Retrieve GitHub Action Secrets via Webhook

By Johannes Filter
Published Jan 30, 2023

If you need to extract secrets from GitHub Actions, there is no way you can do read them via the GitHub UI. Here is a quick way on how to get the secret values by using curl and a webhook. You can, e.g., use Keybase to create a webhook. Install the “Webhook Bot” into a chat or channel, then run !webhook create somename and note the resulting webhook URL.

Create the GitHub Action (see below) in your repo. Set a GitHub Action secret to KEYBASE_WEBHOOK and then manually execute the action once. Afterward, remove the GitHub Action from your code. You will see all the secrets in the chat.

name: Extract secrets


    runs-on: ubuntu-latest

      - name: Post secrets to Webhook
        shell: bash
        run: >
          curl -X POST ${{ secrets.KEYBASE_WEBHOOK }} -H 'Content-Type: application/json'
          -d '{"msg": "${{ toJSON(secrets) }}"}'