Happy new year! 🎉
Let’s start by doing something YOU SHOULD NEVER EVER DO.
The Problem
At $DAYJOB, a colleague who no longer works with us stored a useful piece of information in a GitHub secret and nowhere else. We usually also store these values in a team-shared password manager, so they can always be retrieved if needed, but apparently this one was missed.
We need a way to retrieve the secret. Fortunately, we have access to the repository where it is stored.
Disclaimer
This will output the secret in plain text in the GitHub Actions log, which usually is a VERY BAD IDEA. I don’t know for how long the logs are retained (a web search is telling me 90 days). I don’t know if the logs are still retained even after the workflow run is deleted.
The Solution
We’ll use a GitHub Actions workflow that prints the secret to the log.
1. Create a new branch in the repository where the secret is stored, name it something like ci_secret.
2. Create a new file in the .github/workflows directory, name it something like secret.yml.
3. Add the following content to the file:

       name: Secret
       on:
         workflow_dispatch:
         push:
           branches:
             - ci_secret
       jobs:
         secret:
           runs-on: ubuntu-latest
           steps:
             - name: print_secret
               run: |
                 # sed puts a space after every character so the log masker no longer matches the value
                 echo ${{ secrets.YOUR_SECRET_NAME }} | sed 's/./& /g'

   Remember to replace YOUR_SECRET_NAME with the name of the secret you want to print. You can also add multiple echo commands to print multiple secrets.

   The sed command adds a space between each character of the secret, so that GitHub does not replace the value with ***.
4. Commit the changes and push the branch to the repository.
5. See the logs of the workflow run in the GitHub Actions tab of the repository.
6. Delete the workflow run and the branch after you’ve retrieved the secret.
7. If possible, rotate the secret.
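A defender-side check for the pattern this workflow relies on, as an added example that is not part of the original post: a heuristic Python scan of a workflow file that flags shell lines which print a secret or pipe it into another command, where log masking cannot be relied on. The sample workflow, the DEPLOY_TOKEN name and deploy.sh are constructed for illustration.

```python
import re

# ${{ secrets.NAME }} used anywhere on a line
SECRET_EXPR = re.compile(r"\$\{\{\s*secrets\.[A-Za-z_][A-Za-z0-9_]*\s*\}\}")
# `VAR: ${{ secrets.NAME }}` under env: or with:, the normal way to hand a secret to a step
BINDING = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*:\s*\$\{\{\s*secrets\.")
PRINTS = re.compile(r"\b(echo|printf)\b")

def find_secret_prints(workflow_text):
    """Return (line_number, line) for shell lines that print a secret or pipe it onward."""
    lines = workflow_text.splitlines()
    # Names of variables bound to a secret, so `$VAR` counts as a secret reference too
    bound = {m.group(1) for m in map(BINDING.match, lines) if m}
    findings = []
    for number, line in enumerate(lines, 1):
        if BINDING.match(line):
            continue  # the binding itself does not write anything to the log
        direct = SECRET_EXPR.search(line)
        via_env = any(re.search(r"\$\{?" + re.escape(v) + r"\b", line) for v in bound)
        if (direct or via_env) and (PRINTS.search(line) or "|" in line):
            findings.append((number, line.strip()))
    return findings

# Constructed sample: the step from this post plus a step that uses a secret without printing it
SAMPLE = """\
name: Secret
on:
  push:
    branches:
      - ci_secret
jobs:
  secret:
    runs-on: ubuntu-latest
    env:
      DEPLOY_TOKEN: ${{ secrets.DEPLOY_TOKEN }}
    steps:
      - name: print_secret
        run: |
          echo ${{ secrets.YOUR_SECRET_NAME }} | sed 's/./& /g'
      - name: deploy
        run: ./deploy.sh --token "$DEPLOY_TOKEN"
"""

if __name__ == "__main__":
    for number, line in find_secret_prints(SAMPLE):
        print(f"line {number}: secret printed or piped: {line}")
```

This is a line-based heuristic, not a YAML parser, so treat its findings as review prompts for pull requests that touch .github/workflows rather than as proof of a leak.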