The load-secrets action lets me export secrets into my GitHub Actions environment:
- name: Load secrets
  id: op-load-secret
  uses: 1password/load-secrets-action@v2
  env:
    OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
    FOO: op://MyVault/MyItem/Foo
    BAR: op://MyVault/MyItem/Bar
    BAZ: op://MyVault/MyItem/BaZ
This works, but it's duplicative with my .env.tpl file:
FOO = "op://MyVault/MyItem/Foo"
BAR = "op://MyVault/MyItem/Bar"
BAZ = "op://MyVault/MyItem/BaZ"
I process this file in local development with op run or op inject, e.g. op inject -i .env.tpl -o .env.
The first thing I tried was to load the .env.tpl file in a GitHub action and pipe it into $GITHUB_ENV:
- name: Install 1Password CLI
  uses: 1password/install-cli-action@v1
- name: Load Secrets
  run: op inject -i .env.tpl >> $GITHUB_ENV # <-- insecure; don't do this
This is a bad idea because those variables aren't marked as secrets. GitHub will log the values of FOO, BAR, and BAZ on every subsequent run step.
Perhaps something like
- name: Load secrets
  id: op-load-secret
  uses: 1password/load-secrets-action@v2
  env:
    OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
    OP_ENV_FILE: "path/to/.env.tpl"
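One way to keep the single .env.tpl while avoiding the unmasked $GITHUB_ENV problem described in the post, as an added example that is not code from the post or from 1Password: normalise each rendered `KEY = "value"` line, register the value with the runner's `::add-mask::` command, and only then append it to the env file. The rendered input here is constructed to stand in for the output of `op inject -i .env.tpl`; `normalize_env_line` and `mask_and_export` are hypothetical helper names.

```shell
#!/usr/bin/env sh
# Added example (not from the original post or 1Password). Masks values before
# they reach $GITHUB_ENV so later run steps do not print them in the log.

# normalize_env_line LINE -> prints KEY=value; prints nothing for blank,
# comment, malformed, or non-identifier lines (assumed .env.tpl style above).
normalize_env_line() {
  line=$1
  case "$line" in ''|'#'*) return 0 ;; esac
  case "$line" in *=*) ;; *) return 0 ;; esac
  key=${line%%=*}
  value=${line#*=}
  # trim surrounding whitespace, then strip one pair of matching quotes
  key=$(printf '%s' "$key" | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//')
  value=$(printf '%s' "$value" | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//; s/^"(.*)"$/\1/; s/^'\''(.*)'\''$/\1/')
  printf '%s\n' "$key" | grep -Eq '^[A-Za-z_][A-Za-z0-9_]*$' || return 0
  printf '%s=%s\n' "$key" "$value"
}

# mask_and_export RENDERED_FILE GITHUB_ENV_FILE
# Prints ::add-mask:: for each non-empty value (stdout is what the runner
# parses in a run step), appends KEY=value to the env file, and sets
# MASKED_COUNT. Single-line values only: multi-line values would need
# GITHUB_ENV's heredoc form and are out of scope here.
mask_and_export() {
  rendered=$1
  github_env=$2
  MASKED_COUNT=0
  while IFS= read -r raw || [ -n "$raw" ]; do
    entry=$(normalize_env_line "$raw")
    [ -n "$entry" ] || continue
    value=${entry#*=}
    # Mask first, so the value is redacted from every later log line.
    if [ -n "$value" ]; then printf '::add-mask::%s\n' "$value"; fi
    printf '%s\n' "$entry" >> "$github_env"
    MASKED_COUNT=$((MASKED_COUNT + 1))
  done < "$rendered"
}

# Demo on a constructed rendered file (stand-in for `op inject` output).
demo() {
  dir=$(mktemp -d)
  printf 'FOO = "foo-secret-1"\nBAR = "bar-secret-2"\n# comment\n\nBAZ = "baz-secret-3"\n' > "$dir/rendered.env"
  : > "$dir/github_env"
  mask_and_export "$dir/rendered.env" "$dir/github_env"
  cat "$dir/github_env"
  rm -rf "$dir"
}
demo
```

Masking only redacts exact occurrences of the registered string, so values that a later step transforms (base64, URL-encodes, splits) can still surface in logs; the masking is a mitigation layered on top of a dedicated secrets action, not a replacement for one.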