
[FEAT] #502

Closed
mneverov opened this issue Nov 8, 2023 · 6 comments
Labels
enhancement New feature or request

Comments

@mneverov

mneverov commented Nov 8, 2023

It would be nice to have the possibility to share the output from the vault action.
Currently, with the setup below, if I reference the output in another job it is empty. My understanding is that the output is only available within the same job for subsequent steps.

name: Secrets

on:
  workflow_call:
    outputs:
      TOKEN:
        value: ${{ jobs.secrets.outputs.TOKEN }}

jobs:
  secrets:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    outputs:
      TOKEN: ${{ steps.secrets.outputs.TOKEN }}
    steps:
      - name: Import Secrets
        id: secrets
        uses: hashicorp/vault-action@v2
        with:
          # ...
          secrets: |
            somepath VAR | TOKEN
@mneverov mneverov added the enhancement New feature or request label Nov 8, 2023
@fairclothjm
Contributor

@mneverov Hello, I am sorry you are having trouble.

To use job outputs in a dependent job, you can use the needs context.
For more information, see "Context and expression syntax for GitHub Actions."

Hopefully that helps! However, I am not sure how this will work with workflow_call.

We reserve GitHub issues for bug reports and feature requests, which this doesn't appear to be. As such, I'm going to close this and suggest that you ask about this at Vault.

@mneverov
Author

Hi @fairclothjm, the same holds true for the dependent jobs, i.e. the outputs are empty. It only works inside the same job - the secrets are shared between steps.

@fairclothjm
Contributor

@mneverov

@fairclothjm fairclothjm reopened this Nov 17, 2023
@fairclothjm
Contributor

@mneverov Thanks for the feedback. Could you please provide a minimal config that reproduces the issue?

@mneverov
Author

@fairclothjm ptal

name: Test

on:
  pull_request:
    branches:
      - main

jobs:
  get-secrets:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    outputs:
      TOKEN: ${{ steps.secrets.outputs.TOKEN }}
    steps:
      - name: Import Secrets
        id: secrets
        uses: hashicorp/vault-action@v2
        with:
          url: <some-url>
          method: jwt
          role: some-role
          jwtGithubAudience: sigstore
          exportEnv: true
          secrets: |
            /foo/bar VAR | TOKEN
      - name: print
        id: print
        run: |
          echo ${{ env.TOKEN }} # <--- prints *** 

  print:
    runs-on: ubuntu-latest
    needs: get-secrets
    steps:
      - name: print
        run: |
          echo ${{ env.TOKEN }} # <--- prints nothing
          echo ${{ needs.get-secrets.outputs.TOKEN }} # <--- prints nothing
          echo ${{ needs.get-secrets.result }} # <--- prints "success"

@maxcoulombe
Contributor

maxcoulombe commented Dec 22, 2023

Hey @mneverov, thanks for that example, this is useful. I tried it on my side and can confirm that secrets pulled by vault-action cannot be transferred to other jobs via outputs. Sample code:

name: Cross-Job-Outputs

on:
  push:

jobs:
  job1:
    runs-on: ubuntu-latest
    outputs:
      VAULT_ACTION: ${{ steps.vault-action.outputs.ACTION }}
      MANUAL_OUTPUT: ${{ steps.manual-output.outputs.MANUAL }}
    steps:
      - name: Vault Action
        id: vault-action
        uses: hashicorp/vault-action@<version>   # exact version lost in extraction
        with:
          url: ${{ secrets.VAULT_URL }}
          namespace: ${{ secrets.VAULT_NAMESPACE }}
          token: ${{ secrets.VAULT_TOKEN }}
          secrets: |
            secret/data/sample-secret first-secret | ACTION
      - name: Manual Output
        id: manual-output
        run: |
          echo "MANUAL=hello" >> "$GITHUB_OUTPUT"

  job2:
    runs-on: ubuntu-latest
    needs: job1
    steps:
      - name: print
        run: |
          echo Action:
          echo ${{ needs.job1.outputs.VAULT_ACTION }} # <--- prints nothing
          echo Manual:
          echo ${{ needs.job1.outputs.MANUAL_OUTPUT }} # <--- prints "hello", this method works

Unfortunately, it looks like a built-in behavior for GitHub Actions. Sensitive and masked outputs are skipped and unavailable to downstream jobs. A potential solution would be not to mask Vault secrets as requested in #322, but we feel like not treating Vault secrets as sensitive opens up too many risks even if it'd sometimes be convenient.

We can see in the execution results of the job defined above that the vault-action output is explicitly skipped by GitHub:
(screenshot: skipped_output)

Let us know if that explanation and reasoning make sense. If that's ok, I'll close this issue so we can consolidate the discussions in #322 as this would be the solution to share outputs across jobs if implemented.
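Given the behaviour confirmed above (masked values never cross a job boundary, but do work between steps of one job), the practical pattern is to let every job that needs a secret import it from Vault itself and pass only non-sensitive values through `needs`. This is an added example, not code from the issue or from the vault-action project; the URL, roles and secret paths are placeholders:

```yaml
name: Per-Job-Vault-Import

on:
  pull_request:

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # required for the jwt (OIDC) auth method
    outputs:
      # only non-sensitive data crosses the job boundary
      artifact_name: ${{ steps.build.outputs.artifact_name }}
    steps:
      - name: Import build secrets
        uses: hashicorp/vault-action@v2
        with:
          url: https://vault.example.com      # placeholder
          method: jwt
          role: ci-build                      # placeholder role
          exportEnv: true
          secrets: |
            secret/data/ci token | BUILD_TOKEN
      - name: Build
        id: build
        run: |
          test -n "$BUILD_TOKEN"              # masked env var, usable in this job
          echo "artifact_name=app-${GITHUB_SHA::8}" >> "$GITHUB_OUTPUT"

  deploy:
    runs-on: ubuntu-latest
    needs: build
    permissions:
      id-token: write
    steps:
      - name: Import deploy secrets           # fetched again, inside this job
        uses: hashicorp/vault-action@v2
        with:
          url: https://vault.example.com      # placeholder
          method: jwt
          role: ci-deploy                     # separate, narrower placeholder role
          exportEnv: true
          secrets: |
            secret/data/deploy token | DEPLOY_TOKEN
      - name: Deploy
        env:
          ARTIFACT: ${{ needs.build.outputs.artifact_name }}
        run: |
          test -n "$DEPLOY_TOKEN"
          echo "deploying $ARTIFACT"
```

Using a distinct Vault role per job keeps each job's OIDC identity scoped to the secrets it actually needs, and the expression value is passed through `env` rather than interpolated into the script.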
