2
votes

I am trying to create a GitHub action to deploy the lambda function with the script provided below. When I try to pass the description through the GitHub secrets, GitHub Actions does not recognize it as a string and treats it as a command. Is there any way to pass the string from the GitHub secrets so that GitHub Actions treats it as a string? Or can we pass a double-quoted string from the secrets?

name: Test Lambda Actions

on:
  pull_request:
    paths:
      - lambda/src/lambda_function.py
      - .github/workflows/lambda-dev.yml

jobs:
  deploy-lambda:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@master
      - run: chmod 777 *
      - uses: actions/setup-python@v1
        with:
          python-version: 3.7
      - run: pip3 install awscli
      - name: Deploy Lambda Function
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          AWS_DEFAULT_REGION: us-east-1
          ROLE: ${{ secrets.ROLE }}
          HANDLER: lambda_function.lambda_handler
          ALIAS_NAME: ${{ secrets.TEST_ALIAS }}
          DESCRIPTION: ${{ secrets.DESCRIPTION }}
        run: |
          cd lambda/dist
          aws lambda update-function-configuration --function-name test-lambda --role ${ROLE} --description ${DESCRIPTION} --handler ${HANDLER}
          version=$(aws lambda update-function-code --function-name test-lambda --zip-file fileb://lambda_function.zip --publish | jq -r .Version)
          aws lambda create-alias --function-name test-lambda --name ${ALIAS_NAME} --function-version $version

If I add the value LAMBDA IS to a secret named Description and run the GitHub Actions, the following results appear: [image]

1
You can definitely quote your strings in yaml using single or double quotes. However, I'm not sure I understand what you mean that the variable is being treated as a command. It shouldn't be if your yaml syntax is correct - smac89

1 Answer

2
votes

The variables will be present as environment variables.

Like with any shell script, you'll need to quote the variables when using them, otherwise you expose yourself to shell injection (or the more minor case which you are experiencing: whitespace will be expanded into multiple arguments).

For a small example, here's how Azure Pipelines may be setting your environment variables:

export ROLE=my-iam-role
export DESCRIPTION='This is my lambda function'
export HANDLER=foo

When you run this command:

# escaped newlines added so it is more readable on stack overflow
aws lambda \
    update-function-configuration \
    --function-name test-lambda \
    --role ${ROLE} \
    --description ${DESCRIPTION} \
    --handler ${HANDLER}

with your current variables this will be expanded to something like:

aws lambda \
    update-function-configuration \
    --function-name test-lambda \
    --role my-iam-role \
    --description This is my lambda function \
    --handler foo

Notice how the description was expanded into multiple arguments (since arguments are just whitespace-delimited strings in bash).

To fix this, quote your variables in your command:

aws lambda \
    update-function-configuration \
    --function-name test-lambda \
    --role "${ROLE}" \
    --description "${DESCRIPTION}" \
    --handler "${HANDLER}"

Note that if you feed your bash code through something like shellcheck or shellharden, it will make similar suggestions regarding quoting.
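
Added example (not part of the original answer): the hypothetical function `argv_dump` stands in for the real `aws` CLI and prints the argument vector it receives, so the question's unquoted `--description ${DESCRIPTION}` can be compared with the quoted fix under both word splitting and pathname expansion. `LAMBDA IS` is the value from the question; `LAMBDA *`, the role, the handler and the scratch file are constructed sample values.

```shell
#!/usr/bin/env bash
# argv_dump is a hypothetical stand-in for the aws CLI: it prints the
# argument count, then every argument in brackets, exactly as received.
argv_dump() {
    printf '%d' "$#"
    printf ' [%s]' "$@"
    printf '\n'
}

# The question's command with unquoted expansions (the defect).
# $1 is the description value as it would arrive from the secret.
deploy_unquoted() (
    ROLE=my-iam-role; HANDLER=foo; DESCRIPTION="$1"   # constructed values
    # shellcheck disable=SC2086  # left unquoted on purpose
    argv_dump update-function-configuration --function-name test-lambda \
        --role ${ROLE} --description ${DESCRIPTION} --handler ${HANDLER}
)

# The answer's fix: every expansion is double-quoted.
deploy_quoted() (
    ROLE=my-iam-role; HANDLER=foo; DESCRIPTION="$1"   # constructed values
    argv_dump update-function-configuration --function-name test-lambda \
        --role "${ROLE}" --description "${DESCRIPTION}" --handler "${HANDLER}"
)

# Run a command inside a scratch directory holding one file, so that
# pathname expansion of an unquoted '*' has something to match.
in_scratch_dir() (
    dir=$(mktemp -d) || exit 1
    touch "$dir/lambda_function.zip"
    out=$(cd "$dir" && "$@")
    rm -rf "$dir"
    printf '%s\n' "$out"
)

deploy_unquoted 'LAMBDA IS'                 # 10 args: [LAMBDA] [IS]
deploy_quoted   'LAMBDA IS'                 #  9 args: [LAMBDA IS]
in_scratch_dir deploy_unquoted 'LAMBDA *'   # '*' becomes a file name
in_scratch_dir deploy_quoted   'LAMBDA *'   # '*' stays literal
```

With the unquoted form the program receives a stray extra argument after `--description`, and a `*` in the value is replaced by whatever files sit in the working directory; the quoted form delivers the value as one argument in both cases.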