Spun out from #49.
Ship an official Action that wraps `secretspec export --format gha` (#94) so secrets land in `$GITHUB_ENV` for the rest of the job, including third-party Actions later in the workflow. The `secretspec run -- cmd` wrapper only works for steps we control; once a third-party Action needs the env (Docker build, deploy, etc.), the wrapper pattern breaks.
Shape:

```yaml
- uses: cachix/secretspec-action@v1
  with:
    profile: production
    provider: env # optional
```
Responsibilities:

- Install and cache the `secretspec` binary
- Run `secretspec export --format gha`
- Append `KEY=value` to `$GITHUB_ENV`
- Emit `::add-mask::value` per secret so the runner's log scrubber catches accidental echoes
Depends on #94.
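As an added example (not code from this issue or from the secretspec project), here is the mask-then-append half of the action as a POSIX sh function pair. It assumes `secretspec export --format gha` prints one `KEY=value` line per secret; the real output format is whatever #94 lands, and the `demo` input below is constructed.

```shell
#!/bin/sh
# Added example, not secretspec's own code. Assumes the export command
# prints one KEY=value line per secret (assumption; see #94).

# Write one KEY=value line into the runner env file, masking the value
# first. Returns 1 for lines that are not a valid env assignment.
export_secret_line() {
    line=$1
    env_file=$2
    case $line in
        *=*) ;;
        *) return 1 ;;
    esac
    key=${line%%=*}
    value=${line#*=}
    # Only accept shell-style identifiers as keys.
    case $key in
        ''|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    # Mask before the value touches $GITHUB_ENV, so a later `env` or a
    # chatty third-party Action cannot print it in clear.
    printf '::add-mask::%s\n' "$value"
    printf '%s=%s\n' "$key" "$value" >> "$env_file"
}

# Read KEY=value lines from stdin (the export command's output) and
# hand each to export_secret_line. Blank lines are skipped; a malformed
# line fails the step instead of silently dropping a secret, and the
# error message deliberately does not echo the line.
export_all() {
    env_file=$1
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        export_secret_line "$line" "$env_file" || {
            printf '::error::malformed export line (contents hidden)\n' >&2
            return 1
        }
    done
}

# In the action this would be:
#   secretspec export --format gha | export_all "$GITHUB_ENV"
# Offline demo with constructed input instead of the real export:
demo() {
    tmp=$(mktemp)
    printf 'DB_PASSWORD=hunter2\nAPI_TOKEN=tok-123\n' | export_all "$tmp"
    printf 'keys written to %s: ' "$tmp"
    cut -d= -f1 "$tmp" | tr '\n' ' '
    printf '\n'
    rm -f "$tmp"
}
demo
```

The ordering is the point: the `::add-mask::` command has to reach the runner before the value is written anywhere else, otherwise a step that echoes the environment before the mask is registered prints the secret in clear. Values containing `=` are handled because only the first `=` splits key from value.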