GitHub Actions and Doppler Integration

Hello,

I am having issues injecting doppler secrets into my GitHub actions.

I’ve done the steps here: https://docs.doppler.com/docs/enclave-github-actions

And my actions file contains the following code:
- name: Install Doppler CLI
  uses: dopplerhq/cli-action@v1

- name: Test Doppler Access
  run: doppler run -- printenv | grep GCP_PROJECT
  env:
    DOPPLER_TOKEN: ${{ secrets.DOPPLER_TOKEN }}

- name: Pass all secrets to next steps
  run: doppler secrets download --no-file --format=env >> $GITHUB_ENV;
  env:
    DOPPLER_TOKEN: ${{ secrets.DOPPLER_TOKEN }}

However, when I try to use the environment values, GitHub Actions is adding escape characters, which messes up the parsing. Ideally, I would like to use Doppler as my single source of truth for secrets and avoid GitHub secrets, but something is up when I inject them. For example, here are the GitHub Actions logs:

env:
  IMAGE: mctwist_server
  AZURE_COSMOS_DB_NAME: "db_name"
  AZURE_COSMOS_KEY: "key"
  AZURE_COSMOS_URI: "uri/
  AZURE_RESOURCE_GROUP: "resource group"
  GCP_PROJECT: "project id"
  PIP_INDEX_URL: "index url"
  PIP_TRUSTED_HOST_URL: "host"
  DOPPLER_PROJECT: "mctwist"
  DOPPLER_ENVIRONMENT: "prd"
  DOPPLER_CONFIG: "prd"
  CLOUDSDK_METRICS_ENVIRONMENT: github-actions-setup-gcloud

And when I try to use the doppler secret for creating an image, I get the following output:

invalid argument "gcr.io/\"project id\"/mctwist_server:3b413277c5786c0d586d04a77a733f78582f3bd9" for "-t, --tag" flag: invalid reference format

When running this step in my GitHub Actions code:

docker build \
  --tag "gcr.io/$GCP_PROJECT/$IMAGE:$GITHUB_SHA" \
  --build-arg GITHUB_SHA="$GITHUB_SHA" \
  --build-arg GITHUB_REF="$GITHUB_REF" \
  --build-arg AZURE_COSMOS_KEY="$AZURE_COSMOS_KEY" \
  --build-arg AZURE_COSMOS_URI="$AZURE_COSMOS_URI" \
  --build-arg TRUSTED_HOST_URL="$PIP_TRUSTED_HOST_URL" \
  --build-arg INDEX_URL="$PIP_INDEX_URL" \
  .

For some reason, the characters \ are being injected before and after the secret. Any way around this to configure my secret?

This is also happening when I try to use the secret for a variable in a step:

- uses: google-github-actions/setup-gcloud@v0.2.0
  with:
    service_account_key: ${{ secrets.GKE_SA_KEY }}
    project_id: ${{ env.GCP_PROJECT }}

And what happens is that GitHub Actions injects it as a string rather than a variable, leading to the project id not being found.

Hi Brendan,
Thanks for reaching out! With --format=env we return the format KEY="value" and it looks like it is not handling the " correctly. Could you try:

doppler secrets download --no-file --format=docker >> $GITHUB_ENV;

This should return the format KEY=value. We have seen some issues with multiline secrets in the past without the quotes, but this might work in your case.
Best,

Ruud

Awesome, it worked! Thanks and happy holidays, I’ve posted my actions file for others to reference:

name: Build and Deploy Docker Image to GCP

on:
  push:
    branches:
      - master

env:
  IMAGE: mctwist_server

jobs:
  setup-build-publish-deploy:
    name: Setup, Build, Publish, and Deploy
    runs-on: ubuntu-latest

    steps:
    - name: Checkout
      uses: actions/checkout@v2
      
    - name: Install Doppler CLI
      uses: dopplerhq/cli-action@v1

    - name: Test Doppler Access
      run: doppler run -- printenv | grep GCP_PROJECT
      env:
        DOPPLER_TOKEN: ${{ secrets.DOPPLER_TOKEN }}

    - name: Pass all secrets to next steps
      run: doppler secrets download --no-file --format=docker >> $GITHUB_ENV;
      env:
        DOPPLER_TOKEN: ${{ secrets.DOPPLER_TOKEN }}

    # Setup gcloud CLI
    - uses: google-github-actions/setup-gcloud@v0.2.0
      with:
        service_account_key: ${{ secrets.GKE_SA_KEY }}
        project_id: ${{ env.GCP_PROJECT }}

    # Configure Docker to use the gcloud command-line tool as a credential
    # helper for authentication
    - run: |-
        gcloud --quiet auth configure-docker
    # Build the Docker image
    - name: Build
      run: |-
        docker build \
          --tag "gcr.io/$GCP_PROJECT/$IMAGE:$GITHUB_SHA" \
          --build-arg GITHUB_SHA="$GITHUB_SHA" \
          --build-arg GITHUB_REF="$GITHUB_REF" \
          --build-arg AZURE_COSMOS_KEY=$AZURE_COSMOS_KEY \
          --build-arg AZURE_COSMOS_URI=$AZURE_COSMOS_URI \
          --build-arg TRUSTED_HOST_URL=$PIP_TRUSTED_HOST_URL \
          --build-arg INDEX_URL=$PIP_INDEX_URL \
          .
    # Push the Docker image to Google Container Registry
    - name: Publish
      run: |-
        docker push "gcr.io/$GCP_PROJECT/$IMAGE:$GITHUB_SHA"

That’s great Brandon, thanks for sharing your solution, very helpful!

Happy holiday to you too,

Ruud


The issue I have with this is that all the secrets are printed to the GitHub Actions logs. Is there a way to prevent GitHub Actions from printing these Doppler secrets?

Hi @luther_hill,

Are you using our GitHub integration? If you are, then the secrets from Doppler will be synced over as GitHub Actions secrets. These will be accessible inside your actions using ${{ secrets.YOUR_SECRET_NAME_HERE }} and the contents of those secrets are redacted by GitHub by default (meaning if they’re printed by the action, they won’t show up as plaintext in the output you can view).

Could you elaborate a bit on specifically what you're trying to accomplish and how you have things set up?

Thanks!
-Joel
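Two things come up in this thread: Ruud's point that `--format=env` emits `KEY="value"` lines, so the quotes get written into `$GITHUB_ENV` and become part of the variable (hence the bad `gcr.io/"project id"/...` tag), and luther_hill's point that values passed this way show up in the logs. The script below is an added example, not code from Doppler, GitHub or anyone in the thread. It replaces the one-liner in the "Pass all secrets to next steps" step: it strips surrounding quotes so either format can be appended safely, and it asks the runner to redact each value with GitHub Actions' `::add-mask::` workflow command before writing the assignment to the env file. It assumes one `KEY=value` or `KEY="value"` line per secret, as the thread describes, and that `GITHUB_ENV` points at the runner's env file (a temp file is used when run outside Actions).

```shell
#!/bin/sh
# Added example (not Doppler's, GitHub's or the posters' code): a hardened
# "Pass all secrets to next steps" step. Inside a workflow it would run as
#   doppler secrets download --no-file --format=docker | export_masked "$GITHUB_ENV"
# Assumptions: one secret per line, as KEY=value (--format=docker) or
# KEY="value" (--format=env); ::add-mask:: is the GitHub Actions workflow
# command that redacts a value from later log output.
set -eu

# Remove one pair of surrounding double quotes so they do not become part of
# the variable (the cause of the invalid "gcr.io/"project id"/..." tag).
# Values without surrounding quotes pass through unchanged.
unquote_value() {
    v=$1
    case $v in
        '"'*'"') v=${v#\"}; v=${v%\"} ;;
    esac
    printf '%s' "$v"
}

# Read KEY=value lines on stdin. For each one, print a ::add-mask:: command
# (the runner consumes it from stdout and masks the value in later logs),
# then append KEY=value to the file named in $1 (normally $GITHUB_ENV).
# Multi-line values are not handled here; GITHUB_ENV needs the KEY<<DELIM
# form for those.
export_masked() {
    env_file=$1
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            '' | '#'*) continue ;;                          # blank or comment
            *=*) ;;
            *) echo "export_masked: skipping malformed line" >&2; continue ;;
        esac
        key=${line%%=*}
        value=$(unquote_value "${line#*=}")
        printf '::add-mask::%s\n' "$value"
        printf '%s=%s\n' "$key" "$value" >>"$env_file"
    done
}

# Stand-alone demo on constructed sample lines (placeholder values, not real
# secrets). Outside Actions GITHUB_ENV is unset, so a temp file stands in.
demo() {
    target=${GITHUB_ENV:-$(mktemp)}
    printf 'GCP_PROJECT="project id"\nIMAGE=mctwist_server\n' | export_masked "$target"
    cat "$target"
}

demo
```

Masking only covers output produced after the `::add-mask::` line is processed, so it does nothing for the earlier "Test Doppler Access" step, which prints the value with `printenv | grep GCP_PROJECT`; drop that step once the token is known to work, or grep for the key name only.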