Skip to content
Extract a stored Github secret
Albert-Jan Schot
Albert-Jan Schot

· 2 min read

Post

Extract a stored Github secret

So over the years we have seen a great push on security, something that is really important so I am not here to judge. However sometimes it will get you stuck. As you might know GitHub automatically masks secrets, so once a secret is stored you can’t see it again. In most cases that makes perfect sense, you need the secret to authenticate, not to ‘read’ it yourself. However sometimes you just need to get some more details..

GitHub Secrets

Github secrets are stored in the repository settings, you can add them there and they will be available in your workflows. For working with web content I usually store the Azure credentials needed to publish content to my Azure Website or Static Web App in the secrets. And of course you store those same credentials in your local password vault.. Or not. For our website we host for the DIWUG I forgot to store the details. So the secret expired, we had to renew it, but we couldn’t find the Entra ID App registration it used..

I figured I could easily export the details, but I was wrong. Luckily Google provided a few answers:

I opted for the second solution as that would print the value somewhat unreadable and requiring me to run a second command locally. So I stored my workflow as a blog making sure that next time I will ever need to retrieve the Entra Application ID from my Azure Credentials I can use this blog as a reference.

The workflow is simple, you start it manually, it prints the secret in a hex format. You can copy the output and convert it back to a readable format. The workflow is as follows:

name: Print secret

on:
  workflow_dispatch:

jobs:
  build-deploy:
    name: Print secret
    runs-on: ubuntu-latest
    steps:
      - name: Print secret
        env:
          AZURE_CREDENTIALS: ${{ secrets.AZURE_CREDENTIALS }}
        run: |
          echo "Trick to echo GitHub Actions Secret:  "
          echo "${{secrets.AZURE_CREDENTIALS}}" | xxd -ps

To convert it back to a readable string you can run echo 'myoutput' | xxd -ps -r where myoutput is the hex string you copied from the output. With that you get your secret back in a readable format. And in my case a nice json string that included the Entra Application ID and Azure Tenant ID so I could figure out where it all lived. With those details we could renew the secret and update the website again.

Albert-Jan Schot

Albert-Jan Schot

CTO, Microsoft MVP & FastTrack Recognized Solution Architect

I am Albert-Jan Schot, CTO at Blis Digital, Microsoft MVP, and FastTrack Recognized Solution Architect focused on Microsoft 365, Azure, and AI agents. I help teams turn complex Microsoft Cloud challenges into practical architecture decisions and shipped outcomes.

Copilot Studio Microsoft 365 Agent Flows

Zuid Holland, Netherlands

Related Posts