Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Environment variables vs outputs #14

Open
Danny-Smart opened this issue Jan 16, 2023 · 4 comments
Open

Environment variables vs outputs #14

Danny-Smart opened this issue Jan 16, 2023 · 4 comments
Labels
enhancement New feature or request

Comments

@Danny-Smart
Copy link

Hi

In the readme, you mention that environment variables are available to all steps within a job and that we should work to prevent them from being exploited or misused by malicious actions.

Would this issue be negated if the get-secrets action wrote the secrets as outputs rather than environment variables? The secrets wouldn't be automatically available to other steps, but could be passed into them explicitly as required, by the job itself.

From a security point of view, this feels to me like the more secure option; is there another advantage that environment variables have over outputs that would prevent this from being done?

@jbct
Copy link

jbct commented Feb 2, 2023

Thanks for the feedback, we'll note this as an enhancement request.

@Olfi01
Copy link

Olfi01 commented May 12, 2023

PR #36 or #37 implements this (they are equivalent, one contains the compiled files in dist and one doesn't)

@int128
Copy link

int128 commented Feb 19, 2024

I really need this feature.
For using a composite action, it would be nice if we can use outputs instead.

When this action is called twice, it causes the following error:

Error: The environment name 'KEY' is already in use. Please use an alias to ensure that each secret has a unique environment name.

@davidt-gh
Copy link

I'm still not sure how we can consume the secret in job.
If I can't pass them into next step, what is the purpose of this action?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

5 participants