Skip to main content

Read Secrets

The Read Secrets action retrieves sensitive values from GitHub Secrets or Azure Key Vault and makes them available to AL-Go workflows. It handles secret encoding, encryption, and masking to ensure secure handling of sensitive data.

Overview

This action provides secure secret management for AL-Go workflows by:
  • Retrieving secrets from GitHub Secrets or Azure Key Vault
  • Resolving dependency secrets from AppDependencyProbingPaths and TrustedNuGetFeeds
  • Base64 encoding all secrets to handle national characters safely
  • Optionally encrypting secrets (when prefixed with *)
  • Masking secret values in workflow logs
  • Providing authentication tokens for repository operations
Always use this action to handle secrets. Never hard-code sensitive values or pass them as plain text parameters. All secrets are automatically masked in logs for security.

Inputs

shell
string
default:"powershell"
The shell in which to run the PowerShell script:
  • powershell - Windows PowerShell 5.1
  • pwsh - PowerShell 7+
gitHubSecrets
string
required
All GitHub Secrets in compressed JSON format. Typically passed using ${{ toJson(secrets) }} to include all available secrets from the repository.
getSecrets
string
required
Comma-separated list of secrets to retrieve. This parameter supports several special values and modifiers:
  • Standard secret names: Any GitHub secret name
  • appDependencySecrets: Automatically retrieves all secrets needed for resolving dependencies in AppDependencyProbingPaths and TrustedNuGetFeeds
  • TokenForPush: Requests a token for making commits and creating pull requests
  • *SecretName: Prefix with asterisk to return the secret encrypted and Base64 encoded
Example: "licenseFileUrl,*CodeSignCertificate,appDependencySecrets,TokenForPush"
useGhTokenWorkflowForPush
boolean
default:"false"
Determines whether to use the GhTokenWorkflow secret for the TokenForPush output. When false, the standard GITHUB_TOKEN is used. Set to true to use a custom GitHub token with elevated permissions.

Outputs

Secrets
string
A compressed JSON structure containing all requested secrets. Each secret value is Base64 encoded. Secrets whose names were preceded by an asterisk (*) are encrypted before Base64 encoding.Both the original secret value and its Base64 encoded form are automatically masked in workflow logs.
TokenForPush
string
The authentication token to use when workflows need to push changes to the repository, either directly or via pull requests. This is either:
  • The standard GITHUB_TOKEN (default)
  • The GhTokenWorkflow secret (when useGhTokenWorkflowForPush is true)
This token is automatically masked in logs.

Prerequisites

Before using Read Secrets, you must first call the ReadSettings action to populate the env.Settings variable. Read Secrets depends on settings to locate Azure Key Vault configuration and dependency paths.

Usage Examples

Basic Usage

- name: Read secrets
  uses: microsoft/AL-Go/Actions/ReadSecrets@main
  with:
    shell: pwsh
    gitHubSecrets: ${{ toJson(secrets) }}
    getSecrets: 'licenseFileUrl,InsiderSasToken'

With Encrypted Secrets

- name: Read secrets with encryption
  uses: microsoft/AL-Go/Actions/ReadSecrets@main
  with:
    shell: pwsh
    gitHubSecrets: ${{ toJson(secrets) }}
    getSecrets: '*CodeSignCertificate,*KeyVaultCertificate,licenseFileUrl'

Including Dependency Secrets

- name: Read all necessary secrets
  uses: microsoft/AL-Go/Actions/ReadSecrets@main
  with:
    shell: pwsh
    gitHubSecrets: ${{ toJson(secrets) }}
    getSecrets: 'licenseFileUrl,appDependencySecrets,TokenForPush'

Using Custom Token for Push

- name: Read secrets with custom push token
  id: secrets
  uses: microsoft/AL-Go/Actions/ReadSecrets@main
  with:
    shell: pwsh
    gitHubSecrets: ${{ toJson(secrets) }}
    getSecrets: 'licenseFileUrl,TokenForPush'
    useGhTokenWorkflowForPush: true

- name: Make changes and push
  env:
    GITHUB_TOKEN: ${{ steps.secrets.outputs.TokenForPush }}
  run: |
    git add .
    git commit -m "Update"
    git push

Complete Workflow Example

name: Build and Deploy

jobs:
  build:
    runs-on: windows-latest
    steps:
      - uses: actions/checkout@v3
      
      - name: Read settings
        uses: microsoft/AL-Go/Actions/ReadSettings@main
        with:
          shell: pwsh
      
      - name: Read secrets
        id: secrets
        uses: microsoft/AL-Go/Actions/ReadSecrets@main
        with:
          shell: pwsh
          gitHubSecrets: ${{ toJson(secrets) }}
          getSecrets: 'licenseFileUrl,*CodeSignCertificate,appDependencySecrets'
      
      - name: Run pipeline
        uses: microsoft/AL-Go/Actions/RunPipeline@main
        with:
          shell: pwsh

Secret Sources

The Read Secrets action can retrieve secrets from two sources:

GitHub Secrets

Secrets defined in your repository or organization settings are accessed directly through the gitHubSecrets parameter. These are the primary source for most secrets.

