#Github Actions secrets

Hello everyone.. I'm pretty new to both dagger and GHA so sorry if this is obvious..

When passing an access token to a dagger workflow as a Secret type, I think I need to use --token=env:TOKEN_SECRET, right?

I don't think secrets in GHA are accessible like that though, are they? It seems like they are expected to be used like ${{ secrets.TOKEN_SECRET }}.

Is it right that using a string type and passing the value like --token=${{ secrets.TOKEN_SECRET }} would include the value in the output logs?

Is there a suggested way I should be doing this?

Thanks in advance.

👋 here's an example on how we do it: https://github.com/dagger/dagger/blob/main/.github/workflows/publish.yml#L31-L65

we basically assingn the secret to a variable and use that instead

Weird.. I was doing the same but still getting authentication failures.

jobs:
  call-publish-image:
    name: Publish Image
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Dagger Action
        uses: dagger/dagger-for-github@v7
        with:
          call: build-and-publish --source=. --username=${{ secrets.ACCESS_ID }} --password=env:ACCESS_TOKEN --imgTag=v1.0.0-rc${{ github.sha }}
        env:
          ACCESS_ID: ${{ secrets.XPKG_ACCESS_ID }}
          ACCESS_TOKEN: ${{ secrets.XPKG_ACCESS_TOKEN }}

That seem about right?

What's the value of using Secret type and --myArg=env:WHATEVER vs a string type and --myArg=$WHATEVER?

using a random string will leak in the pipeline output

does it work if you call it locally with the correct credentials?

did you double check the credentials are correct in CI?

if it works locally, it should work in CI

Yeah it works locally. I created new secrets in GH too just to be certain that the values are correct.. Same behavior. This is the error from the pipeline:

push access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed 

@fringe citrus as I see in your snippet, is the username correct?

shouldn't the username be ${{ secrets.XPKG_ACCESS_ID }}?

seems like you're using the env variable ACCESS_ID name as a secret?

Oh yeah it is correct in the config.. I was just cleaning up to post publicly and guess I missed that. Woops. 😄

ok.. I guess what I'd do to see if the envs are being passed correctly is to print them in your pipeline and see if they show there. You'll have to base64 encode the secret or something since otherwise Dagger will mask the secret from the output by default

Ahh ok got it. I had tried that but wasn't sure why it wasn't working. I'll try to encode. Thanks.

I think there's a way to tell GHA to mask this as well: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/workflow-commands-for-github-actions#masking-a-value-in-a-log

@fringe citrus just checking if you were able to figure it out