If a secret in actions has a value similar to other secrets, subsequent secrets or variables will be overwritten. #14334

Closed
opened 2025-11-02 11:10:06 -06:00 by GiteaMirror · 4 comments

Originally created by @Updates-Unihoster on GitHub (Apr 3, 2025).

Description

If a secret in actions has a value similar to other secrets, subsequent secrets or variables will be overwritten.
How to reproduce:

  1. Create an empty repo and init it.
  2. Create a secret (the name does not matter, but in my case it is named "LOKI_USER") and set its value to, for example, "loki".
  3. Create another secret (the name does not matter, but in my case it is named "LOKI_PASSWORD") and set its value to something similar but not exactly the same as in step 2. So in my case it will be supersecretlokipassword (the word contains the "loki" string).
  4. Create a Gitea Actions CI/CD workflow. In order not to describe each step, I just provide a simple example in which the bug is reproduced.
```yaml
name: Prod CI/CD
on:
  push:
    branches:
      - 'master'

jobs:
  Prod-Build-Deploy:
    runs-on: ubuntu-latest
    steps:
      -
        name: Check out repository code
        uses: actions/checkout@v4
      -
        name: Print secret and var
        run: |
          echo "LOKI user var: ${{ vars.LOKI_USER }}"
          echo "LOKI user secret: ${{ secrets.LOKI_USER }}"
          echo "LOKI password var: ${{ vars.LOKI_PASSWORD }}"
          echo "LOKI password secret: ${{ secrets.LOKI_PASSWORD }}"
```
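  5. Commit your CI/CD workflow and see the output of the step named "Print secret and var". You will see something like this:

![Image](https://github.com/user-attachments/assets/b331fb11-467e-43b1-ad29-47c6c651d7dc)

  6. If you delete, for example, the variables and leave only the secrets, and change the value of the secret from "supersecretlokipassword" to, for example, the JSON format "supersecret.loki.password" (dots added), you will see that now not the entire line is replaced, but only part of it:

![Image](https://github.com/user-attachments/assets/939854d4-8026-49cf-a7d4-d0068263f752)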

It seems like a very hard-to-find bug; I literally spent days finding out what happens to my secrets and why they turn to "****". It only works with case-sensitive secrets, so if you try to set LOKI_USER as "LOKI" and do not change the password and leave it as "supersecretlokipassword", nothing happens to it.

Version of Gitea that I am running (the bug also reproduces in older 1.23+ versions):
Latest ([1.23.6])

Gitea Version

1.23.6

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

No response

Git Version

2.43.0

Operating System

Ubuntu 24.04

How are you running Gitea?

Running as a systemd service, but I think it's a core Gitea bug, so you can reproduce this behavior no matter how you run Gitea

Database

MySQL/MariaDB

GiteaMirror added the topic/gitea-actions, issue/needs-feedback, type/bug labels 2025-11-02 11:10:06 -06:00
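
An added example, not code from Gitea, its runner, or the reporter: a model of value-based log masking, under the assumption that each occurrence of a secret's value in log output is replaced with `***`. It uses the values quoted in the report as constructed sample input; `maskLine`, `longestFirst` and `overlaps` are hypothetical names. It shows how a short secret that is a substring of another value changes what the log prints, and how to audit a configuration for such overlaps.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// maskLine models value-based log masking (assumed model, not runner code).
func maskLine(line string, secretValues []string) string {
	for _, v := range secretValues {
		if v != "" { // an empty value would match between every character
			line = strings.ReplaceAll(line, v, "***")
		}
	}
	return line
}

// longestFirst orders values so a long secret is masked before its substrings.
func longestFirst(values []string) []string {
	out := append([]string(nil), values...)
	sort.SliceStable(out, func(i, j int) bool { return len(out[i]) > len(out[j]) })
	return out
}

// overlaps lists secrets whose value occurs (case-sensitively) in another value.
func overlaps(secrets, all map[string]string) []string {
	var found []string
	for sName, sVal := range secrets {
		for name, val := range all {
			if sVal != "" && name != sName && strings.Contains(val, sVal) {
				found = append(found, sName+" value occurs in "+name)
			}
		}
	}
	sort.Strings(found)
	return found
}

func main() {
	// Constructed sample built from the values quoted in the report.
	user, pass := "loki", "supersecret.loki.password"
	line := "LOKI password secret: " + pass
	fmt.Println(maskLine(line, []string{user, pass}))               // short value first
	fmt.Println(maskLine(line, longestFirst([]string{user, pass}))) // long value first
	all := map[string]string{"secrets.LOKI_USER": user, "secrets.LOKI_PASSWORD": pass, "vars.LOKI_USER": user}
	secrets := map[string]string{"secrets.LOKI_USER": user, "secrets.LOKI_PASSWORD": pass}
	fmt.Println(strings.Join(overlaps(secrets, all), "\n"))
}
```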

@lunny commented on GitHub (May 10, 2025):

How did you change a secret value? It looks like it hasn't been implemented until #32362 merged.


@lunny commented on GitHub (May 10, 2025):

I followed the steps, but I couldn't reproduce it. Since you just delete vars and no workflow changes, the result should look like this

```
LOKI user var: 
LOKI user secret: ***
LOKI password var: 
LOKI password secret: ***
```

but not

```
LOKI user secret: ***
LOKI password secret: ***
```

@Alexsandr-Random commented on GitHub (May 10, 2025):

> I followed the steps, but I couldn't reproduce it. Since you just delete vars and no workflow changes, the result should look like this
>
> ```
> LOKI user var: 
> LOKI user secret: ***
> LOKI password var: 
> LOKI password secret: ***
> ```
>
> but not
>
> ```
> LOKI user secret: ***
> LOKI password secret: ***
> ```

Hello. Don't close the problem, I will answer in more detail in a week. Now I'm going on vacation. Please provide the full order of actions and the value of the secrets that you created.
I have given a fairly detailed order of actions and the meaning of the secrets in the description.


@GiteaBot commented on GitHub (Jun 9, 2025):

We close issues that need feedback from the author if there were no new comments for a month. 🍵


Reference: github-starred/gitea#14334