Allow to unset env variables #1126
Comments
Thank you for reporting this issue. Would you mind providing an example workflow to illustrate the issue? |
Sure! It's not a full workflow, but I hope it gets the message across...?
I don't trust So, basically what I would like to do is to clean up as much as possible after I've done the parts that I trust more, before I start running the "risky" things. There is not always an option of splitting such tasks across separate workflows, which would be the best solution obviously. |
No. The file seems to be empty at the beginning of each workflow step. |
This seems like a useful addition. I'll put this on the backlog. Thanks for the feedback. |
Another use case example for this functionality turned up while working on git-lfs/git-lfs#5236, namely, that the Resolving this issue while still upgrading to the current |
I'm facing the same issue - I need to clean up AWS creds from the |
Yep, that'd also be my use case. The problem for me is that environment variables exported by |
For GITHUB_ENV, you can tear out content with sed. Note specifically that this is simply a file that's sourced, so you can work on it in the same way you might a .bashrc file.
I cut a gist to help explain these convenience files. |
At least two years ago, that did not work: |
Has anyone found a workaround? I also was not able to make |
I believe the sed solution won't work with multiline values |
This is becoming a big issue when we want to utilize some third-party action that sets some env variables that then we cannot unset. This becomes an even bigger issue when we want to utilize that action several times and handle the output in a custom way. I am writing a EDIT: https://github.com/marketplace/actions/configure-multiple-aws-roles here is the action |
please help |
Using |
Yeah, you can't unset because each step is run out of proc and the toolkit's export variable function informs the runner on variables to set on future steps: https://github.com/actions/toolkit/tree/main/packages/core#exporting-variables I believe it will also short circuit if the value is "" but might be worth validating. Would probably need an unset toolkit / runner support. This all does create odd coupling between steps though :/ |
Can someone post a link to the list where we can add customers who are asking for this feature? This is a feature Experian is very interested in. I didn't see one in the issue/discussion. Thanks! |
Does something like this work?
|
@kellertk nope, does not work :( |
@bryanmacfarlane We are encountering this issue as well. For example - awslabs/aws-sdk-kotlin#1281. Any updates on priority or workarounds? |
Not a real workaround, but I was able to do this, which at least works for my use case.
then after you are done you can simply |
@kellertk yours does not work simply because you only unset the environment variables and do NOT modify the |
The I guess it is all about security, still it is ANNOYING that GitHub does not offer a way |
Adding my voice to the problem, we have an action to fetch a secured credential using OIDC like this (YAML simplified for demo purposes):
This works fine to clear out the creds, but we're left with
I know I could run this step in another job, but for simplicity and speed purposes, it would be much simpler to be able to properly unset environment variables. My only workaround for this is to set a default region at the end of the action but this does not make sense at all. |
I've dug a bit in the codebase and it seems that on each step, the runner service will generate a new empty This is why the Now the only way I see to do this would be to have a step before |
Since the setup action will set both `SP1_DEV=true` and `FRI_QUERIES=1`, the plonk artifact generation fails. We can override `SP1_DEV` but cannot override `FRI_QUERIES` since different StarkMachines use different values. Unsetting variables set via `GITHUB_ENV` is not currently supported according to actions/runner#1126. So just pass `perf: false` instead.
As quite a few people on this ticket are explicitly searching for this to solve the AWS_ env vars issues, I quickly put together a simple action which will fill a profile based on the GHA OIDC token exchange/role-assumption. It only solves my use case (GHA OIDC). It allows adding multiple profiles. |
`echo 'SOME_VAR=some-value' >> $GITHUB_ENV` can be used to set an environment variable for subsequent steps, but there seems to be no documented way to unset it.

Note that `echo 'SOME_VAR=' >> $GITHUB_ENV` will set it to the empty value, but that's different from not having the variable set at all.

Rationale: In some workflows, it might be necessary to check out and/or run untrusted code. At that point I'd like to clean up as many sensitive values as possible. Unsetting env vars (like `SSH_AGENT_PID` or `SSH_AUTH_SOCK`) is part of this.
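An added example, not part of the original issue or the runner's code: since the thread reports that variables written to `GITHUB_ENV` cannot be unset for later steps, one in-step approach is to launch the untrusted command from a subshell in which the sensitive variables are removed. The `scrub_list` and `run_scrubbed` names, the name and prefix lists, and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the issue thread or the runner's code).
# Names and prefixes to drop are assumptions; adjust for your workflow.
SCRUB_NAMES="SSH_AGENT_PID SSH_AUTH_SOCK"
SCRUB_PREFIXES="AWS_"

# Print the exported variable names that match the lists above.
scrub_list() {
  # `env` prints NAME=value. Continuation lines of multi-line values only
  # pass the filter if they look like NAME=..., and unsetting a name that
  # is not set is harmless.
  env | sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' | while read -r name; do
    for exact in $SCRUB_NAMES; do
      if [ "$name" = "$exact" ]; then echo "$name"; fi
    done
    for prefix in $SCRUB_PREFIXES; do
      case "$name" in "$prefix"*) echo "$name" ;; esac
    done
  done
}

# Run "$@" from a subshell in which the listed variables are truly unset
# (not merely empty). The calling step's own environment is unchanged.
run_scrubbed() {
  (
    for name in $(scrub_list); do
      unset "$name"
    done
    exec "$@"
  )
}

# Demo with constructed values standing in for what earlier steps exported.
export SSH_AUTH_SOCK=/tmp/constructed-agent.sock
export AWS_SECRET_ACCESS_KEY=constructed-not-a-real-key
export AWS_REGION=   # empty, as after: echo 'AWS_REGION=' >> $GITHUB_ENV
export KEEP_ME=1
# Hypothetical stand-in for the untrusted command: report what it inherits.
run_scrubbed sh -c 'for v in SSH_AUTH_SOCK AWS_SECRET_ACCESS_KEY AWS_REGION KEEP_ME; do
  if env | grep -q "^$v="; then echo "$v: visible"; else echo "$v: not set"; fi
done'
```

In a workflow step this would wrap only the untrusted command; variables recorded through `GITHUB_ENV` are still present in later steps, as the thread describes.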