrets in my GH are uppercase, so I need to uppercase the whole string based on the input
      # (`::set-output` is deprecated; the step output is written to $GITHUB_OUTPUT instead)
      - id: AWSAccessKeyId
        shell: bash
        run: |
          AWSAKI=${{ format('AWS_ACCESS_KEY_ID_GREEN_{0}', github.event.inputs.environment) }}
          echo "AWSAccessKeyIdValue=${AWSAKI^^}" >> "$GITHUB_OUTPUT"
      - id: AWSSecretAccessKey
        shell: bash
        run: |
          AWSSAK=${{ format('AWS_SECRET_ACCESS_KEY_GREEN_{0}', github.event.inputs.environment) }}
          echo "AWSSecretAccessKeyValue=${AWSSAK^^}" >> "$GITHUB_OUTPUT"
      - run: npm run deploy-${{ github.event.inputs.environment }}
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets[steps.AWSAccessKeyId.outputs.AWSAccessKeyIdValue] }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets[steps.AWSSecretAccessKey.outputs.AWSSecretAccessKeyValue] }}
          AWS_DEFAULT_REGION: ${{ github.event.inputs.aws_region }}
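One check worth adding to the dynamic-lookup pattern in this answer (an added example, not part of the original answer): `secrets[name]` evaluates to an empty string when no secret with that name exists, so a deploy step would otherwise run with blank credentials. The step id `pick`, the output name `key_id_name` and the `DEPLOY_ENV` variable are assumptions; the `environment` choice input is the one from the answer, passed to the script through `env` rather than interpolated into the shell command.

```yaml
      - id: pick
        shell: bash
        env:
          DEPLOY_ENV: ${{ github.event.inputs.environment }}
        run: |
          # build the secret name in the shell from the env var, not from inline ${{ }} interpolation
          name="AWS_ACCESS_KEY_ID_GREEN_${DEPLOY_ENV}"
          echo "key_id_name=${name^^}" >> "$GITHUB_OUTPUT"
      - name: Verify the selected secret is defined
        shell: bash
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets[steps.pick.outputs.key_id_name] }}
          SECRET_NAME: ${{ steps.pick.outputs.key_id_name }}
        run: |
          # an undefined secret resolves to "", so fail the job before anything tries to use it
          if [ -z "$AWS_ACCESS_KEY_ID" ]; then
            echo "::error::secret ${SECRET_NAME} is not defined for this repository/environment"
            exit 1
          fi
          echo "secret ${SECRET_NAME} is present"
```

GitHub masks secret values in the log, but the check above never echoes the value at all, only the name that was looked up.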

No, this is not possible (and rather won't be in the future). As it is written here, you have to clearly state which secret you want to use in your workflow, like here:

steps:
  - name: Hello world action
    with: # Set the secret as an input
      super_secret: ${{ secrets.SuperSecret }}
    env: # Or as an environment variable
      super_secret: ${{ secrets.SuperSecret }}

This is done on purpose, as the authors wanted to force developers to use exactly the secrets that are needed. This just addresses a security concern.
