yesolutions/mirror-action

Support alternative names for the GIT_PASSWORD secret

Closed this issue · 3 comments

artob commented

Because GitHub Actions secrets are scoped to a GitHub repository, it means that it is currently impossible to push to two different mirrored endpoints in the same workflow (or even in multiple workflows for one repository). For example, I was unable to get this configuration to work:

workflow "Mirror to GitLab and Bitbucket" {
  on = "push"
  resolves = ["Push to GitLab", "Push to Bitbucket"]
}

action "Push to GitLab" {
  uses = "spyoungtech/mirror-action@master"
  args = "https://gitlab.com/artob/dotfiles.git"
  env = {
    GIT_USERNAME = "artob"
  }
  secrets = ["GIT_PASSWORD"]
}

action "Push to Bitbucket" {
  uses = "spyoungtech/mirror-action@master"
  args = "https://bitbucket.org/artob/dotfiles.git"
  env = {
    GIT_USERNAME = "x-token-auth"
  }
  secrets = ["GIT_PASSWORD"]
}

The problem is that the GIT_PASSWORD secret will be the same for all actions, which cannot succeed.

Assuming GitHub Actions will continue to scope all secrets to the repository, and not allow secrets scoped to a workflow or action, I don't see any other workaround than making the secret's environment variable name configurable.

For example, the secret's environment variable name could be passed as a second argument, as follows:

action "Push to Bitbucket" {
  uses = "spyoungtech/mirror-action@master"
  args = ["https://bitbucket.org/artob/dotfiles.git", "GIT_PASSWORD_BITBUCKET"]
  env = {
    GIT_USERNAME = "x-token-auth"
  }
  secrets = ["GIT_PASSWORD_BITBUCKET"]
}

Thoughts?

Makes perfect sense to me. I think the solution you propose is a good idea. I'll work on implementing in the near term.

artob commented

An alternative formulation that might perhaps be a little cleaner than my previous suggestion:

action "Push to Bitbucket" {
  uses = "spyoungtech/mirror-action@master"
  args = ["https://bitbucket.org/artob/dotfiles.git"]
  env = {
    GIT_USERNAME = "x-token-auth"
    GIT_PASSWORD_VAR = "GIT_PASSWORD_BITBUCKET"
  }
  secrets = ["GIT_PASSWORD_BITBUCKET"]
}

In this case, GIT_PASSWORD_VAR would default to GIT_PASSWORD, but allow the override when necessary.

BTW, I contacted GitHub support about the scoping of GitHub Actions secrets, referencing this issue, and they responded that they've noted it as a feature request. No guarantees they'll allow more narrow scoping in the future, but at least they're aware of the problem.
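The GIT_PASSWORD_VAR indirection proposed in this comment, as an added shell example that is not mirror-action's own code: it resolves the secret from the configured variable name (defaulting to GIT_PASSWORD), refuses anything that is not a plain identifier before doing the indirect lookup, masks the value in the job log, and hands it to git through a credential helper rather than the remote URL. The names resolve_git_password, RESOLVED_GIT_PASSWORD and mirror_push are hypothetical.

```shell
#!/bin/sh
# Added example (not mirror-action's entrypoint): resolve the push password
# from a configurable secret name. GIT_PASSWORD_VAR names the environment
# variable that holds the secret and defaults to GIT_PASSWORD, as proposed
# in the issue. RESOLVED_GIT_PASSWORD and mirror_push are hypothetical names.

resolve_git_password() {
  rgp_name="${GIT_PASSWORD_VAR:-GIT_PASSWORD}"

  # Accept only a plain identifier before the indirect lookup below, so a
  # malformed GIT_PASSWORD_VAR cannot make eval expand anything else.
  if ! printf '%s' "$rgp_name" | grep -Eq '^[A-Za-z_][A-Za-z0-9_]*$'; then
    echo "GIT_PASSWORD_VAR '$rgp_name' is not a valid variable name" >&2
    return 2
  fi

  # POSIX indirect expansion: read the variable whose name is in rgp_name.
  eval "rgp_value=\${$rgp_name}"
  if [ -z "$rgp_value" ]; then
    echo "secret '$rgp_name' is empty; add it to this action's secrets list" >&2
    return 1
  fi

  # Ask the Actions runner to redact the value if it ever reaches the job log.
  echo "::add-mask::$rgp_value"
  export RESOLVED_GIT_PASSWORD="$rgp_value"
}

# Push with the resolved credentials via an inline credential helper, so the
# secret never appears in the remote URL, in `git remote -v`, or in git errors.
# GIT_USERNAME is the variable the action already reads from `env`.
mirror_push() {
  mp_remote="$1"
  resolve_git_password || return $?
  git -c credential.helper='!f() { echo "username=$GIT_USERNAME"; echo "password=$RESOLVED_GIT_PASSWORD"; }; f' \
      push --mirror "$mp_remote"
}
```

Each mirrored endpoint then gets its own secrets entry (GIT_PASSWORD_BITBUCKET, GIT_PASSWORD_GITLAB) and a matching GIT_PASSWORD_VAR in its `env` block, while actions that set neither keep the existing GIT_PASSWORD behaviour.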

artob commented

With the release of GitHub Actions 2.0, I believe this has been overcome by events. The new YAML syntax for workflows should allow something like the following, which effectively solves the problem (not tested yet, though):

name: Mirror
on: push
jobs:
  mirrorToGitLab:
    name: Mirror to GitLab
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@master
    - name: Push to GitLab
      uses: spyoungtech/mirror-action@master
      env:
        GIT_USERNAME: artob
        GIT_PASSWORD: ${{ secrets.GITLAB_PASSWORD }}
      with:
        args: https://gitlab.com/artob/dotfiles.git
  mirrorToBitbucket:
    name: Mirror to Bitbucket
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@master
    - name: Push to Bitbucket
      uses: spyoungtech/mirror-action@master
      env:
        GIT_USERNAME: x-token-auth
        GIT_PASSWORD: ${{ secrets.BITBUCKET_PASSWORD }}
      with:
        args: https://bitbucket.org/artob/dotfiles.git