How to retrieve a github actions secret

github action get secret

2 min read | by Jordi Prats

When using Github Actions secrets, it won't show any secrets on the action's logs: It is going to replace any string that matches with an existing secret with ***

There are several ways we can bypass this string substitution in order to get a github action secret, maybe the easiest way is to reverse the string so that the secret doesnt match the stored secret (so it doesn't get substituted). To do so we can use rev as follows:

name: Get Secret

on: [push]

    runs-on: ubuntu-latest
      - name: Set up secret file
          DEBUG_TEST: ${{ secrets.AWS_DEPLOY_ROLE_CICD }}
        run: |
          echo $DEBUG_TEST | rev

This way we'll be able to see the secret on the github action's log, to reverse it back we just need to reverse it back:

$ echo "eloromed/tset/elor:678987654321::mai:swa:nra" | rev

We could so a similar thing using base64 instred of rev

Needless to say, reversing a string or encoding it in base64 is almost the same as keeping it as clear text, so as soon as we are able to retrieve it we should immediately delete the logs.

Posted on 24/08/2022