Warning

I am a GitHub Actions noob. They confuse and scare me.

I have a GitHub action that runs on a cron schedule to rebuild my site once a day. This is mostly to make sure my TODO page gets updated from the latest issues. But it could have other uses in the future.

I made a noob mistake and left my Netlify webhook in plain text in the action definition. I caught it before anyone could abuse it and make run out of build minutes or whatever. I deleted the old webhook and created a new one. Figured I should move it into a secret.

Secret seemed to be the right choice here because GitHub will obfuscate secrets in logs, but variables will be logged as plain text. It wasn't until later that I realized you need to be logged in to see logs anyway. So in reality, secrets and variables would work the same for me.

I created a new environment and added the secret to that. Off to a good start.

The job failed. And failed again. And again. I could not figure out why it was not picking up the secrets! I tried so many things and syntaxes and properties. Nothing I tried would get the job to pickup the secrets.

Turns out, there are 2 buckets of secrets or variables—Repository and Environment.

I needed to define an environment for my job:

jobs:
  build:
    name: Request Netlify Webhook
    runs-on: ubuntu-latest
    environment: samwarnick.com
    steps:
      - name: Curl request
        run: curl -X POST -d {} ${{ secrets.NETLIFY_HOOK }}

Then it worked! Hallelujah.

After realizing my mistake, I deleted the environment and moved the secret to be a repository secret. This simplifies things.