Skip to content
/ wait-for-secrets Public
forked from step-security/wait-for-secrets

Waits for secrets to be entered during a GitHub Actions workflow run. The secrets can be entered using a web browser

License

Apache-2.0 license
1 star 16 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

classicvalues/wait-for-secrets

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

60 Commits

.github/workflows

.github/workflows

 
 

dist

dist

 
 

images

images

 
 

src

src

 
 

.gitignore

.gitignore

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

action.yml

action.yml

 
 

package-lock.json

package-lock.json

 
 

package.json

package.json

 
 

tsconfig.json

tsconfig.json

 
 

Repository files navigation

wait-for-secrets

GitHub Action that waits for secrets to be entered during a workflow run. The secrets can be entered using a web browser.

Why?

  • To enable using one-time password (OTPs) for a release workflow.
  • To remove need to persist secrets in GitHub Secrets.
  • You have more control over when secrets get used in your workflows.
  • Even if someone has write access to the repository, they do not get access to the secrets

How?

  1. Add the wait-for-secrets GitHub Action to your workflow and specify the secrets you need.
  2. The Action will print a URL in the build log every 10 seconds.
  3. Click on the URL and enter the secrets that the workflow needs.
  4. The Action will get the secrets you entered in the browser and continue execution.
  5. Use the retreived secrets in future steps.

AWS Secrets

Example on how to provide AWS credentials during the workflow.

It needs the id-token: write permission to authenticate to the StepSecurity API. This is to ensure only the authorized workflow can retreive the secrets.

jobs:
  release:
    permissions:
      contents: read
      id-token: write
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/wait-for-secrets@v1
        id: wait-for-secrets
        with:
          secrets: |
            AWS_ACCESS_KEY_ID
            AWS_SECRET_ACCESS_KEY

      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ steps.wait-for-secrets.outputs.AWS_ACCESS_KEY_ID }}  
          aws-secret-access-key: ${{ steps.wait-for-secrets.outputs.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-west-2

Slack notification

You can get a notification on Slack when the secret needs to be entered. Set the slack-webhook-url as shown below. This example also shows how to publish to NPM registry using an OTP.

jobs:
  release:
    permissions:
      contents: read
      id-token: write
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/wait-for-secrets@v1
        id: wait-for-secrets
        with:
          slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}
          secrets: |
            otp
            npm_token
      - run: | 
          echo "//registry.npmjs.org/:_authToken=$NODE_AUTH_TOKEN" > .npmrc
          npm publish --otp ${{ steps.wait-for-secrets.outputs.otp }}
        env:
          NODE_AUTH_TOKEN: ${{ steps.wait-for-secrets.outputs.npm_token }}

Actual examples

Here are a couple of workflows that use wait-for-secrets

  1. https://github.com/step-security/secure-workflows/blob/main/.github/workflows/release.yml#L36-L49
  2. https://github.com/step-security/wait-for-secrets/blob/main/.github/workflows/release.yml#L35-L44

About

Waits for secrets to be entered during a GitHub Actions workflow run. The secrets can be entered using a web browser

Resources

Readme

License

Apache-2.0 license
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • TypeScript 100.0%