How to recover a GitHub Actions secret

Published on 11/02/2023, 308 words, 2 minutes to read

Sometimes you fuck up and lose your only copy of a GitHub secret that you can't replace easily, such as a Cachix signing key. However you lucked out and that key is actually saved in GitHub Actions secrets...which won't let you read the contents of that secret for understandable security reasons. Here's how you work around that.

First, make sure Deno is installed and copy this program to recover-secret.ts.

const port = 8080;

const handler = async (req: Request): Promise<Response> => {
  const body = await req.text();
  console.log(body);

  return new Response();
};

console.log(`HTTP server running. Access it at: http://localhost:${port}/`);
Deno.serve({ port }, handler);

Run it with deno run -A recover-secret.ts.

Next go to the Tailscale admin console OAuth clients section and generate a new OAuth client that lets you create auth keys (you want the write on devices scope). Add a helpful description like "GitHub Actions secret recovery" and copy the client ID and secret to your password manager. Then add them as GitHub secrets named TAILSCALE_CLIENT_ID and TAILSCALE_CLIENT_SECRET.

Now create a new GitHub Actions workflow with the following contents:

on:
  workflow_dispatch:

jobs:
  recoversecret:
    runs-on: ubuntu-latest
    steps:
      - name: Tailscale
        uses: tailscale/github-action@v2
        with:
          oauth-client-id: ${{ secrets.TAILSCALE_CLIENT_ID }}
          oauth-secret: ${{ secrets.TAILSCALE_CLIENT_SECRET }}
          tags: tag:ci
          version: 1.52.0
      - name: "Recover secret"
        run: |
          echo ${SECRET} > ./output.txt
          curl --data-binary @./output.txt ${TARGET}
        env:
          SECRET: ${{ secrets.CACHIX_SIGNING_KEY }}
          TARGET: "http://kaine.shark-harmonic.ts.net:8080"

Replace the contents of TARGET as facts and circumstances demand.

Now you can recover your secret by hitting the "Run workflow" button on the Actions tab of your repo. The secret will be in your terminal, and you can copy it to your password manager as a note.

Facts and circumstances may have changed since publication. Please contact me before jumping to conclusions if something seems wrong or unclear.

Tags: github, actions, secrets, tailscale