Comments (6)
@BALAGA-GAYATRI: Could you provide an update on this issue including:
- Reasoning for the deprecation originally (there was no issue nor additional details in the changes that explain why this might be necessary)
- Examples of how the suggested azure/cli action might be used as a suitable replacement (as @nicholasgibson2 mentions, I'm not 💯 how this is as easy of a migration given the use of outputs versus a free-form script)

I realize this action has largely been in maintenance mode since the few issue template changes you made approximately a year ago. Maybe some of the other contributors might have ideas about this given past experience.
cc: @kanika1894 @tspascoal @rakku-ms @romil07 @artsheiko
from get-keyvault-secrets.
@andyfeller
It is not like a total deprecation. The action keeps working even after archiving this repo. So existing workflows are not impacted and new workflows also work fine.
We can come up with more information around the reason for deprecation, roadmaps, and investments in this action soon along with the workaround CLI script.
from get-keyvault-secrets.
I would never use a deprecated action in any workflows even if they will still work after archiving. You should provide full details of alternatives or have a replacement action available when issuing a deprecation notice.
In any case I managed to get it working in a rudimentary way with Az CLI below:
env:
  keyvaultName: myvault
  secretName1: foo
  secretName2: bar
steps:
  - name: Az Keyvault Secrets # Using az cli to query keyvault as Azure/get-keyvault-secrets@v1 is deprecated
    id: keyvault
    run: |
      secrets=("$secretName1" "$secretName2")
      for secretName in "${secrets[@]}"
      do
        # Read the secret value from the vault as plain text
        value=$(az keyvault secret show --name "$secretName" --vault-name "$keyvaultName" --query value --output tsv)
        # Register the value for log masking before exposing it as a step output
        echo "::add-mask::$value"
        echo "::set-output name=$secretName::$value"
      done
    working-directory: ./
Output values have the same names as the secrets and are masked.
from get-keyvault-secrets.
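An added example, not part of the comment above or of the Azure/get-keyvault-secrets project: the same `az keyvault secret show` lookup wrapped so that a failed or empty lookup stops the step, every line of a multi-line secret is masked, and the output is written to the `GITHUB_OUTPUT` file with a random delimiter instead of the older `::set-output` command. The helper names `fetch_secret` and `emit_secret_output` are hypothetical.

```bash
#!/usr/bin/env bash
# Added example. fetch_secret and emit_secret_output are hypothetical helper names.

# Same az query as in the comment above; prints the secret value on stdout.
fetch_secret() {  # $1 = vault name, $2 = secret name
  az keyvault secret show --vault-name "$1" --name "$2" --query value --output tsv
}

emit_secret_output() {  # $1 = vault name, $2 = secret name
  local vault="$1" name="$2" value delim line

  # Stop the step if the lookup fails or comes back empty, instead of
  # silently exporting an empty output.
  if ! value="$(fetch_secret "$vault" "$name")" || [ -z "$value" ]; then
    echo "::error::could not read secret '$name' from vault '$vault'"
    return 1
  fi

  # Workflow commands are read one line at a time. Echoing a multi-line value
  # after a single ::add-mask:: would mask only its first line and print the
  # rest to the log, so each non-empty line is registered separately.
  printf '%s\n' "$value" | while IFS= read -r line; do
    if [ -n "$line" ]; then echo "::add-mask::$line"; fi
  done

  # Multi-line output syntax for GITHUB_OUTPUT. The delimiter is random so the
  # secret's own content cannot end the block early and add other outputs.
  delim="ghadelimiter_$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
  {
    echo "$name<<$delim"
    printf '%s\n' "$value"
    echo "$delim"
  } >> "$GITHUB_OUTPUT"
}

# In a workflow step: emit_secret_output "$keyvaultName" "$secretName1"
```
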
this is what I do as well, and it works well between steps of the same job, but when attempting to pass that masked secret to a 2nd job in the same workflow, the value can become unmasked in the GH Logs
from get-keyvault-secrets.
but when attempting to pass that masked secret to a 2nd job in the same workflow, the value can become unmasked in the GH Logs
@jku-sr: as far as I know, actions/runner will not allow you to pass outputs between jobs that are secrets: https://docs.github.com/en/actions/using-jobs/defining-outputs-for-jobs
from get-keyvault-secrets.
@andyfeller sharing secret across jobs works, maybe you are missing the output section for the job
job1:
  runs-on: ubuntu-latest
  # Map a step output to a job output
  outputs:
    output1: ${{ steps.step1.outputs.test }}
    output2: ${{ steps.step2.outputs.test }}
  steps:
    - id: step1
from get-keyvault-secrets.