Add 'password' input type for manual workflows

[TaffarelJr]

The input types for manual workflows are great so far:

• string
• choice
• boolean
• environment

But I could really use a password input type.

I need to deploy infrastructure-as-code from my GitHub Action, and I need to be able to prompt for Admin credentials from whoever is running the workflow. I bet I could make it work with a plain string, but I have a feeling my password shouldn't be floating across the internet unprotected. At the very least, a masking effect would be nice to prevent the password from being seen on the screen.

[ethomson]

Appreciate the feedback @TaffarelJr - this is good feedback. There are some details that we'll definitely want to think through because - as you note - these are your secrets. 😁 But your use case makes sense.

Thanks again for the feedback.

[JacobRiske]

@ethomson is there any update on this request?

[Aholicknight]

Has there been any updates for this? I am interested in this as well.

[ravipalla-solasai]

Hi @ethomson

Any updates on Adding password or secret types.

[dev-stupid-codes]

I could be wrong, but I think it's more secure keeping some secrets on my offline password manager. That's why I would rather type passwords each time I need to manually trigger a workflow.

[isacmms]

Bump

[karchun0]

Bump

[milena537blr]

Bump

[luisd-telus]

Bump

[cybernotic]

This is just what I need, a password input type.

[keren-benzion]

This is exactly what I am looking for

[pabloolvcastro]

I would love that

[b4st1en]

Over a year... and nothing new?

I do confirm that it is simply not possible to use Azure (non) secrets (at all) in certain cases. (e.g. echo from some base 64...)
And it's a bit annoying to have to stop sharing your screen in the middle of a meeting just to launch a workflow.

So please add another string type such as masked, password, secret, whatever you like, as long as it has a masking effect when you enter it.

[simonramosb]

Bump

[raja-anbazhagan]

While the comments might help, you might also want to upvote the author's post so it gets more attention.

[gaojx]

Bump

[N-Fannilla]

bump

[ZenouskaMurphy]

bump

[JacobRiske]

bump

[SweetIceLolly]

bump

[pshynin]

bump

[santiagomoranlabat]

bump

[Robert-Dunn]

bump. pretty awkard having to hide my laptop screen from those sitting around me when deploying a workflow. Not to mention a security risk if ever done in public

[Pieeer1]

This would be a helpful feature. Bumping

[ThermodynamicBeta]

Please for the love of god please I'm begging you please I'm on my hands and knees please

[phymo]

bump
finally, I used the github secrets

[loewe]

bump! There are situations where the secrets can and should not be saved.

[loewe]

BTW: As an idea you could also write a greasemonkey script or something that reacts to the test "password" in the label. When i have time i will provide a link to this solution. If anyone else wants to write that workaround, feel free to do so and provide the reference to the script ;).

[nebuk89]

Sorry no one from GitHub has commented back on this one :) let me add this to the set of yaml papercuts we are looking at. I don't have a timeframe but it is still something we are aware of.
Please keep using the vote up on the top level item as well as the bump comments as this gives me a consistent way to check the engagement on everything <3

Thank you for continuing to provide us feedback 🙇

[github-actions[bot]]

💬 Your Product Feedback Has Been Submitted 🎉

Thank you for taking the time to share your insights with us! Your feedback is invaluable as we build a better GitHub experience for all our users.

Here's what you can expect moving forward ⏩

• Your input will be carefully reviewed and cataloged by members of our product teams. 
  • Due to the high volume of submissions, we may not always be able to provide individual responses.
  • Rest assured, your feedback will help chart our course for product improvements.
• Other users may engage with your post, sharing their own perspectives or experiences. 
• GitHub staff may reach out for further clarification or insight. 
  • We may 'Answer' your discussion if there is a current solution, workaround, or roadmap/changelog post related to the feedback.

Where to look to see what's shipping 👀

• Read the Changelog for real-time updates on the latest GitHub features, enhancements, and calls for feedback.
• Explore our Product Roadmap, which details upcoming major releases and initiatives.

What you can do in the meantime 💻

• Upvote and comment on other user feedback Discussions that resonate with you.
• Add more information at any point! Useful details include: use cases, relevant labels, desired outcomes, and any accompanying screenshots.

As a member of the GitHub community, your participation is essential. While we can't promise that every suggestion will be implemented, we want to emphasize that your feedback is instrumental in guiding our decisions and priorities.

Thank you once again for your contribution to making GitHub even better! We're grateful for your ongoing support and collaboration in shaping the future of our platform. ⭐

[jeffbraga]

I really want this password type feature too. But while it is not developed, I managed to solve the masked string problem this way.

e.g.

## To avoid expression render ${{ }} and retrieve the value
export SPOTINST_TOKEN=$(jq -r '.inputs.SPOTINST_TOKEN' ${GITHUB_EVENT_PATH})

## Add mask to hide if necessary
echo "::add-mask::${SPOTINST_TOKEN}"

Just read the input directly from the event file that is placed on each run. This way, we don't need to render the ${{ }} expressions where the values ​​are presented and if necessary, add a mask.

Hope this helps.

[loewe]

Hi guys,

I wrote a small ViolentMonkey script. It is activated via Shift after the page is loaded :).

// ==UserScript==
// @name        Password protected input fields for github actions
// @namespace   Violentmonkey Scripts
// @match       https://[enter URL here]/SA3/workflows/actions/workflows/*
// @grant       none
// @version     1.0
// @author      -
// @description 28.8.2024, 10:26:06
// ==/UserScript==

'use strict';

window.doTheThing = () => {
    [...document.querySelectorAll('.form-group')]
        .forEach(e => {

            let inputName = e.querySelector('.form-group-header').getElementsByTagName('label')[0].innerHTML;

            if (inputName.includes("password")) {
                e.querySelector('.form-group-body').getElementsByTagName('input')[0].type = 'password';
            }
        }
    );
}

document.querySelector('body').addEventListener("keydown", (event) => {
    if (event.key === "Shift") {
        window.doTheThing();
    }
});