Azure Key Vault

If your AL-Go settings include Key Vault configuration, the action can retrieve secrets from Azure Key Vault. Configure Key Vault in your settings: 
{
  "keyVaultName": "your-keyvault-name",
  "keyVaultClientId": "...",
  "keyVaultCertificateUrl": "..."
}
Then provide the necessary Key Vault authentication secrets: 
getSecrets: 'keyVaultCertificateUrl,keyVaultCertificatePassword,keyVaultClientId,licenseFileUrl'

Common Secrets

Here are commonly used secrets in AL-Go workflows:

Build and Signing Secrets

  • licenseFileUrl: URL to the Business Central license file (required for most builds)
  • CodeSignCertificate: Code signing certificate for signing apps
  • CodeSignCertificatePassword: Password for the code signing certificate
  • InsiderSasToken: SAS token for accessing insider artifacts

Azure Key Vault Secrets

  • keyVaultName: Name of the Azure Key Vault
  • keyVaultClientId: Client ID for Key Vault authentication
  • keyVaultCertificateUrl: URL to the Key Vault certificate
  • keyVaultCertificatePassword: Password for the Key Vault certificate

Deployment Secrets

  • AuthContext: Authentication context for Business Central environments
  • EnvironmentName: Target environment name

Repository Secrets

  • GhTokenWorkflow: Custom GitHub token with elevated permissions
  • gitHubPackagesContext: Authentication context for GitHub Packages

Dependency Secrets

When you specify appDependencySecrets in the getSecrets parameter, the action automatically:
  1. Reads your AppDependencyProbingPaths from settings
  2. Reads your TrustedNuGetFeeds from settings
  3. Extracts the authTokenSecret from each path/feed
  4. Retrieves all referenced authentication secrets
This simplifies secret management for dependencies: 
getSecrets: 'licenseFileUrl,appDependencySecrets'
Instead of: 
getSecrets: 'licenseFileUrl,secret1,secret2,secret3'

Security Considerations

Important Security Notes:
  • All secret values are automatically masked in GitHub Actions logs
  • Both the original value and Base64 encoded value are masked
  • Use the * prefix for secrets that need encryption
  • Never output secret values directly in workflow steps
  • Always use the Secrets output to access secret values
  • Use TokenForPush for authentication, never hard-code tokens

Encrypted Secrets

Secrets prefixed with * receive additional encryption before Base64 encoding. Use this for highly sensitive values like:
  • Code signing certificates
  • Private keys
  • Certificate passwords
Example: 
getSecrets: '*CodeSignCertificate,*PrivateKey,licenseFileUrl'

Accessing Secrets in Subsequent Steps

Using the Secrets Output

- name: Read secrets
  id: secrets
  uses: microsoft/AL-Go/Actions/ReadSecrets@main
  with:
    gitHubSecrets: ${{ toJson(secrets) }}
    getSecrets: 'licenseFileUrl,InsiderSasToken'

- name: Use secrets
  shell: pwsh
  run: |
    $secrets = '${{ steps.secrets.outputs.Secrets }}' | ConvertFrom-Json
    # Secrets are Base64 encoded, decode as needed
    # The env.Secrets variable is also available in actions that expect it

Using TokenForPush

- name: Read secrets
  id: secrets
  uses: microsoft/AL-Go/Actions/ReadSecrets@main
  with:
    gitHubSecrets: ${{ toJson(secrets) }}
    getSecrets: 'TokenForPush'
    useGhTokenWorkflowForPush: true

- name: Create pull request
  env:
    GITHUB_TOKEN: ${{ steps.secrets.outputs.TokenForPush }}
  run: gh pr create --title "Update" --body "Automated update"

Troubleshooting

Secret Not Found

If a requested secret is not found:
  • Verify the secret exists in GitHub repository/organization secrets
  • Check the secret name spelling
  • Ensure you have access to organization secrets (if applicable)
  • For Key Vault secrets, verify Key Vault configuration in settings

Key Vault Access Issues

If Azure Key Vault secrets cannot be retrieved:
  • Verify keyVaultName in settings is correct
  • Ensure Key Vault authentication secrets are provided
  • Check that the service principal has access to the Key Vault
  • Verify the Key Vault certificate is valid and not expired

Token Permission Issues

If TokenForPush doesn’t have sufficient permissions:
  • Consider setting useGhTokenWorkflowForPush: true
  • Ensure GhTokenWorkflow secret is configured with a PAT
  • Verify the PAT has required permissions (repo, workflow, etc.)
  • Check token expiration date

Build docs developers (and LLMs) love

Get started for freeTalk to us