How to retrieve a github actions secret

2 min read | by Jordi Prats

When using Github Actions secrets, it won't show any secrets on the action's logs: It is going to replace any string that matches with an existing secret with ***

There are several ways we can bypass this string substitution in order to get a github action secret, maybe the easiest way is to reverse the string so that the secret doesnt match the stored secret (so it doesn't get substituted). To do so we can use rev as follows:

name: Get Secret

on: [push]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Set up secret file
        env:
          DEBUG_TEST: ${{ secrets.AWS_DEPLOY_ROLE_CICD }}
        run: |
          echo $DEBUG_TEST | rev

This way we'll be able to see the secret on the github action's log, to reverse it back we just need to reverse it back:

$ echo "eloromed/tset/elor:678987654321::mai:swa:nra" | rev
arn:aws:iam::123456789876:role/test/demorole

We could so a similar thing using base64 instred of rev

Needless to say, reversing a string or encoding it in base64 is almost the same as keeping it as clear text, so as soon as we are able to retrieve it we should immediately delete the logs.

Posted on 24/08/2022

How to retrieve a github actions secret

Categories