Integrating sops with GitHub Actions
Nov 21, 2021
It’s surprisingly tricky if you want to work with env variables.
After some clumsiness around exec-env I settled on this snippet:
- name: Add secrets
  run: |
    echo "::add-mask::$(sops exec-file secrets.env 'cat {} | cut -d = -f 2-')"
    sops exec-file secrets.env 'cat {} >> $GITHUB_ENV'
  shell: bash
The first line masks the values in GitHub logs; the second adds them as env variables for all following steps, which reduces clutter a lot.
Note: shell: bash is essential here, because shells treat ‘\n’ in echo very differently.
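
An added example, not code from the original post: workflow commands are read one output line at a time, so this variant goes beyond the snippet above and prints a separate `::add-mask::` line for every value when secrets.env holds several entries, reading the decrypted file in a single pass. The script name `mask-and-export.sh`, the function names and the sample values are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example, not the post's own code. Assumed call from the workflow step
# (script name is hypothetical):
#   sops exec-file secrets.env 'bash mask-and-export.sh {}'

# mask_and_export DOTENV ENVFILE
# Reads NAME=value lines in a single pass. For every non-empty value it prints
# its own "::add-mask::" command, then appends the line to ENVFILE.
mask_and_export() {
  local dotenv envfile line name value
  dotenv=$1
  envfile=$2
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      '' | '#'*) continue ;;   # blank line or comment
      *=*) ;;                  # NAME=value, handled below
      *) continue ;;           # not an assignment
    esac
    name=${line%%=*}           # text before the first '='
    value=${line#*=}           # everything after it; later '=' are kept
    if [ -n "$value" ]; then
      printf '::add-mask::%s\n' "$value"
    fi
    printf '%s=%s\n' "$name" "$value" >> "$envfile"
  done < "$dotenv"
}

# Constructed sample input; none of these are real secrets.
sample_dotenv() {
  printf '%s\n' '# constructed sample' 'API_TOKEN=tok-111' \
    'DB_URL=postgres://u:p@db/app?sslmode=require' '' 'EMPTY='
}

if [ "$#" -ge 1 ]; then
  # In a workflow step: $1 is the path sops substitutes for {}.
  mask_and_export "$1" "${2:-$GITHUB_ENV}"
else
  # Stand-alone run on the constructed sample.
  demo_dir=$(mktemp -d)
  sample_dotenv > "$demo_dir/secrets.env"
  mask_and_export "$demo_dir/secrets.env" "$demo_dir/github_env"
  rm -rf "$demo_dir"
fi
```

Values that themselves span several lines are not handled here; `$GITHUB_ENV` needs its delimiter syntax for those.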