GitHub Secret Extractor

Get the plain text value of a GitHub secret
v2.2.0
Latest

A simple tool to extract the plain text values of GitHub Secrets. This action was made to show the importance of limiting who can run workflows in repositories with secrets.

This action takes a string, secret, as input and prints an encoded version of it to the console. You can then use the decoder to get the secret in plain text.

Usage

    - name: Extract A Juicy Secret
      uses: Plabick/GitHub-Secret-Extractor@master
      with:
        secret: ${{ secrets.TARGET_SECRET}}

Output

    *************************************
    * Encoded Secret: epousfbenztfdsfut *
    *************************************
    To view the plain-text secret, use the decoder
    plabick.github.io/Actions-Secret-Decoder/

Why is the output encoded?

GitHub redacts text that matches secrets from the console. The only way to output secrets in the console is to encode them.

How can I protect my secrets?

To protect your secrets from a variant of this tool that uses an arbitrary encoding scheme, limit who can modify workflows on repos with secrets. There is no other way to prevent the disclosure of stored secrets.
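
A review check to go with the advice above, as an added example (not part of this action or its README): it scans workflow text for steps that pass secrets.* values to an action referenced by a branch or tag rather than a full commit SHA, since a mutable ref lets the code that receives the secret change without any edit to the workflow. The function name audit_workflow, the sample workflow and the example-org/deploy action are constructed for illustration.

```python
import re

# Constructed sample; the second step mirrors the Usage snippet on this page.
SAMPLE_WORKFLOW = """\
steps:
  - uses: actions/checkout@v4
  - name: Extract A Juicy Secret
    uses: Plabick/GitHub-Secret-Extractor@master
    with:
      secret: ${{ secrets.TARGET_SECRET}}
  - name: Deploy
    uses: example-org/deploy@0123456789abcdef0123456789abcdef01234567
    env:
      TOKEN: ${{ secrets.DEPLOY_TOKEN }}
"""

USES = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?([^\s'\"#]+)")
SECRET_REF = re.compile(r"\$\{\{[^}]*\bsecrets\.([A-Za-z_][A-Za-z0-9_]*)")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")

def audit_workflow(text):
    """Flag steps that pass secrets to an action not pinned to a full commit SHA.
    Line-based heuristic, not a YAML parser: a step starts at a "- " list item
    and ends at the next non-blank line indented no deeper than that dash."""
    steps, current = [], None
    for line in text.splitlines():
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if stripped.startswith("- "):
            current = {"uses": None, "secrets": set(), "indent": indent}
            steps.append(current)
        elif current and stripped and indent <= current["indent"]:
            current = None  # left the step (next job or top-level key)
        if current is not None:
            match = USES.match(line)
            if match:
                current["uses"] = match.group(1)
            current["secrets"].update(SECRET_REF.findall(line))
    findings = []
    for step in steps:
        uses = step["uses"]
        if not uses or not step["secrets"] or uses.startswith("./"):
            continue  # no action, no secrets, or an action from this repo
        action, _, ref = uses.partition("@")
        if not FULL_SHA.match(ref):
            findings.append((action, ref, sorted(step["secrets"])))
    return findings

if __name__ == "__main__":
    for action, ref, names in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{action}@{ref} receives {', '.join(names)} via a mutable ref")
```

The check covers only secrets handed to actions through with: or env:; run: steps that reference secrets still need manual review.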

GitHub Secret Extractor is not certified by GitHub. It is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation.
