Passing secrets as inputs to composite actions. Is it safe ?

[rekaparathalwar]

Composite action doesnt support passing secrets. Instead we can pass the secrets as inputs to composite action.

Is it safe doing so ? Is there any security implications ?

[airtower-luna]

The security implications are the same as for passing secrets to any other type of action: You're giving the secret to the action, and potentially (depending on how the action handles its inputs) any code the action calls. For a composite action that might include other actions it calls.

To see if the handling is safe you'll have to audit the specific action, and anything it calls with access to the secret input. If you determine the action is safe you might want to reference it by commit ID in your workflow to make sure it can't change without you noticing.

[jsugarman]

I have a couple questions on this

• Assuming the action is handling the secret safely is there any risk of inputs that are secrets being logged in plain text by the github action?
• Also, what, then, is the purpose of the secrets option for reusable workflows in that case? Is it registering the secret input in some way

[madkins-webscale]

From my testing it appears they remain redacted in the logs even after being passed across to a composite action as an input (and referred to then via the inputs context)

[alexmercerind]

i wasted so much time now