[FEAT] Make secret masking configurable for individual secret values #576

@saltyblu

Description

When retrieving secrets from Vault, I often include additional information in the secret that is not sensitive.

For example, when authenticating to a Docker registry, the secret may contain:

  • user_name
  • user_password
  • registry_url

However, not all of these values are actually secret-worthy. For instance, the registry_url does not need to be treated as a secret and masked.

Currently, I am unable to pass this non-sensitive registry_url to another job within my workflow because GitHub Actions automatically masks all parts of the secret.

Describe the solution you'd like

I would like to be able to selectively disable masking for certain values directly when defining secrets within GitHub Actions workflows.

For example:

          secrets: |
            secret/data/ci/container registry | CONTAINER_REG masked=false ;
            secret/data/ci/container user_password | USER_PASSWORD ;
            secret/data/ci/container user_name

Alternatives

  • Save the registry URL encoded inside Vault using base64 and decode the secret inside my job to be able to pass it via job outputs.
  • Pass the registry URL through other means.

Additional context

A similar topic has been discussed in general terms here

Labels: enhancement (New feature or request)

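Added example, not part of the original issue and not the action's own code: a sketch of how the `masked=false` option proposed above could be parsed so that masking stays the default and unknown or malformed options are rejected instead of silently unmasking a value. The `option=value` grammar, the upper-cased default output name, and the names `parseSecretsInput` and `valuesToMask` are assumptions.

```javascript
// Added example: hypothetical parser for "<path> <key> [| <NAME> [opt=value ...]] ;"
const KNOWN_OPTIONS = new Set(['masked']);

function parseSecretsInput(input) {
  return input
    .split(';')
    .map((entry) => entry.trim())
    .filter((entry) => entry.length > 0)
    .map((entry) => {
      const [selector, rest = ''] = entry.split('|').map((s) => s.trim());
      const [path, key] = selector.split(/\s+/);
      if (!path || !key) throw new Error(`malformed secret entry: "${entry}"`);
      const tokens = rest.split(/\s+/).filter(Boolean);
      // Assumption: with no explicit output name, use the upper-cased key.
      const named = tokens.length > 0 && !tokens[0].includes('=');
      const outputName = named ? tokens.shift() : key.toUpperCase();
      let masked = true; // fail closed: masked unless explicitly opted out
      for (const option of tokens) {
        const [name, value] = option.split('=');
        if (!KNOWN_OPTIONS.has(name)) throw new Error(`unknown option "${name}"`);
        if (value !== 'true' && value !== 'false') {
          throw new Error(`masked must be "true" or "false", got "${value}"`);
        }
        masked = value === 'true';
      }
      return { path, key, outputName, masked };
    });
}

// Values still to register with the log masker; `fetched` maps output name -> value.
function valuesToMask(requests, fetched) {
  return requests.filter((r) => r.masked).map((r) => fetched[r.outputName]);
}

// Constructed sample: the syntax proposed in the issue, with made-up values.
const SAMPLE_INPUT = `
  secret/data/ci/container registry | CONTAINER_REG masked=false ;
  secret/data/ci/container user_password | USER_PASSWORD ;
  secret/data/ci/container user_name
`;
const SAMPLE_FETCHED = {
  CONTAINER_REG: 'registry.example.test',
  USER_PASSWORD: 'constructed-password',
  USER_NAME: 'ci-bot',
};

console.log(valuesToMask(parseSecretsInput(SAMPLE_INPUT), SAMPLE_FETCHED));
```

A misspelled option such as `mask=false` raises an error here, so a typo cannot leave a value unmasked or, worse, be taken for an intentional opt-out.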