GitHub Actions repository secret not passed correctly to re-usable workflow

Question
I have a GitHub Actions repository secret that I am able to use to authenticate into GCP. This works as expected when I use the secret within a workflow in the same repository as the secret. For example this workflow runs successfully:

```yaml
name: Auth to Google Cloud
on:
  push:
    branches: [ master ]
jobs:
  build:
    env:
      SERVICE_ACCOUNT: 'some-account.iam.gserviceaccount.com'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - id: auth
        name: Authenticate to Google Cloud
        uses: google-github-actions/auth@v1
        with:
          service_account: $SERVICE_ACCOUNT
          credentials_json: ${{ secrets.GCP_SA_KEY }}
```
However, when I try to accomplish the same via a re-usable workflow as described in the documentation, the auth step within the re-usable workflow fails with the following:

```text
Error: google-github-actions/auth failed with: retry function failed after 1 attempt: failed to parse service account key JSON credentials: unexpected token in JSON at position 0
```
Here is my caller workflow:

```yaml
name: Re-usable Demo
on:
  push:
    branches: [ master ]
  workflow_dispatch:
jobs:
  call-reusable-workflow:
    uses: my-organization/reusable-workflows/.github/workflows/reusable-workflow.yml@master
    with:
      service-account: 'some-account.iam.gserviceaccount.com'
    secrets:
      gcp-sa-key: ${{ secrets.GCP_SA_KEY }}
```
Here is the re-usable workflow itself (in a different repo):

```yaml
name: Re-usable Workflow
on:
  workflow_call:
    inputs:
      service-account:
        required: true
        type: string
    secrets:
      gcp-sa-key:
        required: true
jobs:
  build:
    env:
      SERVICE_ACCOUNT: ${{ inputs.service-account }}
      GCP_SA_KEY: ${{ secrets.gcp-sa-key }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - id: auth
        name: Authenticate to Google Cloud
        uses: google-github-actions/auth@v1
        with:
          service_account: $SERVICE_ACCOUNT
          credentials_json: $GCP_SA_KEY
```
Note that the service account is passed correctly. I printed it in the re-usable workflow. Only the secret is not working. How can I fix this?
I have tried passing it as input, as well as using it directly without creating a variable for it, both to no avail.
Answer 1
Score: 2
When you use

```yaml
env:
  GCP_SA_KEY: ${{ secrets.gcp-sa-key }}
with:
  credentials_json: $GCP_SA_KEY
```

then GitHub Actions doesn't expand anything for you, but assigns the literal string `$GCP_SA_KEY` to the `credentials_json` input.
Now, if this is later used in a shell script, it might be expanded and imply that variables are always expanded – but we just don't know (and shouldn't rely on it).<sup>1</sup>
You could use an expression that accesses the value in the environment:

```yaml
env:
  GCP_SA_KEY: ${{ secrets.gcp-sa-key }}
with:
  credentials_json: ${{ env.GCP_SA_KEY }}
```
Now, the Actions runner does the expansion before the action ever gets to see the value.
At this point, there's no value in even assigning it to an environment variable first (unless the action relies on specific values in the environment, of course), so you can simplify to

```yaml
with:
  credentials_json: ${{ secrets.gcp-sa-key }}
```
<sup>1</sup> More precisely, if it works, it's actually a sign that the action is vulnerable to shell injection.
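As an added check, not part of the question or the answer above: a dependency-free scanner that flags `with:` inputs carrying a bare `$VAR` (the exact misconfiguration in the question), run over a trimmed copy of the question's reusable-workflow job and over the answer's fixed form. It assumes space-indented YAML and mapping-style `with:` blocks, which is what both workflows on this page use.

```python
import re
# Bare shell-style reference ($NAME or ${NAME}); a ${{ ... }} expression does not match.
BARE_VAR = re.compile(r"\$(?!\{\{)(?:\{[A-Za-z_]\w*\}|[A-Za-z_]\w*)")

def find_bare_vars_in_with(workflow_text: str) -> list[tuple[int, str, str]]:
    """(line_no, input_name, value) for every with: input holding a bare $VAR.
    The runner expands only ${{ ... }}, so such a value reaches the action
    verbatim; if the action still "works", it is expanding it in a shell."""
    findings = []
    with_indent = None  # indentation of the enclosing with: line, if inside one
    for line_no, raw in enumerate(workflow_text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments do not end a block
        indent = len(raw) - len(raw.lstrip(" "))
        stripped = raw.strip()
        if with_indent is not None and indent <= with_indent:
            with_indent = None  # dedented past the with: mapping
        if with_indent is None:
            if stripped == "with:":
                with_indent = indent
            continue  # run:/env: lines legitimately use $VAR, so they are skipped
        name, sep, value = stripped.partition(":")
        if sep and BARE_VAR.search(value):
            findings.append((line_no, name.strip(), value.strip()))
    return findings

# Constructed sample: the failing job from the question, trimmed to its essentials.
BROKEN = """\
jobs:
  build:
    env:
      SERVICE_ACCOUNT: ${{ inputs.service-account }}
      GCP_SA_KEY: ${{ secrets.gcp-sa-key }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - id: auth
        uses: google-github-actions/auth@v1
        with:
          service_account: $SERVICE_ACCOUNT
          credentials_json: $GCP_SA_KEY
      - run: echo "$RUNNER_OS"
"""
# The answer's fix: let the runner expand the expressions before the action sees them.
FIXED = (BROKEN.replace("$SERVICE_ACCOUNT", "${{ inputs.service-account }}")
               .replace("$GCP_SA_KEY", "${{ secrets.gcp-sa-key }}"))

if __name__ == "__main__":
    print(find_bare_vars_in_with(BROKEN))  # two findings, on lines 12 and 13
    print(find_bare_vars_in_with(FIXED))   # []
```

The `run:` step with `$RUNNER_OS` is deliberately left unflagged: shell expansion is expected there, and only `with:` inputs are passed to an action unexpanded.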