ex: MongoClient(username: mongodb_pass) instead of having the password in plain sight in the script.
Not having the credentials directly in the script is good practice, yes. That has nothing to do with masking, though.
You can use environment variable just like in the Actions workflow, you’ll just have to set them when you run the script. Just be aware of what else you run in the same environment and of shell history (if you use Bash, HISTCONTROL is your friend).
An alternative is to use a config file, just read the values from another file instead of coding them into the script. Python has built-in parsers for JSON and INI-style files. I like YAML, but that requires installing PyYAML. Obviously don’t commit that file, I recommend adding it to .gitignore.
You can even support both in your script: Read environment variables or config file depending on command line options or simply what’s available.
How to pass secrets from GitHub Actions to python environ variables? - Stack Overflow
git - How do I include GitHub secrets in a python script? - Stack Overflow
python - Using github with secret keys - Stack Overflow
Manage your GitHub Actions secrets, with a simple Python script
Videos
» pip install githubsecrets
There are three types of secrets within GitHub Actions.
- Organization secrets
- Repository secrets
- Environment secrets
To access Environment secrets, you have to referencing an environment in your job. (Thanks to @riQQ)
name: python
on: push
jobs:
test_env:
environment: TEST_SECRET
runs-on: ubuntu-latest
steps:
- name: Set up Python
uses: actions/setup-python@v2
with:
python-version: 3.8
- name: Test env vars for python
run: python -c 'import os;print(os.environ)'
env:
ENV_SECRET: ${{ secrets.ENV_SECRET }}
REPO_SECRET: ${{ secrets.REPO_SECRET }}
You try the things below:
- name: Test env vars for python
run: TEST_SECRET=${{ secrets.MY_TOKEN }} python -c 'import os;print(os.environ['TEST_SECRET'])
This will pass ${{ secrets.MY_TOKEN }} directly as an environment variable to the python process and not share with other processes. Then you can use os.environ['TEST_SECRET'] to get it.
I have done this here and here
- name: start bot
env:
TOKEN: ${{ secrets.SECRET }}
In the GitHub Action you named the variable secrets.SECRET but in environment variables you named it TOKEN. Either change the name of the environment variable to SECRET:
- name: start bot
env:
SECRET: ${{ secrets.SECRET }}
or change your code:
SECRET = os.environ['TOKEN']
The problem was that in the workflow.yml, the variable was named "TOKEN", and in the test.py it was called "SECRET"
# project/.gitignore
passwords.py
# project/passwords.py
GITHUB_KEY = '123'
GITHUB_KEY_SECRET = 'ABC'
GITHUB_TOKEN = '456'
GITHUB_TOKEN_SECRET = 'XYZ'
# project/my_script.py
from passwords import GITHUB_KEY, GITHUB_KEY_SECRET, GITHUB_TOKEN, GITHUB_TOKEN_SECRET
KEY = GITHUB_KEY
KEY_SECRET = GITHUB_KEY_SECRET
TOKEN = GITHUB_TOKEN
TOKEN_SECRET = GITHUB_TOKEN_SECRET
As hinted to by @chishaku, a good idea would be to save all your confidential information in a separate file that is not version controlled ie: is not known by git. You do this by adding it to the .gitignore file.
With this in place, you can safely commit your code to GitHub where everyone can see your project - however your confidential information and passwords are no where to be seen!
Within your project, you can now read that file (or import it) and use the information held within.
Keep in mind that when you (or someone else) accesses this project, you will have to ensure that your "secret" file exists since your project depends on it.
In my projects, creating this "secret" file is part of the deploy script. Something like:
echo '{"password": "123"}' > config.json && git checkout master
This line of code writes the (simple) settings file to config.json and only afterwards retrieves the latest code version from the master branch.
» pip install python-git-secrets
Hi all,
I found myself struggling with managing the GitHub Actions secrets from UI, so I wrote a very simple Python script which acts as a CLI - https://github.com/unfor19/githubsecrets
Enjoy!