I have this workflow:

```yaml
name: my-workflow
on:
  push:
  pull_request:
    branches: ["_.//"]
  workflow_dispatch:
jobs:
  set-var:
    runs-on: [ self-hosted, linux, enterprise ]
    name: set-var
    steps:
      - name: Import Secrets
        id: import-secrets
        uses: hashicorp/[email protected]
        with:
          url: https://vault-enterprise.my-company.com
          method: approle
          path: approle-busapp
          roleId: ${{ vars.VAULT_ROLEID }}
          secretID: ${{ secrets.VAULT_SECRET_ID }}
          namespace: abc/efg
          secrets: |
            DEV/data/SECRETS a | A ;
            DEV/data/SECRETS b | B ;
            DEV/data/SECRETS c | C ;
      - id: set-var
        run: |
          A="${{ env.A }}"
          B="${{ env.B }}"
          C="${{ env.C }}"
          echo "A=$A" >> $GITHUB_OUTPUT
          echo "B=$B" >> $GITHUB_OUTPUT
          echo "C=$C" >> $GITHUB_OUTPUT
    outputs:
      A: ${{ steps.set-var.outputs.A }}
      B: ${{ steps.set-var.outputs.B }}
      C: ${{ steps.set-var.outputs.C }}
  job-1:
    needs: [set-var]
    name: job-1
    runs-on: [ self-hosted, linux, enterprise ]
    container:
      image: company-artifactory/my-actions-runner-image:latest
      credentials:
        username: ${{ needs.set-var.outputs.A }}
        password: ${{ needs.set-var.outputs.B }}
    env:
      C: ${{ needs.set-var.outputs.C }}
    steps:
      - name: echo
        run: |
          echo $C
  job-2:
    needs: [set-var]
    name: job-2
    runs-on: [ self-hosted, linux, enterprise ]
    container:
      image: company-artifactory/my-actions-runner-image:latest
      credentials:
        username: ${{ needs.set-var.outputs.A }}
        password: ${{ needs.set-var.outputs.B }}
    env:
      C: ${{ needs.set-var.outputs.C }}
    steps:
      - name: echo
        run: |
          echo $C
```
As you can see, I am using a custom image, `company-artifactory/my-actions-runner-image:latest`, as the runner image to run job-1 and job-2 in a container, and it needs credentials to pull the image.

I am trying to use `needs.set-var.outputs.A` and `needs.set-var.outputs.B` to pull the secret from Vault, but it seems like GitHub Actions does not support this. I don't have access to `needs.outputs` in `container.credentials`.

How can I make it work?

Another concern I have is sharing secrets between jobs. How do I do this securely? Right now I am seeing a warning that the secret shared as an output is not secure.
UPDATE

I am adding a new version of the question here to clarify one part of the question.

```yaml
name: my-workflow
on:
  push:
  pull_request:
    branches: ["_.//"]
  workflow_dispatch:
jobs:
  job-0:
    runs-on: [ self-hosted, linux, enterprise ]
    name: job-0
    steps:
      - name: Import Secrets
        id: import-secrets
        uses: hashicorp/[email protected]
        with:
          url: https://vault-enterprise.my-company.com
          method: approle
          path: approle-busapp
          roleId: ${{ vars.VAULT_ROLEID }}
          secretID: ${{ secrets.VAULT_SECRET_ID }}
          namespace: abc/efg
          secrets: |
            DEV/data/SECRETS a | A ;
      - id: print-secret
        run: |
          echo $A
          echo "${{ env.A }}"
      - id: set-env
        run: |
          AAA="${{ env.A }}"
          echo "AAA=$AAA" >> $GITHUB_OUTPUT
      - id: test-set-env-step
        run: |
          echo "this is a test"
          echo ${{ steps.set-env.outputs.AAA }}
    outputs:
      AAA: ${{ steps.set-env.outputs.AAA }}
  job-1:
    needs: [job-0]
    name: job-1
    runs-on: [ self-hosted, linux, enterprise ]
    container:
      image: company-artifactory/my-actions-runner-image:latest
      credentials:
        username: ${{ needs.set-var.outputs.A }}
        password: ${{ needs.set-var.outputs.B }}
    env:
      B: ${{ needs.job-0.outputs.AAA }}
    steps:
      - name: echo
        run: |
          echo $A
          echo $AA
          echo $AAA
          echo $B
          echo ${{env.B}}
          echo ${{env.A}}
          echo ${{env.AA}}
          echo ${{env.AAA}}
```
- In job-0, in the step "print-secret", the value of "a" from Vault is successfully printed twice.
- In job-0, the "test-set-env-step" step does not print the value of "a".
- In job-1, the value of "a" from Vault is not printed at all.

Based on this question, I then did this:
```yaml
# ...
      - id: set-env
        run: |
          AAA=${{ env.A }}
          AAA=`echo -n $AAA | base64 -w 0`
          echo "AAA=$AAA" >> $GITHUB_OUTPUT
    outputs:
      AAA: ${{ steps.set-env.outputs.AAA }}
# ...
    steps:
      - name: echo
        run: |
          C=`echo -n ${{needs.job-0.outputs.AAA}} | base64 --decode`
# ...
```
but nothing got printed in the second job.
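The base64 hand-off between the two jobs, as an added local simulation that is not part of the original post or the workflow above: a temporary file stands in for `$GITHUB_OUTPUT`, and the function names (`export_output`, `import_output`, `round_trip_ok`) are hypothetical. It lets you confirm the encode/decode round trip is exact (no stray newline, no line wrapping) before relying on it in the runner.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): simulate handing a value from one
# job to another through $GITHUB_OUTPUT, base64-encoded so the output is not a
# verbatim copy of a masked secret. A temp file stands in for $GITHUB_OUTPUT;
# the function names below are hypothetical.
set -eu

# Job-0 side: append NAME=<base64 of VALUE> to the output file as one line.
# `tr -d '\n'` strips base64 line wrapping (portable equivalent of GNU `-w 0`);
# printf avoids the trailing newline that a bare `echo` would fold into the value.
export_output() {  # usage: export_output NAME VALUE OUTPUT_FILE
  name="$1"; value="$2"; out="$3"
  printf '%s=%s\n' "$name" "$(printf '%s' "$value" | base64 | tr -d '\n')" >> "$out"
}

# Job-1 side: read the last NAME= line from the output file and decode it.
# The decoded value is returned on stdout for assignment, not echoed to a log:
# masking covers the original secret, not its base64 form or a decoded copy.
import_output() {  # usage: var="$(import_output NAME OUTPUT_FILE)"
  name="$1"; out="$2"
  encoded="$(sed -n "s/^${name}=//p" "$out" | tail -n 1)"
  [ -n "$encoded" ] || { echo "output '$name' not found" >&2; return 1; }
  printf '%s' "$encoded" | base64 --decode
}

# Self-check: encode VALUE, decode it again, and confirm the round trip is exact
# and that the plaintext never lands in the output file. Returns 0 on success.
round_trip_ok() {  # usage: round_trip_ok VALUE
  value="$1"
  out="$(mktemp)"
  export_output AAA "$value" "$out"
  decoded="$(import_output AAA "$out")"
  if grep -Fq -- "$value" "$out"; then rm -f "$out"; return 1; fi
  rm -f "$out"
  [ "$decoded" = "$value" ]
}
```

Note that the poster's decode step assigns the result to `C` but never echoes it, so an empty log there does not by itself show the decode failed; call `round_trip_ok` with a constructed value to see the hand-off work end to end.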