Inject BCS_API_KEY secret as step-level env var in bilbao-test workflow #316

Draft
Copilot wants to merge 2 commits into main from copilot/update-bilbao-test-workflow
Copilot AI commented Mar 21, 2026

The Bilbao self-test step needs access to BCS_API_KEY at runtime, but the secret was never wired into the workflow.

Change

Added env: BCS_API_KEY: ${{ secrets.BCS_API_KEY }} scoped to only the run Bilbao self-test step (not job-level, minimizing exposure):

- name: run Bilbao self-test
  env:
    BCS_API_KEY: ${{ secrets.BCS_API_KEY }}
  run: |
      cd pixi
      pixi run python -m pytest ../tests/run_bilbao.py

Creating the secret

In AdvancedPhotonSource/GSAS-II: Settings → Secrets and variables → Actions → New repository secret

Field | Value
Name | BCS_API_KEY
Value | (the API key)

GitHub automatically masks secrets.* values in logs — do not echo the variable explicitly.

Original prompt

Create a pull request in AdvancedPhotonSource/GSAS-II that updates the GitHub Actions workflow .github/workflows/bilbao-test.yml to inject the secret BCS_API_KEY as an environment variable at step-level (only for the run Bilbao self-test step).

Context:

Required change:

  • In the step named run Bilbao self-test, add:
    • env: mapping BCS_API_KEY: ${{ secrets.BCS_API_KEY }}
  • Do not add job-level env; keep it limited to that step.
  • Keep existing formatting/indentation consistent with the file.

Add instructions in PR description (or as a comment in the PR body) explaining how to create the secret:

  • In GitHub UI: repo AdvancedPhotonSource/GSAS-II → Settings → Secrets and variables → Actions → New repository secret
  • Name: BCS_API_KEY
  • Value: the API key value
  • Mention that secrets should not be echoed to logs.

Validation:

  • Ensure the workflow YAML remains valid after edits.

Deliverable:

  • Open a PR with the above change.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: How do I set an environment variable for a GitHub workflow process that keeps the variable setting as a secret?

Assistant: You don’t “set an environment variable as a secret” in GitHub Actions. Instead, you store the value as a GitHub Secret, then inject it into the workflow as an environment variable at runtime. GitHub will automatically mask secrets in logs (and you can also mask additional values). (docs.github.com)

1) Create the secret (recommended place to store it)

Create a secret in one of these scopes:

  • Repository secret (most common)
  • Environment secret (if you use environment: with protection rules)
  • Organization secret (shared across repos)

GitHub docs walk through creating repo/environment/org secrets. (docs.github.com)

2) Use the secret as an environment variable in your workflow

Step-level env (most common)

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Use secret as env var
        env:
          MY_TOKEN: ${{ secrets.MY_TOKEN }}
        run: |
          my-command --token "$MY_TOKEN"

This pattern (mapping ${{ secrets.NAME }} into env:) is the standard approach. (docs.github.com)

Job-level env (available to all steps in the job)

jobs:
  build:
    runs-on: ubuntu-latest
    env:
      MY_TOKEN: ${{ secrets.MY_TOKEN }}
    steps:
      - run: my-command --token "$MY_TOKEN"

3) If you need it to persist across steps (without repeating env:)

Write to $GITHUB_ENV (this makes it available to later steps in the same job):

steps:
  - name: Export secret to later steps
    run: echo "MY_TOKEN=${{ secrets.MY_TOKEN }}" >> "$GITHUB_ENV"

  - name: Use it in a later step
    run: my-command --token "$MY_TOKEN"

Be careful not to print it.

4) Keep it from leaking in logs

  • GitHub masks values that come from secrets.* automatically in logs. (docs.github.com)
  • If you generate/transform a secret (e.g., decode, fetch from cloud), explicitly mask it:
    echo "::add-mask::$VALUE"

GitHub specifically recommends masking sensitive values that aren’t already GitHub secrets. (docs.github.com)

Important notes

  • Don’t echo the secret (even though masking helps, it’s still risky).
  • Secrets aren’t provided to workflows triggered from forks (except GITHUB_TOKEN). (docs.github.com)

If you paste your workflow snippet (just the relevant job/steps), I can show the exact safest way to wire your secret into the command you’re running (bash/pwsh/cmd differences matter).

User: The workflow that I plan to modify is @AdvancedPhotonSource/GSAS-II/files/.github/workflows/bilbao-test.yml and the environment variable needed to be set is BCS_API_KEY

Assistant: To keep BCS_API_KEY secret in that workflow, you should store it as a GitHub Actions secret and then map it into an environment variable inside the job (or just the one step that needs it).

1) Create the secret

I...

This pull request was created from Copilot chat.
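
An added example, not part of the pull request or the GSAS-II repository: a small checker that reports where each `${{ secrets.* }}` reference in a workflow sits (step-level env, job-level env, or expanded directly into a `run:` script), which is the distinction this PR turns on. The function names, the scope labels and the sample workflow (including `WIDE_KEY`) are constructed for illustration; the walk is an indentation heuristic, not a YAML parser.

```python
import re

SECRET = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")
KEY = re.compile(r"^(-\s+)?([A-Za-z_][\w-]*):(\s|$)")

def classify(path):
    """Map the chain of enclosing YAML keys to an exposure scope."""
    if "run" in path:
        return "inline-run"   # expression is expanded into the script text itself
    if "env" not in path:
        return "other"        # e.g. a with: input
    if "steps" in path:
        return "step-env"     # visible to that one step only
    return "job-env" if "jobs" in path else "workflow-env"

def secret_scopes(workflow_text):
    """Return (line_no, secret_name, scope) per secrets.* reference (space-indented block YAML assumed)."""
    stack, findings = [], []   # stack holds (indent, key) of the enclosing keys
    for no, raw in enumerate(workflow_text.splitlines(), 1):
        body = raw.lstrip(" ")
        if not body or body.startswith("#"):
            continue
        indent = len(raw) - len(body)
        m = KEY.match(body)
        if m and m.group(1):   # "- key:" opens a list item; the key sits deeper
            indent += len(m.group(1))
        while stack and stack[-1][0] >= indent:
            stack.pop()
        # Lines inside a run: block are script text, never mapping keys.
        if m and not any(k == "run" for _, k in stack):
            stack.append((indent, m.group(2)))
        for name in SECRET.findall(body):
            findings.append((no, name, classify([k for _, k in stack])))
    return findings

# Constructed workflow: one job-level, one step-level, one inline reference.
SAMPLE = '''\
jobs:
  test:
    env:
      WIDE_KEY: ${{ secrets.WIDE_KEY }}
    steps:
      - name: run Bilbao self-test
        env:
          BCS_API_KEY: ${{ secrets.BCS_API_KEY }}
        run: |
          pixi run python -m pytest ../tests/run_bilbao.py
      - name: export to later steps
        run: echo "MY_TOKEN=${{ secrets.MY_TOKEN }}" >> "$GITHUB_ENV"
'''
print(secret_scopes(SAMPLE))
```

Only the `step-env` finding matches the scoping this PR asks for; the other two scopes are the ones to review before merging a workflow change.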



Copilot AI changed the title from "[WIP] Update GitHub Actions workflow to add BCS_API_KEY" to "Inject BCS_API_KEY secret as step-level env var in bilbao-test workflow" on Mar 21, 2026
Copilot AI requested a review from briantoby March 21, 2026 14:43