fix: register SOPS-decrypted secrets for CI log redaction (#460)
## Summary - The Forgejo/GitHub Actions runner only redacts values it has been explicitly told about. Secrets exported via `$GITHUB_ENV` in `setup_dagger_remote.sh` were never registered, so they could appear in plain text in CI log output. - Added `::add-mask::` calls for every secret exported by `export_secret()`, and for the two inline variables `DAGGER_SSH_KEY` and `DAGGER_ENGINE_HOST` that bypass that function. - Multiline values (e.g. SSH private keys, JSON key files) are masked line-by-line, since `::add-mask::` covers a single line at a time. ## Test plan - [ ] Trigger a `workflow_dispatch` run of `deploy.yml` and confirm no secret values appear in plain text in the "Setup Dagger Remote Engine" step or any subsequent steps. - [ ] Confirm the existing `[secrets] exported NAME (N chars)` log lines still appear (they log only the name and length, not the value). Closes #434 Co-authored-by: Thomas SharedInbox <sharedinbox@thomas-guettler.de> Reviewed-on: https://codeberg.org/guettli/sharedinbox/pulls/460
This commit was merged in pull request #460.
This commit is contained in:
Bot of Thomas Güttler
committed by
guettli
guettli
co-authored by
guettli
Thomas SharedInbox
guettli
Thomas SharedInbox
parent
3e2da2bdf8
commit
f88d14f362
@@ -17,12 +17,25 @@ sops --decrypt --output-type json secrets.enc.yaml > "$SECRETS_JSON"
|
||||
DAGGER_SSH_KEY=$(jq -r '.DAGGER_SSH_KEY' "$SECRETS_JSON")
|
||||
DAGGER_ENGINE_HOST=$(jq -r '.DAGGER_ENGINE_HOST' "$SECRETS_JSON")
|
||||
|
||||
# Register inline secrets for log redaction. Multiline values (e.g. SSH keys)
|
||||
# must be masked line-by-line because ::add-mask:: covers one line at a time.
|
||||
printf '::add-mask::%s\n' "$DAGGER_ENGINE_HOST"
|
||||
while IFS= read -r line; do
|
||||
[ -n "$line" ] && printf '::add-mask::%s\n' "$line"
|
||||
done <<< "$DAGGER_SSH_KEY"
|
||||
|
||||
# Export all CI secrets to the GitHub Actions environment so subsequent steps
|
||||
# can use them without referencing Forgejo secrets directly.
|
||||
export_secret() {
|
||||
local name="$1"
|
||||
local value
|
||||
value=$(jq -r --arg k "$name" '.[$k] // empty' "$SECRETS_JSON")
|
||||
# Register each non-empty line for log redaction in the Actions runner.
|
||||
if [ -n "$value" ] && [ -n "${GITHUB_ENV:-}" ]; then
|
||||
while IFS= read -r line; do
|
||||
[ -n "$line" ] && printf '::add-mask::%s\n' "$line"
|
||||
done <<< "$value"
|
||||
fi
|
||||
if [ -n "${GITHUB_ENV:-}" ]; then
|
||||
# Use heredoc syntax for multiline-safe export.
|
||||
# Avoid adding a second trailing newline for values that already end with one
|
||||
|
||||
Reference in New Issue
Block a user