Ci was working without an issue, getting this error now.

Did anyone see this before?

Thanks!

Warning: The set-output command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/

Please update action to support new output method:

• name: Set output
  run: echo "{name}={value}" >> $GITHUB_OUTPUT

Node.js 12 actions are deprecated. For more information see: https://github.blog/changelog/2022-09-22-github-actions-all-actions-will-begin-running-on-node16-instead-of-node12/. Please update the following actions to use Node.js 16: hmanzur/[email protected]

Hi, your action works great for secrets with value not containing dash (-), but I noticed that whenever a secret contains dash, your action doesn't persist the secret value when creating a new secret in GitHub. For example, the following step does create the new repo secret for S3_BUCKET_NAME, however, the value is blank (see verification step below).

     - name: Create GitHub Repository secret for frontend S3_BUCKET_NAME
        uses: hmanzur/[email protected]
        with:
          name: 'S3_BUCKET_NAME'
          value: 'abc-company-bucket'
          repository: ${{ github.repository }}
          token: ${{ secrets.GH_ACTIONS_SECRETS_PAT }}

When I tried to verify that newly created secret "abc-company-bucket" using this step below, it retrieved blank value. But when I modified the secret value from "abc-company-bucket" to "abccompanybucket" in the above step, this step retrieved that value successfully.

     - name: Verify secrets
        run: |
          echo ${{ secrets.S3_BUCKET_NAME }} | sed -e 's/\(.\)/\1 /g'

Please help find root cause and provide a fix. Thanks!

I'm willing to open a PR

I would like to use your action to push a secret to my Organization secrets. And not on my repository.

On this line you set the url to repo hard coded.

Sugestion

Declare a input to switch this hardcoded value to org. It could be a input org: true on the action.

This way it could be default false, mantaining the funcionality to the repo.

Example

  repository_or_org:
    description: Repository or organization name
    default: github.repository
    required: false

  org:
    description: flag to push to organization
    default: false
    required: false

Refs

• https://developer.github.com/v3/actions/secrets/#create-or-update-an-organization-secret

I discovered your action from this answer and wondered if I can set a secret from a script executed during the workflow.

In my case, I have a script generating a facebook token. I would like the token to update my repository secret.

When using this Github Action, the secret value to be set as an input is logged in the Github Action logs that is publicly accessible to anyone logged into Github for public Github repositories.

For example in the Github Action logs it looks like:

Run hmanzur/[email protected]
  with:
    name: REPOSITORY_SECRET_TO_SET
    value: "Secret is leaked here in plaintext"
    repository: my-user/my-public-repository
    token: ***

I do not know of a workaround to redact this information from Github Action logs as it appears that only secrets specified as inputs like {{ secrets.MY_REPOSITORY_SECRET }} will be properly redacted which unfortunately defeats the purpose of this module.

My recommendation is that no one should use this Github Action module unless their Github Action logs are properly protected, redacted, or has a minimal retention window of 0 days.

See ericanastas/deploy-google-app-script-action#1 for more details

Thank you for your PR #3

But there are some missing things on your PR that I managed to do on #4 (which you closed).

Organization secret

I want to upload a secret to my organization, not to my repo (which is from my organization).

Your variable _base is correct. But you are still passing a /:repo/ hardcoded on your URL.

When uploading to organization level secret, it must be passed the owner/organization_name in the url

let { data } = await this.octokit.request('GET /:base/:owner/actions/secrets/public-key', { 

Input owner

Shouldn't be better to create a input owner for this on the action?

Input repository

Your input is using a {github.repository}.

This context returns owner/repository? I think it will return repository only.

The urls for repo are:

• PUT /repos/:owner/:repo/actions/secrets/:secret_name
• GET /repos/:owner/:repo/actions/secrets/public-key

You are obfuscating the owner attribute! This caused me a lot a confusion. And a made those changes on PR #4 to declare it explicitly.

References for repository

• https://developer.github.com/v3/actions/secrets/#get-a-repository-public-key
• https://developer.github.com/v3/actions/secrets/#create-or-update-a-repository-secret

References for organization

• https://developer.github.com/v3/actions/secrets/#get-an-organization-public-key
• https://developer.github.com/v3/actions/secrets/#create-or-update-an-organization-secret

Hello @hmanzur! 👋

I was wondering if you're still making accepting PRs and maintaining this repository. I note that there have been no commits to the main branch in 3 years. It's great if you're still active on it, and it's perfectly OK if you've moved on. ❤️ I would appreciate a concrete y/n answer though! 😊

related to #21 (comment)

Resume

I'm setting the visibility input. But the input is not passed to github API!

Where is your method isOrg?

This method called is not present in your src/api.js

Proofs

On your Dockerfile you use the variable name repo

But on your action.yml you define repository

Isn't this wrong?