I am using github secrets in a bash script but it wont work

[lakshmajee]

I have a github workflow where I am accessing a secret S3_URL from GitHub secrets and consuming it in workflow like below

• upload-to-s3.yml

name: 'Upload to s3'

inputs:
  version:
    required: true
    description: Version
  service_name:
    required: true
    description: Service name
  service_directory:
    required: true
    description: Service directory
  aws-region:
    required: true
  role-to-assume:
    required: true
    description: role-to-assume
  s3_release_url:
    required: true
    description: s3 URL

runs:
  using: composite
  steps:
    - name: configure aws credentials
      uses: aws-actions/configure-aws-credentials@v1
      with:
        role-to-assume: ${{ inputs.role-to-assume }}
        aws-region: ${{ inputs.aws-region }}
    - name: Copy files to s3
      shell: bash
      run: |
        mkdir -p services/${{ inputs.service_name }}/builds
        touch services/${{ inputs.service_name }}/builds/example.txt
        aws s3 sync services/${{ inputs.service_name }}/builds/ ${{ format('{0}/releases/{1}', inputs.s3_release_url, inputs.version) }}

and in my caller workflow

  push_images:
    runs-on: ubuntu-latest
    needs: [publish-something]
    steps:
      - name: Checkout
        uses: actions/checkout@v2
        with:
          fetch-depth: "0"
      - name: Setup node
        uses: actions/setup-node@v2
        with:
          node-version: "14"
      - name: Use Upload to s3
        uses: ./.github/actions/upload-to-s3
        with:
          service_name: my_artifact_1
          service_directory: output_folder
          aws-region: ${{ inputs.aws-region }}
          role-to-assume: ${{ secrets.role-to-assume }}
          version: ${{ github.sha }}
          s3_release_url: ${{ secrets.S3_URL }} # from GitHub secrets

I am getting the following error

aws s3 sync services/my_artifact_1/builds/ *** /outputs/843sdf23239e77891eb96a8f14347ee1e7/
[109](https://github.com/org/api/runs/7446143686?check_suite_focus=true#step:5:114)

Unknown options: /releases/3189d4c1cb9dca8439e77891eb96a8f1f17ee1e7/
[111](https://github.com/org/api/runs/7446143686?check_suite_focus=true#step:5:116)

The error is happening due to secrets.S3_URL accessibility.
How can I access secrets.S3_URL in. my composite action properly in the bash script.

I have tried to print my command to a file as follows, it works when I echoed it (I know this is bad practice, tried this as last resort to know whether the S3_URL is accessible in my composite action or not. It echoed output as expected

    - name: Show
      env:
        S3_PREFIX: ${{ inputs.s3_release_url }}
      run: |
        echo "aws s3 sync services/${{ inputs.service_name }}/builds/ $S3_PREFIX/outputs/${{ inputs.version }}" | sed 's/[[:space:]]/& /g' 
       # output aws s3 sync services/my_artifact_1/builds/ s3://test-abc-bucket/outputs/7tytvfwytstr6
      shell: bash

Could someone help me?
Thanks in Advance 🙏

[gistrec]

When you write ${{ ... }} directly inside a run: block, GitHub evaluates that expression and embeds the resulting value into the shell script before Bash starts

In your case, the secret is available, but the generated command appears to be parsed as multiple arguments:

aws s3 sync services/my_artifact_1/builds/ *** /outputs/...

That makes the AWS CLI receive the destination as separate arguments, which matches the Unknown options error

A safer pattern is to pass the values through env: and then reference them as quoted shell variables:

- name: Copy files to s3
  shell: bash
  env:
    S3_PREFIX: ${{ inputs.s3_release_url }}
    SERVICE_NAME: ${{ inputs.service_name }}
    VERSION: ${{ inputs.version }}
  run: |
    mkdir -p "services/${SERVICE_NAME}/builds"
    touch "services/${SERVICE_NAME}/builds/example.txt"

    aws s3 sync "services/${SERVICE_NAME}/builds/" \
      "${S3_PREFIX}/releases/${VERSION}"

This keeps the expression value out of the generated shell script text and lets Bash receive it as an environment variable instead. Quoting the variables also prevents word splitting in the final aws s3 sync command