{"id":13902576,"url":"https://github.com/step-security/wait-for-secrets","last_synced_at":"2025-05-16T03:06:30.124Z","repository":{"id":38015181,"uuid":"498456330","full_name":"step-security/wait-for-secrets","owner":"step-security","description":"Publish from GitHub Actions using multi-factor authentication","archived":false,"fork":false,"pushed_at":"2025-05-05T23:40:17.000Z","size":4900,"stargazers_count":284,"open_issues_count":20,"forks_count":20,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-05-06T19:11:39.887Z","etag":null,"topics":["action","actions","github-actions","mfa","security"],"latest_commit_sha":null,"homepage":"https://www.stepsecurity.io","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/step-security.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2022-05-31T18:40:45.000Z","updated_at":"2025-03-19T09:59:34.000Z","dependencies_parsed_at":"2024-03-30T23:32:39.449Z","dependency_job_id":"dcc59ad3-2332-4358-b21c-48b4bf489795","html_url":"https://github.com/step-security/wait-for-secrets","commit_stats":{"total_commits":84,"total_committers":9,"mean_commits":9.333333333333334,"dds":0.6071428571428572,"last_synced_commit":"5779be3fa6b17828d109d71a75a233d76f97c045"},"previous_names":[],"tags_count":10,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/step-security%2Fwait-for-secrets","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/step-security%2Fwait-for-s
ecrets/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/step-security%2Fwait-for-secrets/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/step-security%2Fwait-for-secrets/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/step-security","download_url":"https://codeload.github.com/step-security/wait-for-secrets/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254459088,"owners_count":22074605,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["action","actions","github-actions","mfa","security"],"created_at":"2024-08-06T22:01:13.495Z","updated_at":"2025-05-16T03:06:25.111Z","avatar_url":"https://github.com/step-security.png","language":"TypeScript","funding_links":[],"categories":["TypeScript"],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\u003cimg src=\"images/banner.png\" width=\"400\" /\u003e\u003c/p\u003e\n\n\u003cdiv align=\"center\"\u003e\n\n[![Maintained by stepsecurity.io](https://img.shields.io/badge/maintained%20by-stepsecurity.io-blueviolet)](https://stepsecurity.io/?utm_source=github\u0026utm_medium=organic_oss\u0026utm_campaign=wait-for-secrets)\n[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/step-security/wait-for-secrets/badge)](https://api.securityscorecards.dev/projects/github.com/step-security/wait-for-secrets)\n[![License: Apache 
2.0](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://raw.githubusercontent.com/step-security/wait-for-secrets/main/LICENSE)\n\n\u003c/div\u003e\n\n---\n\nThe `wait-for-secrets` GitHub Action waits for the developer to enter secrets during a workflow run. Developers enter the secrets in a web browser, and later steps of the workflow can use them.\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"images/WaitForSecretsDemo2.gif\" alt=\"Demo\" \u003e\n\u003c/p\u003e\n\n## Why?\n\n- **MFA** To use multi-factor authentication (MFA) or one-time passwords (OTPs) in a release workflow, e.g., an OTP to publish to the npm registry.\n- **Separation of duties** Even if someone has write access to the repository, they do not get access to the deployment secrets. Whoever enters the secrets is trusting the workflow code of that run, so prefer short-lived values (an OTP, temporary session credentials) over long-lived ones.\n- **More control** You have more control over _when_ secrets get used in your workflows. With `wait-for-secrets`, publishing requires a manual human step.\n- **Less management overhead** You can use your existing account for deployment. This removes the need to manage a separate set of deployment credentials.\n\n## How?\n\n1. Add the `wait-for-secrets` GitHub Action to your workflow and specify the secrets you need.\n2. The Action prints a URL in the build log every 10 seconds and waits for you to enter the secrets.\n3. Click on the URL and enter the secrets that the workflow needs.\n4. The Action receives the secrets you entered in the browser and continues execution.\n5. 
Use the retrieved secrets in later steps.\n\n### Demo workflow\n\nUse this workflow to see a quick demo of `wait-for-secrets` with a dummy secret.\n\n```yaml\nname: Wait-for-secrets Demo\non: workflow_dispatch\n\njobs:\n  build:\n    permissions:\n      id-token: write\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v3\n      - uses: step-security/wait-for-secrets@v1\n        id: get-otp\n        with:\n          secrets: |\n            DUMMY_SECRET: \n              name: 'Dummy secret'\n              description: 'Dummy secret to demo wait-for-secrets'\n      # Demo only: this prints the entered value to the build log. Never echo a real secret.\n      - run: |\n          echo ${{ steps.get-otp.outputs.DUMMY_SECRET }}\n```\n\n### Publish to NPM registry using one-time password (OTP)\n\nUse this workflow to publish to the npm registry using a one-time password.\n\nPrerequisites:\n\n1. Set up [two-factor authentication](https://docs.npmjs.com/configuring-two-factor-authentication) for your account.\n2. Require two-factor authentication to publish the package. This can be [configured in the package settings](https://docs.npmjs.com/requiring-2fa-for-package-publishing-and-settings-modification).\n3. 
Create a `Publish` [access token](https://docs.npmjs.com/creating-and-viewing-access-tokens) and set it as a GitHub secret `NODE_AUTH_TOKEN`\n\n```yaml\nname: Publish Package to npmjs\non: workflow_dispatch\n\npermissions:\n  contents: read\n\njobs:\n  build:\n    runs-on: ubuntu-latest\n    permissions:\n      contents: read\n      id-token: write\n    steps:\n      - uses: actions/checkout@v3\n      - uses: actions/setup-node@v3\n        with:\n          node-version: \"16.x\"\n          registry-url: \"https://registry.npmjs.org\"\n      - uses: step-security/wait-for-secrets@v1\n        id: wait-for-secrets\n        with:\n          secrets: |\n            OTP: \n              name: 'OTP to publish package'\n              description: 'OTP from authenticator app'\n      - run: npm ci\n      - run: npm publish --otp ${{ steps.wait-for-secrets.outputs.OTP }}\n        env:\n          NODE_AUTH_TOKEN: ${{ secrets.NODE_AUTH_TOKEN }}\n```\n\nWhen you run this workflow, you will see a link in the build log to enter the OTP.\n\n- Click on the link and enter the OTP.\n- The workflow will take the OTP and pass it to the `npm publish` step.\n- OTP will be used to publish the package.\n\n### Slack notification\n\nYou can get a notification on Slack when the secret needs to be entered. 
Set the `slack-webhook-url` input as shown in the next example.\n\n### Deploy to AWS using temporary security credentials\n\nThis workflow shows how to hand temporary AWS security credentials (access key id, secret access key and session token) to a workflow.\n\n```yaml\nname: Deploy to AWS\n\non:\n  workflow_dispatch:\n  push:\n    branches:\n      - main\n\npermissions:\n  contents: read\n\njobs:\n  publish:\n    permissions:\n      contents: read\n      id-token: write\n    runs-on: ubuntu-latest\n    steps:\n      - name: Checkout\n        uses: actions/checkout@v3\n\n      - uses: step-security/wait-for-secrets@v1\n        id: wait-for-secrets\n        with:\n          slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}\n          secrets: |\n            AWS_ACCESS_KEY_ID: \n              name: 'AWS access key id'\n              description: 'Access key id for prod'\n            AWS_SECRET_ACCESS_KEY:\n              name: 'AWS secret access key'\n              description: 'Secret access key for prod'\n            AWS_SESSION_TOKEN:\n              name: 'AWS session token'\n              description: 'Session token for prod'\n\n      - name: Configure AWS Credentials\n        uses: aws-actions/configure-aws-credentials@v1\n        with:\n          aws-access-key-id: ${{ steps.wait-for-secrets.outputs.AWS_ACCESS_KEY_ID }}\n          aws-secret-access-key: ${{ steps.wait-for-secrets.outputs.AWS_SECRET_ACCESS_KEY }}\n          aws-session-token: ${{ steps.wait-for-secrets.outputs.AWS_SESSION_TOKEN }}\n          aws-region: us-west-2\n```\n\nDuring the workflow run, you can generate temporary AWS credentials for your account, for example with `aws sts get-session-token` and your MFA device, and enter the returned access key id, secret access key and session token in the browser.\n\n### Actual examples\n\nHere are some workflows that use `wait-for-secrets`:\n\n1. Publish to NPM: https://github.com/jsx-eslint/eslint-plugin-react/blob/master/.github/workflows/npm-publish.yml\n2. Deploy to AWS: https://github.com/step-security/secure-workflows/blob/main/.github/workflows/release.yml\n3. 
GitHub release: https://github.com/step-security/wait-for-secrets/blob/main/.github/workflows/release.yml\n\n### FAQ\n\n1. Why does `wait-for-secrets` need `id-token: write` permission?\n\n   It needs `id-token: write` to request a GitHub OIDC token and present it to the StepSecurity API. The token's signed claims (repository, workflow, run id) identify the caller, so the API can ensure that only the authorized workflow retrieves the secrets.\n\n2. How does `wait-for-secrets` work?\n\n   This is how `wait-for-secrets` works:\n\n   1. When the `wait-for-secrets` Action is called, it gets an OpenID Connect (OIDC) token using the `id-token: write` permission.\n   2. The token is sent to the StepSecurity API along with the list of secrets the workflow needs.\n   3. The StepSecurity API authenticates the caller using the token and stores the list of secrets in a data store.\n   4. When a user clicks on the link in the build log, the list of requested secrets is shown to the user.\n   5. The user enters the secrets in the browser.\n   6. The secrets are sent to the StepSecurity API, where they are stored in the data store.\n   7. The `wait-for-secrets` Action polls every 10 seconds to check whether the secrets are available.\n   8. If they are, the StepSecurity API returns the secret values to the Action.\n   9. The `wait-for-secrets` Action calls the StepSecurity API to clear the secrets from the data store.\n   10. The `wait-for-secrets` Action makes the secrets available to later steps.\n\n3. Where is the code for the StepSecurity API?\n\n   The `wait-for-secrets` GitHub Action and the backend API it uses are open source. The backend API is in the [https://github.com/step-security/secure-workflows](https://github.com/step-security/secure-workflows/tree/main/remediation/secrets) repository.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstep-security%2Fwait-for-secrets","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstep-security%2Fwait-for-secrets","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstep-security%2Fwait-for-secrets/lists"}
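The handshake described in FAQ 2 of the README above, as an added example that is not part of the README or of the project's code. It is a self-contained TypeScript simulation: `issueToken` and `verifyToken` stand in for GitHub's OIDC issuer (an HMAC over the claims instead of an RS256 JWT checked against GitHub's JWKS), `MockSecretsApi` stands in for the StepSecurity API, and `simulateRun` drives one run from registering the secret list through clearing the values. Every identifier, the claim set and the sample values are assumptions made for illustration; the real Action and backend are linked in FAQ 3.

```typescript
// Added example (not the project's code): offline simulation of the
// wait-for-secrets handshake. All names and values below are assumptions.
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

// Stand-in for GitHub's OIDC issuer. A real token is an RS256 JWT verified
// against GitHub's JWKS; an HMAC over the claims plays that role here.
const ISSUER_KEY = randomBytes(32);
export interface Claims { repository: string; workflow: string; run_id: string }

export function issueToken(claims: Claims): string {
  const body = Buffer.from(JSON.stringify(claims)).toString("base64url");
  const mac = createHmac("sha256", ISSUER_KEY).update(body).digest("base64url");
  return `${body}.${mac}`;
}

export function verifyToken(token: string): Claims | null {
  const [body, mac] = token.split(".");
  if (!body || !mac) return null;
  const expected = createHmac("sha256", ISSUER_KEY).update(body).digest();
  const got = Buffer.from(mac, "base64url");
  if (got.length !== expected.length || !timingSafeEqual(got, expected)) return null;
  return JSON.parse(Buffer.from(body, "base64url").toString("utf8")) as Claims;
}

export interface SecretSpec { name: string; description: string }
interface Pending { owner: Claims; specs: Record<string, SecretSpec>; values?: Record<string, string> }

// Mock of the backend API covering steps 2-9 of the FAQ.
export class MockSecretsApi {
  private store = new Map<string, Pending>();

  // Steps 2-3: the Action authenticates with its OIDC token and registers the
  // secrets it needs. The returned id is what the URL in the build log carries.
  register(token: string, specs: Record<string, SecretSpec>): string {
    const owner = verifyToken(token);
    if (!owner) throw new Error("unauthenticated");
    const id = randomBytes(16).toString("hex");
    this.store.set(id, { owner, specs });
    return id;
  }

  // Step 4: the browser page lists names and descriptions, never values.
  describe(id: string): Record<string, SecretSpec> {
    const req = this.store.get(id);
    if (!req) throw new Error("unknown request");
    return req.specs;
  }

  // Steps 5-6: the user submits exactly the keys that were requested.
  submit(id: string, values: Record<string, string>): void {
    const req = this.store.get(id);
    if (!req) throw new Error("unknown request");
    const want = Object.keys(req.specs).sort().join(",");
    const have = Object.keys(values).sort().join(",");
    if (want !== have) throw new Error(`expected keys [${want}], got [${have}]`);
    req.values = values;
  }

  // Steps 7-8: only the run identity that registered the request may read the
  // values back. null means "not entered yet, keep polling".
  poll(token: string, id: string): Record<string, string> | null {
    const req = this.store.get(id);
    const caller = verifyToken(token);
    if (!req || !caller) throw new Error("unauthenticated or unknown request");
    if (caller.repository !== req.owner.repository || caller.run_id !== req.owner.run_id) {
      throw new Error("request belongs to a different workflow run");
    }
    return req.values ?? null;
  }

  // Step 9: the Action clears the stored values as soon as it has them.
  clear(token: string, id: string): void {
    this.poll(token, id); // same authorization check as a read
    this.store.delete(id);
  }

  has(id: string): boolean { return this.store.has(id); }
}

// One complete run, driven synchronously so each step can be checked.
export function simulateRun() {
  const api = new MockSecretsApi();
  // Constructed identities: the run that needs the OTP, and an unrelated run.
  const token = issueToken({ repository: "example/app", workflow: "release", run_id: "42" });
  const other = issueToken({ repository: "example/app", workflow: "release", run_id: "43" });
  const id = api.register(token, {
    OTP: { name: "OTP to publish package", description: "OTP from authenticator app" },
  });
  const firstPoll = api.poll(token, id);       // nothing entered yet -> null
  let crossRunRejected = false;
  try { api.poll(other, id); } catch { crossRunRejected = true; }
  const shown = Object.keys(api.describe(id)); // what the browser page lists
  api.submit(id, { OTP: "123456" });           // constructed user input
  const secrets = api.poll(token, id);         // step 8: values come back
  api.clear(token, id);                        // step 9
  return { firstPoll, crossRunRejected, shown, secrets, clearedAfter: !api.has(id), api };
}
```

Two properties worth checking in any backend of this shape are visible here: a poll before the user submits returns nothing, and a genuine token from a different run is refused because the request is bound to the claims of the run that created it. The values are deleted the moment the Action has them, so a later visit to the same URL finds no request at all.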