Our Thoughts on Modern Configuration and Secrets Management

Skipping Jobs in GitHub Actions when Secrets are Unavailable

Written by Jim King | Jun 1, 2021 5:14:00 PM

How to Securely Inject Configuration Secrets into GitHub

CloudTruth’s configure-action for GitHub allows you to securely inject configuration secrets into a GitHub Actions workflow. The build process for the action itself has a few jobs that require a secret in order to demonstrate its behavior. For security reasons, GitHub normally withholds secrets from a pull request that comes from a fork. This becomes obvious very quickly when pull requests from Dependabot fail some build steps because the secrets were not available.

We added recording to our unit tests using a very nice wrapper around polly.js called @scaleleap/jest-polly, so that they can run even from a fork. That still left a few build jobs that demonstrate the action’s behavior and therefore require a real secret. Our first attempt to fix this was to make certain GitHub Actions jobs conditional on the presence of a secret:

jobs:
  demo:
    runs-on: ubuntu-latest
    # rejected by the workflow validator: the secrets context is not available in a job-level if
    if: ${{ secrets.CLOUDTRUTH_API_KEY != null }}
    steps:
      - ...

Unfortunately, this did not work – fortunately, the error message is pretty clear:

The workflow is not valid. .github/workflows/demo.yml (Line: 4, Col: 9): 
  Unrecognized named-value: 'secrets'. 
  Located at position 1 within expression: secrets.CLOUDTRUTH_API_KEY != null

The GitHub documentation about this conditional is vague, stating that only supported contexts can be used, but it does not specify which ones are supported. Sadly, it looks like secrets are one of the unsupported contexts. 😞

Fortunately, the needs context is supported in job conditionals, and though it is more verbose than one might like, it correctly limits job execution to situations where secrets are available. The secrets-gate job runs a step that checks whether the secret has any content and exposes the result as a job output for other jobs to check:

jobs:
  secrets-gate:
    runs-on: ubuntu-latest
    outputs:
      # expose the step output as a job output so that dependent jobs can read it via needs
      ok: ${{ steps.check-secrets.outputs.ok }}
    steps:
      - name: check for secrets needed to run demo
        id: check-secrets
        # only the presence of the secret is tested; its value is never printed
        run: |
          if [ ! -z "${{ secrets.CLOUDTRUTH_API_KEY }}" ]; then
            # ::set-output was deprecated in October 2022; on current runners use:
            #   echo "ok=true" >> "$GITHUB_OUTPUT"
            echo "::set-output name=ok::true"
          fi

  demo:
    needs:
      - secrets-gate
    # the secrets context is not allowed here, but the needs context is
    if: ${{ needs.secrets-gate.outputs.ok == 'true' }}
    runs-on: ubuntu-latest
    steps:
      - ...

With this addition to the GitHub Actions workflow files, we were able to make certain jobs conditional on the presence of secrets. This allows our own pull requests and pushes into the main branch to run everything, while pull requests from forks are able to complete all the steps that do not require secrets – namely the unit tests and code security sweep.
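The gate step above is the part that is easiest to get subtly wrong, so here is its body written as a stand-alone script that can be run and tested outside of GitHub Actions. This is an added example, not CloudTruth’s code or the action’s own build workflow. It assumes (neither assumption is from the post) that the workflow hands the secret to the step through an environment variable rather than interpolating it into the script text, and that the runner sets GITHUB_OUTPUT, the file that current runners use in place of ::set-output. The script path in the comment is hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not CloudTruth's code): the "secrets-gate" step as a script.
# Assumed workflow wiring (hypothetical path):
#
#   - id: check-secrets
#     env:
#       CLOUDTRUTH_API_KEY: ${{ secrets.CLOUDTRUTH_API_KEY }}
#     run: ./scripts/secrets-gate.sh || true   # the gate itself must not fail
#
# Passing the secret via env keeps it out of the rendered script text, and
# the step never echoes the value, only whether one is present.

# secrets_gate VAR_NAME [OUTPUT_FILE]
#   Appends "ok=true" or "ok=false" to OUTPUT_FILE (default: $GITHUB_OUTPUT)
#   and returns 0 when the named variable holds a non-blank value, 1 otherwise.
secrets_gate() {
  var_name=$1
  out_file=${2:-${GITHUB_OUTPUT:-/dev/stdout}}

  # Accept only a plain identifier before the name reaches eval.
  case "$var_name" in
    "" | *[!A-Za-z0-9_]*)
      echo "secrets_gate: invalid variable name" >&2
      return 2
      ;;
  esac

  # Read the variable named in $var_name without printing it anywhere.
  eval "value=\${$var_name:-}"

  # A secret that is defined but blank (or whitespace only) counts as missing:
  # a job gated on it would fail later anyway, so report it honestly here.
  value=$(printf '%s' "$value" | tr -d '[:space:]')

  if [ -n "$value" ]; then
    ok=true
  else
    ok=false
  fi
  unset value

  # Same shape as the ::set-output replacement: one "name=value" line.
  printf 'ok=%s\n' "$ok" >> "$out_file"
  echo "secret $var_name available: $ok"
  [ "$ok" = true ]
}

# When executed by an Actions runner (GITHUB_ACTIONS=true), act as the step.
if [ "${GITHUB_ACTIONS:-}" = "true" ]; then
  secrets_gate CLOUDTRUTH_API_KEY || true
fi
```

The dependent job then keeps the same condition as in the workflow above, `if: ${{ needs.secrets-gate.outputs.ok == 'true' }}`. Because the gate only ever writes `true` or `false`, a fork pull request that receives no secret produces `ok=false` rather than an empty output, which makes the condition unambiguous.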

CloudTruth GitHub Action to securely inject secrets

CloudTruth provides configuration as a service that allows you to externalize your application secrets across all of your environments.

The CloudTruth Configure GitHub Action will securely inject configuration secrets into GitHub from CloudTruth’s secrets manager hosted on Vault. Specify a configured project and environment to select the required secrets and values for your pipeline. The action ensures that all of your sensitive information is redacted throughout the job.

About the Author: Jim King is a software engineer, architect, startup founder, and has contributed to a number of open-source projects including Apache Thrift and Boost.