How can I see my git secrets unencrypted?

Question

Background

I had some secrets in my code and upon learning about GitHub Actions I decided to save them in the repositories secret menu for later use in my pipeline.

Problem

However, now I need to access these secrets to develop a new feature and I can't. Every time I try to see the value it asks me to update the secrets. There is no option to just "see" them.

I don't want to update anything I just want to see their values.

Question

How can I see the unencrypted values of my secrets in the project?

Answer 1

In order to see your GitHub Secrets follow these steps:

1. Create a workflow that echos all the secrets to a file.
2. As the last step of the workflow, start a tmate session.
3. Enter the GitHub Actions runner via SSH (the SSH address will be displayed in the action log) and view your secrets file.

Here is a complete working GitHub Action to do that:

name: Show Me the S3cr3tz
on: [push]

jobs:
  debug:
    name: Debug
    runs-on: ubuntu-latest

    steps:
    - name: Check out code
      uses: actions/checkout@v2

    - name: Set up secret file
      env:
        DEBUG_PASSWORD: ${{ secrets.DEBUG_PASSWORD }}
        DEBUG_SECRET_KEY: ${{ secrets.DEBUG_SECRET_KEY }}
      run: |
        echo $DEBUG_PASSWORD >> secrets.txt
        echo $DEBUG_SECRET_KEY >> secrets.txt

    - name: Run tmate
      uses: mxschmitt/action-tmate@v2

The reason for using tmate in order to allow SSH access, instead of just running cat secrets.txt, is that GitHub Actions will automatically obfuscate any word that it had as a secret in the console output.

---

That said - I agree with the commenters. You should normally avoid that. Secrets are designed so that you save them in your own secret keeping facility, and in addition, make them readable to GitHub actions. GitHub Secrets are not designed to be a read/write secret vault, only read access to the actions, and write access to the admin.