
GitHub Actions: Organization secrets - anthonysterling
https://github.blog/changelog/2020-05-14-organization-secrets/
======
kmf
this is a really awesome improvement - a bunch of my projects all deploy w/
actions using the same api token to cloudflare workers (using wrangler-action[1]),
so this makes it super easy to add new projects or re-roll the key
without having to go in and change each project's config.

btw, if you're looking for an intro to github actions, i put out a video last
december covering publishing your first github action workflow:
[https://youtu.be/J4EhgEskSZA](https://youtu.be/J4EhgEskSZA)

[1]: [https://github.com/cloudflare/wrangler-action](https://github.com/cloudflare/wrangler-action)

~~~
ignoramous
> _...a bunch of my projects all deploy w/ actions using the same api token
> to cloudflare workers..._

Assuming some of those are open source, would you please link to them?

------
some_furry
This is really cool in a way that will make developers that use Github Actions
one day ask, "How did we live without that?"

~~~
nullwarp
I was asking for this exact thing on May 1st in slack. Glad it came through, I
shelved the project until I could come up with something.

------
neximo64
Can't you create a github action in a commit that simply spits the secret out?
Anyone know how to prevent this hack? Is there a way to have an open repo
except for the actions folder?

~~~
jsmeaton
You can prevent forks from running actions which guards against external
parties.

Nothing to be done about internal parties except policies.

~~~
neximo64
Policies, a verbal rule with your devs?

~~~
skybrian
Mandatory code review would do it.

~~~
jsmeaton
Not really, because people could change the action on their PR and have it
run. Unless you've got a fork based workflow internally.

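The risk neximo64 raises is a workflow edit that reads a secret, and the mitigations jsmeaton and skybrian name are blocking fork-triggered runs and reviewing every workflow change. The following is an added example, not tooling from the thread or from GitHub: a small review aid that, given the files a PR touches, lists the secrets each touched workflow references via `${{ secrets.NAME }}`, so the reviewer can see what a change to `.github/workflows/` could expose. The two workflow texts and the file list are constructed for the demo.

```python
"""Review aid (added example): which secrets do the workflows touched by a PR reference?

Assumes workflow files live under .github/workflows/ and that secrets are
consumed through the ${{ secrets.NAME }} expression syntax. The sample
repository contents below are constructed, not taken from any real project.
"""
import re
from typing import Dict, Iterable, Set

# ${{ secrets.NAME }} with optional whitespace inside the braces
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")


def secrets_in_workflow(yaml_text: str) -> Set[str]:
    """Names of secrets referenced in one workflow file."""
    return set(SECRET_REF.findall(yaml_text))


def review_exposure(changed_files: Iterable[str], repo_files: Dict[str, str]) -> Dict[str, Set[str]]:
    """Map each changed workflow path to the secrets it references.

    repo_files maps path -> file content as of the PR head (constructed here;
    in practice it would be read from the checked-out PR branch).
    """
    report: Dict[str, Set[str]] = {}
    for path in changed_files:
        if path.startswith(".github/workflows/") and path.endswith((".yml", ".yaml")):
            report[path] = secrets_in_workflow(repo_files.get(path, ""))
    return report


# Constructed sample repository: a test workflow with no secrets and a deploy
# workflow that uses a shared Cloudflare token, as in kmf's setup above.
SAMPLE_REPO = {
    ".github/workflows/ci.yml": """
name: ci
on: [pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - run: npm test
""",
    ".github/workflows/deploy.yml": """
name: deploy
on:
  push:
    branches: [main]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: cloudflare/wrangler-action@VERSION   # version placeholder
        with:
          apiToken: ${{ secrets.CF_API_TOKEN }}
      - run: echo "notifying"
        env:
          SLACK_WEBHOOK: ${{secrets.SLACK_WEBHOOK}}
""",
    "README.md": "docs",
}

if __name__ == "__main__":
    changed = [".github/workflows/deploy.yml", "README.md"]
    for path, names in review_exposure(changed, SAMPLE_REPO).items():
        print(path, "->", sorted(names) or "no secrets referenced")
```

The point of the report is the reviewer's decision, not the script: a PR that touches `deploy.yml` is a change to code that can read `CF_API_TOKEN`, so it deserves the same scrutiny as a change to the deploy credentials themselves.
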
------
ggordan
Great to see. I've definitely missed it coming from circleci, where you have
contexts in which you can define secrets that you can share across multiple repos.

------
nodesocket
Awesome. Now we just need the ability for self hosted runners[1] to support
multiple repos. As I understand it, currently you need to deploy a dedicated
runner per repo.

[1] [https://help.github.com/en/actions/hosting-your-own-runners/...](https://help.github.com/en/actions/hosting-your-own-runners/about-self-hosted-runners)

~~~
chrisrpatterson
Self-hosted runners can be deployed for an org as well:
[https://github.blog/changelog/2020-04-22-github-actions-orga...](https://github.blog/changelog/2020-04-22-github-actions-organization-level-self-hosted-runners/).

~~~
nodesocket
Huzzah! That’s great.

------
jopsen
I wish GitHub Actions had a mechanism for authenticating to third-party
services without secrets.

It could be as simple as calling a metadata API only available from inside a
GitHub Actions container and obtaining an OAuth2 token/JWT for an external
audience.

~~~
captncraig
This would be great. Then we could reliably use something like vault to store
secrets with individual acls per-workflow, and have reasonable confidence that
only that single workflow can access them.

~~~
jopsen
I don't get the obsession with secrets...

Why not give us some signed JWTs for external authentication?

Secrets are only good for legacy systems.

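What jopsen proposes and captncraig builds on is a flow in which the job presents a short-lived signed token instead of a stored secret, and the external service (a Vault-like store in captncraig's comment) decides per workflow what it may read. As an added example, not code from the thread, from GitHub, or from Vault, here is the verifier side of that exchange. It signs with an HS256 shared key so it runs offline; the issuer URL, audience, claim names (`repository`, `workflow`) and the ACL table are all constructed assumptions for the demo, not a description of any real metadata API.

```python
"""Verifier side of a secret-less CI authentication flow (added example).

A CI job obtains a signed JWT from its platform and presents it to an external
secret store. The store checks signature, issuer, audience, expiry and the
identifying claims, then consults a per-workflow ACL. Everything below is a
constructed demo: HS256 with a shared key stands in for an issuer's published
signing key, and the claim names and ACL entries are assumptions.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Set, Tuple

DEMO_KEY = b"demo-shared-key-not-for-production"   # constructed
ISSUER = "https://ci.example.invalid"              # assumed issuer identifier
AUDIENCE = "https://vault.example.invalid"         # assumed audience: this service

# Per-workflow ACL: which secret paths a (repository, workflow) pair may read.
ACL: Dict[Tuple[str, str], Set[str]] = {
    ("example-org/site", "deploy.yml"): {"kv/cloudflare/api-token"},
    ("example-org/api", "release.yml"): {"kv/npm/publish-token"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Issuer side (constructed stand-in): sign a compact HS256 JWT over claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str, now: Optional[float] = None, key: bytes = DEMO_KEY) -> dict:
    """Return the claims if the token is acceptable for this service, else raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")        # pin the algorithm; never trust alg from the token
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("token was minted for a different audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired")
    for required in ("repository", "workflow"):
        if required not in claims:
            raise ValueError(f"missing claim {required}")
    return claims


def authorize_secret(token: str, secret_path: str, now: Optional[float] = None) -> bool:
    """True only if the token verifies and the ACL grants that workflow the path."""
    try:
        claims = verify_token(token, now=now)
    except ValueError:
        return False
    allowed = ACL.get((claims["repository"], claims["workflow"]), set())
    return secret_path in allowed


if __name__ == "__main__":
    t = mint_token({"iss": ISSUER, "aud": AUDIENCE, "exp": time.time() + 300,
                    "repository": "example-org/site", "workflow": "deploy.yml"})
    print(authorize_secret(t, "kv/cloudflare/api-token"))   # True
    print(authorize_secret(t, "kv/npm/publish-token"))      # False: another workflow's secret
```

The audience check is what gives captncraig's "only that single workflow can access them" its teeth: a token minted for one service is rejected by every other, and the ACL keyed on the identifying claims replaces the long-lived shared token kmf describes re-rolling across projects.
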
------
DelightOne
Does it come together with the actions feature to Github Enterprise?

------
actionowl
f i n a l l y !

This is very welcome, now how about organization-level branch protections
please!

------
atarian
Could this replace Vault?

~~~
rileymichael
If your only use case for Vault is access to K/V secrets during a workflow (CD
for example) -- then sure, it's a much simpler alternative. If you need access
to secrets dynamically / at runtime (outside of the Actions container), or any
of the other features Vault has, then no.

~~~
izolate
I’m not sure if you’re aware but the GitHub API provides dynamic access to the
secrets so you can theoretically use it in your application/outside your
workflow.

~~~
rileymichael
do you happen to have a link to the api docs for that? Everywhere I'm looking
it doesn't return the value.

[https://developer.github.com/v3/actions/secrets/#get-a-repos...](https://developer.github.com/v3/actions/secrets/#get-a-repository-secret)

and the blog states the same behavior I'm seeing in the docs:

    First, the API doesn’t return any values, only names.

[https://github.blog/2020-02-06-manage-secrets-and-more-with-...](https://github.blog/2020-02-06-manage-secrets-and-more-with-the-github-actions-api/#managing-secrets)

~~~
izolate
No, you're right, I was mistaken. Sorry about that.

