Use environment variables as template variables #847

Open
alfieyfc opened this issue Apr 13, 2021 · 11 comments

@alfieyfc

alfieyfc commented Apr 13, 2021

First of all, thanks for the great effort in making this project! 🎩 I'm submitting this issue as a feature request. Not sure if there are already similar ones, but I searched for env in this repo and didn't recognize other issues or PRs on this topic.

I wanted to use variables that aren't in the scope of pre-defined template variables. An example of the configuration would be something like this:

# workflow.yml
...
    steps:
      - name: Release Drafter
        uses: release-drafter/release-drafter@v5.15.0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          MY_RELEASE_NAME: "AwesomeReleaseName"

# .github/release-drafter.yml
name-template: "$MY_RELEASE_NAME"
template: |
  ## Changes
  $CHANGES

I imagine it would be implemented at somewhere around this section of code, but I'm not familiar with how the dist/index.js is composed.

https://github.com/release-drafter/release-drafter/blob/fe52e97d262833ae07d05efaf1a239df3f1b5cd4/dist/index.js#L1168-L1185

Edit:
Something like this might work? This will take environment variable as priority though, not sure if that's a concern.

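  let str = string.replace(/(\$[A-Z_]+)/g, (_, k) => {
    let result
    // k includes the leading "$" (e.g. "$MY_RELEASE_NAME"); env keys do not
    const envName = k.slice(1)
    if (process.env[envName]) {
      result = process.env[envName]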
    } else if (obj[k] === undefined || obj[k] === null) {
      result = k
    } else if (typeof obj[k] === 'object') {
      result = template(obj[k].template, obj[k])
    } else {
      result = `${obj[k]}`
    }
    return result
  })

In case the above code snippet isn't rendering, I'm referencing the following block in dist/index.js

/**
 * replaces all uppercase dollar templates with their string representation from obj
 * if replacement is undefined in obj the dollar template string is left untouched
 */

const template = (string, obj, customReplacers) => {
  let str = string.replace(/(\$[A-Z_]+)/g, (_, k) => {
    let result
    if (obj[k] === undefined || obj[k] === null) {
      result = k
    } else if (typeof obj[k] === 'object') {
      result = template(obj[k].template, obj[k])
    } else {
      result = `${obj[k]}`
    }
    return result
  })
  if (customReplacers) {
    customReplacers.forEach(({ search, replace }) => {
      str = str.replace(search, replace)
    })
  }
  return str
}

@jetersen
Member

I would be afraid of potentially leaking secrets, I would have to test this.

@alfieyfc
Author

alfieyfc commented Apr 13, 2021

@jetersen
Didn't think of that 🤦 and definitely agree! Might be able to retrieve Personal Access Tokens in plaintext if purposely done this way:

# workflow.yml
...
    steps:
      - name: Release Drafter
        uses: release-drafter/release-drafter@v5.15.0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          MY_TOKEN: ${{ secrets.MY_PAT }}

# .github/release-drafter.yml
name-template: "$MY_TOKEN"
template: |
  ## Changes
  $CHANGES

@tjenkinson
Contributor

Would be a neat feature and useful in video-dev/hls.js#4025.

How about having a new config option which is an allow list of env variables to expose?

@tjenkinson
Contributor

Started something here: #892

@tjenkinson
Contributor

tjenkinson commented Jun 10, 2021

Actually I’m wondering what the security concerns are of just allowing any env var? The release is only updated from trusted branches, not prs, right?

If someone updates the template and gets past pr review they could also just update the config so the draft pr I started might not be useful.

@jetersen
Member

Created actions/toolkit#976 to ask for a way that GitHub actions can mask secrets.

@mkurz
Contributor

mkurz commented Jan 31, 2022

+1
We have almost the exact use case like in the original comment.

@jetersen Would it be possible to iterate over the secrets (like secrets.*) ourselves and mask secrets instead of waiting for the GitHub ToolKit to implement that?

@jetersen
Member

@mkurz @alfieyfc

I believe with #1142 it should be possible to append custom content to the release notes.

@jetersen
Member

jetersen commented Jun 15, 2022

@mkurz @alfieyfc

This is fully possible now

    steps:
      - name: Release Drafter
        uses: release-drafter/release-drafter@v5
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          header: "Hello"
          footer: "World"

Inside the header you could use github template variables header: "Hello ${{ inputs.name }}"

@jetersen
Member

jetersen commented Jun 16, 2022

@mkurz @alfieyfc

Maybe another good use case would be potential replacers?

env:
  HELLO: "Hello"
  WORLD: "World"
  INPUT_NAME: "${{ inputs.name }}"
with:
  environment-replacers: "$HELLO,$WORLD,$GITHUB_SHA"

as a way to register what variables should be replaced?

For instance $GITHUB_SHA is a default environment variable passed into each action and by registering it on the action that we should replace the text $GITHUB_SHA with the value of GITHUB_SHA environment variable.

The reason for having environment-replacers would be to avoid all environment variables being looked up, and we can target the search for strings.

Would $TEXT be good enough or should we allow for more flexibility?

@jetersen jetersen reopened this Jun 16, 2022
@mkurz
Contributor

mkurz commented Jul 5, 2022

@jetersen I like that idea with replacers. So basically this would be whitelisting env vars. Maybe just call it environment-whitelist? Just an idea, I am fine with whatever naming.
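
The allowlist idea from the last two comments, as an added example that is not part of the thread or of release-drafter's code: only names registered through the proposed environment-replacers value are looked up in the environment, and built-in template variables take precedence. The function names and the sample environment are constructed for illustration.

```javascript
// Added example, not release-drafter code. parseReplacers and templateWithEnv
// are hypothetical names; sampleEnv holds constructed values.

// Parse the proposed "environment-replacers" value, e.g. "$HELLO,$WORLD".
// Entries that are not a plain "$NAME" token are dropped.
const parseReplacers = (value) =>
  new Set(
    (value || '')
      .split(',')
      .map((s) => s.trim())
      .filter((s) => /^\$[A-Z_]+$/.test(s))
  )

// Same "$NAME" pattern as the template() function quoted in the issue.
const templateWithEnv = (string, obj, allowed, env = process.env) =>
  string.replace(/\$[A-Z_]+/g, (k) => {
    // Built-in template variables win, so the environment cannot shadow them.
    if (obj[k] !== undefined && obj[k] !== null) {
      return typeof obj[k] === 'object'
        ? templateWithEnv(obj[k].template, obj[k], allowed, env)
        : `${obj[k]}`
    }
    const name = k.slice(1) // environment keys carry no leading "$"
    if (allowed.has(k) && env[name] !== undefined) {
      return env[name]
    }
    return k // unknown or not allowlisted: token is left untouched
  })

// Constructed environment: MY_TOKEN stands in for a secret mapped into env.
const sampleEnv = {
  HELLO: 'Hello',
  WORLD: 'World',
  GITHUB_SHA: 'abc123',
  MY_TOKEN: 'constructed-secret-value',
}
const allowed = parseReplacers('$HELLO,$WORLD,$GITHUB_SHA')
const render = (tpl) =>
  templateWithEnv(tpl, { $CHANGES: '* Fix typo (#1)' }, allowed, sampleEnv)

console.log(render('$HELLO $WORLD at $GITHUB_SHA\n$CHANGES'))
console.log(render('token: $MY_TOKEN'))
```

With the allowlist supplied from the workflow file rather than from .github/release-drafter.yml, a change to the template alone cannot pull in a variable that the workflow did not register.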
