You can pass-in Secrets as ENV variables.

Example:

   ...
   steps:
      - name: Git checkout
        uses: actions/checkout@v2

      - name: Use Node 12.x
        uses: actions/setup-node@v1
        with:
          node-version: 12.x

      - name: Install Dependencies (prod)
        run: yarn install --frozen-lockfile --production

      - name: Run Tests (JEST)
        run: yarn test --ci --silent --testPathIgnorePatterns=experimental
        env:
          CI: true
          API_KEY: ${{ secrets.API_KEY }}

In Node.js you can access it via process.env.API_KEY.

ex: MongoClient(username: mongodb_pass) instead of having the password in plain sight in the script.

Not having the credentials directly in the script is good practice, yes. That has nothing to do with masking, though.

You can use environment variable just like in the Actions workflow, you’ll just have to set them when you run the script. Just be aware of what else you run in the same environment and of shell history (if you use Bash, HISTCONTROL is your friend).

An alternative is to use a config file, just read the values from another file instead of coding them into the script. Python has built-in parsers for JSON and INI-style files. I like YAML, but that requires installing PyYAML. Obviously don’t commit that file, I recommend adding it to .gitignore.

You can even support both in your script: Read environment variables or config file depending on command line options or simply what’s available.

Automating the management of GitHub secrets can greatly enhance the security and efficiency of your development workflow. Here’s a step-by-step guide on how to achieve this:

Step 1: Use GitHub CLI
GitHub CLI (gh) is a powerful tool that allows you to interact with GitHub from the command line. You can use it to manage secrets programmatically.

Install GitHub CLI:
brew install gh # For macOS sudo apt install gh # For Ubuntu

Authenticate:
gh auth login

Step 2: Create a Secret
You can create a secret using the gh command. Here’s an example of how to add a secret to a repository:
gh secret set MY_SECRET --body "my_secret_value" --repo owner/repo

Step 3: Update a Secret
Updating a secret is similar to creating one. You just need to use the same command with the new value:
gh secret set MY_SECRET --body "new_secret_value" --repo owner/repo

Step 4: Delete a Secret
To delete a secret, use the following command:
gh secret remove MY_SECRET --repo owner/repo

Step 5: Automate with Scripts
You can automate these commands by writing scripts. For example, you can create a shell script to update secrets:
gh secret set MY_SECRET --body "$1" --repo owner/repo

Step 6: Integrate with CI/CD
Integrate the script into your CI/CD pipeline. For example, in GitHub Actions, you can create a workflow file:
name: Update Secret on: push: branches: - main jobs: update-secret: runs-on: ubuntu-latest steps: - name: Checkout code uses: actions/checkout@v2 - name: Update GitHub Secret run: | gh auth login --with-token ${{ secrets.GITHUB_TOKEN }} ./update_secret.sh "new_secret_value"

Best Practices
Use Environment Variables: Store sensitive values in environment variables and reference them in your scripts.
Rotate Secrets Regularly: Regularly update and rotate your secrets to minimize the risk of exposure.
Limit Access: Ensure that only necessary workflows and team members have access to the secrets.
By following these steps, you can automate the management of GitHub secrets, making your workflow more secure and efficient.

Seems the set secrets can't be read as json, so i just took the secret.json to a new private repository, then i placed its raw.githubusercontent.com/Username/main/secret.json?token=*** url (the url had the token query too) in a secret variable called GOOGLE_API_URL then in my action i just created a steps to download and set the credentials like this:

- name: Download credentials
        env:
          TOKEN: ${{ secrets.GOOGLE_API_URL }}
        run: |
          credentials=$(curl -s $TOKEN)
          echo "Downloaded credentials: $credentials"

      - name: Set credentials env var
        run: |  
          GOOGLE_APPLICATION_CREDENTIALS=$credentials
          echo "Credentials env var: $GOOGLE_APPLICATION_CREDENTIALS"

Hi @maksiksking

Yes, Github Pages is a static hosting site as metioned in the thread you mentioned. You can host the node.js web app/api on another hosting platform that supports node.js (eg. heroku, render, etc.). And have the frontend that consumes the api hosted in github pages.

Secrets are mainly used for Github Actions. Github Actions are used for CI/CD pipelines -- in simple terms, it's used to automate stuff like testing, linting, build & deploy, etc. when an event in Github triggers.

Secrets allow you to store sensitive information such as tokens that limit the permissions of these workflows. These automated workflows may need additional permission to access/modify certain stuff for example, but you don't want them to have admin access that they can just delete your repo. See example workflow snippet:

# sample workflow snippet
steps: 
  - name: Build and deploy
    working-directory: ./app
    run: npm run deploy
    env:
      token: ${{ secrets.DEPLOY_TOKEN }}
       # deploy token is used to build and deploy to a gh-pages branch 
       # (needs permission to create a branch, build the app and modify that branch, 
       # push changes to that branch, and deploy to github pages)

You can read more at the Github official docs: Using secrets in Github Actions