[FEAT]
mneverov opened this issue · 6 comments
It would be nice to have the possibility to share the output from the vault action.
Currently, with the setup below, if I reference the output in another job it is empty. My understanding is that the output is only available within the same job for subsequent steps.
```yaml
name: Secrets
on:
  workflow_call:
    outputs:
      TOKEN:
        value: ${{ jobs.secrets.outputs.TOKEN }}
jobs:
  secrets:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    outputs:
      TOKEN: ${{ steps.secrets.outputs.TOKEN }}
    steps:
      - name: Import Secrets
        id: secrets
        uses: hashicorp/vault-action@v2
        with:
          ...
          secrets: |
            somepath VAR | TOKEN
```
@mneverov Hello, I am sorry you are having trouble.
To use job outputs in a dependent job, you can use the needs context.
For more information, see "Context and expression syntax for GitHub Actions."
Hopefully that helps! However, I am not sure how this will work with workflow_call.
We reserve GitHub issues for bug reports and feature requests, which this doesn't appear to be. As such, I'm going to close this and suggest that you ask about this at Vault.
Hi @fairclothjm, the same holds true for the dependent jobs, i.e. the outputs are empty. It only works inside the same job, where the secrets are shared between steps.
@mneverov Thanks for the feedback. Could you please provide a minimal config that reproduces the issue?
@fairclothjm ptal
```yaml
name: Test
on:
  pull_request:
    branches:
      - main
jobs:
  get-secrets:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    outputs:
      TOKEN: ${{ steps.secrets.outputs.TOKEN }}
    steps:
      - name: Import Secrets
        id: secrets
        uses: hashicorp/vault-action@v2
        with:
          url: <some-url>
          method: jwt
          role: some-role
          jwtGithubAudience: sigstore
          exportEnv: true
          secrets: |
            /foo/bar VAR | TOKEN
      - name: print
        id: print
        run: |
          echo ${{ env.TOKEN }} # <--- prints ***
  print:
    runs-on: ubuntu-latest
    needs: get-secrets
    steps:
      - name: print
        run: |
          echo ${{ env.TOKEN }} # <--- prints nothing
          echo ${{ needs.get-secrets.outputs.TOKEN }} # <--- prints nothing
          echo ${{ needs.get-secrets.result }} # <--- prints "success"
```
Hey @mneverov, thanks for that example, this is useful. I tried it on my side and can confirm that secrets pulled by vault-action cannot be transferred to other jobs via outputs. Sample code:
```yaml
name: Cross-Job-Outputs
on:
  push:
jobs:
  job1:
    runs-on: ubuntu-latest
    outputs:
      VAULT_ACTION: ${{ steps.vault-action.outputs.ACTION }}
      MANUAL_OUTPUT: ${{ steps.manual-output.outputs.MANUAL }}
    steps:
      - name: Vault Action
        id: vault-action
        uses: hashicorp/vault-action@v2.7.4
        with:
          url: ${{ secrets.VAULT_URL }}
          namespace: ${{ secrets.VAULT_NAMESPACE }}
          token: ${{ secrets.VAULT_TOKEN }}
          secrets: |
            secret/data/sample-secret first-secret | ACTION
      - name: Manual Output
        id: manual-output
        run: |
          echo "MANUAL=hello" >> "$GITHUB_OUTPUT"
  job2:
    runs-on: ubuntu-latest
    needs: job1
    steps:
      - name: print
        run: |
          echo Action:
          echo ${{ needs.job1.outputs.VAULT_ACTION }} # <--- prints nothing
          echo Manual:
          echo ${{ needs.job1.outputs.MANUAL_OUTPUT }} # <--- prints "hello", this method works
```
Unfortunately, it looks like a built-in behavior for GitHub Actions. Sensitive and masked outputs are skipped and unavailable to downstream jobs. A potential solution would be not to mask Vault secrets as requested in #322, but we feel like not treating Vault secrets as sensitive opens up too many risks even if it'd sometimes be convenient.
We can see in the execution results of the job defined above that the vault-action output is explicitly skipped by GitHub:
Let us know if that explanation and reasoning make sense. If that's ok, I'll close this issue so we can consolidate the discussions in #322 as this would be the solution to share outputs across jobs if implemented.
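To make the behaviour discussed in this thread concrete, here is an added example (not code from this issue, from vault-action, or from GitHub's runner): a small Python model of what happens between `job1` writing to `$GITHUB_OUTPUT` and `job2` reading `needs.job1.outputs`. It parses the `$GITHUB_OUTPUT` file format (`KEY=value` lines and `KEY<<DELIM` heredoc blocks) and then drops any output whose value contains a masked secret, which is the observed effect the maintainers describe. The exact rule GitHub applies internally is an assumption here; the sample file contents, the fake token value and the function names are constructed for the example.

```python
"""Model of cross-job output handling: parse a $GITHUB_OUTPUT file, then
drop outputs that contain masked values, as a dependent job would observe.
Added example; not GitHub's or vault-action's own implementation."""
import re
from typing import Dict, Iterable, List, Tuple

# `KEY<<DELIM` opens a multi-line value terminated by a line equal to DELIM.
HEREDOC_RE = re.compile(r"^([^=<]+)<<(.+)$")


def parse_github_output(text: str) -> Dict[str, str]:
    """Parse the $GITHUB_OUTPUT format into a dict of step outputs.

    Supports `KEY=value` and `KEY<<DELIM ... DELIM` blocks; later keys
    overwrite earlier ones, as the runner does.
    """
    outputs: Dict[str, str] = {}
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        if not line.strip():
            i += 1
            continue
        m = HEREDOC_RE.match(line)
        if m:
            key, delim = m.group(1).strip(), m.group(2).strip()
            body: List[str] = []
            i += 1
            while i < len(lines) and lines[i] != delim:
                body.append(lines[i])
                i += 1
            if i >= len(lines):
                raise ValueError(f"unterminated heredoc for output {key!r}")
            outputs[key] = "\n".join(body)
            i += 1
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed output line: {line!r}")
        outputs[key.strip()] = value
        i += 1
    return outputs


def filter_sensitive_outputs(
    outputs: Dict[str, str], masked_values: Iterable[str]
) -> Tuple[Dict[str, str], List[str]]:
    """Return (outputs a dependent job receives, keys that were skipped).

    Assumption modelled here: any output whose value contains a value that
    was registered as masked (vault-action masks every secret it pulls)
    is withheld from `needs.<job>.outputs` rather than forwarded.
    """
    masked = [m for m in masked_values if m]
    kept: Dict[str, str] = {}
    skipped: List[str] = []
    for key, value in outputs.items():
        if any(m in value for m in masked):
            skipped.append(key)
        else:
            kept[key] = value
    return kept, skipped


# Constructed sample of job1's $GITHUB_OUTPUT: one value written by the
# vault-action step (a fake token), one by the manual step, one multi-line.
SAMPLE_GITHUB_OUTPUT = """\
ACTION=fake-vault-token-0123
MANUAL=hello
NOTES<<EOF
line one
line two
EOF
"""
# Constructed set of values the job registered as masked.
MASKED_VALUES = {"fake-vault-token-0123"}


def demo() -> Tuple[Dict[str, str], List[str]]:
    """What job2 would see for the constructed sample."""
    return filter_sensitive_outputs(parse_github_output(SAMPLE_GITHUB_OUTPUT), MASKED_VALUES)


if __name__ == "__main__":
    kept, skipped = demo()
    for key, value in kept.items():
        print(f"forwarded to dependent job: {key}={value!r}")
    for key in skipped:
        print(f"skipped (contains masked value): {key}")
```

Running it shows `MANUAL` and `NOTES` reaching the dependent job while `ACTION` is withheld, which matches the thread's sample: plain values cross job boundaries through `$GITHUB_OUTPUT`, masked Vault secrets do not. The workable pattern under that constraint is the one the first workflow in the thread already uses per job: give each job that needs the secret its own `id-token: write` permission and its own vault-action step, so the secret never has to leave the job that fetched it.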