Eric J Ma's Website

GitHub Actions secrets need to be explicitly declared

written by Eric J. Ma on 2024-01-11 | tags: llamabot mistral gpt-4 api key environment variables github actions repository secret workflow step


In this blog post, I share my experience of debugging GitHub Actions for LlamaBot. I encountered a challenge with setting the Mistral API key as an environment variable in my GitHub action. After hours of frustration, I discovered that GitHub Actions can only read a secret if it's explicitly included in a workflow. I explain how to include it in a workflow step. Curious about how to securely manage your API keys in GitHub Actions? Read on!

Today, in releasing a new version of LlamaBot, I also made a change for one of the SimpleBots that I wrote to use the Mistral AI models instead of GPT-4. That meant that I needed to use a Mistral API key as part of the environment variables. However, no matter what I tried, I couldn't seem to get the environment variable set within my GitHub action, even though it was declared as an Actions Repository-level secret.

Turns out, declaring an Actions Repository secret doesn't immediately make it available to the GitHub Actions runner! According to the official documentation,

GitHub Actions can only read a secret if you explicitly include the secret in a workflow.

(Source: GitHub Actions docs)

This turns out to be a great security practice, even if it caused me no end of frustration for over 3 hours this evening. But how do we include it in a workflow step? It is done this way:

    - step:
      - name: Write release notes
        ##### PAY ATTENTION HERE! #####
        env:
          MISTRAL_API_KEY: ${{ secrets.MISTRAL_API_KEY }}
        ##### PAY ATTENTION HERE! #####
        run: |
          python -m pip install -e .
          llamabot configure api-key --api-key="${{ secrets.OPENAI_API_KEY }}"
          llamabot configure default-model --model-name="${{ secrets.DEFAULT_LANGUAGE_MODEL }}"
          llamabot git write-release-notes # <-- this line needs access to the MISTRAL_API_KEY environment variable!

Cite this blog post:
@article{
    ericmjl-2024-github-declared,
    author = {Eric J. Ma},
    title = {GitHub Actions secrets need to be explicitly declared},
    year = {2024},
    month = {01},
    day = {11},
    howpublished = {\url{https://ericmjl.github.io}},
    journal = {Eric J. Ma's Blog},
    url = {https://ericmjl.github.io/blog/2024/1/11/github-actions-secrets-need-to-be-explicitly-declared},
}
  

I send out a newsletter with tips and tools for data scientists. Come check it out at Substack.

If you would like to sponsor the coffee that goes into making my posts, please consider GitHub Sponsors!

Finally, I do free 30-minute GenAI strategy calls for teams that are looking to leverage GenAI for maximum impact. Consider booking a call on Calendly if you're interested!