I have a GitHub Actions workflow template which gets parameters from the GitHub environment secrets.
One of these secrets contains all variables and secrets to build up terraform.
The secret looks something like:
admin_uid="Bob"
admin_pwd="Hello$Bob"
server_url="http://blabla"
Before I can pass this secret to my Terraform step I must resolve the values. Therefore I use the following:
- name: Setup terraform variables
  shell: bash
  run: |
    cat <<'EOF' >terraform.tfvars
    ${{ inputs.tfvars-content }}
    EOF
This just works fine.
The problem is that, before the bash command is executed, GitHub prints the command and the line with the $ in it is also printed. That is bad, because the admin password should not be visible within the GitHub output.
How to prevent GitHub from printing secrets with a $ in it to the output when summarising the command?
Pass the data containing the secret through the environment:
- name: Setup terraform variables
  shell: bash
  run: |
    # The heredoc delimiter must be unquoted so that $TFVARSCONTENT is expanded;
    # with <<'EOF' the file would contain the literal text "$TFVARSCONTENT".
    # The expanded value is not re-expanded, so a "$" inside the secret is kept as-is.
    cat <<EOF >terraform.tfvars
    $TFVARSCONTENT
    EOF
  env:
    TFVARSCONTENT: ${{ inputs.tfvars-content }}
You could add a step beforehand to register the secret correctly:
- name: Setup terraform variables
  shell: bash
  run: |
    # Quote the expansion so the value is passed to the runner unchanged
    echo "::add-mask::$ADMIN_PWD"
  env:
    ADMIN_PWD: ${{ inputs.admin-pwd }}
Ideally the secret itself is passed as a separate value to the template and marked as a secret there, or in the calling workflow:
on:
  workflow_call:
    secrets:
      admin-pwd:
        description: 'A token passed from the caller workflow'
        required: true
That way any value passed to that parameter is automatically masked in log output in the future.
You'd then need to change the syntax from inputs.admin-pwd to secrets.admin-pwd.
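As an added example (not code from the question or the answer), the script below runs the env-variable approach locally: it writes the tfvars file from the variable, both with printf and with the unquoted heredoc, and emits a ::add-mask:: command for every value in the bundle so that each one is redacted if it shows up in later step output. It assumes the secret keeps the key="value" line shape shown in the question; the sample content is constructed.

```shell
# Constructed sample of the bundled secret. In the workflow it arrives through
#   env:
#     TFVARSCONTENT: ${{ inputs.tfvars-content }}
TFVARSCONTENT='admin_uid="Bob"
admin_pwd="Hello$Bob"
server_url="http://blabla"'

# Write the tfvars file from the environment variable with printf.
# The value is expanded once and never re-expanded, so "Hello$Bob" stays intact.
write_tfvars() {
  printf '%s\n' "$TFVARSCONTENT" > "$1"
}

# Same result with the heredoc form from the answer. The delimiter must be
# UNQUOTED: with <<'EOF' the file would contain the literal text $TFVARSCONTENT.
write_tfvars_heredoc() {
  cat <<EOF > "$1"
$TFVARSCONTENT
EOF
}

# Emit a ::add-mask:: workflow command for every key="value" line of the bundle.
# Inside a step the runner reads these from stdout and redacts the values
# afterwards; here they are just printed so they can be inspected.
mask_tfvars_values() {
  printf '%s\n' "$TFVARSCONTENT" | while IFS= read -r line; do
    case "$line" in
      *=\"*\")
        value="${line#*=\"}"   # strip everything up to and including =" 
        value="${value%\"}"    # strip the closing quote
        printf '::add-mask::%s\n' "$value"
        ;;
    esac
  done
}

# Number of values that were registered for masking.
count_masked() {
  mask_tfvars_values | grep -c '^::add-mask::'
}
```

Masking is best-effort: the runner only redacts exact matches of the registered string, so values must be registered before any step that might print them.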