Keep It Secret, Keep It Safe: How To Use GitHub Actions Secrets To Hide Sensitive Data
Kinsta
Posted on June 26, 2023
GitHub Actions is GitHub’s built-in continuous integration and continuous delivery (CI/CD) platform that enables development teams to automate their workflow, including the build, test, and deployment pipeline.
One disadvantage of using GitHub Actions is that your workflow logs are visible to anyone who can view the repository, so for a public repository that means everyone.
To prevent sensitive data from being exposed in GitHub Actions logs, you should use encrypted environment variables to store sensitive data safely. These encrypted environmental variables are known as GitHub Actions Secrets.
This post will show you how to use GitHub Actions Secrets to prevent sensitive information from appearing in your GitHub Actions logs.
Prerequisites:
To follow this tutorial:
Make sure you have a GitHub account.
Have an existing GitHub repository. For this tutorial, you can clone this demo repository.
Follow these instructions to clone the demo repository.
How To Keep Your GitHub Action Logs Secure
When you build workflows using GitHub Actions, any visitor to your repository can view the logs, so they shouldn’t include sensitive information. However, you can’t just delete your tokens, passwords, and other sensitive information — you need them for testing and for your app to function correctly.
The solution is to hide them with the ::add-mask:: workflow command, which replaces the sensitive data it’s applied to with asterisks (*).
The following section shows you how to mask a log.
How To Mask Logs
First, open the cloned repository in your text editor.
Create the .github/workflows/ directory in the root of your repository to store your workflow files. Then, create a new file named hide-secrets.yml in the .github/workflows directory and add the following code to it:
name: Hide Sensitive Information
on: push
jobs:
  print-secret-token:
    runs-on: ubuntu-latest
    steps:
      - name: echo a secret
        run: echo "your secret token is verySecretToken"
Commit the changes and push them to your GitHub repository. The updated GitHub Actions workflow is active and will be triggered whenever you push a new change.
Open your repository on GitHub and select the Actions tab to view the logs. Your workflow should appear as follows:
Examining the workflow logs, you’ll find the verySecretToken string printed in the logs. Click on your workflow, and then the task name (print-secret-token) to view the log. It should look like this:
To hide it with the ::add-mask:: command, edit the hide-secrets.yml file and add a new step to the print-secret-token job:
name: Hide Sensitive Information
on: push
jobs:
  print-secret-token:
    runs-on: ubuntu-latest
    steps:
      - name: Add Mask
        run: echo "::add-mask::verySecretToken"
      - name: echo a secret
        run: echo "your secret token is verySecretToken"
You should add the Add Mask step at the top, since masking only applies to output produced after ::add-mask:: has run. If you print the secret verySecretToken before the Add Mask step, it will still appear unmasked. So, to ensure the value is masked, it’s essential to use ::add-mask:: as early as possible.
Once you commit and push your modifications to your GitHub repository, the string verySecretToken will be replaced by asterisks (*) wherever it appears in your logs:
While this fixes the masking problem, it introduces a new one. Your verySecretToken is still in the workflow file, so anyone with access to the source code can see it.
Another downside of masking plain text is that masking just part of a word will hide all instances of it. For example, take the following sentence: “Programming is great, but my most productive days are those when I do not write a program.” If you mask the word “program,” it won’t only mask the word at the end of the sentence but also anywhere else it appears, such as in “programming.”
If you try to mask plain text, you’ll end up with something like this:
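To make the two caveats above concrete, here is a small model of how a log viewer applies ::add-mask:: to a stream of log lines. It is an added example, not code from the original post or from the GitHub Actions runner, and the sample log lines are constructed.

```python
"""Simulate how ::add-mask:: affects a GitHub Actions log stream.

Added example (not from the original post): a tiny model of the runner's
masking behaviour, enough to show the two caveats discussed above.
"""
from typing import Iterable, List

MASK_PREFIX = "::add-mask::"
MASK = "***"


def mask_log(lines: Iterable[str]) -> List[str]:
    """Return the log as a viewer would see it.

    A ::add-mask:: line registers its value and is dropped from the output;
    every *later* line has each registered value replaced by MASK. Lines
    printed before the command are left untouched, and matching is plain
    substring replacement, so a masked word is hidden inside longer words too.
    """
    registered: List[str] = []
    visible: List[str] = []
    for line in lines:
        if line.startswith(MASK_PREFIX):
            value = line[len(MASK_PREFIX):].strip()
            if value:
                registered.append(value)
            continue
        # Longest values first so a short value never splits a longer one.
        for value in sorted(registered, key=len, reverse=True):
            line = line.replace(value, MASK)
        visible.append(line)
    return visible


def unmasked_occurrences(visible: Iterable[str], secret: str) -> List[int]:
    """Indexes of visible log lines that still contain `secret` in clear."""
    return [i for i, line in enumerate(visible) if secret in line]


# Constructed sample log for the demonstration (not real runner output).
SAMPLE_LOG = [
    "your secret token is verySecretToken",  # printed before the mask step
    "::add-mask::verySecretToken",
    "your secret token is verySecretToken",  # printed after the mask step
    "::add-mask::program",
    "programming is great, but my most productive days are those when I do not write a program.",
]

if __name__ == "__main__":
    shown = mask_log(SAMPLE_LOG)
    print("\n".join(shown))
    print("lines leaking the token:", unmasked_occurrences(shown, "verySecretToken"))
```

Running it shows the first line leaking the token because it was printed before the mask was registered, and the word “program” being hidden inside “programming” as well as on its own.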
A better approach to hiding sensitive data in GitHub Actions logs is to use GitHub Actions Secrets, as demonstrated in the following section.
How To Use GitHub Actions Secrets
You can use GitHub Actions Secrets to store any private data you want to use in your GitHub actions workflow. Secrets are created as key/value pairs at the repository or organizational level.
Secrets created at the repository level can be accessed only by that repository, while secrets created at the organization level are shared by all repositories within the organization.
Secrets created at the repository level are available for use in actions by anyone who has collaborator role permissions. You can change the value of your secrets at any time. However, secrets cannot be used with workflows from a forked repository.
The following rules apply when naming secrets:
Secret names can’t contain spaces.
Secret names are not case-sensitive.
Secret names cannot begin with a number.
Secret names must not begin with the prefix GITHUB_.
Secret names must be unique: two secrets with the same name can’t exist at the same level.
You can use these secrets within the GitHub Actions workflow by prefixing the secret name with secrets. inside an expression, as shown below:
${{ secrets.MY_SECRET_TOKEN }}
You can also mask secrets for more security, as shown in the following section.
How To Mask Secrets
First, create a GitHub secret. In your repository on GitHub, click the Settings tab, select Secrets > Actions from the left sidebar, and then click New repository secret to add a new secret:
Give your secret a name and a secret value, then click Add secret:
Now that you’ve created your secret and given it the verySecretToken
value, you can use it in your workflow file. Open your hide-secrets.yml file and make the following changes:
name: Hide Sensitive Information
on: push
jobs:
  print-secret-token:
    runs-on: ubuntu-latest
    steps:
      - name: Add Mask
        run: echo "::add-mask::${{ secrets.MY_SECRET_TOKEN }}"
      - name: Echo a secret
        run: echo "your secret token is ${{ secrets.MY_SECRET_TOKEN }}"
The only difference between this and the previous code is that you replaced the hard-coded token with your newly created GitHub secret, ${{ secrets.MY_SECRET_TOKEN }}.
Once you commit the code and push the changes to your GitHub repository, your secrets are masked:
Summary
You mustn’t reveal any sensitive information in your GitHub Actions logs. Masking plain text is one way to hide data, but anyone with access to your workflow files can still see the value you’re trying to hide.
As this tutorial demonstrates, GitHub Actions Secrets are a much more secure approach: store your sensitive data as a secret, then mask it.
Read our documentation to learn more about using Git at Kinsta. Try our Application Hosting for free now.