
Is it safe to pass GitHub Secrets as an argument to a python code?

I have my Telegram API key stored in GitHub secrets and I pass them to my code in workflow like

python3 main.py ${{ secrets.API_KEY }}

and use it on my code

import sys
KEY = sys.argv[1]  # first command-line argument

While running, it does filter out (***) the secrets, but is this really safe, or should I be looking at another way to pass my keys? Is there any way someone could see the API if passed as an arg?

GitHub uses a libsodium sealed box to help ensure that secrets are encrypted before they reach GitHub and remain encrypted until you use them in a workflow.

That's the reason why they return * * * in the workflow run. And it is safe. However, as you can see on the link shared by chepner above, there is this suggestion:

Avoid passing secrets between processes from the command line, whenever possible. Command-line processes may be visible to other users (using the ps command) or captured by security audit events. To help protect secrets, consider using environment variables, STDIN, or other mechanisms supported by the target process.

Therefore, in your case, instead of sending the variable like this directly on the command line, you should add it as an env variable to the step:

  steps:
    - run: python3 main.py
      env:
        API_KEY: ${{ secrets.API_KEY }}

And then extract the variable using KEY = os.environ.get("API_KEY") in your python script.
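The following is an added example (not part of the original answer) that demonstrates the difference the GitHub docs describe: it starts a child process with a constructed placeholder value passed either as a command-line argument or as an environment variable, then reads the child's public command line (from /proc on Linux, falling back to ps) to check whether the value is exposed there. `load_api_key` shows the environment-variable pattern the answer recommends for the script side.

```python
import os
import subprocess
import sys

# Constructed placeholder value for the demonstration; never a real key.
SECRET = "EXAMPLE-TOKEN-NOT-REAL"


def cmdline_of(pid: int) -> str:
    """Return the command line of a running process as any local user could see it."""
    proc_path = f"/proc/{pid}/cmdline"
    if os.path.exists(proc_path):
        with open(proc_path, "rb") as f:
            return f.read().replace(b"\0", b" ").decode(errors="replace")
    # Fallback for systems without /proc (e.g. macOS): ask ps for the args column.
    out = subprocess.run(["ps", "-o", "args=", "-p", str(pid)],
                         capture_output=True, text=True)
    return out.stdout


def secret_visible_in_cmdline(via: str) -> bool:
    """Spawn a sleeping child, passing SECRET via 'argv' or 'env', and report
    whether SECRET shows up in the child's command line."""
    env = os.environ.copy()
    extra_args = []
    if via == "argv":
        extra_args = [SECRET]          # the pattern the question uses
    elif via == "env":
        env["API_KEY"] = SECRET        # the pattern the answer recommends
    else:
        raise ValueError("via must be 'argv' or 'env'")
    child = subprocess.Popen(
        [sys.executable, "-c", "import time; time.sleep(30)", *extra_args], env=env)
    try:
        return SECRET in cmdline_of(child.pid)
    finally:
        child.kill()
        child.wait()


def load_api_key(environ=os.environ) -> str:
    """Script-side counterpart of the env-based workflow step: read the key from
    the environment and fail loudly if the step forgot to set it."""
    key = environ.get("API_KEY")
    if not key:
        raise RuntimeError("API_KEY is not set; pass it via the step's env block")
    return key


if __name__ == "__main__":
    print("argv exposes secret:", secret_visible_in_cmdline("argv"))  # True
    print("env exposes secret:", secret_visible_in_cmdline("env"))    # False
```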
