# step-security/wait-for-secrets

Source: https://github.com/step-security/wait-for-secrets (Apache-2.0 license; latest commit 0d713b8, Dec 5, 2022: "Merge pull request #52 from step-security/update-readme-gif")

Publish from GitHub Actions using multi-factor authentication.
Maintained by stepsecurity.io | OpenSSF Scorecard | License: Apache 2.0

---

Wait-for-secrets GitHub Action waits for the developer to enter secrets during a workflow run. Developers can enter secrets using a web browser and use them in the workflow.

*Demo (animated GIF in the repository's `images` directory)*

## Why?

* **MFA**: To enable using multi-factor authentication (MFA) / one-time passwords (OTPs) for a release workflow, e.g., using an OTP to publish to the npm registry.
* **Separation of duties**: Even if someone has write access to the repository, they do not get access to the deployment secrets.
* **More control**: You have more control over when secrets get used in your workflows. With wait-for-secrets, manual human interaction is needed for publishing.
* **Less management overhead**: You can use your existing account for deployment. This removes the need to manage a separate set of deployment credentials.

## How?

1. Add the wait-for-secrets GitHub Action to your workflow and specify the secrets you need.
2. The Action will print a URL in the build log every 10 seconds and wait for you to enter the secrets.
3. Click on the URL and enter the secrets that the workflow needs.
4. The Action will get the secrets you entered in the browser and continue execution.
5. Use the retrieved secrets in future steps.

## Demo workflow

Use this workflow to see a quick demo of wait-for-secrets with a dummy secret.
```yaml
name: Wait-for-secrets Demo
on: workflow_dispatch
jobs:
  build:
    permissions:
      id-token: write
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: step-security/wait-for-secrets@v1
        id: get-otp
        with:
          secrets: |
            DUMMY_SECRET:
              name: 'Dummy secret'
              description: 'Dummy secret to demo wait-for-secrets'
      - run: |
          echo ${{ steps.get-otp.outputs.DUMMY_SECRET }}
```

## Publish to NPM registry using one-time password (OTP)

Use this workflow to publish to the npm registry using a one-time password.

Prerequisites:

1. Set up two-factor authentication for your account.
2. Require two-factor authentication to publish the package. This can be configured in the package settings.
3. Create a Publish access token and set it as a GitHub secret named `NODE_AUTH_TOKEN`.

```yaml
name: Publish Package to npmjs
on: workflow_dispatch
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: "16.x"
          registry-url: "https://registry.npmjs.org"
      - uses: step-security/wait-for-secrets@v1
        id: wait-for-secrets
        with:
          secrets: |
            OTP:
              name: 'OTP to publish package'
              description: 'OTP from authenticator app'
      - run: npm ci
      - run: npm publish --otp ${{ steps.wait-for-secrets.outputs.OTP }}
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NODE_AUTH_TOKEN }}
```

When you run this workflow, you will see a link in the build log to enter the OTP.

* Click on the link and enter the OTP.
* The workflow will take the OTP and pass it to the `npm publish` step.
* The OTP will be used to publish the package.

## Slack notification

You can get a notification on Slack when the secret needs to be entered. Set the `slack-webhook-url` input as shown below.

## Deploy to AWS using temporary security credentials

Example of how to provide AWS temporary security credentials in a workflow.
```yaml
name: Deploy to AWS
on:
  workflow_dispatch:
  push:
    branches:
      - main
permissions:
  contents: read
jobs:
  publish:
    permissions:
      contents: read
      id-token: write
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - uses: step-security/wait-for-secrets@v1
        id: wait-for-secrets
        with:
          slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}
          secrets: |
            AWS_ACCESS_KEY_ID:
              name: 'AWS access key id'
              description: 'Access key id for prod'
            AWS_SECRET_ACCESS_KEY:
              name: 'AWS secret access key'
              description: 'Secret access key for prod'
            AWS_SESSION_TOKEN:
              name: 'AWS session token'
              description: 'Session token for prod'
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ steps.wait-for-secrets.outputs.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ steps.wait-for-secrets.outputs.AWS_SECRET_ACCESS_KEY }}
          aws-session-token: ${{ steps.wait-for-secrets.outputs.AWS_SESSION_TOKEN }}
          aws-region: us-west-2
```

During the workflow run, you can generate temporary AWS credentials for your account and enter them using the browser.

## Actual examples

Here are a couple of workflows that use wait-for-secrets:

1. Publish to NPM: https://github.com/jsx-eslint/eslint-plugin-react/blob/master/.github/workflows/npm-publish.yml
2. Deploy to AWS: https://github.com/step-security/secure-workflows/blob/main/.github/workflows/release.yml
3. GitHub release: https://github.com/step-security/wait-for-secrets/blob/main/.github/workflows/release.yml

## FAQ

1. **Why does wait-for-secrets need `id-token: write` permission?**

   It needs the `id-token: write` permission to authenticate to the StepSecurity API. This is to ensure only the authorized workflow can retrieve the secrets.

2. **How does wait-for-secrets work?**

   This is how wait-for-secrets works:

   1. When the wait-for-secrets Action is called, it gets an OpenID Connect (OIDC) token using the `id-token: write` permission.
   2. The token is sent to the StepSecurity API along with the list of needed secrets.
   3. The StepSecurity API authenticates the caller using the token and stores the list of secrets in a data store.
   4. When a user clicks on the link in the build log, the list of secrets is shown to the user.
   5. The user enters the secrets in the browser.
   6. The secrets are sent to the StepSecurity API, where they are stored in the data store.
   7. The wait-for-secrets Action polls every 10 seconds to check if the secrets are available.
   8. If available, the StepSecurity API returns the secret values to the Action.
   9. The wait-for-secrets Action makes a call to the StepSecurity API to clear the secrets in the data store.
   10. The wait-for-secrets Action makes the secrets available for future steps.

3. **Where is the code for the StepSecurity API?**

   The wait-for-secrets GitHub Action and the backend API it uses are open source. The backend API is in the https://github.com/step-security/secure-workflows repository.
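The exchange in FAQ 2 (and the five steps under *How?*), modelled end to end as an added example that is not part of wait-for-secrets or the StepSecurity API: the API side is a small in-memory store, the Action side is the register/poll/clear loop, and the OIDC token is replaced by a plain object holding the `repository` and `run_id` claims the API would read after verifying GitHub's signature (that verification is assumed to have happened and is not shown). The class and function names, the request key format, the `example-org/example-repo` identity and the sample OTP are all constructed for illustration; what the model is meant to show is that the stored request is bound to the run identity in the token, so another run cannot read the values, and that the values are cleared as soon as the Action has them.

```typescript
// Added example, not wait-for-secrets' or the StepSecurity API's own code: an
// in-memory model of the FAQ 2 exchange. The OIDC token is a stand-in object
// of the claims the API would read after verifying GitHub's signature.

type RunIdentity = { repository: string; run_id: string }; // "owner/repo" and the run the token was issued for
type SecretSpec = { name: string; description: string };
type PendingRequest = { caller: RunIdentity; needed: Record<string, SecretSpec>; values: Record<string, string> | null };

// Stand-in for the StepSecurity API and its data store (constructed).
class SecretsApiModel {
  private readonly store: Record<string, PendingRequest> = {};

  // Steps 2-3: the Action sends its token and the list of secrets it needs.
  // The entry is keyed by the caller's identity, so it belongs to one run.
  register(token: RunIdentity, needed: Record<string, SecretSpec>): string {
    const key = `${token.repository}@${token.run_id}`;
    this.store[key] = { caller: token, needed, values: null };
    return key;
  }

  // Step 4: the browser page lists which secrets the run is waiting for (empty once cleared).
  listNeeded(key: string): string[] {
    const req = this.store[key];
    return req ? Object.keys(req.needed) : [];
  }

  // Steps 5-6: the user submits values; exactly the requested names are accepted.
  submit(key: string, values: Record<string, string>): void {
    const req = this.store[key];
    if (!req) throw new Error(`unknown request ${key}`);
    for (const n of Object.keys(values)) if (!(n in req.needed)) throw new Error(`unexpected secret ${n}`);
    for (const n of Object.keys(req.needed)) if (!(n in values)) throw new Error(`missing secret ${n}`);
    req.values = { ...values };
  }

  // Steps 7-8: the Action polls; the API re-checks the caller's identity
  // against the one that opened the request before returning anything.
  fetch(token: RunIdentity, key: string): Record<string, string> | null {
    const req = this.store[key];
    if (!req) throw new Error(`unknown request ${key}`);
    if (req.caller.repository !== token.repository || req.caller.run_id !== token.run_id) {
      throw new Error("token identity does not match the run that requested the secrets");
    }
    return req.values ? { ...req.values } : null;
  }

  // Step 9: the Action asks the API to clear the stored values.
  clear(token: RunIdentity, key: string): void {
    this.fetch(token, key); // same identity check as a read
    delete this.store[key];
  }
}

// Action side: register, poll a bounded number of times, clear, and hand the values to
// later steps (step 10). `wait` is injected so the 10-second sleep can be simulated;
// a real action would await a timer and reprint the URL on each pass.
function waitForSecrets(api: SecretsApiModel, token: RunIdentity, needed: Record<string, SecretSpec>,
                        maxPolls: number, wait: (poll: number, key: string) => void): Record<string, string> {
  const key = api.register(token, needed);
  for (let poll = 1; poll <= maxPolls; poll++) {
    const values = api.fetch(token, key);
    if (values !== null) {
      api.clear(token, key);
      return values;
    }
    wait(poll, key);
  }
  api.clear(token, key); // give up without leaving a request behind
  throw new Error(`no secrets entered after ${maxPolls} polls`);
}

// Constructed scenario: the user opens the link and enters the OTP during the
// second wait, so the third poll succeeds and the request is cleared.
function runDemo(): { otp: string; cleared: boolean; waits: number } {
  const api = new SecretsApiModel();
  const token: RunIdentity = { repository: "example-org/example-repo", run_id: "12345" };
  const needed = { OTP: { name: "OTP to publish package", description: "OTP from authenticator app" } };
  let waits = 0;
  let requestKey = "";
  const values = waitForSecrets(api, token, needed, 5, (poll, key) => {
    waits = poll;
    requestKey = key;
    if (poll === 2) api.submit(key, { OTP: "123456" });
  });
  return { otp: values.OTP ?? "", cleared: api.listNeeded(requestKey).length === 0, waits };
}

// Constructed check: a token for a different run cannot read the stored values.
function crossRunReadIsRejected(): boolean {
  const api = new SecretsApiModel();
  const key = api.register({ repository: "example-org/example-repo", run_id: "1" }, { TOKEN: { name: "t", description: "d" } });
  api.submit(key, { TOKEN: "secret-value" });
  try {
    api.fetch({ repository: "example-org/example-repo", run_id: "2" }, key);
    return false;
  } catch {
    return true;
  }
}
```

`runDemo()` returns the OTP the simulated user typed, confirms the request is gone from the store afterwards, and reports that two waits elapsed before the value was available; `crossRunReadIsRejected()` shows the identity check that FAQ 1 refers to. The bounded `maxPolls` is a design choice of the model: a workflow that nobody attends should fail and clean up rather than hold a pending request open indefinitely.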