How To Reveal GitHub-Actions Secrets

GitHub gh-actions

By default, gh-actions secrets are read-only, and their log output is hidden. A simple trick can reveal their values.

Corey Regan's avatar
Authored by Corey Regan
GitHubGitHubLinkedInTwitterTwitterInstagramInstagramCredly

Published on August 12, 2024

1 min read

You can create or add to an existing workflow a job step that echos a secret and pipes it into sed which will add a space between each character, thereby tricking & bypassing GitHub's secrets exposure analysis, revealing secrets in plaintext.

bash:An example gh-actions workflow that reveals secrets
name: Reveal Secrets
on: [workflow_dispatch]
jobs:
  reveal-secrets:
    runs-on: ubuntu-latest
    steps:
      - name: Reveal secrets
        run: |
          echo "SECRET_NAME=${{ secrets.SECRET_NAME }}" | sed 's/./& /g'

After merging the PR into your master/main branch, you can go to your repo's Actions, select this new Workflow, and manually run the Workflow. In the Workflow's output you will see the revealed secrets. Copy/paste the results into a text editor and search/replace the space character with nothing.

Ensure you delete all Workflow runs that revealed secrets. Also delete the Workflow YAML itself.

If your secrets contain spaces, modify the sed command to inject one or more special characters instead of spaces: sed 's/./&!!!/g'

bash:Try using special characters when you need to preserve spaces in secrets
echo "secret contains spaces" | sed 's/./&!!!/g'
s!!!e!!!c!!!r!!!e!!!t!!! !!!c!!!o!!!n!!!t!!!a!!!i!!!n!!!s!!! !!!s!!!p!!!a!!!c!!!e!!!s!!!