Add `gh secret encrypt` command to encrypt a secret locally without sending to GitHub #4388
Comments
Hi, why would you need to print an encrypted secret without storing the value to repository or org secrets on GitHub?
Hi @mislav! The use-case I have in mind is specifically for infrastructure-as-code using Terraform. I am using infrastructure code to configure my Organization Secrets. Any value I provide to Terraform will be persisted in the Terraform State, and so if I pass in an unencrypted secret, the unencrypted secret will forever be a part of the infrastructure state (which is often uploaded to something like Azure Storage or Amazon S3).

```hcl
resource "github_actions_organization_secret" "service_account_credentials" {
  secret_name     = "my_secret"
  visibility      = "all"
  plaintext_value = "Hello, World! This is my secret value that is encrypted in GitHub but recoverable from the infrastructure state."
}
```

If I encrypt it before it enters my infrastructure code then I do not have to worry about what happens to the value -- essentially, the same principle as

```hcl
resource "github_actions_organization_secret" "service_account_credentials" {
  secret_name     = "my_secret"
  visibility      = "all"
  encrypted_value = "QkMFB+vyCCE2yT5j6Tb07doxD2xKHagI2l6AjMuwUkizN7pMGXKBVOj154Pg/hwn0PbPWFvo83z+ir25iw=="
}
```

The official GitHub Terraform provider specifically encourages encrypting the secret locally before sharing it with Terraform:

The non-hack way to do this at the moment is by using the code snippets in the GitHub Documentation. My current workflow is:

My ideal workflow would be:

Thanks,
Interesting! Thank you for explaining. It should definitely be easy for us to introduce an extra flag or command that causes the encrypted value to be printed instead of stored. Something like
Hi, I see you need some help with this; is it OK if I give it a try? I'm trying to get myself into open source.
Describe the feature or problem you’d like to solve
Proposed solution
Separate the encryption step and make it available as a separate command so that users can easily generate an encrypted secret for their repository/organisation in infrastructure automation. An alternative might be a simple flag on `set` (e.g. `--preview` or `--nowrite` or `--local`), but I think that would be semantically incorrect (the meaning of `set` is explicit).

Additional context

`github_actions_secret`) is unable to describe how to encrypt a secret

`gh secret encrypt` ..."

There are hacks to grab the encrypted value now, like enabling debugging with API output, which exposes the encrypted value in the request body -- and then deleted from the repository/organisation.
I'm happy to submit a Pull Request with an implementation for this if it's given the go-ahead.