Passing secrets as output between jobs in a Github workflow

Question

I am trying to pass a JWT token in between jobs but something prevents it to be passed correctly. According to the docs, if I want to pass variables between jobs I need to use outputs as explained here . What I am doing is the following:

name: CI
on:
  pull_request:
    branches:
      - main
jobs:
  get-service-url:
    ...does something not interesting to us...
  get-auth-token:
    runs-on: ubuntu-latest
    outputs:
      API_TOKEN: ${{ steps.getauthtoken.outputs.API_TOKEN }}
    steps:
      - name: Get Token
        id: getauthtoken
        run: |
          API_TOKEN:<there is a full JWT token here>
          echo -n "API_TOKEN=$API_TOKEN" >> $GITHUB_OUTPUT
  use-token:
    runs-on: ubuntu-latest
    needs: [get-service-url,get-auth-token]
    name: Run Tests
    steps:
      - uses: actions/checkout@v3
      - name: Run tests
        run: |
          newman run ${{ github.workspace }}/tests/collections/my_collection.json --env-var "service_url=${{needs.get-service-url.outputs.service_URL}}" --env-var "auth_token=${{needs.get-auth-token.outputs.API_TOKEN}}"

So, during a run, in my output I see:

Run newman run /home/runner/work/my-repo/my-repo/tests/collections/my_collection.json  --env-var "service_url=https://test.net" --env-var "auth_token="

At first I thought there was something wrong in passing the token itself between jobs. Hence I tried to put a dummy token an export it in the output. In my get-auth-token job, the call to output it became:

echo -n "API_TOKEN=test" >> $GITHUB_OUTPUT

and in the log I saw it there:

--env-var "auth_token=test"

so the way I am passing it intra jobs is fine. Moreover, the token is there and is correct because I hard coded one to simplify my tests. Indeed if in my get-auth-token job I try to echo $API_TOKEN I see in the logs *** which makes me understand Github is correctly obfuscating it. I then tried not to pass it in between jobs. So I created the same token, hardcoded, right before the newman run command and referenced it in the newman run directly and tada: The log now is:

Run newman run /home/runner/work/my-repo/my-repo/tests/collections/my_collection.json  --env-var "service_url=https://test.net" --env-var "auth_token=***"

So the token is there. But I need it to be coming from another job. There is something preventing the token to be passed in between jobs and I don't know how to achieve that.

Answer 1

Found out a trick to make this happen. Consists on temporarily "obfuscating" the secret to the eyes of Github.

In the job where I retrieve the secret I encode it and export it to GITHUB_OUTPUT :

API_TOKEN_BASE64=`echo -n <my_secret> | base64 -w 0`
echo -n "API_TOKEN=$API_TOKEN_BASE64" >> $GITHUB_OUTPUT

In the job where I need the secret I decode it (and use where needed):

API_TOKEN=`echo -n ${{needs.get-auth-token.outputs.API_TOKEN}} | base64 --decode`