Just to give some background, we are refactoring our action for fetching secrets and we are trying to keep it compatible with our old action, so that we don't have to rewrite all of the workflows to make it work. The old action would put all the secrets in environment variables, whereas the new action is using google-github-actions/get-secretmanager-secrets, which sets the secrets as outputs of the action. Like so:

steps:
- id: 'auth'
  uses: 'google-github-actions/auth@v2'
  with:
    workload_identity_provider: 'projects/123456789/locations/global/workloadIdentityPools/my-pool/providers/my-provider'
    service_account: '[email protected]'

- id: 'secrets'
  uses: 'google-github-actions/get-secretmanager-secrets@v2'
  with:
    secrets: |-
      token:my-project/docker-registry-token

# Example of using the output
- id: 'publish'
  uses: 'foo/bar@v1'
  env:
    TOKEN: '${{ steps.secrets.outputs.token }}'

What I have tried so far is to pass all the outputs to the next step to be set as environment variables. Something similar to:

- id: 'publish'
  uses: 'foo/bar@v1'
  env:
    SECRETS: '${{ steps.secrets.outputs }}'

However that gives me the following error:

Error: The template is not valid. action.yaml (Line: 4, Col: 18): A mapping was not expected

So it seems like I can't pass all the outputs to a script to set them as environment variables. I was hoping that someone might have an idea of how this might be accomplished.

If that is not possible, perhaps it is possible to expose the outputs to the caller of the composite action?

  • The structure of the output file and the env file in the github context are basically the same. Did you evaluate creating an action / script to loop over the output file and set all its values in the env file? (I've got an example here where you can see a variable is saved using the same code in both files in python. It should be possible to perform some automation manipulating those files using a similar logic). Commented May 17, 2024 at 17:18

1 Answer

You can pass all the outputs as a JSON object, like this:

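# A step takes either 'uses' or 'run', not both, so this is a plain run step
- id: 'publish'
  env:
    # Serialize every output of the 'secrets' step into one JSON string
    SECRETS: "${{ toJSON(steps.secrets.outputs) }}"
  run: |
    ...
    # Read the value from the environment; pasting the expression into the
    # script would break on the double quotes inside the JSON
    echo "$SECRETS"
    ...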

So you get something like this:

{
  "token": "my-token",
  "password": "my-password"
}
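
One way to turn that JSON into environment variables for later steps, as an added example that is not part of the original answer: it parses the `SECRETS` value and writes each entry to the `GITHUB_ENV` file in the multiline `NAME<<delimiter` form, emitting `::add-mask::` commands for each value. Upper-casing the names and rejecting `GITHUB_`-prefixed names are assumptions of this sketch, and `render_env_file` is a hypothetical helper name.

```python
import json
import os
import re
import secrets

# Only plain identifier-style names are accepted as variable names.
_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def render_env_file(outputs_json: str) -> tuple[str, list[str]]:
    """Return (text to append to $GITHUB_ENV, ::add-mask:: commands to print)."""
    outputs = json.loads(outputs_json)
    if not isinstance(outputs, dict):
        raise ValueError("expected a JSON object of step outputs")
    env_text, mask_cmds = [], []
    for name, value in outputs.items():
        # Assumption: 'token' is exported as 'TOKEN', as in the question.
        env_name = name.upper()
        if not _NAME_RE.match(env_name) or env_name.startswith("GITHUB_"):
            raise ValueError(f"refusing output name {name!r}")
        if not isinstance(value, str):
            raise ValueError(f"output {name!r} is not a string")
        # add-mask works on one line at a time, so mask each line separately.
        mask_cmds += [f"::add-mask::{ln}" for ln in value.splitlines() if ln]
        # Random delimiter so a value cannot close its own block early.
        delim = f"ghadelimiter_{secrets.token_hex(16)}"
        if delim in value:
            raise ValueError("delimiter collision, retry")
        env_text.append(f"{env_name}<<{delim}\n{value}\n{delim}\n")
    return "".join(env_text), mask_cmds


if __name__ == "__main__":
    # SECRETS is the env var set from toJSON(steps.secrets.outputs).
    body, masks = render_env_file(os.environ["SECRETS"])
    for cmd in masks:
        print(cmd)
    with open(os.environ["GITHUB_ENV"], "a", encoding="utf-8") as fh:
        fh.write(body)
```

Every later step in the job sees variables written to `GITHUB_ENV`, which is broader exposure than passing a single output to a single step.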